Cox Media Group marketed an AI-powered service called "Active Listening" that claimed to monitor consumers' conversations through their smart devices and target ads based on what it heard. Their sales pitch to small businesses included the line: "Creepy? Sure. Great for marketing? Definitely."
The FTC investigated. What they found was arguably worse than illegal surveillance: the service did not actually listen to anything. It did not use voice data at all. It did not even place ads in the right geographic locations. The entire product was repackaged email lists purchased from data brokers, sold at a significant markup.
On May 21, 2026, the FTC announced a $930,000 settlement. Cox Media Group will pay $880,000. Its two partner firms, MindSift LLC and 1010 Digital Works LLC, will each pay $25,000.
But here is the line from the FTC's complaint that should concern every company operating an AI feature: "If the Active Listening service had functioned as advertised, this collection and use of consumers' voice data without adequate consent would itself violate Section 5 of the FTC Act."
In other words: even if the AI had worked, the consent framework would still have been illegal. That is the part of this story that matters for your company.
What Actually Happened
CMG Media Corporation, doing business as Cox Media Group, is a Georgia-based media and marketing company. Along with two partner firms, MindSift LLC (New Hampshire) and 1010 Digital Works LLC (Wisconsin), CMG marketed a service branded as "Active Listening."
The pitch was specific. CMG told small business customers that Active Listening used a special algorithm to listen in on conversations overheard by smart devices, in real time, to target advertising. The marketing materials promised that "voice data goes beyond search engine data, so every casual conversation between two consumers becomes a tool for you to target, retarget, and retain customers."
The FTC alleged that none of this was true. The service did not listen to conversations. It did not use voice data. It did not place ads in the geographic locations customers requested. Instead, the companies resold email lists obtained from other data brokers at a significant markup.
The FTC also alleged that all three companies told their customers that consumers had "opted in" to the Active Listening service by accepting the terms of service required to download and use apps. The FTC found this was not true. The agency explicitly stated that clicking through mandatory terms of service does not constitute opt-in consent for voice data collection from inside consumers' homes.
Under the proposed settlement orders, CMG will pay $880,000 and MindSift and 1010 Digital Works will each pay $25,000. The funds will be used to provide redress to affected CMG customers. All three companies are now prohibited from misrepresenting the capabilities of their services, their collection and use of voice data, and whether consumers have provided consent.
The Commission voted 2-0 to issue the complaints and accept the consent agreements.
"It is a basic rule of business that you need to be honest with your customers, and these companies failed to do that," said Christopher Mufarrige, Director of the FTC's Bureau of Consumer Protection.
(Source: FTC press release, May 21, 2026. FTC Matter Number 242 3029.)
The Line That Should Concern Every AI Company
The FTC did not fine Cox Media Group solely for lying about a product. It stated explicitly that if the product had functioned as advertised, the data collection itself would still violate Section 5 of the FTC Act because of inadequate consent.
This distinction matters for every company deploying AI features that touch user data.
Cox Media's business model was deceptive. Most AI companies' business models are not. Their AI features genuinely work. They genuinely collect and process user data. They genuinely use that data for model improvement, personalization, or marketing insights.
The question the FTC has now forced into the open is not whether your AI works. It is whether your users know what it does, whether your privacy policy accurately describes the data flow, and whether clicking "I agree" on a terms of service page constitutes adequate consent for what the AI actually does with the data.
On that last point, the FTC has now publicly indicated that it does not.
The consent problem is structural, not exceptional
Most AI products rely on terms-of-service consent as the legal basis for data collection. The FTC's position in the Cox settlement suggests that blanket terms-of-service acceptance is not sufficient consent for invasive or unexpected data processing. If your AI feature processes behavioral, biometric, conversational, or location data, your consent mechanism may already be insufficient by the FTC's current standard.
The "we don't do what Cox did" defense does not work
Cox's fine covered two separate violations: misrepresentation of the product, and inadequate consent for data collection. Even if your company has never misrepresented its AI capabilities, the second violation stands independently. Does your privacy policy accurately describe what your AI features do today? Not what they did at launch. Not what the original developer intended. What they actually do right now, after every feature update, every model retrain, every vendor integration.
If the answer is "mostly" or "I think so," that gap is where the FTC lives.
The enforcement surface is expanding, not shrinking
The Cox settlement is not an isolated action. In May 2026 alone, the FTC also began enforcing the Take It Down Act (requiring platforms to remove deepfake imagery within 48 hours), banned data broker Kochava from selling sensitive location data, and signaled enforcement of the Protecting Americans' Data from Foreign Adversaries Act. The California Privacy Protection Agency separately expanded CCPA enforcement to cover automated decision-making by AI. Twenty U.S. states now have comprehensive privacy laws.
