FTC AI product claims: what Cox Media Group's $930K fine means for your team

On May 21, 2026, Cox Media Group, MindSift LLC, and 1010 Digital Works LLC paid $930,000 to settle FTC charges that they sold an AI-powered advertising service claiming capabilities it did not have. The service was marketed as using a proprietary algorithm to detect real-time conversations from consumers' smart devices and serve geographically targeted ads to nearby users. The tagline on Cox Media Group's website at the time: "It's True. Your Devices Are Listening to You."

None of this was true. The underlying product was resold data broker email lists.

The Cox Media settlement is the latest enforcement action under Operation AI Comply, the FTC's AI enforcement initiative launched in September 2024. Through May 2026, the campaign has resulted in more than a dozen enforcement actions. The pattern across those cases is consistent: companies describe AI capabilities that the underlying system cannot perform, charge customers based on those descriptions, and face Section 5 enforcement when the gap between the description and the reality becomes documented.

This guide covers what the FTC requires, which claim types have driven enforcement, and the eight steps to verify your AI marketing claims are defensible before they appear in public.

What the FTC actually requires for AI claims

The FTC applies its general advertising substantiation standard to AI: before you make a performance or capability claim, you must have "competent and reliable evidence" supporting it. This standard predates AI. It has applied to dietary supplements, financial products, and technical software for decades. It now applies to AI capabilities.

"Competent and reliable evidence" means different things depending on the claim type:

• Performance claims ("our AI increases revenue by 25%"): controlled testing with documented methodology, representative sample size, and results you can reproduce on demand
• Capability claims ("our AI detects fraudulent transactions"): technical validation showing the system performs the function in real conditions, not just a demo environment
• Comparison claims ("our AI outperforms competitors"): head-to-head testing on the same task, with methodology a third party could replicate

"AI-powered" alone is not substantiation. It is a marketing adjective. The FTC treats it as meaningless unless backed by documentation of what the AI actually does and evidence it performs as described.

The practical implication for your team: the substantiation file must exist before you publish the claim, not after you receive a civil investigative demand.

The 4 claim types FTC has already acted on

The FTC's enforcement record from 2024 through May 2026 is not random. The same four claim types appear across nearly every Operation AI Comply action. If your marketing touches any of them, the Cox Media settlement is the most relevant document on your team's reading list.

1. AI accuracy claims without independent validation data

The FTC has settled with companies that published specific accuracy figures, "98% accurate," "detects fraud with 99.2% precision", with no independent testing behind the number. The substantiation standard under Section 5 of the FTC Act requires that performance claims be backed by "competent and reliable evidence" before publication. A figure generated by the vendor's own internal team, tested on a curated dataset, or lifted from a model card without independent replication does not meet this standard.

What the FTC requires: a controlled test with documented methodology, a representative sample drawn from actual customer use conditions, and results that a third party could reproduce. The test must exist before the claim appears in marketing. If your vendor provided the accuracy figure, you need the vendor's testing methodology and underlying data, not just the number. Passing through an unverified vendor statistic is not a defense, the Air AI enforcement action made clear that the company collecting revenue based on unsubstantiated performance figures is the enforcement target, not only the original source.

2. "AI-powered" labels applied to rule-based systems

The FTC treats "AI-powered" as a capability claim, not a marketing style choice. If the underlying system is a deterministic rule engine, a set of if-then conditions coded by analysts, calling it AI-powered is materially false in the FTC's view, because it implies a machine learning model is doing the work when it isn't. This was a recurring pattern in the 2024-2025 enforcement wave: companies applying AI branding to legacy software or purchased data pipelines that had no ML component.

What the FTC requires: if you label something "AI-powered," you must be able to document what model is running, what data it was trained on, and how the model's outputs drive the product behavior. If the answer is "we use rule-based filters with an AI label," the label needs to come down or the marketing needs to accurately describe what the system does. Hybrid systems, a rules layer plus a classifier, are not automatically deceptive, but the marketing must reflect the actual proportion of AI involvement, not imply the entire system is AI-driven.

