FTC’s Active Listening Settlement Turns AI-Washing Into a Privacy Problem

The Federal Trade Commission's proposed "Active Listening" settlements are not just another warning about exaggerated AI claims. They connect three risks that often travel together: AI-washing, adtech targeting claims, and weak consent theories.

The FTC says Cox Media Group and two marketing firms falsely claimed to offer an AI-powered service that could target localized ads based on conversations captured from consumers' smart devices. According to the FTC, the service did not use voice data at all. It allegedly resold data-broker email lists at a markup and did not accurately place ads in customers' desired locations.

That would be a straightforward deception case on its own. But the FTC went further. It also said the companies misled customers by claiming consumers had opted into the alleged listening service. And the agency added a point that should get the attention of every company making privacy-sensitive AI claims: if the service had actually worked as advertised, collecting and using consumers' voice data from inside their homes without adequate consent would itself violate Section 5 of the FTC Act.

In other words, the problem was not only that the AI claim was false. The claimed AI capability was itself a privacy-risk representation.

What The FTC Alleged

The FTC announced proposed settlements with CMG Media Corporation, doing business as Cox Media Group, plus MindSift LLC and 1010 Digital Works LLC. The alleged customers were businesses buying advertising and marketing services, not the consumers whose supposed smart-device conversations were described in the pitch.

The companies allegedly marketed an "Active Listening" advertising service that could listen in on consumer conversations overheard by smart devices, detect relevant conversations in real time, and use that information to target ads to consumers in specific geographic areas.

The FTC says that was not true. According to the agency, the service was not based on voice data, did not listen to consumer conversations, and did not accurately place ads in the customers' desired locations. Instead, the service allegedly consisted of reselling email lists obtained from data brokers.

The agency also says the companies told customers that consumers had opted into the service. But the FTC says the companies did not seek or obtain consumer consent. The agency specifically rejected the idea that consumers "opted in" by clicking through mandatory app terms of service.

That consent point is the heart of the case for AI governance teams. Many AI products rely on layered data flows, third-party data, contractual assurances, or generalized platform terms. The FTC's framing says those shortcuts may not support privacy-sensitive claims, especially where the asserted capability involves intimate in-home voice data.

The Settlement Terms

The proposed orders require a total of $930,000 in payments: $880,000 from CMG and $25,000 each from MindSift and 1010 Digital Works. The money is intended to provide redress to CMG customers affected by the alleged practices.

The proposed orders would also prohibit each defendant from making misrepresentations about:

  • the qualities or features of advertising or marketing services;
  • the collection and use of voice data, including whether consumers consented to collection, use, or disclosure; and
  • the geographic targeting capabilities of advertising or marketing services.

The FTC issued the proposed administrative complaints and accepted the consent agreements by a 2-0 vote. The agreements remain subject to a 30-day public-comment period after publication in the Federal Register. If the orders become final, each violation may lead to a civil penalty of up to $53,088.

As usual, the settlements resolve allegations. They are not admissions of liability or litigated findings.

Why The Money Is Procedurally Important

The $930,000 payment should not be read as the FTC simply using Section 13(b) to disgorge money from the companies.

That route is no longer available after the Supreme Court's 2021 decision in AMG Capital Management, LLC v. FTC. In AMG, the Court held that Section 13(b) of the FTC Act authorizes the FTC to seek prospective injunctive relief, but does not authorize courts to award equitable monetary relief such as restitution or disgorgement for past conduct.

That matters here because the FTC is resolving the Active Listening allegations through proposed administrative consent orders, not by relying on Section 13(b) alone to obtain monetary relief in federal court.

If the parties agree, the FTC can include monetary terms in a settlement package. If they do not agree and the FTC wants monetary relief for an ordinary unfair or deceptive act or practice, the post-AMG route is more cumbersome. The FTC generally must proceed administratively under Section 5, obtain a final cease-and-desist order, and then seek consumer redress under Section 19 if the statutory standard is met, including that a reasonable person would have known under the circumstances that the conduct was dishonest or fraudulent.

Civil penalties are different again. A first-time Section 5 deception allegation does not automatically produce civil penalties simply because the FTC believes the conduct was deceptive. Penalties typically require an independent penalty hook, such as violation of a final FTC order, violation of certain rules, or another statutory basis. That is why the FTC's release says that if these proposed orders become final, future violations of the orders may carry civil penalties of up to $53,088 per violation.

So the practical sequence is:

  • settlement now, if the parties agree to money and conduct restrictions;
  • prospective injunctive relief under Section 13(b), but not standalone disgorgement or restitution after AMG;
  • administrative Section 5 proceedings followed by Section 19 redress for qualifying deceptive or unfair practices if there is no settlement; and
  • civil penalties later if a final order, rule, or other penalty-triggering authority is violated.

