FTC AI Regulations: What Your Business Needs to Do Now

The Federal Trade Commission is not waiting for Congress to pass comprehensive AI legislation before it acts. Using its existing authority under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce, the FTC has made AI one of its highest enforcement priorities. It has brought actions, issued guidance, opened investigations, and made clear that companies deploying AI in ways that harm consumers will face consequences under existing law.

If your business uses AI in customer-facing applications, automated decision-making, marketing, or data processing, you are operating in an environment where the FTC is paying close attention. This post explains what the FTC has done, what it is focused on, and what your business needs to do to manage compliance risk.

The FTC's authority over AI

The FTC does not yet have AI-specific rulemaking authority from Congress, though it has sought it. What it does have is broad authority under Section 5 of the FTC Act to prohibit unfair or deceptive acts or practices affecting commerce. This authority is expansive and has been applied to technology companies for decades.

A practice is deceptive under Section 5 if it involves a material misrepresentation or omission that is likely to mislead a reasonable consumer. A practice is unfair if it causes or is likely to cause substantial consumer injury that is not reasonably avoidable and is not outweighed by countervailing benefits.

Both standards map directly onto common AI deployment practices. AI systems that make claims about their capabilities they cannot support are deceptive. AI systems that make consequential decisions about consumers without adequate transparency or recourse can be unfair. The FTC has been explicit about both applications.

The FTC also enforces several statutes with specific relevance to AI, including the Fair Credit Reporting Act (which applies to AI systems used in credit, employment, and housing decisions), the Children's Online Privacy Protection Act (which applies to AI systems that collect data from children), and the Health Breach Notification Rule (which applies to AI handling health data).

What the FTC has done so far

Operation AI Comply

In September 2024, the FTC launched Operation AI Comply, a coordinated enforcement sweep targeting companies it found were using AI to facilitate deceptive practices. The five actions brought as part of the operation illustrate the range of conduct the FTC is targeting.

One action targeted a company that claimed its AI could help consumers negotiate away debts and bills, a claim the FTC found was materially false. Another targeted a business formation service that used AI chatbots to upsell consumers on unnecessary services through misleading interactions. A third targeted an online business opportunity platform that used AI-generated testimonials and fake earnings claims to lure consumers into paying for programs that did not deliver the promised results.

The pattern across the Operation AI Comply actions is consistent: AI being used to scale deceptive practices that would be illegal if done by a human salesperson or marketer. The FTC's position is that adding AI to an illegal practice does not make it legal. It makes it faster and more harmful.

The Rytr action

The FTC also took action against Rytr, an AI writing tool, for offering a service that generated fake consumer reviews. The FTC's complaint focused on the fact that Rytr's tool was specifically marketed and designed to help users create large volumes of deceptive testimonials. This was the FTC's first action specifically targeting an AI content generation tool for facilitating deceptive review practices, and it signals that the FTC holds AI platforms accountable for foreseeable harmful uses of their products, not just the end users.

Guidance documents and policy statements

Beyond enforcement, the FTC has issued a series of guidance documents that function as advance notice of where it is looking. Its 2023 policy statement on AI and biometrics warned companies against using AI to make false or unsubstantiated claims about products or services. Its guidance on dark patterns, which applies directly to AI-powered interfaces, identifies specific design practices that the FTC considers deceptive, including interfaces that make it harder to cancel subscriptions, hide material terms, or manipulate consumer choices.

The FTC has also been vocal about AI in hiring, warning employers that using AI tools that produce discriminatory outcomes can violate both Section 5 and federal civil rights laws, regardless of whether the discrimination was intentional.

The five areas of highest FTC enforcement risk

1. AI-generated claims about your product or service

If your business uses AI to generate marketing content, product claims, or service representations, those claims are subject to the same truth-in-advertising standards as human-generated content. AI does not create a lower standard of accuracy. If anything, the FTC has signaled it will hold AI-generated claims to the same or higher scrutiny because the speed and scale at which AI can propagate false claims amplifies consumer harm.

Practically: review AI-generated marketing content before publication, ensure that product and service claims are substantiated, and do not rely on AI outputs as a substitute for human review of material representations to consumers.

2. AI-generated reviews and testimonials

The FTC's endorsement guides prohibit fake reviews, and its action against Rytr makes clear that using AI to generate them violates those guides regardless of the tool used. The FTC finalized updated rules on fake reviews in 2024 that explicitly prohibit AI-generated testimonials presented as genuine consumer reviews.

Practically: do not use AI tools to generate customer reviews, ratings, or testimonials for your products or services, even if those reviews are based on real customer data. Ensure that any AI-generated content presented as consumer feedback is clearly disclosed as such.

3. AI in automated decision-making affecting consumers

When AI makes or significantly influences decisions about consumers, including credit decisions, insurance pricing, employment screening, rental applications, and loan approvals, the FTC expects companies to be able to explain those decisions, provide notice to consumers, and offer meaningful recourse. The Fair Credit Reporting Act imposes specific notice and dispute rights when AI-driven decisions adversely affect consumers in covered contexts.

Practically: if your AI system makes adverse decisions affecting consumers, ensure your disclosure and notice practices comply with applicable law. Maintain the ability to explain, audit, and override AI-driven decisions. Do not deploy AI decision systems without human review processes for high-stakes outcomes.

