FTC Cracks Down on Deceptive Practices and Privacy Policy Statements
- Brandi P
- Apr 12
Updated: May 14
The Federal Trade Commission (FTC) has intensified efforts to combat deceptive practices in digital privacy. With businesses increasingly using complex algorithms and data collection, clear and truthful privacy policy statements are under scrutiny. This initiative aims to ensure transparency and accountability, impacting companies and consumer trust in the digital age.

FTC Crackdown on AI Privacy Policies
Recently, AI has been taking over the headlines as companies rush to use personal data to train, develop, and optimize sales through artificial intelligence systems. However, many of these practices have raised serious concerns about transparency and consumer protection.
According to the Federal Trade Commission (FTC), organizations are required to clearly notify consumers about how and when their personal data may be collected, used, or developed by AI systems. This guidance is intended to make sure companies do not misuse sensitive information or mislead users about how their data is being handled.
Some states, such as California and Maryland, are also introducing stricter privacy and data regulations aimed at protecting personal and sensitive information from misuse in AI development and deployment.
The failure to properly disclose the use of personal information within AI technologies, or to clearly explain how it contributes to AI systems, may be considered an unfair and deceptive practice under FTC rules and could potentially harm consumers.
Applying NIST AI Transparency Standards to Consumer Practices
NIST AI standards focus heavily on transparency in creating systems. NIST outlines guidelines to provide model clarity in decision-making, but the same framework, or the way of thinking behind it, can be applied to consumer-facing practices when businesses utilize AI-driven technologies.
According to Lathrop GPM, the FTC settled an enforcement action against DoNotPay Inc., an online subscription service for U.S.-based customers claiming to offer an AI service that was the world’s first “robot lawyer,” helping customers with legal matters such as demand letters and lease liability waivers. However, the AI system was not effectively trained and was found to have engaged in unfair and deceptive practices, resulting in a settlement of $193,000.
In the DoNotPay Inc. case, it becomes clear that building trust is essential for AI. Creating transparent and responsible AI systems helps foster trust within communities, allowing people to more fully embrace AI and its global transformative impact.
Data Sharing Concerns Arise After OkCupid Privacy Policy Breach
OkCupid also violated FTC regulations by sharing personal information, including profile photos, location data, and profile information, with an unrelated third party. However, their privacy statement disclosed they would only share personal information with service providers, business partners, and entities within their own company network, violating their own privacy policy and leaving users in the dark about how their information was being used.

These statements must now address the growing concerns of AI, including the extent to which they collect, maintain, use, disclose, and delete information. This includes what privacy controls are set in place and what the data is actually used for.
In the case of OkCupid, for example, explaining what “delete your data” means is important. Does it mean it is deleted after 30 days? Does it mean it is deleted on certain networks but still used or stored for AI training? Is there potential for third-party AI providers to use this data? All of this needs to be explained accurately to be in alignment with current regulations and the law.
The DoNotPay Inc. case shows how the company was found to have engaged in deceptive practices involving its AI systems, while the OkCupid case shows the need for transparency regarding how user data is shared and used. Both matters demonstrate increasing FTC scrutiny surrounding AI-related consumer practices.
Had these companies aligned themselves more closely with an established framework such as the NIST AI RMF, focused on transparency and risk management, they may have reduced AI compliance risks. Instead, these companies face or may face FTC fines and advertising restrictions related to their AI claims and practices.
The NIST AI RMF protects against these risks, as it focuses on training and acquiring requirements that are clear and documented. This includes being aware of relevant laws and regulations. It also includes evaluating data set availability, the full context of representativeness, and the validity and reliability of the system. Furthermore, it involves mapping potential risks such as the possibility of data gaps and what that means for performance and outcomes. For companies, this helps ensure they protect against these types of outcomes and build more responsible AI systems.
Building a Comprehensive Privacy AI Policy for Startups
In my own work, I’m building a privacy policy for a startup. So far, it has been my experience that it is best to align current state regulations, federal regulations, and any applicable global data privacy standards to the use of AI-powered systems. It is important to clearly state how a company plans to engage in the sharing of personal information by defining what type of service providers may have access to such information. For example, if AI agents are being used to respond to emails through Claude, Manus, or other systems, depending on state law, it must be clear that customer data is not being trained on. Consumers must also be informed and given the option to opt out in order to comply with FTC Section 5.
Even in marketing use cases where companies may skim social media, private messages, or emails to understand customer intent, states like Maryland emphasize that companies should not collect more personal or sensitive data than is reasonably necessary for the disclosed purpose. The use of that information must remain limited to the specific purpose for which it was collected, and it should not be used to train future AI models or outputs without separate consent.
Companies should also clearly state their policies on whether users are allowed to know or retain information about how their data has been used in AI training, even after the original data has been deleted. Users may want transparency on how their information has contributed to training data or model behavior.
Moreover, for third-party contracts and vendor agreements, it should be explicitly stated that AI systems handling personal information should not use that data to train their own systems. Policies should avoid vague wording like “business partners” or “contractors” when possible, and instead clearly define what each party is doing with the data.
If data is being shared with external services such as analytics tools or translation services, it must be explicitly stated whether that data may or may not be used to train AI systems. This level of clarity is necessary to avoid ambiguity and ensure compliance with applicable privacy regulations.


