With Donald Trump now in office as the 47th U.S. president, significant shifts in consumer data privacy and AI regulation are expected.
Jessica B. Lee, Chief Privacy & Security Partner at Loeb & Loeb, explores what businesses should anticipate from the FTC under Andrew Ferguson, the likelihood of a federal privacy law, and how AI regulation may evolve at the state and federal levels.
Donald Trump has been sworn in as the 47th President of the United States. Like all presidents, he brings a distinct set of priorities that will shape how industries operate in the coming years.
Among the issues likely to see significant changes under his administration are consumer data privacy protections and the regulation of AI, both of which are critical to the digital advertising and ad tech industry.
To understand how these priorities might evolve and their potential impact, we spoke with Jessica B. Lee, Chief Privacy & Security Partner and Chair of the Privacy, Security & Data Innovations practice at Loeb & Loeb, LLC. Lee shared her insights on what the new administration’s policies could mean for data privacy and AI, and how businesses should prepare for the changes ahead.
FTC Under Ferguson: Less Activism, More Traditional Enforcement
AdMonsters: What changes can we expect from the FTC under Andrew Ferguson’s leadership regarding consumer data privacy?
Jessica B. Lee: Based on his concurring and dissenting opinions in last year’s FTC decisions and his statements leading up to his appointment, we can get a sense of Ferguson’s priorities. While Lina Khan’s administration could be characterized as “activist,” I expect Ferguson to be active, but not “activist.”
What I mean by that is that the Ferguson administration won’t bring an end to privacy enforcement, but the actions that are brought will stay within the traditional bounds of the FTC Act. Ferguson has emphasized that the FTC under Khan was stepping in to fill a space where regulation doesn’t currently exist, but he doesn’t think the FTC should take on this role. Ferguson is not looking for the FTC to become the federal privacy regulator. As a result, regulation and enforcement will primarily focus on addressing deceptive practices.
Lina Khan’s administration focused heavily on advertising and what it referred to as “commercial surveillance.” Reading the tea leaves, Ferguson doesn’t seem to have the same innate concerns about targeted advertising and advertising in general as Khan. While this doesn’t mean there will be no enforcement in this area, I don’t think it will remain such a heavy spotlight.
Focus Areas: Data Brokers, Sensitive Information, and Location Data
AdMonsters: What specific areas of privacy enforcement will the FTC prioritize?
JBL: On the privacy front, Ferguson has shown interest in areas such as the misuse of data by data brokers and the collection use of sensitive personal information, but with a different approach than the previous administration. For instance, under Khan, proximity to a protest was considered a potentially sensitive location in some enforcement actions at the end of last year. Ferguson isn’t likely to use that specific lens. However, he seems aligned with the position that using precise location information without getting consent would be considered a violation of the FTC Act.
Ferguson has also expressed a commitment to end the—quote—Big Tech’s vendetta against competition and free speech—end quote. Combating the perceived censorship by major technology companies is a Trump Administration agenda item.
A Federal Privacy Law? Business-Friendly, But Not Guaranteed
AdMonsters: Is there likely to be a federal privacy law, and if yes, what will it look like?
JBL: Ferguson has expressed support for a federal privacy bill. I expect that there will be a push for a federal privacy bill within the first two years of the administration. With Republican control of both houses, I expect a relatively business-friendly bill that would be similar in style to the laws in effect in Texas and some of the other states that have taken the consensus approach to comprehensive privacy laws.
I expect that there will be a push for a federal privacy bill within the first two years of the administration.
A consensus-style law would include many features we see in other state privacy laws, such as standard rights for consumers to access, correct, and delete their data, as well as opt-out rights for targeted advertising and protections against discrimination. It also requires providing consumers with clear privacy notices.
These laws don’t include some of the more stringent requirements found in other state laws. For example, Maryland has a strict data minimization requirement, and Oregon requires listing third parties with whom data is shared.
Whether this effort will actually move forward is uncertain. We’ve seen states stepping into the void created by the lack of federal regulation. Without a federal law, states have taken the lead, and it’s unclear whether Congress will be able to pass something that preempts those state laws.
