The Capability Gap: What CMG Claimed vs. What It Actually Built
The Federal Trade Commission's May 2026 enforcement action against Cox Media Group (CMG) centers on a direct mismatch between marketing copy and production architecture. Active Listening, marketed to local small businesses under the tagline "It's True. Your Devices Are Listening to You," claimed to use a proprietary algorithm that captured real-time conversations via smartphones and smart speakers, then delivered geographically targeted ads to local consumers based on overheard keywords. According to the FTC complaint, the product had no audio processing capability at any layer of its technical stack. What CMG actually shipped was a resold email list acquired from third-party data brokers at a significant markup.
This is not a case about an AI model that underperformed its benchmarks. The service, introduced commercially in 2023, had no voice-processing component — no device integration, no ambient audio capture, no keyword detection pipeline. The marketing described a specific technical architecture that did not exist in production at any point.
A second misrepresentation operated independently: geographic targeting. CMG claimed ads would reach consumers within a customer's specified local area. The FTC found delivery accuracy failed to match advertised geographic parameters. From an enforcement standpoint, each gap is independently actionable — fixing one would not have cured the other. Each claim type stands as a separate Section 5 count.
For AI product and marketing teams, the liability surface the FTC targets is the gap between marketing copy and what runs in production — not intent, business model, or whether customers received some data. The table below maps each claimed capability against actual implementation and the FTC's legal classification.
| Claimed Capability | Actual Implementation | FTC Classification |
|---|---|---|
| Proprietary AI algorithm detecting real-time voice conversations | No audio processing at any layer of the stack | Deceptive capability claim |
| Data captured via smartphones and smart speakers | Email lists purchased from third-party data brokers at markup | Deceptive data collection claim |
| Consumer opt-in consent via app terms of service | Boilerplate ToS click-through — ruled legally insufficient | Deceptive consent claim |
| Geographically targeted ad delivery to specified local area | Delivery did not meet advertised geographic parameters | Deceptive geo-targeting claim |
FTC Section 5 Applied to AI Products: The Deception Standard
Section 5 of the FTC Act prohibits "unfair or deceptive acts or practices in commerce." The standard reaches technical feature representations — not just pricing, refund terms, or contract language. A claim is deceptive if it is material (likely to affect a buyer's purchasing decision) and likely to mislead a reasonable buyer. Intent and good-faith belief are legally irrelevant. A team that genuinely believed an AI feature worked as advertised has no Section 5 defense if that belief was wrong and the claim was material to a purchase decision.
"The FTC's Section 5 analysis does not ask whether a defendant knew its AI capability claims were false — it asks whether those claims were materially likely to mislead a reasonable buyer. The CMG case reinforces that 'we believed it worked' is not a compliance posture." — Frankfurt Kurnit Klein & Selz PC, Technology Law analysis, May 2026
The CMG case produced four independently actionable claim types: (1) product capability — the voice-capture algorithm; (2) data collection — whether voice data was acquired at all; (3) consumer consent status — whether end users had opted in to surveillance; (4) geographic targeting accuracy — whether ads reached specified local areas. Each is a standalone count — the FTC need not prove all four to establish liability. This matters for teams who assume that fixing one representation cures their exposure.
A structural implication for AI product teams: claims must reflect what runs in production today. The FTC's standard does not distinguish between a beta feature, a roadmap commitment, an internal proof-of-concept, and a generally available product. If a marketing page, sales deck, or partner FAQ describes a capability as present and functional, that description is subject to Section 5 scrutiny from the moment a buyer might rely on it. Qualifying language like "coming soon" or "in beta" reduces but does not eliminate exposure if the framing implies current functionality.
The "reasonable buyer" standard tracks the actual audience receiving the claims. In CMG's case, buyers were small business owners purchasing local advertising, not ML engineers evaluating a model card. If you sell AI tools to non-technical buyers, technical nuance in your documentation does not soften a capability claim on your marketing page. The FTC asks whether a typical member of the target audience would be misled, not whether an informed practitioner would correctly interpret the caveat.
Why ToS Click-Through Does Not Satisfy AI Consent Requirements
One of the most operationally significant holdings in the CMG settlement is the FTC's explicit ruling on consent: clicking through a mandatory, boilerplate app terms-of-service agreement does not constitute opt-in consent for ambient voice surveillance conducted inside a person's home. For teams building AI products that collect ambient, behavioral, or sensor data, this ruling closes a compliance assumption many teams treated as settled: that a standard EULA or app-install permission flow covers downstream data use.
"The FTC's Active Listening settlement sends a direct signal that consent buried in app permissions or general ToS language will not satisfy the agency's standard for sensitive AI data collection. Each data type requires its own specific, affirmative disclosure at the point of collection." — Captain Compliance, FTC enforcement analysis, May 2026
The FTC framed the consent issue as a "double exposure": both the capability claim and the consent mechanism must independently survive Section 5 scrutiny. The agency stated explicitly that even if Active Listening had actually functioned as advertised — capturing voice data and targeting ads accordingly — the ToS-only consent mechanism would still constitute a separate Section 5 violation. Fixing your AI's technical accuracy does not cure a consent violation. Fixing your consent flow does not cure a capability misrepresentation. Each must be addressed independently.