The enforcement environment for AI companies is not getting more lenient. It is getting more specific.
Five Questions Your AI Features Need to Answer
Before calling anyone, your company can self-assess against these five questions. If you cannot answer all five confidently, you have gaps worth identifying.
1. Does your AI product collect or process data beyond what users explicitly consented to?
Not "beyond what your terms of service technically allow." Beyond what a reasonable user would understand they agreed to. The FTC drew this distinction explicitly in the Cox settlement. Click-through consent on a terms of service page is not the same as informed consent for AI data processing.
2. Does your privacy policy accurately describe what your AI model actually does with user data?
Not what it did at launch. What it does today. AI products evolve faster than their legal documentation. If your AI added a personalization feature, a recommendation engine, or a model-training data pipeline after the privacy policy was last updated, you have a documentation gap.
3. Do your vendor agreements allow third parties to use customer data for AI training?
Many AI API providers include clauses about data usage for model improvement in their standard terms. If your product sends user data to an AI vendor, your customers' data may be entering a training pipeline they never consented to. The FTC's position on third-party data sourcing is clear from both the Cox settlement and the Kochava enforcement action.
4. Would the FTC consider your data collection "unfair" under Section 5?
Section 5 of the FTC Act prohibits unfair or deceptive practices. "Unfair" is broader than "deceptive." It covers practices that cause substantial consumer injury, are not outweighed by countervailing benefits, and are not reasonably avoidable by consumers. AI data collection that is technically disclosed in fine print but practically invisible to users can qualify as "unfair" even when it is not "deceptive."
5. Have you mapped your AI features against the NIST AI Risk Management Framework?
The NIST AI RMF is becoming the de facto U.S. standard for AI governance. State AI laws in Colorado, Texas, and elsewhere increasingly reference it. Federal procurement requirements cite it. If you have not mapped your AI features against the NIST AI RMF's risk categories, you do not know the full scope of your exposure.
What the FTC Is Actually Enforcing in 2026
The Cox Media settlement is not an outlier. It fits a pattern that has accelerated through the first half of 2026:
- May 21, 2026: FTC settles with Cox Media Group, MindSift, and 1010 Digital Works for $930,000 over AI marketing deception and inadequate consent claims.
- May 19, 2026: FTC begins enforcing the Take It Down Act, requiring platforms to remove nonconsensual intimate deepfake imagery within 48 hours. Warning letters sent to companies.
- May 4, 2026: FTC moves to ban data broker Kochava from selling sensitive location data linked to millions of mobile devices.
- January 1, 2026: California Privacy Protection Agency's expanded CCPA regulations take effect, including new transparency and opt-out requirements for AI-driven automated decision-making.
- 2026 to date: Indiana, Kentucky, and Rhode Island privacy laws take effect, bringing the total to 20 U.S. states with comprehensive privacy legislation.
The enforcement pattern is clear: the FTC is targeting AI-related deception and data misuse with increasing specificity, the CPPA is enforcing AI-specific automated decision-making rules, and the number of states with privacy enforcement authority is growing every quarter.
Three Steps to Take This Week
These steps are not legal advice. They are practical checks any company can complete in under three hours.
Step 1: Review your privacy policy against what your AI features actually do.
Open your privacy policy in one browser tab and your product's data flow documentation in another. Compare them line by line. If the two documents do not match, or if you do not have current data flow documentation, that is your first gap.
Step 2: Audit your vendor data agreements for AI training clauses.
Pull every AI vendor agreement your company has signed. Search for clauses referencing "model improvement," "training data," "aggregated data," and "de-identified data." If any clause permits the vendor to use your customers' data for model training without explicit customer consent, that is your second gap.
Step 3: Map your AI features against the NIST AI Risk Management Framework.
Download the NIST AI Risk Management Framework 1.0 (free at nist.gov/artificial-intelligence). Review the "Map" function. For each of your AI features, identify which risk categories apply. If you cannot confidently map every feature, that is your third gap.
What to Do If You Found Gaps
If any of the five questions above gave you pause, or if the three steps surfaced gaps you did not know you had, that is not unusual. Most AI companies have documentation that lags behind their product's actual data practices. The question is whether that gap gets identified by your own review or by an enforcement action.
StarGuard Law's AI Exposure Audit maps six areas of legal exposure for companies deploying AI: terms of service and privacy compliance, vendor contract risks, IP ownership, data processing, platform compliance, and regulatory classification. It is built on three authoritative frameworks (U.S. Copyright Office rulings, the NIST AI Risk Management Framework, and the OWASP LLM Top 10) and delivers a scored risk profile with specific remediation steps. If the questions and checks above surfaced gaps, that is the place to start.
This article is for general information only — not legal advice.
