Last updated: June 3, 2026. This tracker lists the FTC's documented AI enforcement actions. The federal posture shifted in early 2026, see the note below the table.
FTC AI enforcement actions (verified):
| Date | Company | Violation type | Status | Penalty |
|---|---|---|---|---|
| Jan 2026 | Rytr (AI writing) | 2024 order reopened and vacated under new FTC leadership | Order withdrawn | None (reversed) |
| Aug 2025 | Workado | Misrepresented AI content-detection accuracy ("98% accurate") | Final consent order | Injunctive, no monetary penalty |
| Sep 2024 | DoNotPay | False "AI lawyer" claims (Operation AI Comply) | Consent order | $193K |
| Sep 2024 | Ascend Ecom / FBA Machine / Ecommerce Empire Builders | AI-enabled business-opportunity schemes (Operation AI Comply) | Federal court actions | Tens of millions alleged in consumer losses |
| Jul 2024 | NGL Labs | Deceptive AI chatbot messages to minors | Consent order | $5M total ($4.5M FTC redress + $500K LA DA) |
Source: FTC press releases and consent order filings (ftc.gov/legal-library). The widely reported "Operation AI Comply" sweep was announced September 25, 2024.
Direction of travel changed in 2026. In January 2026 the FTC reopened and vacated its 2024 Rytr consent order, which commentators read as a signal of a lighter federal AI-enforcement posture under the new administration. This does not repeal Section 5 of the FTC Act, deceptive AI claims and undisclosed automated decisions remain unlawful, but the cadence of new federal AI consent orders has slowed. State attorneys general (California, New York, Illinois, Texas) are now the more active enforcers. Plan for state-level exposure, not just FTC action.
TL;DR: The FTC's AI enforcement record (Operation AI Comply in 2024, the Workado and DoNotPay orders, NGL Labs) targeted deceptive AI marketing claims, automated decisions without disclosure, and fake AI-generated reviews. In January 2026 the FTC reversed its Rytr order, signaling a lighter federal posture, but Section 5 still applies and state AGs are active. Small teams are not exempt. The five actions that matter most: audit your AI capability claims, document your automated decision logic, review your training data provenance, check your review and testimonial workflows, and update your privacy disclosures.
Updated June 2026: Corrected the case tracker to verified FTC actions only, added the January 2026 Rytr reversal and the shift toward state-AG enforcement, and kept the 72-hour inquiry response protocol and copy-paste CID acknowledgment letter.
The FTC is running three active AI enforcement tracks in 2026. Here is what each targets and what triggers investigation:
| Enforcement track | What triggers it | Example violation |
|---|---|---|
| Section 5 deception | Unsubstantiated AI capability claims in marketing | "Our AI is 99% accurate" with no independent evidence |
| Automated decision disclosure | AI making decisions affecting consumers without disclosure | Chatbot routing, pricing, eligibility screening, no disclosure it's AI |
| AI-generated content | Fake reviews or testimonials written by AI, undisclosed chatbots | AI-generated testimonials attributed to real people |
Five actions that reduce your FTC exposure this month:
- Audit every public AI accuracy or capability claim, remove any you can't substantiate with your own data
- Add AI disclosure language to your privacy policy and any AI-facing customer touchpoint
- Document the logic behind automated decisions affecting customers
- Review your review/testimonial collection workflow for AI-generated content
- Name one person as AI compliance owner who can respond to an FTC inquiry within 72 hours
No lawyer required to start. The FTC's enforcement pattern is public record, the companies getting hit are not guessing about what's prohibited.
This article covers: What the FTC has actually enforced (3 tracks) • The 2026 shift toward a lighter federal touch and active states • The 3 patterns that get small teams in trouble • Step-by-step governance response (no lawyer required) • Copy-paste FTC inquiry acknowledgment letter • 72-hour response protocol for Civil Investigative Demands • Full compliance checklist (9 items) • What the FTC cannot be talked out of
The FTC's AI enforcement record is not a policy announcement. It is real consent orders (Workado, DoNotPay, NGL Labs) and court actions, even though the federal pace slowed after the January 2026 Rytr reversal. Small teams are in scope, the FTC has stated company size does not determine enforcement priority, only the harm caused by the violation, and state AGs are filling the gap.
What the FTC Is Actually Enforcing
The FTC's AI enforcement in 2026 runs on three legal tracks operating simultaneously.
Track 1 targets companies making AI capability claims that cannot be substantiated. If your marketing says your AI is "94% accurate," "removes bias," or "makes instant decisions with no errors," the FTC's position is that you must have independent evidence for those claims before you publish them, not after. The burden of proof is on the company, not the agency.
