Time is running short before July 2, the deadline for submitting public comments to the Federal Trade Commission, and privacy advocates are gearing up for a fresh clash with X. The former Twitter, now controlled by Elon Musk, is trying to shed the independent audits imposed by the US authority after a serious privacy violation uncovered years ago. But digital rights groups are sounding the alarm: ending the checks now could expose millions of Americans to real risks.

The story goes back to 2022, when the FTC fined Twitter (before it became X) for a coding bug that mixed contact information submitted for two-factor authentication with data used for ad profiling. Phone numbers and email addresses meant to enhance account security were being used for commercial purposes without user consent. The 2022 order forced X to undergo periodic external audits at its own expense and gave the FTC the power to demand documents to verify compliance with privacy laws without needing to file new legal actions each time.

Now Musk’s company argues the order is no longer necessary because it has done enough to change course: new control systems, revised internal policies and, it claims, a different corporate culture. But advocates are unconvinced. In a series of filings to the FTC, groups like the Center for Digital Democracy and the Electronic Privacy Information Center called X’s request “a dangerous gamble” and pointed to a “serious risk to Americans’ privacy.” In their view, the platform has never truly fixed the underlying flaws behind the violation, and a change of ownership does not in itself guarantee greater attention to data protection.

The X case is the latest reminder that handling personal data remains slippery terrain even for large platforms. For those designing artificial intelligence systems today, the lesson is stark: configuration or coding mistakes can turn a security mechanism – like two-factor authentication – into an opening for commercial surveillance. And when Large Language Models enter the picture, the line between legitimate use and abuse is even fuzzier, because user data could end up in training or inference without proper safeguards.

Many are looking at self-hosted solutions, where the organization retains full control over data, as an antidote to the fragility of cloud platforms. But an on-premises deployment of an LLM does not erase the need for rigorous audits: data must be protected, access tracked, and compliance with GDPR or equivalent regulations demonstrated with hard evidence. The FTC has shown that in the United States, tolerance for poor data management is at a historic low, and European businesses know all too well that regulators do not back down when it comes to big names. In this sense, the X affair is a warning for everyone: the data sovereignty gained by bringing infrastructure in-house must be matched by radical transparency in processes; otherwise, the risk of sanctions – and of losing trust – is just around the corner.

The outcome of the FTC hearing could set an important precedent. If the authority accepts X’s request, other companies might feel emboldened to seek early removal of similar measures. If it denies the motion, it will confirm that privacy commitments cannot be affirmed in words alone. Meanwhile, the tech world is watching July 2 as a key date to understand which way the wind is blowing.