FTC Escalates AI Privacy Enforcement

The FTC’s Section 5 enforcement has escalated, with 19 AI privacy actions in 2024 alone—highlighted by Amazon Alexa’s $875M fine. The trend: zero-knowledge architectures (where vendors cannot access unencrypted user data) directly address core regulatory and consumer trust concerns.

The FTC's stepped-up enforcement includes scrutiny of AI training data, purpose limitation, and vendor data practices. Companies must document what personal data was used to train AI models, demonstrate adequate consent for that training, and adhere to disclosed retention periods. AI-generated profiles can't be used beyond their initially stated purpose, and using behavioral AI for employment screening when only marketing was disclosed can be an FTC Act violation.

The agency is particularly focused on health data not covered by HIPAA, such as that collected by consumer apps and wearables. Unauthorized health data sharing has triggered multiple enforcement actions. The FTC also holds organizations responsible for their vendors' data practices, requiring disclosure of vendor data processing in privacy notices.

Zero-knowledge architectures are emerging as a solution because they limit vendors' access to unencrypted user data, directly addressing FTC concerns. Under this approach, vendors can't use user data beyond what's disclosed, which aligns with FTC enforcement priorities. Zero-knowledge proofs (ZKPs) allow verification of AI processes without compromising data confidentiality.

Operation AI Comply, launched in September 2024, highlights the FTC's focus on deceptive AI claims and tools. The FTC is cracking down on AI-powered schemes and ensuring there's no "AI exemption" from existing laws. Companies making AI-related claims must have concrete data to back them up.

In one case, Amazon was fined $25 million for Children's Online Privacy Protection Act (COPPA) violations related to Alexa, and was found to have retained voice recordings beyond stated retention periods and to have used them to train AI models without adequate consent. The FTC also alleged that Amazon turned a blind eye to parents' data deletion requests. Ring, Amazon's home security company, was also accused of compromising customer privacy.

The FTC's enforcement actions extend to AI-driven discrimination, with the agency using its Section 5 unfairness authority to require safeguards against bias in automated tools. Algorithmic disgorgement, where companies must relinquish unlawfully collected data and any derived algorithms, is becoming a standard remedy. The FTC is also studying the impact of AI chatbot companions on children and teens.

Zero-knowledge machine learning (ZKML) is being explored to enable AI models to perform computations without revealing their inputs, outputs, or internal logic. This ensures privacy, verifiability, and decentralization, making it possible to deploy AI in sensitive environments without data leaks. Zero-knowledge architectures are being used in messaging, authentication, and secure data sharing.

While the FTC's enforcement approach may shift, particularly with changes in administration, the focus remains on AI, privacy, and consumer fraud. Companies should expect continued scrutiny of AI products and businesses, especially regarding advertising claims and misuse of AI to perpetuate fraud.
