For years, the Federal Trade Commission has been the regulatory equivalent of a mall cop on a Segway -- technically present, vaguely threatening, but easy to outrun. Companies collected your data without asking, leaked it through negligence, and paid fines that registered as rounding errors on quarterly earnings.

Something is shifting. It's not a revolution. The FTC isn't about to dismantle the surveillance economy single-handedly. But the agency's new Strategic Plan for FY 2026-2030, published April 3, 2026, signals something that hasn't been true in a long time: privacy enforcement might actually have teeth.

Whether those teeth are sharp enough to matter is still an open question.

## What the Strategic Plan Actually Says

The FTC's five-year roadmap puts privacy and data security at the center of its consumer protection mission. The plan commits the agency to:

- Aggressive enforcement against companies that collect, use, or share consumer data without adequate consent or security
- Stepped-up monitoring of advertising and marketing practices, particularly around targeted advertising and surveillance pricing
- Focus on children's privacy through COPPA enforcement and new rulemaking
- Continued scrutiny of AI-related data practices, including training data collection and algorithmic decision-making
- Coordination with international regulators to address cross-border data flows and global privacy violations

The plan also scraps some older performance metrics in favor of new ones that the FTC says will better track enforcement outcomes. The Electronic Privacy Information Center (EPIC) criticized this change, arguing that removing metrics that tracked "market-wide effects" of the Commission's actions reduces accountability. EPIC has a point -- measuring enforcement by number of cases filed is different from measuring it by actual change in corporate behavior.

Still, the direction is clear. The FTC is positioning itself as an agency that takes privacy seriously, or at least wants to be seen taking it seriously. After years of watching companies treat privacy fines as a cost of doing business, that matters.

## The AT&T Settlement: $177 Million Says Something

Concurrent with the FTC's strategic shift, the privacy enforcement landscape is producing real financial consequences. AT&T reached a combined $177 million settlement over two data breaches that occurred in March and July 2024. The settlement covers call logs, account information, and personal data stolen from millions of customers.

That's not nothing. It's not enough -- AT&T's annual revenue exceeds $120 billion, making $177 million roughly equivalent to what the company earns in about thirteen hours -- but it represents a trajectory. Settlements are getting larger. Courts are approving them. Attorneys are collecting about $59 million in fees, which tells you the legal market sees this as a viable and growing practice area.

AT&T, by the way, was breached again in January 2026. Because apparently the $177 million wasn't enough of an incentive to actually fix the problem.

## The Breach Avalanche Continues

If the FTC needed evidence that its work is far from done, April 2026 delivered a fresh batch of catastrophe:

- **Booking.com** confirmed on April 13 that hackers accessed customer personal data including names, email addresses, phone numbers, and reservation details. The breach was enabled through compromised hotel partner credentials -- another supply chain attack where a third party's failure becomes everyone's problem. The stolen data is detailed enough to weaponize targeted phishing attacks, and there's evidence that it already has been.
- **Anodot**, a business monitoring software maker, was breached in an attack that compromised data from at least a dozen downstream companies. TechCrunch reported that the affected companies are now facing extortion demands. This is the same supply chain pattern as the Vercel breach -- compromise one platform, cascade the damage across its entire customer base. ShinyHunters has been linked to the Anodot attack.
- **Vercel** -- the deployment platform hosting millions of websites -- confirmed a breach originating from a compromised Context AI employee's OAuth tokens. Customer API keys, source code, and deployment data were stolen and listed for sale at $2 million. We covered this in detail separately, but it's part of the same pattern: your security is only as strong as the weakest link in your supply chain.

Each of these incidents represents thousands or millions of people who didn't ask to have their data handled by companies they'd never heard of, connected through partnerships they never approved, protected by security measures they had no way to evaluate.

## Rising Penalties Globally

The U.S. isn't alone in cranking up the pressure. Australia has positioned itself as one of the most aggressive enforcers, with penalties of up to AU$50 million per serious privacy breach. The EU continues to flex GDPR enforcement, with fines regularly hitting nine figures for the biggest violators.

In the cyber insurance market, a quiet but significant shift is underway: non-breach privacy claims are rising. Companies are filing claims not because they were hacked, but because they were caught violating privacy regulations. This means the financial market is starting to price in regulatory risk separately from breach risk. For companies that have treated privacy compliance as optional, the insurance bill is starting to reflect reality.

## What the FTC Plan Gets Wrong

EPIC's critique of the strategic plan is worth taking seriously. The plan eliminates performance metrics that tracked the market-wide impact of the FTC's enforcement actions. Without those metrics, it becomes harder to measure whether the agency's work is actually changing corporate behavior or just generating headlines.

The FTC also lacks rulemaking authority for a full federal privacy law. Congress has failed to pass one despite years of proposals. The FTC operates under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices" -- a powerful but blunt instrument that requires case-by-case enforcement rather than clear, prospective rules.

And then there's the resource problem. The FTC has roughly 1,100 employees to police the data practices of every company in America. That's not a typo. The entire FTC workforce is smaller than the legal department of a single big tech company.

## What You Should Actually Do

Regulatory enforcement is necessary but insufficient. The government will not save you from data collection. Here's what you can do while the FTC slowly builds its enforcement muscle:

- **Freeze your credit with all three bureaus.** This is free, takes minutes, and stops most identity theft before it starts.
- **Minimize your data footprint.** Every company you give your data to is a potential breach. Give less.
- **Use privacy-focused alternatives where they exist.** Encrypted messaging, privacy-respecting browsers, services that don't track you.
- **Audit your connected accounts.** Revoke OAuth grants for apps you don't use. Every connected app is a potential Vercel-style supply chain compromise.
- **Demand legislation.** The FTC is doing what it can with the tools it has. What it needs is a full federal privacy law with real rulemaking authority and real penalties. Call your representatives.

## What You Should Remember

The FTC's 2026-2030 Strategic Plan is a signal, not a solution. The AT&T settlement, the Booking.com breach, the Anodot supply chain attack, and the Vercel compromise all happened in the same month the FTC published its plan. The pace of data disasters is accelerating faster than the pace of regulatory response.

But for the first time in a while, the trajectory of enforcement is heading in the right direction. Fines are getting bigger. Insurance markets are pricing in privacy risk. International coordination is improving. Companies are starting to realize that "we're sorry" and twelve months of free credit monitoring might not be enough anymore.

They didn't ask if you wanted your data collected, stored, shared, leaked, and sold. But at least now, the people who are supposed to hold them accountable are starting to show up to work with sharper tools.

Whether it's enough, and whether it's fast enough, depends on whether the FTC can move from signaling intent to delivering consequences -- at a scale that matches the size of the problem.

---

Related:

- 2026 State Privacy Laws Guide
- Vercel Breach: Supply Chain Attack
- Privacy Guide 2026
- Surveillance Pricing Ban 2026