For AI products that collect audio, behavioral signals, location data, or biometric inputs, the practical standard is: separate, affirmative, granular opt-in per data type, presented at or before the point of collection in plain language a non-technical user can evaluate before agreeing. Persistent or ambient data collection hidden inside generic platform permissions is a documented enforcement target. There is no grey area here following CMG — the ruling is explicit and applies to any product that makes marketing claims about the data it uses.
Vendor Liability: How Supplying Marketing Materials Creates FTC Exposure
The CMG settlement introduced secondary liability through the "means and instrumentalities" theory of Section 5. MindSift LLC (New Hampshire) and 1010 Digital Works LLC (Wisconsin) — two vendor firms that supplied sales scripts, pitch decks, and FAQ content to CMG — each face $25,000 penalties and the same 20-year prohibition on misrepresenting service capabilities, despite never having sold directly to the small businesses CMG deceived. The FTC drew a precise legal line: selling neutral software tools does not trigger this secondary liability; furnishing the specific deceptive content a reseller uses to mislead buyers does.
"The vendor liability theory in Active Listening is a direct warning to white-label AI providers and platform partners who produce marketing materials for downstream use. If you write the pitch script that contains the false capability claim, you have independent FTC exposure — even if you never touched the customer relationship." — Benesch Law, Operation AI Comply one-year analysis, 2025
For white-label AI tool builders and platform providers that produce co-branded or partner-facing marketing assets, this theory sits directly within scope. The FTC's reasoning is that the vendor who writes the false capability description is materially responsible for the deception, regardless of which company's logo appears on the final pitch deck. The channel partnership structure is not a liability shield if your content is what made the claim false.
| Defendant | Role | Penalty | Primary FTC Count |
|---|---|---|---|
| CMG Media Corporation (Cox Media Group, Atlanta GA) | Primary reseller and service operator | $880,000 | Deceptive capability, data collection, consent, and geo-targeting claims |
| MindSift LLC (New Hampshire) | Vendor — supplied deceptive marketing content to CMG | $25,000 | Means and instrumentalities of deception |
| 1010 Digital Works LLC (Wisconsin) | Vendor — supplied deceptive marketing content to CMG | $25,000 | Means and instrumentalities of deception |
The practical fix for vendor agreements: if you supply marketing assets — pitch scripts, capability summaries, demo FAQs, white-labeled product briefs — to channel partners or resellers, add a representation and warranty that all supplied content is technically accurate and verifiable against production functionality. Include a right-to-audit clause that allows you to review how partners are using your supplied content. If a partner modifies your content in ways that introduce false capability claims, the agreement should assign liability for modifications made beyond the supplied baseline. Treating marketing asset accuracy as a contractual obligation — not just a quality-control concern — is the structural change this case requires.
Operation AI Comply: The Enforcement Trajectory After Active Listening
The FTC launched Operation AI Comply (OAC) in September 2024 as a systematic enforcement initiative targeting AI-washing — companies that overstate the sophistication, autonomy, or measurable effectiveness of AI-powered products. The CMG settlement, announced May 21–22, 2026, is the first OAC action targeting AI audio-surveillance marketing, and the first in which the underlying product was not merely overstated but entirely fabricated — no surveillance technology existed at any layer of the stack.
Prior OAC actions establish the pattern: DoNotPay faced a $193,000 fine for overstating its AI legal-assistance capabilities; Rytr was prohibited in December 2024 from selling AI-generated fake review services; multiple defendants faced action for AI-enhanced financial scam claims. The common thread is unsubstantiated capability claims — the FTC is not targeting AI use per se, but marketing representations that cannot be verified against production behavior.
The CMG case introduces a meaningful classification distinction. Prior OAC cases involved exaggeration of real but limited functionality ("AI washing"). The CMG case involves complete fabrication of nonexistent functionality ("AI fraud"). This distinction may shape how the FTC prioritizes and classifies future cases: fabricated products with zero technical basis may face accelerated enforcement timelines and larger penalties relative to cases involving overstated real capabilities.
Under the proposed consent orders, each future violation carries a civil penalty of up to $53,088 per incident. All three defendants face 20-year prohibitions on misrepresenting advertising service capabilities, voice data collection and consent, and geographic targeting accuracy. The 2026 OAC enforcement signals continued scrutiny on AI-native ad-tech, AI surveillance marketing, and AI-powered onboarding flows targeting small businesses — three areas where the capability-versus-reality gap has historically been wide and buyer technical literacy relatively low.
Practical Compliance Checklist for AI Product and Marketing Teams
The CMG case produces five concrete compliance obligations that apply broadly to any AI product team making capability claims in marketing materials, sales assets, or partner-facing content. Each item below maps to a specific FTC liability theory from the Active Listening enforcement action.
