Need A Reminder About AI Privacy Compliance? Consider the Risk of FTC Enforcement Actions Against AI Model-As-A-Service Companies

Client Alert | 2 min read | 01.29.24

On January 9, 2024, the Federal Trade Commission published a blog post titled AI Companies: Uphold Your Privacy and Confidentiality Commitments. In it, the FTC, as part of its larger initiative to oversee the use of AI, reminds companies to abide by the privacy commitments they have made, no matter where they made them, and to disclose all material facts. If they do not, they risk an enforcement action from the FTC. To avoid legal risk, companies must coordinate across departments about their privacy policy and privacy representations as part of developing AI models.

The FTC blog post focuses on “model-as-a-service” companies. These companies develop and host AI models available to consumers via an end-user interface. Model-as-a-service companies, like other AI developers, collect data, and this data can sometimes include an individual’s sensitive or confidential information or a business user’s competitively significant information.

FTC privacy rules, the blog explains, apply to model-as-a-service companies. Model-as-a-service companies must know what privacy commitments they have made. A company’s privacy commitments are not limited to those in the terms of service a user agrees to, but can also be made in promotional materials or online communications. Privacy commitments can include commitments not to use collected data for training or revising AI models. If a company chooses to retain a user’s data for its own purposes, it must provide notice that is clear and conspicuous – not buried in legal jargon.

The FTC is clear that model-as-a-service companies that fail to abide by their privacy commitments may be liable under the laws enforced by the FTC. These include consumer protection and antitrust laws addressing unfair or deceptive acts or practices affecting commerce. Similarly, the FTC may sue a company which fails to disclose, omits, or misrepresents material facts – such as how the company collects and uses data – that would affect a user’s decision to provide their data. Companies may be found to have violated consumer protection laws or, in the case of misappropriation of business information, antitrust laws. Prior enforcement actions have resulted in requiring these companies to delete any products developed using the unlawfully obtained data and have included actions against companies which omitted material facts about their data collection. For example, the FTC has brought enforcement actions for fines and data deletion against five companies for their collecting of user data to train their AI models.

While novel, the use of generative AI does not provide an exemption from complying with existing laws. To the contrary, obligations to ensure data privacy and protection remain the same. Companies developing or hosting AI models should be prepared to update their privacy policies to disclose all facts that a user would find material and should take steps to actively comply with that policy. Moreover, companies should coordinate on all representations about data privacy they are making to ensure those representations align with their privacy policy. The FTC’s blog post explains that a company’s adherence to all of its privacy commitments is an ongoing and affirmative obligation that is not limited or overridden by terms of service agreements.
