A New Era: Trump 2.0 Highlights for Privacy and AI
Tuesday, February 11, 2025

Since the Trump 2.0 administration commenced, the U.S. federal government has experienced some major policy shifts. Several Biden-Harris administration era regulations are now eliminated or on a 60-day hold while under review. States and other organizations have filed lawsuits to stay implementation of certain Trump 2.0 initiatives (i.e., the funding freezes, deferred resignation offer, birthright citizenship, among others).

Below is a summary of some of the federal ‘de-regulation’ related to privacy and AI that we are following: 

The January Freeze: COPPA Rule Amendments

Issued on inauguration day, January 20, 2025, the Executive Order titled “Regulatory Freeze Pending Review” (Regulatory Freeze EO) directed federal agencies to not propose or issue any new rule and to withdraw any rule sent to the Office of the Federal Register but not published as final in the Federal Register.

The Federal Trade Commission (FTC) finalized amendments to the Children’s Online Privacy Protection Rule (COPPA Rule Amendments) on January 16, 2025. The COPPA Rule Amendments were submitted to but not published in the Federal Register prior to January 20, 2025. Accordingly, while approved as final from the FTC’s perspective, the COPPA Rule Amendments remain a proposed rule with no effective date or compliance date. The Regulatory Freeze EO directs the FTC to “withdraw” the COPPA Rule Amendments until “a department or agency head appointed or designated by the President after noon on January 20, 2025, reviews and approves the rule.”

Also on January 20th, President Trump appointed FTC Commissioner Andrew Ferguson as FTC Chairman. While still in his role as a Commissioner, Chairman Ferguson voted in favor of the COPPA Rule Amendments but also cited “three major problems” in his concurring statement, which are:

  1. Requiring operators to disclose and receive parental consent about the specific third parties to which the operators will disclose children’s personal information. Then-Commissioner Ferguson noted that not all additions or changes to the identities of third parties should require new parental consent. He suggested that the FTC “could have mitigated this issue” by clarifying that a “change is material for purposes of requiring new consent only when facts unique to the new third party, or the quantity of the new third parties, would make a reasonable parent believe that the privacy and security of their child’s data is being placed at materially greater risk.”
  2. Prohibiting indefinite retention of children’s personal information. The COPPA Rule allows for retention of children’s personal information “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” (§ 312.10). Then-Commissioner Ferguson criticized the addition of the prohibition on indefinite retention because it “is likely to generate outcomes hostile to users,” providing the example that “adults might be surprised to find their digital diary entries, photographs, and emails from their childhood erased from existence.” He wrote that, because the term indefinite is not defined, operators “can comply with the Final Rule by declaring that they will retain data for no longer than two hundred years […] And if ‘indefinite’ is not meant to be taken literally, then it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected.”
  3. “Missed opportunity” to clarify that the Amended COPPA Rule is “not an obstacle to the use of children’s personal information solely for the purpose of age verification.” Commissioner Ferguson noted that the COPPA Rule Amendments “should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

Other notable changes in the COPPA Rule Amendments that were not part of the concurring statement include:

  • An official definition for “mixed audience”. While the concept of a mixed audience online service is covered in the COPPA Rule (see the FTC’s COPPA FAQs, Section D, Question 4), the COPPA Rule Amendments add a defined term for “mixed audience website or online service”. It means an online service that is directed to children within the meaning of COPPA but “that does not target children as its primary audience, and does not collect personal information from any visitor, other than for the limited purposes set forth in § 312.5(c), prior to collecting age information or using another means that is reasonably calculated, in light of available technology, to determine whether the visitor is a child.”
  • Expanded Data Security Requirements. The COPPA Rule requires “reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” (§ 312.8) The COPPA Rule Amendments provide minimum requirements for this reasonableness standard, including a written information security program that contains many of the same safeguards required under state cybersecurity laws, i.e., an accountable person, risk assessments, testing and monitoring and vendor due diligence.

