FTC Enforcement Trends in 2026: What Businesses Need to Know

The Federal Trade Commission is not slowing down. In 2026, FTC enforcement actions have accelerated across every sector where businesses collect data, charge subscriptions, or make claims about their products. The agency has more enforcement tools, more staff, and more political will than at any point in the past decade.

The stakes are not hypothetical. Walmart paid $2.5 billion to settle FTC charges over deceptive subscription practices. A major e-commerce platform paid $520 million over COPPA violations. A health data company paid $75 million for sharing sensitive health information with advertisers. These settlements are not anomalies. They are the FTC's stated enforcement strategy.

This article breaks down the FTC's current enforcement priorities, explains which clauses in your terms of service and privacy policy are under the most scrutiny, and tells you what to fix before an investigation begins.

How the FTC Enforces Consumer Protection Laws

The FTC's primary tool is Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices in or affecting commerce." This is a broad standard that gives the agency significant flexibility to pursue conduct that harms consumers even when no specific rule prohibits it explicitly.

Enforcement typically starts with an investigation, often triggered by consumer complaints, news reports, or the FTC's own monitoring of industry practices. The FTC issues civil investigative demands (CIDs) requesting documents, data, and testimony. Companies that receive CIDs face significant legal costs even before any formal action is filed.

Your terms of service and privacy policy are central to every FTC investigation. These documents are where the Commission looks to determine what you promised consumers and whether your actual practices match those promises. A privacy policy that says "we do not share your data with third parties" when you do creates a deception claim regardless of whether the sharing was technically permitted by another clause buried elsewhere.

Subscription and Negative-Option Practices

The FTC's "click-to-cancel" rule, which took full effect in 2025, has become one of the most actively enforced regulations in the agency's portfolio. Even after the Eighth Circuit vacated the specific rulemaking in July 2025, the FTC continued pursuing subscription businesses under ROSCA and Section 5. The $2.5 billion Walmart settlement was filed after the vacatur, demonstrating that the rule's vacatur did not reduce enforcement activity.

Your terms of service must clearly disclose the full cost of any subscription before the consumer agrees. This includes the initial price, any promotional pricing and when it ends, the price after the promotional period, and the auto-renewal terms. These disclosures must be conspicuous, meaning they must be visible to the consumer before they complete the sign-up, not buried in terms they are deemed to have accepted by clicking a button.

The Walmart settlement demonstrated that the FTC will pursue massive penalties when negative-option practices affect large numbers of consumers. Businesses with subscription models should treat their auto-renewal terms, cancellation flows, and trial-to-paid conversion practices as priority compliance areas in 2026.

Children's Data and COPPA Enforcement

The Children's Online Privacy Protection Act has been on the books since 1998, but FTC enforcement of COPPA is hitting new levels of aggression in 2026. The $520 million settlement against a major gaming platform is the largest COPPA enforcement action in history, and the FTC has made clear that it views this as a template for future actions against any platform that collects data from users under 13.

If your product could attract children, or if children actually use it, whether you designed it for them or not, COPPA applies. The FTC does not accept "our platform is for users 13 and older" as a complete defense when the platform's actual user base includes significant numbers of children. Your age verification mechanisms, your data collection practices, and your privacy policy need to reflect COPPA compliance if there is any reasonable chance children use your product.

The FTC has made clear that "we didn't know kids were using our product" is not a defense. If your analytics show users under 13, if your app store ratings suggest child-appropriate content, or if your platform's design features are likely to attract children, the FTC considers COPPA compliance an obligation regardless of your stated age policy.

Health Data and Sensitive Information

The FTC's enforcement actions against health data companies have sent a clear message: collecting, sharing, or monetizing health information in ways that consumers did not clearly consent to is an unfair practice under Section 5. The $75 million settlement against a health data company for sharing sensitive health information with advertisers is the reference point that every health-adjacent app and platform should be studying.

The FTC has expanded its definition of "health data" well beyond HIPAA's covered entities. Fitness apps, mental health platforms, period tracking apps, medication reminder apps, and any product that infers health conditions from user behavior are all within scope. If your app collects data that could reveal a user's health status, the FTC expects your privacy policy and data practices to reflect that sensitivity.

Your privacy policy must accurately describe what health-adjacent data you collect, how you use it, and who you share it with. If your advertising SDK has access to user behavior data that could be used to infer health conditions, that needs to be disclosed. If you share location data with third parties who could use it to identify sensitive locations (healthcare providers, mental health clinics), your privacy policy needs to address this.

AI and Algorithmic Claims

The FTC issued its AI guidance in 2023 and has been actively pursuing AI-related claims since 2024. In 2026, AI marketing claims have become a distinct enforcement category. The FTC is targeting three types of AI-related conduct: false claims about AI capabilities, AI that produces discriminatory outcomes, and AI systems that make decisions affecting consumers without adequate disclosure.

