The Federal Trade Commission is not slowing down. In 2026, FTC enforcement actions have accelerated across every sector that touches consumer data, subscription billing, and online advertising. If your business operates a website, app, or SaaS product, your terms of service and privacy policy are under more scrutiny than ever.
The stakes are not hypothetical. Walmart paid $2.5 billion to settle FTC charges over deceptive subscription practices. Match Group faced enforcement for sharing sensitive user data with third-party advertisers. These are not small businesses caught off guard. They are major corporations with large legal teams, and the FTC still found violations in their terms and disclosures.
This article breaks down the FTC’s current enforcement priorities, explains which clauses in your terms of service and privacy policy create liability, and gives you concrete steps to reduce your risk before the Commission comes looking.
1. How the FTC Enforces Consumer Protection Laws
The FTC’s primary tool is Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” That language is deliberately broad. The Commission does not need to prove you intended to mislead anyone. It only needs to show that your practices, disclosures, or terms would mislead a reasonable consumer or cause substantial harm.
Enforcement typically starts with an investigation, often triggered by consumer complaints, news reports, or the FTC’s own monitoring. If the Commission finds violations, it can issue consent orders, impose civil penalties, require refunds, and mandate changes to your business practices. In some cases, it refers matters for federal litigation.
Your terms of service and privacy policy are central to every FTC investigation. These documents are where the Commission looks first to determine whether your disclosures match your actual practices.
2. Subscription and Negative-Option Practices
The FTC’s “click-to-cancel” rule, which took full effect in 2025, has become one of the most actively enforced regulations in 2026. Under this rule, if you offer any subscription, recurring charge, or free trial that converts to a paid plan, you must make cancellation as easy as sign-up. That means no phone-call-only cancellation, no multi-step retention funnels, and no buried cancellation links.
Your terms of service must clearly disclose the full cost of any subscription before the consumer agrees. This includes the billing frequency, any price increases after an introductory period, and exactly what happens when a free trial ends. Vague language like “subscription will auto-renew at the then-current rate” is exactly the kind of clause the FTC targets.
The Walmart settlement demonstrated that the FTC will pursue massive penalties when negative-option practices affect large numbers of consumers. If your SaaS product or app uses recurring billing, review your sign-up flow and cancellation process now. Your terms need to match what actually happens in the user experience, step by step.
3. Children’s Data and COPPA Enforcement
The Children’s Online Privacy Protection Act has been on the books since 1998, but FTC enforcement of COPPA is hitting new categories of technology in 2026. The Commission is specifically targeting AI-powered products that interact with children, including companion chatbots, educational AI tools, and any app that collects voice, text, or behavioral data from users under 13.
If your product could attract children or if children actually use it, whether you designed it for them or not, COPPA applies. Your privacy policy must clearly describe what data you collect from children, how you use it, and how parents can review or delete that data. Your terms of service must include age-gating provisions and verifiable parental consent mechanisms.
The FTC has made clear that “we didn’t know kids were using our product” is not a defense. If your analytics show users under 13, or if your product’s design, content, or marketing would appeal to children, you need COPPA-compliant terms and a privacy policy that addresses children’s data specifically.
4. Data Security and Health Data Sharing
The FTC continues to bring enforcement actions against companies that fail to implement reasonable data security measures. But in 2026, the Commission has expanded its focus to companies that share health-related data with advertising platforms without adequate disclosure or consent.
This applies well beyond traditional healthcare companies. If your app tracks fitness data, mental health information, fertility cycles, medication use, or any health-adjacent data, and you share that data with analytics or advertising partners, the FTC considers that a potential Section 5 violation. The Health Breach Notification Rule now covers these scenarios even when HIPAA does not apply.
Your privacy policy must specifically identify every category of health-related data you collect and every third party that receives it. Generic disclosures like “we may share data with our partners” are insufficient. The FTC expects granular, specific descriptions of data flows, especially when sensitive health information is involved.
5. Hidden Fees and Pricing Transparency
The FTC’s rule on hidden fees, finalized in late 2024, requires businesses to disclose the total price of goods and services upfront, including all mandatory fees. In 2026, the Commission is actively enforcing this rule against e-commerce platforms, ticketing services, and SaaS companies that add processing fees, platform fees, or service charges at checkout.
If your pricing page shows one number but the final charge includes additional mandatory fees, your terms of service and checkout flow violate this rule. The fix is straightforward: display the all-in price before the consumer begins the purchase process. Your terms should reflect the actual total cost, not a base price with footnotes about additional charges.
This enforcement priority also extends to “drip pricing,” where fees are revealed incrementally during checkout. The FTC views drip pricing as inherently deceptive because it anchors the consumer’s expectations to a lower price before adding charges that are difficult to avoid.
6. Dark Patterns and Deceptive Design
Dark patterns are design choices that trick or pressure users into actions they did not intend. The FTC has been building enforcement precedent against dark patterns since 2022, and in 2026, the Commission treats deceptive design as a standalone category of Section 5 violations.
Common dark patterns the FTC targets include pre-checked consent boxes, confusing opt-out flows, misleading button labels (where “Accept” is prominent and “Decline” is barely visible), and forced account creation before allowing cancellation. If your terms of service are presented through a clickwrap or browsewrap mechanism that uses any of these tactics, the FTC can challenge both the enforceability of your terms and the design itself.