Post-Cookie Tracking: Legal Gray Areas and Compliance Challenges
AdMonsters: Do you see fingerprinting or IP-based tracking becoming an issue, particularly as third-party cookies are phased out?
JBL: Yes and no. I don’t think that IP-based tracking or fingerprinting is new. As third-party cookies are phased out, companies will look for new methods or sources for replacing those lost signals. Whether it is an issue will depend on whether the use of these and other post-cookie solutions comply with the current set of legal obligations.
These activities aren’t prohibited outright, but companies are required to provide transparency and give consumers the right to opt-out.
Opt-Out Mechanisms: The Real Test for Privacy Compliance
AdMonsters: So the issue is more about whether IP-based tracking is allowed or whether the opt-out mechanisms are working?
JBL: I think there are two things to consider here. First, in the U.S., you can generally use IP addresses for targeting, except in certain cases when that address is tied to sensitive categories of information or precise location data. The question is whether you get consent when required, and offer an opt-out in the states that require it.
The second issue is whether the opt-out is actually working. That’s something some companies are still working through—how to ensure that the opt-out is applied across what can be a complex set of data flows continues to be a work in progress.
DOGE’s Role: More Deregulation, Less Privacy Impact
AdMonsters: Will the new Department of Government Efficiency (DOGE) affect privacy regulations?
JBL: Not necessarily, My understanding is that DOGE will focus on eliminating bureaucracy. I think that will have more of an impact on AI, rather than on privacy.
Because there is no federal privacy bill or a federal privacy office, there is nothing for DOGE to eliminate. I guess we can see DOGE recommending the reduction of FTC’s power or staff, but I haven’t heard that mentioned as an area of focus.
Additionally, the FTC now has a Republican leader who is going to execute on their vision, which means there’s a motivation to keep the FTC in place and simply shift its priorities.
States Take the Lead: A Patchwork of Privacy Laws Emerges
AdMonsters: You mentioned that the states will continue to fill the federal privacy void. What trends are we seeing at the state level for privacy regulations?
JBL: Looking at where the administration is going—and understanding that the FTC will likely be less active in some areas—I expect that we’ll see a very active state regulatory landscape.
We’ve historically focused on California, which passed the first and most prescriptive privacy law and has been the most active state in terms of enforcement and activity. However, we’re now starting to see states like Texas, Colorado, and others ramp up their enforcement activity.
Even in states without comprehensive privacy laws, we see state attorneys general enforce privacy issues based on their own “little FTC acts”—i.e. unfair and deceptive acts and practices they have on the books at the state level.
Your readers need to know that while there’s an expectation of decreased regulation at the federal level, the states will step in. That could potentially lead to even more chaos than having a very active FTC.
AI Regulation: The U.S. Takes a Hands-Off Approach
AdMonsters: Switching gears, will the U.S. adopt an AI regulation similar to the EU’s AI Act?
JBL: If I had to predict, I would say there will absolutely not be an EU AI Act equivalent in the United States, at least in the near future. We might get there eventually, but the typical approach in the US is to let innovation move forward and then step in to correct harms as they arise. That’s how we’ve ended up with the patchwork of regulations we see at the privacy level, and I suspect we’ll see the same with AI.
If I had to predict, I would say there will absolutely not be an EU AI Act equivalent in the United States, at least in the near future.
With AI, even more than privacy, I think there’s going to be a shift toward deregulation and a focus on innovation. We’ve heard this from Trump, from members of his team, and from Andrew Ferguson at the FTC. There’s a concern that over-regulating AI could cause the U.S. to lose its competitive advantage.
We might see legislation that supports the use of AI to drive innovation, but I don’t expect heavy regulation on the commercial sector because of this desire to let AI move forward.
AI Regulation at the State Level: A Growing Patchwork
AdMonsters: So similarly to privacy, will we see regulation of AI at the state level?
JBL: Absolutely. Last year, we saw several AI-related bills introduced at the state level, and now that we’re at the start of a new legislative year, I expect many of the bills that didn’t pass last year to be refiled, either in their original form or with revisions. I definitely anticipate seeing new AI bills proposed and passed this year, though we’ll have to see what those ultimately look like.
