Last updated 2026-05-29


FTC US: Section 5 AI Privacy Enforcement

FTC issued 19 AI enforcement actions in 2024. $875M Amazon Alexa fine. 25 state privacy laws active. Zero-knowledge architecture directly addresses FTC's.

May 29, 2026 · 9 minute read
Tags: FTC enforcement, US privacy law, AI privacy compliance, Section 5, state privacy laws

FTC Section 5: AI Privacy in the US

Updated for 2026.

The Federal Trade Commission (FTC) enforces US privacy law through Section 5 of the FTC Act. That section bans "unfair or deceptive practices." No single federal privacy law like GDPR exists in the US. Yet the agency set a new record in 2024.

2024: A Record Enforcement Year

The commission issued 19 AI-related actions in 2024. That beats the prior three years combined. Add 25 active US state privacy laws on top. Together, they create a complex burden for any company in the US.

Key 2024 cases:

Amazon Alexa ($25M, 2023/ongoing): Amazon paid $25M for COPPA violations. It had kept voice files of children past stated time limits. The agency said Amazon used those files to train AI without proper consent. Amazon was ordered to delete the retained files.

Meta ban on teen ad use: Federal regulators barred Meta from using records of users under 18 for ads. This built on an existing consent order.

AI data broker actions: The agency took action against several brokers. Those brokers sold AI-built personal profiles without proper notice or consent. The cases set a key rule: AI profiling of personal records is "sensitive" processing. That label triggers extra notice duties.

Health records cases: The commission has power over health records not covered by HIPAA. Consumer apps, wearables, and some telehealth firms fall here. Several 2024 cases hit firms that shared those records without proper consent.

25 State Laws: The US Patchwork

No single federal law covers all US residents. Instead, 25 state laws together cover most of the country.

California CPRA (from 2023): The broadest US state law. It covers 40 million state residents. It applies to firms with over $25M in revenue or that hold records on 100,000+ state consumers. It set up the California Privacy Protection Agency (CPPA) as a full-time regulator.

Virginia, Colorado, Connecticut: Three more laws with similar rights. They cover over 20 million residents combined.

Texas and Florida: Two large states now also have active privacy laws.

Washington My Health My Data Act: The strongest US health records law outside California. It extends rights beyond HIPAA to consumer health apps.

For firms in all 50 states, the 25 laws share a core set of duties. Consumer rights, privacy notices, vendor contracts, and record limits are all required. The exact rules vary by state.

See the legal compliance guide for how these duties stack.

What the 2024 Actions Mean for Tech Teams

The 2024 cases give clear technical guidance.

Training records: Firms must track which personal records trained each AI model. They must show consent covered that training use. They must also confirm what time limits applied.

Purpose limits: AI profiles cannot be used beyond what was told to users at sign-up. Using behavior analysis for hiring when only ads were disclosed is a Section 5 violation.
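The two duties above (track which records trained each model and confirm consent covered that use within its time limit; never reuse a profile for a purpose the user was not told about) are easiest to meet when the check sits in the training pipeline rather than in a policy document. The following is an added example, not code from the page or from anonym.legal: a consent-gated training manifest in which every record either passes both checks or is logged with the reason it was excluded. All field names, the `model_training` and `hiring` purpose strings, and the sample records are constructed assumptions.

```python
"""Consent-gated training manifest (constructed example, not the page's own code).

A record reaches the training set only if the consent it carries names the
purpose being exercised and the stated retention limit has not passed on the
training date. Everything that is refused is recorded with a reason, so the
manifest doubles as the lineage the FTC cases ask teams to be able to show.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib


@dataclass(frozen=True)
class Consent:
    purposes: frozenset        # the uses disclosed to the user at sign-up
    given_on: date             # when consent was collected
    retention_days: int        # the stated time limit for keeping the record


@dataclass(frozen=True)
class Record:
    record_id: str
    consent: Consent


@dataclass
class TrainingManifest:
    model_id: str
    training_date: date
    included: list = field(default_factory=list)   # pseudonymous ids that trained the model
    rejected: dict = field(default_factory=dict)   # record_id -> why it was kept out


def _pseudonym(record_id: str) -> str:
    # The manifest stores a hash of the id, so the audit trail does not become
    # yet another copy of the personal record.
    return hashlib.sha256(record_id.encode()).hexdigest()[:16]


def build_manifest(model_id: str, training_date: date, records, purpose: str = "model_training"):
    """Return a manifest for `model_id`, admitting only records whose consent
    covers `purpose` and whose retention window is still open on `training_date`."""
    manifest = TrainingManifest(model_id, training_date)
    for r in records:
        c = r.consent
        if purpose not in c.purposes:
            # Purpose limit: the user was never told about this use.
            manifest.rejected[r.record_id] = f"consent does not cover '{purpose}'"
            continue
        expires = c.given_on + timedelta(days=c.retention_days)
        if training_date > expires:
            # Time limit: the record should already have been deleted.
            manifest.rejected[r.record_id] = f"retention limit passed on {expires.isoformat()}"
            continue
        manifest.included.append(_pseudonym(r.record_id))
    return manifest


# Constructed sample records: one valid, one consented to ads only, one expired.
SAMPLE_RECORDS = [
    Record("user-0001", Consent(frozenset({"ads", "model_training"}), date(2024, 1, 1), 365)),
    Record("user-0002", Consent(frozenset({"ads"}), date(2024, 1, 1), 365)),
    Record("user-0003", Consent(frozenset({"model_training"}), date(2023, 1, 1), 90)),
]

if __name__ == "__main__":
    m = build_manifest("model-v1", date(2024, 6, 1), SAMPLE_RECORDS)
    print("trained on:", m.included)
    for rid, why in m.rejected.items():
        print("excluded", rid, "->", why)
```

Running the same records through `build_manifest(..., purpose="hiring")` rejects all three, which is the behavior-analysis-for-hiring case the article describes: a purpose nobody disclosed gets no records at all.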

Vendor duties: The agency treats SaaS vendors as the deploying firm's risk. If a tool processes user records, that must be in the privacy notice. Vendor conduct must match stated purposes.

Zero-knowledge systems: Most AI vendor cases target undisclosed use of records. A zero-knowledge system holds only encrypted files. The vendor has no key to open them. It cannot use records in ways that were not disclosed. That technical fact lines up with what the agency targets.
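The property described above is a statement about who holds keys, so it can be shown in code. The block below is an added example, not code from the page or from anonym.legal, and it uses "zero-knowledge" in the article's sense (client-side encryption where the vendor never holds a key), not in the sense of zero-knowledge proofs. The client derives its keys from a passphrase that never leaves it; the vendor stores only the sealed blob, and any attempt to open a blob without the passphrase fails the authentication tag. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; a production system would use a vetted AEAD such as AES-GCM from a maintained library. The `VendorStore` class, its method names and the sample note are constructed for illustration.

```python
"""Client-side encryption sketch for a vendor that holds no keys (constructed example).

Keys are derived on the client from a passphrase; the server receives salt,
nonce, ciphertext and tag, nothing else. The stream cipher and tag below are
an illustrative stdlib construction, not a replacement for a vetted AEAD.
"""
import hashlib
import hmac
import secrets
import struct


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    # PBKDF2 runs on the client; only the public salt is stored with the blob.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]          # (encryption key, MAC key)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256: block i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal(passphrase: str, plaintext: bytes) -> dict:
    """Client side: encrypt, then MAC over everything the server will store."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ct, "tag": tag}


def open_blob(passphrase: str, blob: dict) -> bytes:
    """Client side: verify the tag first, decrypt only if it matches."""
    enc_key, mac_key = derive_keys(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["nonce"] + blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered blob")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


class VendorStore:
    """Everything the vendor holds: sealed blobs keyed by object id, no passphrases."""

    def __init__(self):
        self._blobs = {}

    def put(self, obj_id: str, blob: dict) -> None:
        self._blobs[obj_id] = blob

    def get(self, obj_id: str) -> dict:
        return self._blobs[obj_id]

    def can_open(self, obj_id: str, passphrase_guess: str) -> bool:
        # Without the client's passphrase the tag check fails, so the vendor
        # cannot read, profile or reuse the record even if it wanted to.
        try:
            open_blob(passphrase_guess, self._blobs[obj_id])
            return True
        except ValueError:
            return False

    def plaintext_present(self, obj_id: str, needle: bytes) -> bool:
        # Sanity check for an audit: does the stored blob contain the record in the clear?
        return needle in self._blobs[obj_id]["ciphertext"]


if __name__ == "__main__":
    store = VendorStore()
    store.put("doc-1", seal("correct horse battery", b"client note: SSN 000-00-0000"))
    print("vendor can open without passphrase:", store.can_open("doc-1", "guess"))
    print("client can open:", open_blob("correct horse battery", store.get("doc-1")))
```

The point for the compliance argument is the last two methods: an auditor can confirm that the stored object contains no recoverable personal record and that the vendor's own systems cannot open it. Disclosed purposes are then enforced by key custody, not only by a privacy notice.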

Learn how anonym.legal uses zero-knowledge systems at /security-compliance.

Proposed Commercial Surveillance Rule

The commission's proposed rule on commercial tracking is pending as of 2025. If passed, it would create explicit federal rules.

  • Record limits for AI use.
  • Opt-out rights for automated profiling.
  • Bars on using collected records for new purposes.
  • Security rules for stored personal records.

This rule would add GDPR-like duties for any firm serving US consumers. It would raise the floor for US privacy law across the board.

Read about record limits at /docs/faq.

Sources

  • FTC: Federal Trade Commission. ftc.gov.
  • FTC: AI Enforcement Actions 2024. ftc.gov/news-events/news/press-releases/.
  • CPPA: California Privacy Protection Agency. cppa.ca.gov.
  • FTC: Proposed Commercial Surveillance Rules. ftc.gov/legal-library/browse/rules/commercial-surveillance-rulemaking.


About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.


We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.


How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.