Review your entire user interface, not just the legal text. The FTC evaluates the complete user experience, including button placement, color contrast, font size, and the number of steps required to opt out of data collection or cancel a subscription.
7. “Made in USA” Claims and Advertising Accuracy
While this may seem unrelated to terms of service, the FTC’s enforcement of “Made in USA” claims extends to any business that makes origin claims on its website, in its marketing, or in its terms. If your terms of service or website copy state that your product is “built in the USA” or “American-made,” the FTC requires that all or virtually all of the product be manufactured domestically.
For software and SaaS companies, this can become complicated if you use offshore development teams, foreign-hosted servers, or third-party components built outside the United States. The FTC’s Made in USA rule applies to digital products, and your marketing claims must be accurate.
8. Practical Steps to Reduce FTC Enforcement Risk
Start with an honest comparison between what your terms and privacy policy say and what your business actually does. The single biggest source of FTC liability is the gap between written disclosures and real-world practices. If your privacy policy says you do not sell data, but you share data with ad partners who use it for targeting, the FTC will treat that as deceptive.
Audit your subscription and cancellation flows. Walk through the entire process as a consumer would. Count the clicks required to cancel. Verify that your cancellation method is as simple as your sign-up method. Document the process with screenshots.
Review your data practices with specificity. Identify every third party that receives user data, what data they receive, and for what purpose. Update your privacy policy to reflect each of these data flows individually. The days of generic “we share data with partners” language are over.
If your product could be used by children, even incidentally, implement COPPA-compliant age verification and parental consent. Update your privacy policy to address children’s data collection separately.
Finally, work with a technology lawyer who understands FTC enforcement patterns. Template terms of service and privacy policies cannot account for the specific ways the FTC evaluates your particular business model, data flows, and user experience. A lawyer who tracks FTC consent orders and enforcement actions can identify risks that templates miss entirely.
9. What Happens If the FTC Targets Your Business
FTC investigations are expensive, disruptive, and public. Even if your business settles without admitting wrongdoing, the consent order becomes a public document. Future violations of that consent order carry penalties of up to $51,744 per violation, per day.
The reputational damage is often worse than the financial penalty. Consumers, business partners, and investors all review FTC enforcement actions. A single consent order can affect your ability to raise funding, close enterprise deals, or maintain existing partnerships.
Prevention is dramatically cheaper than remediation. Updating your terms of service and privacy policy to match current FTC expectations costs a fraction of what an enforcement action will cost in legal fees, penalties, and lost business.
Frequently Asked Questions
Can the FTC take action against my business even if my terms of service include a liability limitation?
Yes. Liability limitation clauses in your terms of service do not shield you from FTC enforcement. The FTC enforces federal law, and your contractual terms with consumers cannot override the Commission’s authority. A liability cap may limit your exposure in private lawsuits, but the FTC can still impose civil penalties, require refunds, and mandate changes to your business practices regardless of what your terms say.
How often should I update my privacy policy to stay compliant with FTC expectations?
Review your privacy policy at least twice per year and update it immediately whenever you change your data practices, add new third-party integrations, enter new markets, or launch new features that collect additional data. The FTC does not require a specific update schedule, but it does require that your privacy policy accurately reflect your current practices at all times. An outdated privacy policy is functionally a deceptive privacy policy.
Does the FTC enforce against small businesses or only large corporations?
The FTC enforces against businesses of all sizes. While headline-grabbing settlements involve large corporations, the Commission regularly brings actions against small and mid-size companies, particularly in areas like deceptive subscription practices, misleading health claims, and inadequate data security. The size of your business does not determine whether the FTC will investigate. The nature of your practices does.
What is the difference between “unfair” and “deceptive” under Section 5 of the FTC Act?
A deceptive practice involves a material misrepresentation or omission that is likely to mislead a reasonable consumer. An unfair practice causes substantial consumer harm that consumers cannot reasonably avoid and that is not outweighed by benefits to consumers or competition. Your terms of service can trigger either standard. Misleading disclosures are deceptive. Practices that cause harm even with accurate disclosures, like making cancellation unreasonably difficult, can be unfair.
Do I need a separate privacy policy for my mobile app and my website?
Not necessarily, but your privacy policy must cover the data practices specific to each platform. Mobile apps often collect location data, device identifiers, and sensor data that websites do not. If your single privacy policy accurately describes the data collection on both platforms, one policy is sufficient. If your app collects different data or shares it with different parties, your policy must address those differences explicitly. The FTC evaluates accuracy, not format.
Protect Your Business Before the FTC Comes Knocking
FTC enforcement in 2026 is broader, faster, and more aggressive than in any prior year. Subscription billing, data privacy, dark patterns, and hidden fees are all active enforcement priorities, and your terms of service and privacy policy are the first documents the Commission will review.
Hansen Tong and the team at TOS Lawyer work with SaaS companies, app developers, and online businesses to draft terms of service and privacy policies that match both current FTC expectations and your actual business practices. If you have not reviewed your legal documents in the past year, now is the time. Contact TOS Lawyer to schedule a consultation and get your terms and policies aligned with the enforcement landscape before a problem finds you.