Some of these bills take a broader, EU AI Act-style approach, focusing on principles and flagging high-risk AI applications. They might include requirements for AI assessments. On the other hand, we’ve also seen narrowly tailored laws, such as those addressing the use of AI in employment or focusing specifically on facial recognition.
We’re heading toward a potential patchwork of AI regulation. It’s not just at the state level—cities are also passing their own AI laws. For example, New York City has a law governing the use of AI in hiring processes. That’s not a New York state law, but a city-level law. So, we’re going to start seeing micro-regulations being introduced, which might create an even more challenging patchwork to navigate than what we’ve seen with privacy laws.
Fairness vs. Security: How AI Regulation is Taking Shape
AdMonsters: There are many guidance or directives from various federal agencies regarding the use of AI, such as the FTC’s rule against using AI to discriminate in offers. Would you say state regulations focus more on fairness, while federal regulations are centered on security?
JBL: I think that’s likely. But to be clear, I don’t know that we’ll necessarily see a federal AI regulation. The only context where I think that might happen is if the administration looks around, sees several state laws being passed, and decides to preempt them to give companies more freedom to innovate. That’s one potential avenue for federal AI regulation, but I don’t expect big, sweeping AI regulation to emerge.
What we’re more likely to see is what you referenced—federal agencies issuing guidance specific to their areas of responsibility. For instance, the FDA could issue additional guidance, and the DOJ will be focused on national security. However, I don’t think we’ll see an actual comprehensive AI bill anytime soon. There are just so many competing interests around what should be included or addressed in AI regulation.
AI in Advertising: Will States Classify It as High-Risk?
AdMonsters: How might potential state-level AI regulations affect the advertising industry, if at all?
JBL: We’ll need to monitor the state level and see how they are treating advertising in the context of their AI regulation. For example, California, right now, has a rule-making package that addresses automated decision-making. Although it’s framed as automated decision-making in the context of their privacy law, it’s really being read as a broad AI regulation because automated decision-making is defined so broadly.
I mentioned earlier that some states are focused on regulating what they would describe as high-risk activities involving AI. The question is, where does advertising fall? Right now, in the current draft of California’s regulations, targeted advertising and behavioral advertising are defined as high-risk activities. That would require a risk assessment and have some other requirements attached to it.
We’ll have to see if other states also view targeted advertising as a high-risk activity. Even if targeted advertising isn’t specifically called out, I imagine we’ll see things like the use of sensitive information, health information, or precise geolocation information being considered high-risk activities, even if not explicitly in the context of advertising.
Staying Ahead: How Businesses Can Navigate Privacy and AI Changes
AdMonsters: So it sounds like it will be a busy four years for those navigating privacy and AI regulations under this administration. Any final advice for our readers?
JBL: Stay informed and keep monitoring developments, especially at the state level. The landscape is evolving quickly, and understanding where and how new rules apply will be essential.
__
About Jessica Lee
Jessica B. Lee, Chair of Loeb & Loeb LLP’s Privacy, Security & Data Innovations practice, is the trusted advisor behind some of the world’s leading media, technology, and ad tech companies. Known for translating dense legal obligations into practical, actionable strategies, she empowers clients to unlock the full value of their data while honoring consumers’ privacy rights. Jessica’s counsel covers every corner of the digital landscape, guiding organizations as they launch, market, and monetize innovative products and content. Jessica has designed privacy programs for dozens of companies, drafted and negotiated data-driven transactions, supported companies in regulatory investigations, and provided product counsel across both U.S. and international compliance frameworks.
Named a 2023 Top Women in Media & Ad Tech Honoree by AdExchanger and AdMonsters, a Notable Diverse Leader in Law (2022), and a Notable Woman in Law (2019), she is frequently called on to speak about privacy, cybersecurity, and the future of digital innovation. She has also testified before the California Senate Judiciary Committee on the impact of privacy legislation on businesses. Jessica devotes her time to community service and mentorship initiatives outside her practice, serving as the Chair of the Board of Trustees at Weeksville Heritage Center and the Secretary of the Board of Directors for the Laundromat Project