A PYMNTS Company

FTC’s Five-Year Roadmap Puts Privacy at the Center 

By  |  April 22, 2026

The Federal Trade Commission is telling businesses where it plans to look next. And the agency is pointing straight at how companies handle personal data.

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    The FTC just published its 2026-2030 Strategic Plan. The document lays out the agency’s top goals for the next five years. Privacy and data security sit at the top of the list. That matters for any business that collects information from customers, tracks users online, or builds products aimed at children.

    There is a wrinkle, though. The FTC is supposed to have five commissioners. Right now, it has only two. Both of them voted for the plan. But the final shape of enforcement could shift once new commissioners arrive. Companies still have a clear signal to work with in the meantime.

    A recent analysis from law firm Sheppard Mullin walks through what the plan means for businesses designing privacy programs. The firm notes that the plan spells out three main goals, and the first one is about protecting consumers from unfair or deceptive acts. Under that goal, the FTC names five priority areas. The agency says it will go after deception that causes what it calls “high-dollar harm.” It plans to crack down on unlawful conduct tied to privacy and data security. It wants to hold Big Tech accountable when children get hurt or when the online marketplace gets distorted. It will focus on worker protections. And it will keep pushing back against deceptive practices in ticket sales.

    The firm also points out that the FTC is trying to strike a balance. Per Sheppard Mullin, one objective in the plan is for the agency to take action “without unduly burdening legitimate business activity.” In plain terms, it wants to stop bad actors without creating headaches for companies that are playing by the rules.

    Related: FTC Set to Enforce Sweeping COPPA Updates Expanding Compliance Burdens

    The tools the FTC plans to use are familiar ones. The agency will keep collecting consumer complaints through its online portal at reportfraud.ftc.gov. It will keep working with law enforcement and Better Business Bureaus to spot patterns. And it will keep suing companies it believes are breaking privacy laws, including the Children’s Online Privacy Protection Act and Section 5 of the FTC Act. The agency will measure its own success by tracking how much money it returns to consumers and how many court orders it wins against unfair practices.

    None of this is brand new. The FTC has been active on privacy for years. What the plan does is confirm that the agency is not backing off. If anything, it is sharpening its focus on the areas where consumer harm tends to be biggest and most visible.

    So, what should companies do with this information? Sheppard Mullin suggests treating the FTC plan as an internal planning document. Businesses can use it to stress-test their own privacy and data security programs. The firm recommends that companies run what it calls “premortems.” Before something goes wrong, walk through the ways it could go wrong. Find the weak points that might lead to the kind of high-dollar harm the FTC has flagged. Then fix them.

    The bigger picture for businesses is that the FTC’s enforcement direction is now on paper for everyone to see. Companies that want to avoid being the subject of a case study in 2028 or 2029 have a five-year head start. The agency has told them which doors it plans to knock on. The question is whether businesses will use that time to get their houses in order, or whether they will wait and find out the hard way.