3. Privacy claims that contradict actual data practices

A company that tells users "your data stays private" or "we never share your information" while simultaneously selling user data to data brokers, licensing it to advertising networks, or sharing it with analytics third parties faces a straightforward Section 5 violation: the representation is materially false. This pattern appeared in multiple Operation AI Comply cases, including the Cox Media matter, where the company's claims about how consumer data was collected and used were directly contradicted by its actual data practices.

What the FTC requires: privacy representations must accurately describe actual data flows. Before publishing a privacy claim about AI data handling, "your conversations are not used to train our models," "your data is never shared with third parties," "we do not retain your inputs", verify that the claim is technically accurate for every data pathway in your system, including vendor sub-processors. Standard data processing agreements with cloud vendors often include provisions for diagnostic logging, model improvement, or aggregated analytics that contradict blanket "your data stays private" claims.

4. Implied AI capabilities through misleading demos

The FTC has flagged cases where before/after product demonstrations, case studies, or testimonials implied that an AI system produced results that were actually produced partly or entirely by human editors, curated inputs, or staged conditions. An ad claiming "our AI wrote this entire marketing campaign in 3 minutes" that relied on a human copywriter cleaning up the AI output is an implied capability claim that overstates what the AI actually does.

What the FTC requires: demos and case studies must reflect what the AI system does in real customer conditions, not best-case outputs selected for marketing. If human review or editing is part of the standard workflow, the marketing should reflect that. If your demo video was produced in a controlled environment that does not represent how most customers experience the product, the gap between the demo and the customer experience is a substantiation problem.

The documents to have on file

Three FTC documents should be referenced in every AI marketing claim review your team does:

• The FTC's 2023 AI Report ("Generative AI: Business Approaches and Risks"), which established the agency's conceptual framework for evaluating AI claims under existing consumer protection authority
• Chair Lina Khan's 2024 "AI Snake Oil" remarks and the associated FTC staff guidance, which made explicit that the agency would apply existing Section 5 authority to AI claims without waiting for new AI-specific legislation
• Section 5 of the FTC Act itself (15 U.S.C. § 45), which is the authority under which every Operation AI Comply settlement was reached

The 2024 staff guidance is particularly useful because it outlines the specific factors the FTC weighs when assessing whether an AI claim is deceptive: whether the claim is verifiable by consumers, whether it influences purchasing decisions, and whether competent evidence existed at the time the claim was published. Any internal review process for AI marketing claims should run through those three factors explicitly.

The Cox Media Group case: what failed

Cox Media Group's "Active Listening" service was marketed as using a proprietary algorithm that could detect conversations via smart device microphones and serve targeted ads to nearby users in real time. Advertisers paid for this capability, which CMG described in promotional materials in technical detail.

The FTC's investigation found:

• CMG did not collect voice data or listen to conversations through microphones at all
• The "AI listening" capability was a marketing label applied to purchased data broker email lists
• CMG told customers that consumers had opted into the Active Listening service by accepting standard app terms of service -- the FTC found this false: ToS acceptance for one service does not constitute consent for undisclosed AI-powered audio surveillance

CMG paid $880,000. MindSift and 1010 Digital Works each paid $25,000. The consent order bars all three companies from making future misrepresentations about AI capabilities, voice data collection, and geographic targeting.

The lesson isn't about product quality. It's about the gap between stated capability and actual mechanism. That's what the FTC investigates, not whether the underlying business model makes sense.

If your product description refers to AI functionality that is actually handled by a simpler mechanism (rule-based filtering, purchased data, manual review with an AI label), the description and the mechanism are what the agency investigates.

The four AI claim categories that have driven enforcement

Based on Operation AI Comply enforcement through May 2026, four categories of AI claims have consistently triggered enforcement:

Category 1: Capability claims that exceed what the system does

The defining case is Cox Media Group. The system was sold as performing a function it could not perform. This category also includes overclaiming the AI component when the AI handles a minor portion of the output and the marketing implies AI handles all of it, or when "AI-powered" is applied to rule-based or human-assisted processes that do not involve machine learning.