4. AI and data practices

The FTC has consistently emphasized that how companies collect, use, and share consumer data to train or operate AI systems must be consistent with their privacy representations and with reasonable consumer expectations. Using data collected for one purpose to train an AI model for a different purpose raises both deception and unfairness concerns. Sharing consumer data with AI vendors without adequate disclosure raises similar issues.

Practically: review your privacy policy to ensure it accurately describes how consumer data is used in AI systems. Review your AI vendor agreements to understand how your customer data is handled, whether it is used to train the vendor's models, and what rights you retain. Update your privacy disclosures if your AI data practices are not adequately described.

5. AI chatbots and consumer interfaces

The FTC has been particularly focused on AI-powered chatbots and conversational interfaces that manipulate consumers through dark patterns, misrepresent the bot as a human, or use persuasion techniques that exploit consumer psychology. Chatbots that create false urgency, obscure cancellation options, or use emotional manipulation to drive purchases are in the FTC's crosshairs.

Practically: ensure that AI chatbots deployed in consumer-facing contexts are transparent about being automated systems when sincerely asked, do not use manipulative design patterns, and do not make representations the business cannot support. Apply the same consumer protection standards to chatbot interactions that you would apply to human sales conversations.

The intersection with other regulators

The FTC does not operate alone. Other regulators are applying their own frameworks to AI, and in many cases their requirements overlap with or extend beyond the FTC's.

The EEOC has issued guidance on AI in employment decisions, warning that employers are responsible for discriminatory outcomes from AI tools even if they purchased the tool from a third party and did not design it themselves.

The CFPB has applied adverse action notice requirements to AI-driven credit decisions and has signaled that explainability is a consumer protection requirement, not just a technical nicety.

State attorneys general in California, New York, Illinois, and Colorado have their own consumer protection authority over AI practices and have been active in coordinating with federal agencies.

For companies operating in the EU, the EU AI Act creates parallel obligations that may be more demanding than current US requirements, particularly for AI systems classified as high-risk.

What your business needs to do now

Audit your AI-facing consumer touchpoints. Identify every place your business uses AI in interactions with consumers, including marketing content generation, chatbots, recommendation engines, pricing systems, and automated decision-making. Evaluate each one against the FTC's deception and unfairness standards.

Review your advertising and marketing AI workflows. Establish a review process for AI-generated content before it reaches consumers. Ensure that claims made in AI-generated content are substantiated. Remove any AI-generated reviews or testimonials that are presented as genuine consumer feedback.

Update your privacy disclosures. If your privacy policy does not accurately describe how consumer data is used in AI systems, update it. Consumers have a right to know how their data is being used, and misrepresenting that use is a deception claim waiting to happen.

Review your AI vendor agreements. Understand what your AI vendors do with your customer data. Negotiate data processing agreements that protect your customers' data and your compliance position. Ensure that vendor terms align with your regulatory obligations.

Build human review into high-stakes AI decisions. For any AI system that makes or significantly influences decisions affecting individual consumers, establish human review processes, maintain audit trails, and ensure that consumers have a meaningful path to contest adverse decisions.

Document your compliance efforts. In FTC investigations and enforcement proceedings, evidence that a company took its compliance obligations seriously, built processes to manage them, and acted promptly to correct problems is relevant to both liability and remedies. Build the paper trail now.

Frequently asked questions

Does the FTC's AI enforcement apply to small businesses?

Yes. The FTC Act applies to businesses of all sizes engaged in commerce. Operation AI Comply included actions against companies that were not large platforms. The FTC has been explicit that AI does not create a safe harbor for deceptive practices, regardless of company size.

What is the difference between FTC enforcement and EU AI Act compliance?

The FTC enforces against unfair and deceptive practices under existing consumer protection law. It does not impose proactive governance requirements in most cases. The EU AI Act imposes affirmative compliance obligations, including risk assessments, technical documentation, human oversight requirements, and conformity assessments, before high-risk AI systems can be deployed. US companies with EU exposure need to address both frameworks.

Can I be liable for how my customers use my AI tool?

Potentially, yes. The FTC's action against Rytr demonstrates that the agency will hold AI platform providers accountable for foreseeable harmful uses of their tools, particularly when those uses are marketed or facilitated by the platform. If your AI product is designed or marketed in ways that enable deceptive practices, the FTC may hold you responsible even if individual users are the ones deploying it deceptively.

What should I do if the FTC contacts my company about AI practices?

Treat any FTC inquiry as a serious legal matter and engage experienced counsel immediately. Do not respond to FTC requests for information without legal advice. Preserve all relevant documents and communications. The FTC's investigation process can move from initial inquiry to formal action quickly, and early legal guidance is essential to protecting your company's position.

How quickly is the regulatory landscape changing?

Very quickly. The FTC issued new guidance and brought new enforcement actions throughout 2024 and 2025. State AI legislation is advancing in multiple jurisdictions. Congressional action on comprehensive AI legislation remains possible. Companies should review their AI compliance posture at least annually and monitor regulatory developments on an ongoing basis.

The FTC's message to businesses using AI is clear: existing consumer protection law applies fully to AI-enabled practices, enforcement is active, and the scale at which AI can cause consumer harm makes the agency more focused on this area, not less.

The companies best positioned to navigate this environment are the ones that treat AI compliance as an ongoing legal function rather than a one-time policy document. If you want to assess your company's AI regulatory exposure or build a compliance framework that addresses FTC requirements, contact Ana Law to schedule a strategy session.