Track 2 covers automated decisions. The FTC has taken the position that automated systems making decisions that affect consumers, pricing, eligibility screening, content moderation, customer service routing, require disclosure that a system, not a human, made the decision. This extends to AI-assisted decisions where a human reviews an AI recommendation but rarely overrides it.
Track 3 is AI-generated content. This covers fake reviews written by AI and presented as organic customer feedback, AI-generated testimonials attributed to real people who did not write them, and chatbots that deny being AI when directly asked. The FTC's 2024 final rule on fake reviews explicitly covered AI-generated reviews, and 2026 enforcement is applying that rule.
The 2026 Shift: Lighter Federal Touch, More Active States
The direction of FTC AI enforcement changed in early 2026. In January the agency reopened and vacated its 2024 Rytr consent order, a move legal commentators read as a deliberate signal of a lighter federal posture toward AI under the new administration. The pace of new federal AI consent orders has slowed compared with the 2024 Operation AI Comply sweep.
That does not make AI marketing risk-free. Section 5 of the FTC Act still prohibits deceptive and unfair practices, the underlying law has not changed, and a future administration can revive enforcement against conduct that is happening now. The 2024-2025 consent orders remain a public record of what the FTC considers deceptive.
The more immediate risk for small teams in 2026 is state-level. State attorneys general in California, New York, Illinois, and Texas have their own AI and consumer-protection statutes and have been more active than the FTC this year. A company that escapes federal scrutiny can still face a state AG inquiry on the same facts. Plan for that exposure rather than assuming the federal pullback means you are safe.
What Gets Small Teams in Trouble
Three patterns account for most of the enforcement exposure small teams face.
Unsubstantiated AI marketing claims are the most common trigger. The pattern is capability inflation: claiming accuracy, speed, or bias reduction that has never been independently measured. Small teams often copy language from larger AI vendors and apply it to their own wrapper or fine-tune. That does not transfer the underlying substantiation. Your claim about your product requires your evidence.
Undisclosed AI in customer service is the second. Many small SaaS companies have replaced or partially replaced human customer service with AI chatbots without updating their terms of service, privacy policy, or in-product disclosure. If your chatbot can pass a basic Turing test, the FTC's position is that you still must disclose it is AI when the user would reasonably want to know.
AI-generated reviews in marketing materials round out the list. If you used an AI tool to generate draft testimonials, even ones later reviewed by real customers, and those testimonials appear in your marketing without disclosure, you are in the enforcement zone. The FTC's fake review rule does not require malicious intent, it requires accuracy.
The Governance Response for Small Teams
None of what follows requires a compliance team. These are operational steps that take days, not months.
Step 1, Audit every AI capability claim
Pull every page on your website, every piece of marketing collateral, and every sales deck that mentions your AI. For each claim, ask: do I have documented evidence for this specific claim about my specific product? Not evidence from your AI vendor. Evidence from your deployment.
If you cannot answer yes, the claim needs to be revised before it becomes the basis for an inquiry. Common safe rewrites:
- "94% accurate" → "accuracy measured at 94% in our internal testing on [dataset description]"
- "removes bias" → "designed to reduce exposure to [specific bias type]; independently audited results available on request"
- "instant decisions" → "automated decisions with human review available"
Step 2, Document automated decision logic
For any system that affects a customer outcome, pricing, eligibility, tier assignment, content moderation, create a one-page document explaining what inputs the system uses, what the output is, and what human review exists. This does not need to be technically detailed. It needs to exist and be findable if an investigator asks.
The document should also note whether the system uses protected-class proxies. If your pricing model uses zip code or browsing behavior, it may correlate with race or income even if you did not intend it to. Knowing that risk exists is the first step to mitigating it.
Step 3, Update your privacy policy and in-product disclosure
Your privacy policy should answer three questions about your AI: what data does it process, what decisions does it inform or make, and can the user request a human review. If your current policy does not address these, it is out of date for 2026.
The in-product disclosure question is simpler: if a user interacts with an AI and asks whether they are talking to a human or an AI, the answer must be honest. Script that answer explicitly for any AI system that handles customer interactions, and document that the script exists.
Step 4, Review your review and testimonial workflows
Pull every testimonial in your marketing materials. For each one, verify: was this written by a human, does the human still endorse it, and was any AI used in the drafting process? If AI was used in any part of the workflow, check whether that is disclosed.
Going forward, any testimonial collection process should include a written certification from the reviewer that the words are their own. A checkbox on a form is sufficient. It creates a record that substantially reduces enforcement exposure.
Step 5, Designate an AI compliance owner
The FTC's 2026 enforcement pattern shows that companies with a named internal contact for AI compliance questions fare better in investigations than those where responsibility is diffuse. The contact does not need to be a lawyer. They need to know where the documentation lives and be authorized to respond to external inquiries within 72 hours.
