Fresh off the UK's retreat from its iCloud surveillance demand, the FTC is telling US big tech that data security isn't up for negotiation.

On August 21, 2025, FTC Chairman Andrew N. Ferguson sent formal letters to over a dozen technology companies. The recipients included major firms like Apple, Microsoft, Meta, Alphabet, and Amazon.

The letters emphasized their responsibility to safeguard the privacy and data security of Americans. They also reminded the companies that this duty remains even when foreign governments request compliance.

The warning lands at a time when Europe and the UK are pushing new regulations that could ripple far beyond their borders. Ferguson made it clear that if companies water down promises to U.S. consumers, the FTC is ready to step in.

Foreign laws vs U.S. protections

The FTC's concern stems from a clash of legal systems. The European Union's Digital Services Act requires platforms to remove illegal content and police misinformation, with fines of up to 6% of global revenue for noncompliance.

The UK's Online Safety Act takes a similar tack, giving regulators broad discretion to demand speech restrictions. More controversially, the UK's Investigatory Powers Act gives authorities the ability to force companies to disable or weaken encryption.

That could mean backdoors into messaging services like iMessage, which millions of Americans rely on daily. The Online Safety Act recently drew headlines when Britain pressed Apple to create a backdoor into iCloud.

Apple resisted, pulling its Advanced Data Protection feature from the UK and fighting the order in court. After months of pressure from U.S. officials, including Director of National Intelligence Tulsi Gabbard, the British government backed down in August 2025.


The reversal eased the immediate standoff, but privacy advocates warned the surveillance powers remain on the books. Ferguson's message to companies was clear — complying with such requests abroad doesn't excuse them from U.S. law.

If a company claims to provide end-to-end encryption but secretly weakens it overseas in ways that affect American users, that deception will trigger FTC enforcement.

The stakes for American consumers

The FTC pointed to clear risks if firms bow to foreign demands. Weaker encryption could expose Americans to surveillance, identity theft, and fraud. Censorship at the request of foreign governments, Ferguson wrote, would erode freedoms at home.

In plain English, the FTC is saying that tech firms can't "cheap out" on American privacy just to keep regulators in London or Brussels happy. If they do, they risk lawsuits at home, even as they try to dodge penalties abroad.

The companies targeted, ranging from cloud providers like Amazon and Akamai to social media giants like Meta, Snap, and X, are caught in a regulatory crossfire. European and UK regulators want more control over content and access, while the FTC insists American users are promised strong security and free expression.

This is hardly the first time global tech has faced conflicting laws. In the '90s, the U.S. banned the export of strong encryption, forcing companies like Netscape to ship watered-down versions of their browsers overseas.

For a period in 1999, Apple's G4 tower faced export restrictions because it was classified as a "weapon" based on the gigaflop of performance it delivered. The company filed to have the export ban lifted and ultimately won before the end of the year.

The FTC's track record

The agency has brought numerous cases against companies that failed to protect consumer data over the past two decades. These enforcement actions include multimillion-dollar settlements with firms that mishandled personal data or lied about encryption practices.

Ferguson's letter signals that the FTC will not accept foreign-driven compliance as an excuse. A company that rolls out a global software update weakening protections for UK regulators would still be on the hook if that update also affected U.S. users.

Tech companies can't play both sides without consequence. The FTC's warning is a reminder that privacy and security remain political battlegrounds. If companies want to keep American trust, they'll have to resist pressure from abroad, even if it costs them fines overseas.