The FTC’s 20-Year-Consent-Order Policy Is Burdensome and Unfair

When a business under investigation by the Federal Trade Commission settles a consumer protection dispute, it signs a consent order that is entered administratively by the FTC or judicially by a federal court. Administrative orders expire after 20 years, but federal court orders bind companies in perpetuity.

The FTC hasn’t revisited its stance consent order duration since announcing it in 1995. More than 30 years later, it’s time to do so.
Decades-long orders needlessly burden legitimate business operations and hinder innovation.

Other federal agencies issue consent orders that have a far shorter lifespan. According to our review of public statements:

• 86% of Consumer Protection Financial Bureau orders issued from May 2023 to May 2025 will terminate after five years, with some containing carveouts for certain provisions. Five percent of CFPB orders from that period will terminate after seven or 10 years.
• Nearly 66% of Federal Communications Commission orders from May 2023 to May 2025 will expire after three years, and an additional 2.9% expiring after three years allow for a 12-month extension if the business violates the order.
• Roughly 11% of FCC orders expire in two years or less (some allowing for a 12-month extension), and 8.6% expire after four years.
• Department of Justice competition consent decrees generally last from seven to 10 years, while DOJ deferred prosecution agreements typically expire in three years.

The FTC therefore should adopt a new position whereby administrative and federal court orders would both expire after five to 10 years. Administrative and federal court orders generally contain the same types of requirements:

1. Payment of money
2. Core injunctive provisions barring the unfair or deceptive conduct alleged to be unlawful
3. “Fencing-in” relief, which prohibits conduct different from but related to the allegedly unlawful conduct
4. Other affirmative provisions, which have historically included customer notice, recordkeeping, and compliance reporting, but today often include multi-year third-party compliance monitoring or privacy audits.

Compliance requires a substantial operational and financial investment over 20 years or more. In our experience, this often costs businesses tens of millions of dollars and hundreds of labor hours over the course of the order. These compliance costs burden businesses for far longer than is necessary to achieve an order’s purpose.

Even though most businesses come into compliance with the order’s core injunctive provisions before or in the first few years after order execution, they’re still subject to decades of needless regulatory oversight.

From January 2018 to May 2025, the FTC initiated at least 21 actions against individuals or businesses subject to one of its consumer protection orders. Of those actions, 17 were initiated within the first ten years after order entry, and 12 were brought within the first five years.

A 20-year order or an indefinite order term is therefore vastly overbroad and subjects already-compliant businesses to unnecessary and extraordinary compliance costs—money that otherwise would go to competing in the marketplace and creating products that benefit consumers.

FTC orders further can bind businesses to outdated technologies and understandings, hindering innovation. For example:

• A 2002 federal court order against GM Funding, Inc., still in effect today, requires the company to retain, in perpetuity, any documents related to its “business practices or business or personal finances.” The broadness of this order is burdensome and contrary to a regulatory environment that promotes data minimization principles. GM is also prohibited from deleting a swath of consumer personally identifiable information, including sensitive financial information, running afoul of consumer expectations and proper data retention practices.
  
• A 2004 administrative order requires AOL to obtain informed consent from consumers through first-class mail. In a petition to modify the order to allow electronic consent (which was later withdrawn after the FTC revealed it would reject the request), AOL said this requirement poses immense compliance challenges given that most transactions occur digitally. Dozens of businesses are anchored to similarly outdated order requirements.

The FTC also has issued numerous orders relating to artificial intelligence—including orders targeting Rite Aid Corp. and Weight Watchers International, Inc.—some requiring the businesses to delete algorithms derived from data allegedly obtained or retained unlawfully.

These provisions, drafted in the nascency of AI, may not reflect the realities of this technology and could harm the US’s position in the AI arms race. Drafting such provisions before the FTC had a full understanding of a technology’s potential risks incorrect enforcement decisions and unwieldy order requirements.

For these reasons, the FTC should adopt a new stance on the length of its order. Because its current position is set forth in a policy statement, it doesn’t need to engage in a prolonged rulemaking process to do so. A five- to 10-year term for both federal court and administrative orders would provide businesses with a much fairer playing field.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

John E. Villafranco is a partner in the advertising and marketing group of Kelley Drye & Warren and defends businesses in Federal Trade Commission investigations and litigation.

Write for Us: Author Guidelines