Not-So-Final: Sensitive Personal Data Transfers and Negative Options

On December 30, 2024, the U.S. Department of Justice released a Final Rule titled “Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons” (DOJ Rules). President Biden’s Executive Order 14117 (EO 14117, dated February 28, 2024) directed the DOJ to issue the DOJ Rules. The DOJ Rules were published in the Federal Register on January 8, 2025.

In brief, the DOJ Rules apply to “U.S. persons,” which means U.S. citizens, nationals or lawful permanent residents, qualified refugees, entities organized under U.S. law or persons “in the U.S.” (§ 202.256). Subject to certain exemptions (§ 202.501 to § 202.511), U.S. persons are prohibited or restricted from knowingly engaging in a “covered data transaction,” which means a sale or licensing of “bulk sensitive personal data” or “United States Government-related data,” a vendor agreement, employment agreement, or investment agreement (§ 202.210), that involves access by a “country of concern” (§ 202.209) or “covered person” (§ 202.211). (Countries of concern are China, Cuba, Iran, North Korea, Russia and Venezuela (§ 202.209).)

The DOJ Rules are effective on April 8, 2025. But, as a final rule published in the Federal Register prior to January 20th, the Regulatory Freeze EO requests that federal agencies “consider” postponing the effective date and opening a comment period for interested parties.

Even before the Regulatory Freeze EO was released, the DOJ had announced its intention to “continue to robustly engage with stakeholders to determine whether additional time for implementation is necessary and appropriate” during the 90 days between the DOJ Rules’ publication in the Federal Register and the effective date. Unlike many other Biden-era Executive Orders, EO 14117 was not rescinded on Inauguration Day. Whether the exclusion of EO 14117 means that the DOJ Rules will survive the regulatory freeze is unclear.

Another final rule subject to the regulatory freeze: FTC’s “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (Final Negative Option Rule), which was published in the Federal Register as final on November 15, 2024.

Parts of the Final Negative Option Rule were effective January 14, 2025, but businesses have until May 14, 2025, to comply with certain sections of the Final Negative Option Rule, i.e., § 425.4 (disclosures’ form, content and placement), § 425.5 (consent) and § 425.6 (simple cancellation mechanism).

Commissioner Holyoak wrote a dissent (89 FR 90540) to the Final Negative Option Rule, citing procedural issues and the failure to “define with specificity” the acts or practices that are unfair or deceptive and whether these practices are “prevalent.” FTC Chair Ferguson joined, which may indicate the parts of the Final Negative Option Rule that the FTC will revisit or replace. (More about the Final Negative Option Rule is available here).

A third rule – Personal Financial Data Rights Rule (PFDR Rule) – was published as final on November 8, 2024, and effective January 17, 2025 – three days before the Regulatory Freeze EO was issued. On February 3, 2025, the federal agency that issued the PFDR Rule – the Consumer Financial Protection Bureau (CFPB) – announced that Treasury Secretary Scott Bessent took over as acting head and ordered the CFPB to halt all activities. Subsequently, Democrats in Congress expressed concern in a February 7th letter to Acting Director Bessent. That same day, Russell Vought, the newly sworn-in Director of the Office of Management and Budget (OMB) and an architect of The Heritage Foundation’s Project 2025, reportedly replaced Secretary Bessent as acting head of the CFPB and echoed Secretary Bessent’s orders to the CFPB staff. In a social media post, Director Vought announced that the CFPB “will not be taking its next draw of unappropriated funding because it is not ‘reasonably necessary’ to carry out its duties. The Bureau’s current balance of $711.6 million is in fact excessive in the current fiscal environment.”

The CFPB website at https://www.consumerfinance.gov/ currently displays a “404: Page Not Found Error” and the CFPB offices were closed to CFPB staff and taken over by the Department of Government Efficiency (headed by Elon Musk) as of February 9, 2025.