If your marketing claims that your product uses "AI" or "machine learning" in ways that are materially false or misleading, the FTC's standard deception framework applies. "AI-powered" is not a free pass to make claims about accuracy, personalization, or outcomes that your system cannot actually deliver.

If your AI system makes decisions that affect consumers (lending decisions, hiring screening, insurance pricing, content moderation), your terms of service need to disclose that automated decision-making is being used and provide consumers with meaningful information about how those decisions are made. The FTC has signaled that "our AI makes this decision" without further explanation may not satisfy consumer protection standards.

What Your Terms of Service and Privacy Policy Must Get Right

Based on current FTC enforcement priorities, here are the specific provisions in your terms of service and privacy policy that are under the most scrutiny in 2026.

Subscription disclosures: Your terms must clearly state auto-renewal terms, the price that will be charged at renewal, and how to cancel, in plain language and in a location the consumer will actually see before completing their purchase.

Data sharing: Your privacy policy must accurately describe every third party you share data with and the purpose of that sharing. Broad language like "we may share your data with our partners for marketing purposes" is the type of vague disclosure the FTC targets as deceptive when it covers practices consumers would find objectionable.

Data security: If your privacy policy makes security representations ("we take reasonable measures to protect your data"), those representations must be accurate. The FTC has pursued companies whose security representations were materially inconsistent with their actual security practices.

Children's data: If COPPA applies to your product, your privacy policy must include COPPA-specific disclosures and your data practices must comply with COPPA's requirements regardless of what your terms say about minimum age.

AI disclosures: If you use automated decision-making in ways that affect consumers, your terms should explain that automated systems are used, what decisions they make, and what recourse consumers have if they believe a decision was incorrect.

The Cost of Non-Compliance vs. the Cost of Prevention

Prevention is dramatically cheaper than remediation. Updating your terms of service and privacy policy to match current FTC expectations costs a fraction of a percent of what a civil investigative demand, settlement negotiation, or enforcement action costs. The FTC's settlements in 2025 averaged over $200 million for the cases that went to final order.

Beyond the direct financial cost, FTC enforcement actions carry reputational consequences, mandatory compliance monitoring programs, and ongoing reporting obligations that last years after the settlement. Companies under FTC consent orders face regular audits and the risk of additional penalties if they violate the order's terms.

The FTC also shares information with state attorneys general, who frequently bring parallel actions under state consumer protection laws. An FTC action can trigger simultaneous investigations from multiple state regulators, each with their own penalties and settlement requirements.

Frequently Asked Questions

Can the FTC take action against my business even if my terms of service include a liability limitation?

Yes. Liability limitations in your terms of service govern your relationships with your customers and users. They do not bind the FTC, which is a government regulator acting under statutory authority. FTC civil penalties and settlement obligations are not subject to contractual liability caps. Your terms can limit consumer claims against you, but they have no effect on government enforcement actions.

How often should I update my privacy policy to stay compliant with FTC expectations?

Review your privacy policy at least annually and any time your data practices change. The FTC's enforcement theory in many cases is that companies made promises in their privacy policies that their actual practices did not honor. If your data practices change and your privacy policy does not, you create a deception claim. Any time you add a new third-party integration, change your advertising practices, or add new data collection, review your privacy policy to ensure it accurately reflects those changes.

Does the FTC enforce against small businesses or only large corporations?

The FTC enforces against businesses of all sizes. While the largest enforcement actions in terms of dollar amounts target large companies, the agency regularly pursues smaller businesses, particularly in areas like health data, COPPA, and subscription billing. A company does not need to be large to face an FTC investigation. It needs to have practices that harm consumers and come to the agency's attention.

What is the difference between "unfair" and "deceptive" under Section 5 of the FTC Act?

A deceptive practice involves a material misrepresentation or omission that is likely to mislead consumers acting reasonably. You do not need to intend to deceive. If a reasonable consumer would be misled by your claims or disclosures, the practice may be deceptive. An unfair practice causes or is likely to cause substantial consumer harm that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits. Difficult cancellation flows are often characterized as "unfair" rather than "deceptive."

Do I need a separate privacy policy for my mobile app and my website?

Not necessarily, but your privacy policy must cover all the data practices of all your products. If your mobile app collects different data than your website (location data, device identifiers, camera or microphone access), those practices must be disclosed. Many companies use a single privacy policy that addresses all their platforms, with platform-specific sections for any unique data practices. The key is accuracy and completeness, not the number of documents.

Protect Your Business Before the FTC Comes Knocking

FTC enforcement in 2026 is broader, faster, and more aggressive than in any prior year. Subscription billing, data privacy, COPPA, and AI claims are all active enforcement areas where businesses with outdated or inaccurate terms and privacy policies face real regulatory risk.

Hansen Tong and the team at TOS Lawyer work with SaaS companies, app developers, and online businesses to draft terms of service and privacy policies that reflect current FTC expectations and protect against regulatory exposure. Contact TOS Lawyer to get your legal documents reviewed and updated before they become a liability.