FTC AI Enforcement Actions: 2025 Tracker

The FTC spent 2025 actively enforcing against AI vendors and AI-using businesses under its existing Section 5 authority — unfairness and deception — without waiting for AI-specific legislation. That posture has consequences for every mid-market US company using AI. You don't need to wait for a new statute to be on the hook. If your AI claims are false, your use of AI is unfair, or your handling of AI-generated outputs deceives consumers, the FTC has been clear: existing law applies. This is the 2025 enforcement tracker, with the lessons each action carries for the kinds of programs my clients are running.

Operation AI Comply

Operation AI Comply was the FTC's coordinated sweep of AI vendors making unsupported claims. It produced multiple consent orders against companies marketing AI products that either didn't work as advertised, made claims their technology couldn't substantiate, or used AI to facilitate consumer fraud. The pattern across cases: bold marketing claims about AI capability that the underlying technology couldn't deliver. The lesson is straightforward — if your marketing says your AI does X, your AI had better do X, and you should be able to substantiate the claim. The FTC's longstanding endorsement and testimonial guides extend cleanly to AI capability claims, and that's how the agency is enforcing.

DoNotPay

The FTC charged DoNotPay, marketing itself as 'the world's first robot lawyer,' with making unsubstantiated claims about its AI's ability to replace attorneys. The settlement included a payment, prohibition on making the offending claims, and a notification requirement to past customers. The lesson for the mid-market: if your AI product or feature substitutes for a regulated profession (legal, medical, financial advice), you need substantiation that meets the standards of the substituted profession — not the standards of consumer-tech marketing. 'AI lawyer' isn't a marketing flourish; it's a representation that the agency will treat as actionable.

Rytr

Rytr, an AI writing tool, settled with the FTC over its 'testimonial and review writing' feature, which the agency alleged was likely to be used for consumer deception. The settlement prohibited Rytr from offering the feature. The lesson: if you build a tool that has obvious deceptive uses, the FTC may treat the existence of the tool as an unfair practice — separate from any specific instance of misuse. Mid-market companies need to assess not just whether their AI is used legitimately, but whether reasonable foreseeability of misuse creates exposure.

Healthcare-Adjacent AI

The FTC sent warning letters to a number of healthcare-adjacent AI vendors in 2025, focused on claims about AI's diagnostic, therapeutic, or risk-stratification capabilities. The agency's position is consistent: clinical claims require clinical substantiation, and the technology being 'AI' doesn't change the substantiation standard. Mid-market healthcare technology companies should treat this as the operating environment. Our note on Colorado AI Act implications for healthcare covers the state-level overlay on the FTC's federal posture.

Lending and Credit AI

Joint FTC-CFPB activity continued through 2025 on AI in lending, with particular attention to model explainability under ECOA's adverse-action notice requirements. The FTC and CFPB have both stated that 'the model is too complex to explain' is not a defense; lenders using AI must be able to provide specific adverse-action reasons. Mid-market lenders, fintechs, and embedded-finance providers should treat explainability as a hard requirement, not a nice-to-have.

What the FTC Is Signaling

Across all of 2025, three signals come through clearly. First, existing law applies — the FTC is not waiting for an AI Act and is enforcing under Section 5 today. Second, substantiation matters — claims about AI capability are treated the same as any other product claim. Third, foreseeable misuse can itself be unfair — if your product enables deception in any reasonably foreseeable way, the agency may treat that as a violation regardless of intent. None of this is surprising if you've read the FTC's business blog on AI from 2023 onward, but a surprising number of mid-market companies haven't.

What to Change in Your Program

**Audit your AI marketing claims.** Every claim about what your AI does should map to a substantiated capability. Run the audit at the same cadence as your product marketing review.

**Document your substantiation.** When the claim is made, the substantiation file should already exist. Test methodology, results, dated, signed. This is the file you'll wish you had if an inquiry arrives.

**Map foreseeable misuse.** For every AI feature, document the reasonably foreseeable misuse cases and the mitigations. This is part of your AI governance program and should be reviewed at the same time as product changes.

**Build explainability where decisions affect people.** Adverse-action notices, denial reasons, eligibility decisions — all need to be explainable in human-readable terms. If your model can't produce that, the model isn't ready for that use case.

**Treat the consent decree as a roadmap.** When the FTC settles with a competitor, read the consent decree. It's free guidance on what the agency considers an acceptable program. Cherry-pick the controls that apply to your business.

How This Connects to Your Governance Program

FTC enforcement risk is one of several risks an AI governance program needs to address — alongside state AI laws, sector-specific regulation, contractual obligations, and reputational risk. Treating any of them in isolation produces patchwork. Our broader AI Governance & Compliance program builds them into a single operating model. The advantage of starting with FTC posture is that it forces clarity on substantiation and foreseeability — two muscles that are useful regardless of which regulator shows up first.