The Congressional Review Act (CRA) (codified at 5 U.S.C. §§ 801-808) also is a consideration for these final rules. If a final rule is deemed a “major rule” (5 U.S.C. § 804) by the OMB, the CRA provides for a special congressional procedure to overturn the rule during a so-called look-back period. The OMB deemed each of the Final Negative Option Rule, the DOJ Rules and the PFDR Rule as a major rule.

The Senate Parliamentarian has determined that the CRA’s look-back period began on August 16, 2024, for rules submitted in the second session of the 118th Congress, which ended on January 3, 2025. Republican lawmakers already have indicated that they intend to use the CRA procedure to target as many of the Biden-Harris administration rules as possible.

The Big Shift in Artificial Intelligence Policy

President Biden’s Executive Order 14110 of October 30, 2023, titled “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”, focused on “governing the development and use of AI safely and responsibly,” was rescinded by Trump’s Executive Order 14148 (“Initial Rescissions of Harmful Executive Orders and Actions”) and replaced by Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”) (Trump AI Executive Order) on January 23, 2025.

The Biden administration focused broadly on eight overarching principles for AI development: safety and security; privacy; managing AI bias and civil rights; consumer, patient and student protection; worker support; innovation and competition; international AI leadership; and federal use of AI. (Read more here.) By contrast, the Trump AI Executive Order is centered on deregulation and the promotion of AI innovation as a means of maintaining U.S. global dominance. (Read more here.)

The January Shakeup: The Data Privacy Framework

In line with the changes at the CFPB, other U.S. federal government staffing changes and the controversial Deferred Resignation Program, President Trump fired three of the four members of the Privacy and Civil Liberties Oversight Board (PCLOB), including Chair Sharon Bradford Franklin, who was three years into her six-year term, Professor Edward Felten, and Travis LeBlanc, who served in the Obama administration.

By statute, the PCLOB can have up to five members appointed by the President and confirmed by the Senate. Three members constitute a quorum and only three members of the PCLOB can be members of the same political party. As of January 31, 2025, only one PCLOB member – Beth Williams, who served in the first Trump administration – remains at the PCLOB.

The PCLOB appointee removals are symbolically and practically significant to the future of the EU-U.S. Data Privacy Framework (DPF). The agreement between the European Commission and the U.S. that created the DPF (DPF Agreement) relies on a multi-layer mechanism for non-U.S. individuals to obtain review and redress of their allegations that their personal data collected through U.S. Signals Intelligence was unlawfully handled by the United States. As part of the negotiations for the DPF Agreement, President Biden issued the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086), directing federal agencies to address concerns – including redress mechanisms – relating to bulk digital surveillance by U.S. law enforcement and intelligence agencies. (These concerns underpinned objections from EU regulators to the DPF’s predecessors.) (Learn more about DPF generally here.)

The PCLOB, which was created in 2004 to advise the federal government on civil liberties matters in connection with U.S. anti-terrorism laws, advised on the creation of the DPF’s redress mechanism. Even though the DPF Agreement was not voted into law by Congress and EO 14086 could be overturned by another President, the redress mechanism in the DPF Agreement was pivotal in demonstrating to the European Commission that EU citizens could receive protection for their personal data that is essentially equivalent to EU data protection law.

While the U.S. federal government is amid structural changes initiated by Trump 2.0, businesses looking to prepare for and advance compliance efforts are faced with the difficult decision about whether to continue with compliance efforts under the final rules described above or to stand down until the dust settles in Washington. For example, should a DPF-certified business revisit other cross-border transfer mechanisms now in case the DPF does not survive legal challenges? Meanwhile, state legislatures continue to fill the void. So far this year, many states have already teed up new or amended privacy laws and new AI laws. Since neither a new federal AI law nor a new federal consumer privacy law seems to be top of mind for the Administration, businesses can for now continue with state law and federal sectoral law compliance efforts.

 

Krista Setera and Mary Aldrich contributed to this article.