Category 2: Performance claims without documented test results

Air AI (March 2026) was marketed as an AI system that could replace human sales representatives, holding conversations indistinguishable from a human, with specific revenue outcomes customers could expect. The FTC alleged the system could not perform as described and that roughly $19 million was collected based on unsubstantiated earnings claims. The case established that specific revenue projections tied to AI capability are subject to the same substantiation standard as the capability claim itself.

Category 3: AI professional service claims

AccessiBe settled for $1 million (January 2025) after marketing its AI tool as able to make any website compliant with WCAG accessibility standards within 48 hours. Disabled users and independent accessibility auditors documented reproducible failures across site categories. DoNotPay settled for $193,000 (January 2025) after marketing itself as the "world's first robot lawyer" without testing legal outputs against legal accuracy standards or having licensed attorneys verify the system's work. For AI sold into professional contexts (legal, medical, financial, HR), the substantiation bar is higher because the consequences of failure are more severe.

Category 4: Consent misrepresentation

The Cox Media case produced the FTC's clearest statement on consent for AI data collection: ToS acceptance does not constitute opt-in consent for AI capabilities the user did not specifically agree to. This applies to any AI feature that collects or processes data beyond what a user would reasonably expect based on the service they signed up for.

Consent: what actually constitutes opt-in under FTC scrutiny

The FTC's position based on the Cox Media consent order:

ToS acceptance is not consent. Checking "I agree" to mandatory terms does not constitute affirmative consent for AI capabilities the user did not specifically and knowingly agree to.

Pre-checked boxes are not consent. If a box is checked by default and the user does not actively uncheck it, the FTC does not treat this as affirmative opt-in.

Bundled consent is not consent. Folding consent for an AI feature into general privacy policy acceptance does not satisfy the requirement for specific, informed consent for a specific AI capability.

In practice, the consent mechanism must make clear, in plain language at the point of consent, what data the AI collects and how it uses that data. A link to a privacy policy addendum accessible through a footer doesn't satisfy this standard if the user is never surfaced a specific choice about the AI data collection at the moment the AI feature activates.

This applies to:

• AI features that analyze user behavior to personalize ads or content
• AI systems that process employee activity
• AI tools that analyze customer communications for training or reporting
• AI features added to existing products after the original consent was obtained

If your product has added AI functionality since users first consented to the service, review whether the new AI data collection is covered by the original consent or requires a new consent event.

The DoNotPay and AccessiBe pattern

Two earlier Operation AI Comply cases establish the enforcement profile for companies marketing AI for professional purposes:

DoNotPay ($193,000, January 2025): The company marketed itself as the "world's first robot lawyer," offering to handle legal documents and filings. The FTC found the company had not tested legal outputs against actual legal standards and had not engaged licensed attorneys to verify the system's accuracy before making legal competence claims to consumers.

AccessiBe ($1 million, January 2025): Claimed 48-hour WCAG compliance through AI. Independent audits documented specific, reproducible failures across multiple website categories. The FTC found the performance claims were materially false based on the documented failure rate.

The pattern in both cases: a specific, measurable performance claim ("makes your website accessible," "handles your legal needs") that the AI system cannot actually deliver to the standard implied by the claim. For teams selling AI in professional services contexts, where users make purchasing decisions based on regulatory compliance outcomes, the substantiation standard requires evidence from the actual regulatory or professional context, not from internal testing in controlled conditions.

For the record of enforcement actions through 2026, see the FTC AI enforcement tracker.

The 8-step AI marketing claims compliance checklist

Run this before publishing any AI capability claim, including product page updates, investor decks, sales materials, feature announcements, and partner co-marketing.

Step 1: Identify every AI capability claim in your current public materials

Include your website, product documentation, sales decks, customer-facing emails, and partner marketing. Search for: "AI-powered," "AI-driven," "intelligent," "automated," "detects," "predicts," "learns," "understands," "personalized by AI," and any specific performance claims tied to AI. Build a list.