What About AT&T?

There are two AT&T references that can get confused.

The Supreme Court's FCC v. AT&T Inc. decision does not do much work here. That case addressed whether corporations have "personal privacy" interests under FOIA Exemption 7(C). It is not an FTC Act remedies case and does not change the AMG limit on Section 13(b), the Section 5 administrative route, or the Section 19 redress path.

The more relevant AT&T case for FTC authority is FTC v. AT&T Mobility LLC, the Ninth Circuit's 2018 en banc decision about the FTC Act's common-carrier exemption. The Ninth Circuit held that the exemption is activity-based, not status-based: a company is outside FTC Section 5 authority only to the extent it is engaged in common-carrier activity.

That issue is not central to the Active Listening settlements because CMG, MindSift, and 1010 Digital Works are being treated as marketing and advertising-service defendants, not common carriers. But the case would matter if a telecom, broadband, or smart-device company raised a common-carrier defense to an FTC challenge involving AI-powered targeting, voice data, or marketing claims. In that setting, the question would be whether the challenged conduct is common-carrier activity or a non-common-carrier advertising, data, or marketing practice.

Why This Is More Than an AI-Washing Case

AI-washing cases usually focus on whether a product actually uses AI, whether the claimed performance is substantiated, or whether the term "AI-powered" is being used as a sales shortcut.

This case adds a different lesson: the advertised AI function may create its own legal problem.

If a company claims it can listen to private conversations through smart devices, the claim is not just a product-capability statement. It is a statement about data collection, surveillance, consent, security, and consumer expectations inside the home.

The FTC's line is unusually direct. It says mandatory app terms do not equal opt-in consent for an invasive service or for the use of consumers' voice data from inside their homes.

That matters even for companies that are not doing audio targeting. The same logic can apply to AI claims involving:

  • biometric inference;
  • location-based targeting;
  • health or mental-health signals;
  • children's or teens' behavior;
  • financial vulnerability;
  • workplace monitoring;
  • emotion detection;
  • private-message analysis; or
  • household-device data.

When the marketed AI feature depends on sensitive data, the claim must be true, substantiated, and backed by a consent theory that fits the sensitivity of the data.

The "Means and Instrumentalities" Piece

The FTC also charged MindSift and 1010 Digital Works with providing CMG the "means and instrumentalities" to deceive customers through marketing materials, sales pitches, and responses to customer questions.

That is an important vendor and partner lesson. A company does not necessarily avoid risk because another company owns the customer relationship. If it supplies misleading AI claims, sales materials, or talking points that others use with customers, it can become part of the deception theory.

Adtech and AI vendors should treat this as a documentation and channel-control problem. Marketing claims should be reviewed not only on the vendor's website, but also in partner decks, reseller scripts, pitch emails, FAQs, demos, and objection-handling materials.

What Companies Should Do Now

The FTC's case points to several practical controls.

First, inventory AI capability claims. Identify every place the company says an advertising, analytics, targeting, personalization, monitoring, or customer-intelligence product is "AI-powered," "real time," "listening," "detecting," "predicting," or "consent based."

Second, match each claim to evidence. The proof should show not only that the technology can do what the company says, but that the deployed product actually does it in the advertised context.

Third, separate data-source claims from model claims. Saying a system uses AI does not prove what data it uses. Saying a system uses a data source does not prove that consumers consented to that use.

Fourth, review consent language with sensitivity in mind. Broad mandatory terms may not support claims about invasive data collection. If the advertised feature involves voice, biometrics, location, children, health, finances, or household data, the consent record needs to be much stronger.

Fifth, audit partner materials. Vendors and agencies should not assume that downstream sales claims are someone else's problem. Resellers should not repeat vendor claims without understanding what the product actually does and what evidence supports the claim.

Finally, avoid "it would be worse if true" marketing. A privacy-invasive capability can create legal risk even when it is imaginary. If a company would need strong consent, privacy notices, security controls, and compliance review to lawfully operate the feature, it should not casually advertise that capability as a sales hook.

Bottom Line

The FTC's Active Listening settlements show how quickly AI marketing can become a privacy and consumer-protection problem.

The alleged service did not listen to consumers' conversations. But the FTC still treated the claim as serious because customers were told the service used AI to target ads from smart-device conversations and that consumers had opted in.

That is the lesson for AI products generally: do not sell a capability the product does not have, and do not claim sensitive-data consent that the company cannot prove. When the AI story depends on surveillance-like data, the marketing review is also a privacy review.

Sources