For a team of five people, this is a 30-minute-a-week role. For a team of 50, it is a 20% role. In both cases it is cheaper than responding to an investigation without one.
FTC Inquiry Response Template (Copy-Paste)
If you receive an FTC Civil Investigative Demand (CID) or informal inquiry letter, this initial acknowledgment response buys you time to assemble your documentation and consult legal counsel. Customize the bracketed fields.
[Your Name / Company Name]
[Address]
[Date]
Re: [FTC Reference Number or Matter Name]
Dear [FTC Investigator Name or "FTC Staff"],
We acknowledge receipt of your [letter / Civil Investigative Demand] dated [date],
regarding [brief description of subject matter].
We take our legal obligations and consumer protection responsibilities seriously.
We are currently reviewing your inquiry with our legal counsel and will respond
fully within [14 / 21 / 30] days, as the applicable rules permit.
To facilitate a prompt and complete response, we request clarification on the
following:
1. The specific products, services, or practices under review
2. The time period covered by the inquiry
3. The preferred format for document production (native files, PDF, etc.)
Our designated contact for this matter is:
Name: [Name]
Title: [Title]
Email: [Email]
Phone: [Phone]
We are committed to cooperating fully and look forward to resolving this matter
efficiently.
Sincerely,
[Signature]
[Name, Title]
[Company]
Do not send this letter without legal review. If you do not have outside counsel, the FTC's inquiry letter typically names a staff attorney, calling that number to ask procedural questions (response deadline, document format) is appropriate and does not waive any rights.
72-Hour FTC Inquiry Response Protocol
The first 72 hours after receiving an FTC inquiry determine how well-positioned you are for everything that follows. Run through these steps immediately.
Hour 0-4: Preserve and lock
- Forward the inquiry letter to all relevant internal stakeholders (CEO, legal counsel, CTO, compliance owner)
- Issue a litigation hold notice internally: do not delete, modify, or overwrite any data related to the inquiry subject matter
- Screenshot or archive any public-facing materials the inquiry references (website pages, marketing claims, product descriptions)
- Document the exact date and time the inquiry was received
Hour 4-24: Scope the exposure
- Identify every system, dataset, and marketing asset that falls within the inquiry scope
- List the employees who have knowledge of the relevant systems
- Pull any prior correspondence with the FTC or state AGs on related matters
- Identify whether the inquiry involves consumer data that may require breach notification under state law
Hour 24-72: Engage and plan
- Retain outside legal counsel if you do not have it, the FTC inquiry response is not a DIY project
- Draft the acknowledgment letter (template above) for legal review
- Create a document production log: every document you will produce, indexed by the FTC's request categories
- Schedule a weekly status call between legal counsel and your compliance owner for the duration of the inquiry
What to avoid:
- Do not contact the FTC before speaking with legal counsel
- Do not delete, overwrite, or "clean up" any data, this is spoliation and creates additional liability
- Do not make public statements about the inquiry, FTC investigations are often confidential at the outset
- Do not assume an informal inquiry will stay informal, treat every FTC contact as if it could become a CID
Compliance Checklist
- Reviewed every public AI capability claim against documented evidence
- Created a one-page automated decision logic document for each customer-affecting system
- Updated privacy policy to address AI data processing, automated decisions, and human review requests
- Added in-product disclosure for all customer-facing AI interactions
- Verified all testimonials and reviews for AI-generation disclosure compliance
- Designated a named AI compliance owner with documented authority to respond to FTC inquiries
- Confirmed AI compliance owner has access to all relevant documentation
- FTC inquiry response template saved and accessible to compliance owner
- 72-hour response protocol documented and team briefed
FTC AI Enforcement Risk by Sector
Not all industries face equal exposure. The FTC's enforcement pattern in 2025-2026 is concentrated in sectors where AI-driven consumer harm is most measurable.
| Sector | Risk level | Why | Enforcement trigger |
|---|---|---|---|
| AI hiring / HR screening | Critical | Automated adverse employment decisions; EEOC coordination | Any AI rejection without adverse action notice |
| Fintech / lending | Critical | AI credit decisions under FCRA; disparate impact on protected classes | Credit denial without FCRA-compliant adverse action |
| Health-adjacent AI | High | FDA overlap for diagnostic claims; FTC Act deception for accuracy claims | Unsubstantiated "97% accurate" health AI claims |
| SaaS with AI features | High | Undisclosed AI chatbots; AI-generated testimonials | Testimonials written by AI, presented as organic |
| E-commerce / retail | Medium | AI-driven personalized pricing without disclosure; fake AI reviews | Personalized pricing diverging from listed price without notice |
| Internal productivity AI | Low | No direct consumer interaction; limited enforcement exposure | Undisclosed employee monitoring with AI |
| Developer tools / code AI | Low | No consumer-facing AI decisions; FTC focus elsewhere | IP provenance claims (separate track, watch for 2026 action) |
For hiring AI specifically: the FTC and EEOC have a coordination agreement. An EEOC inquiry into AI hiring bias can become an FTC Section 5 investigation for deceptive AI accuracy claims. Small teams using third-party AI hiring tools are responsible for the tool's compliance, not just their own processes.