Step 2: For each claim, document what the AI actually does

One paragraph per claim: what data goes in, what model or system processes it, what output comes out. If the answer is "our vendor handles it," that does not end your obligation -- it starts a vendor documentation request (see Step 5 below).

Step 3: Identify any gap between the claim language and the documented reality

If the marketing says "real-time AI analysis" and the system runs batch jobs every four hours, that is a gap. If the marketing says "AI-powered matching" and the matching is rule-based with an AI classifier as one component, document the actual proportion the AI contributes to the output. The FTC doesn't require AI to be the only component in a pipeline, but it can't be labeled as the primary mechanism when it isn't.

Step 4: Verify performance claims against your actual test data

For any quantitative claim ("30% faster," "95% accurate," "reduces costs by half"), pull the test records that support the specific figure. If records don't exist, the claim is unsubstantiated. If records don't support the specific number claimed, revise the claim to what the records support. Test conditions must be representative of customer use, not optimized for favorable results.

Step 5: Request substantiation documentation from your AI vendor

If you are marketing capabilities built on a third-party AI service or foundation model, obtain from the vendor: documentation of what the model actually does, third-party benchmark results if you cite specific accuracy or performance figures, and any limitations or failure modes documented in the vendor's technical materials. The FTC has enforced against companies that passed through vendor capability claims they could not independently verify. Your vendor due diligence checklist should include a substantiation documentation request.

Step 6: Review consent mechanisms for AI data collection

For any AI feature collecting, analyzing, or sharing user data beyond the baseline service expectation, verify the consent is: specific (identifies the AI capability and what data it uses), affirmative (requires a positive user action, not just ToS acceptance), and accessible (users can review and withdraw consent through a clear mechanism). If the consent is embedded in a privacy policy addendum and was not specifically surfaced to users at the point of feature activation, assess whether it survives FTC scrutiny based on the Cox Media standard.

Step 7: Build and maintain a claims substantiation file

Create a document listing each public AI claim, the evidence supporting it, the date the evidence was generated, and who approved the claim for publication. Update it each time you add or revise a claim. This file is what you produce when the FTC sends a civil investigative demand. Its absence signals a systemic compliance failure, not just an oversight on one claim.

Step 8: Add AI claim pre-publication review to your release process

Before any new AI capability claim goes public, require sign-off from someone who has seen the substantiation file entry for that claim. This doesn't require legal review of every marketing email, but it does require someone with authority to stop publication if the claim isn't backed by documented evidence. A simple checklist item in your release or content approval workflow accomplishes this.

What to do this week

The Cox Media settlement is the prompt for a claims audit if you have not done one recently.

Three steps this week:

1. Search your website, product documentation, and sales materials for AI capability claims. Export to a list and assign each to the team member who owns that content.
2. For each claim, note whether a substantiation file entry exists. Flag any claim where the supporting documentation cannot be identified within 30 minutes of searching internal records.
3. Check consent flows for any AI features that collect behavioral data. If the consent is bundled into ToS or disclosed only through a privacy policy link, assess whether it meets the FTC's affirmative, specific consent standard from Cox Media.

The cost of this audit is a few hours. Based on Operation AI Comply enforcement through May 2026, the cost of skipping it has ranged from $25,000 (MindSift LLC) to $19 million (Air AI case allegation), with ongoing compliance monitoring and marketing restrictions in every consent order.

For how to structure your broader AI compliance program, including how to document and review AI vendor claims across your organization, see the AI compliance program maturity model. For legal team guidance on AI governance documentation, see the AI governance guide for legal teams and general counsel.

Sources: FTC consent order, Cox Media Group, MindSift LLC, 1010 Digital Works LLC, May 21, 2026 (FTC.gov). FTC complaint, Air AI matter, March 2026. FTC settlement, Matter of AccessiBe Ltd., January 2025. FTC settlement, Matter of DoNotPay Inc., January 2025. Operation AI Comply enforcement overview (FTC.gov). Section 5 of the FTC Act, 15 U.S.C. § 45.