On August 21, 2025, Federal Trade Commission Chairman Andrew N. Ferguson announced he had issued letters to top technology firms, warning that their legal duties to protect American consumers’ privacy and data security remain, even if foreign governments push for increased censorship or weaker encryption. Ferguson's letter serves to heighten the regulatory friction between U.S. and foreign law, identifying the EU’s Digital Services Act, the UK’s Online Safety Act, and the UK Investigatory Powers Act as examples of foreign regimes seeking more content control and easier law enforcement access to private data.  

Ferguson alleges in his letters that if a company deemphasizes data security controls, such as encryption, or censors Americans at the behest of a foreign government—even if only to streamline global compliance—it risks violating the FTC's prohibition on unfair or deceptive acts or practices.

Ferguson touts precedential FTC enforcement actions (Zoom, Henry Schein, Ring, Chegg, and BJ's Wholesale Club), but they do not map cleanly onto scenarios where security is weakened by explicit state mandate, rather than for profit or convenience. Businesses can benefit from learning from these and other FTC cases, but the Commission has rarely confronted cases that require balancing conflicting sovereign legal demands. As a result, businesses may struggle to anticipate enforcement outcomes in these areas. 

This development comes shortly following the U.S. Director of National Intelligence's announcement that the U.S. had persuaded U.K. leaders to drop their demand that Apple give law enforcement access to encrypted user cloud data. Whether the emboldened administration will have similar success in other areas remains to be seen.

The announcement raises more questions than it answers regarding compliance with international and domestic privacy, security, speech, and content moderation rules that often cause real operational complexity. At times, complying with the strictest applicable law can make business sense; at others, it can be important to limit legal or reputational risk by prioritizing certain values. This is rarely the simple calculation the letter implies.

What's an International Business To Do?

• Any action touching content moderation or encryption should involve U.S. and relevant foreign legal review, with a clear record of conflicting requirements and rationale for chosen courses.
• Make accurate, up-to-date representations about data practices, with particular care given to security and content moderation. Record internal decisions and reasoning if you must make “least harm” choices in the face of conflicting demands.
• Where operationally feasible, avoid applying foreign legal requirements to U.S. users that are not required by U.S. law. Geofencing and jurisdictional segmentation are increasingly important yet operationally challenging. Expect legal fragmentation and policy conflict to become a persistent reality for multinational digital services.