AI Hiring: Where the Real Legal Exposure Sits
AI hiring tools are the clearest example of overlapping authority, even with the FTC pulling back. The risk does not come from one headline fine, it comes from the stack of laws that already apply:
- FCRA adverse action notice. If a third-party tool scores or screens candidates, that screening can be a "consumer report." Rejected candidates may be entitled to an adverse action notice. This obligation sits on the employer, not just the vendor.
- EEOC / Title VII disparate impact. A 2023 joint statement from the EEOC, CFPB, FTC, and DOJ Civil Rights Division confirmed that existing anti-discrimination law applies to automated systems. Disparate impact from an AI screen is actionable regardless of intent.
- State laws. Illinois regulates AI video interviews (candidate notice required), New York City requires bias audits for automated employment decision tools, and several states are following.
The practical takeaway is unchanged by the federal pullback: if you use a third-party AI hiring tool, you share responsibility for its compliance. Verify the vendor supports a compliant adverse-action workflow, ask for its most recent independent bias audit, and disclose to candidates that automated screening is used. Do not rely on the vendor's "removes bias" marketing as a legal defense, that claim is the employer's to substantiate.
State AG coordination: what enforcement looks like beyond the FTC
The FTC is not the only enforcer, and in 2026 it is no longer the most active one. With the federal posture lighter after the Rytr reversal, state attorneys general have become the primary AI enforcement risk for small teams, they can move faster and on lower-harm thresholds than the FTC.
State-level AI enforcement active in 2026:
| State | Enforcement focus | What triggers it |
|---|---|---|
| California AG | CCPA AI disclosure, fake reviews | AI-generated reviews without disclosure; AI decisions about consumers without notice |
| New York AG | AI hiring discrimination | Automated hiring tools with disparate impact; no bias audit |
| Illinois AG | AI Employment Act violations | AI video interview tools without candidate notice |
| Texas AG | Deceptive AI claims under DTPA | Unsubstantiated AI accuracy claims in marketing |
| Washington AG | Algorithmic fairness | AI decisions in insurance, credit, housing |
The pattern: state AGs focus on the same three tracks as the FTC (deceptive claims, automated decisions, fake reviews) but with state-specific statutes that can apply even when the FTC has not acted.
If you operate in California, New York, or Illinois, your AI compliance obligations extend beyond FTC rules. Illinois AI Employment Act and California AG activity on CCPA AI notices are the most active state-level risk areas for small teams in 2026.
What the FTC Cannot Be Talked Out Of
The FTC has been explicit in its 2026 public statements: good intentions do not offset consumer harm. An AI system that discriminates in pricing, even if the team that built it never intended discrimination, creates liability under the same legal theory as an intentional violation. The enforcement mechanism is the outcome, not the intent.
The practical implication: governance documentation matters not because it changes what your AI does, but because it shows you thought about what your AI does. Teams that can produce a paper trail, capability claim evidence, decision logic documentation, disclosure language, review certification, have substantially more negotiating leverage in an FTC inquiry than teams that cannot.
The FTC's stated preference is to resolve AI cases through consent orders rather than litigation. Consent orders are negotiated. The quality of your governance documentation is what you negotiate with.
Use the AI Compliance Quiz to check which FTC-relevant obligations apply specifically to your team's industry and AI use cases.
References
- FTC Section 5 of the FTC Act: unfair or deceptive acts and practices authority
- FTC Final Rule on Fake Reviews and Testimonials (effective November 2024)
- FTC guidance on AI and automation: "Aiming for Truth, Fairness, and Equity in Your Company's Use of AI" (2021, still operative)
- FTC enforcement case tracker: ftc.gov/legal-library/browse/cases-proceedings
- NIST AI Risk Management Framework: nist.gov/itl/ai-risk-management-framework
- Related: AI Policy Starter Kit for Small Teams
- Related: EU AI Act obligations for US companies
- Related: TypeScript AI Agent Security Playbook, vendor incidents that trigger FTC scrutiny
- Related: Governing Embedded AI in Third-Party Tools, undisclosed capabilities as FTC deception risk