1. Capability Matrix: Trace Every Claim to a Production Feature
Every marketing claim — on your site, in your pitch deck, in a partner FAQ, in a demo script — must trace to a documented, tested feature in the current production version of your product. Keep on file an implementation reference (code path, architecture doc, or feature spec) and test evidence (passing integration or acceptance test) for each marketing claim. Claims describing roadmap items or beta functionality must be explicitly and prominently labeled as such, not buried in footnotes. If a non-technical buyer could reasonably read the claim as describing current, available functionality, the FTC may apply Section 5 scrutiny to it regardless of your internal qualification intent.
2. Data Flow Audit: Align Documentation to Marketing Copy Before Launch
Before launch — and at each material update to your product's data collection behavior — run a data flow audit: instrument what data is actually collected, how it is processed, what it is used for, and what is retained or shared. Compare the results against every marketing claim that references data collection. If the audit reveals a gap between what your product collects and what your marketing says it collects (in either direction), resolve the gap before external-facing content goes live. Collecting less than you claim is a Section 5 issue just as collecting more than you disclosed is a privacy issue. The audit output is also evidence of good-faith compliance practice.
3. Consent Specificity: Granular Opt-In Per Data Type
General ToS acceptance is not consent for sensitive data collection under the FTC's post-CMG standard. For each category of data your AI product collects — audio, behavioral signals, location, biometric, or inferred attributes — implement a separate, affirmative opt-in at or before the point of collection. The disclosure must specify what is collected and how it will be used, must not be pre-checked, and must not be bundled with unrelated consent items. For ambient or persistent data collection specifically, obtain fresh consent rather than relying on one-time install-flow acceptance. This applies regardless of whether your product's data collection is described in your marketing materials — the consent standard is independent of the capability claim standard.
4. Vendor Review: Add Accuracy Warranties to Marketing Asset Agreements
If your company supplies marketing assets to downstream resellers or channel partners — pitch scripts, capability FAQs, demo narratives, co-branded product briefs — include a representation and warranty in your agreement that all supplied content is technically accurate and reflects current production functionality. Add a right-to-audit clause that allows you to review how partners are using your content. Specify that liability for modifications made beyond the supplied baseline belongs to the partner, and establish a process for partners to notify you of capability changes that require marketing content updates. Treating marketing asset accuracy as a contractual obligation, not a quality-of-life concern, is the change the "means and instrumentalities" theory requires.
5. Targeting Claims: Measure Before You Market
If your AI product makes claims about delivery accuracy, targeting precision, or performance parameters — geographic, demographic, behavioral, or otherwise — measure actual delivery accuracy against advertised parameters in production before making those claims publicly. Do not rely on architectural design intent; test against production behavior at realistic scale. Provide customers with verifiable performance metrics they can audit against the parameters in your sales materials. If your product consistently underperforms its advertised targeting parameters, that underperformance is independently actionable under Section 5, regardless of how well other aspects of your AI architecture function.
Frequently Asked Questions
Does FTC Section 5 apply to B2B AI products, not just consumer-facing services?
Yes. Section 5 covers commercial transactions broadly — the "reasonable buyer" standard applies to business purchasers, not only individual consumers. CMG's customers were small businesses purchasing local advertising services; the FTC's deception analysis applied in full to those business-to-business transactions. If your AI product is sold to enterprise or SMB buyers, Section 5 applies to the capability and data collection claims you make to those buyers in the same way it applies to consumer-facing representations. The size of the buyer's company does not affect the Section 5 analysis.
What makes an AI capability claim "deceptive" under FTC rules?
A claim is deceptive under Section 5 if it is material (likely to affect a buyer's purchasing decision), likely to mislead a reasonable buyer, and unsupported by actual production functionality. All three elements must be present. Critically, good-faith belief that the feature worked as described is not a defense — the FTC does not need to prove knowledge or intent to deceive. If your team genuinely believed an AI capability existed and it did not, that belief is irrelevant to the Section 5 analysis. The claim is evaluated against what your product does in production, not against what you intended to build or believed you had shipped.
If we resell a third-party AI service, are we liable for their marketing claims?
Yes, if you incorporate those claims into your own sales materials. CMG bore the largest fine ($880,000) as the primary reseller and service operator — it could not reduce liability by pointing to the underlying third-party data sources or to the vendor firms that supplied marketing content. Resellers cannot pass FTC liability upstream by citing the original vendor's claims. If your sales process repeats or incorporates capability claims about a third-party AI service you resell, you are responsible for the accuracy of those claims as if you made them independently. Performing your own technical due diligence before repeating a vendor's capability claims is a practical mitigation, not just a legal formality.
We only supply marketing assets to a partner — can we be held liable for their AI misrepresentations?
Yes, under the "means and instrumentalities" theory applied to MindSift and 1010 Digital Works in the CMG case. Supplying false pitch scripts, FAQ documents, capability summaries, or other marketing content creates independent FTC exposure even if you never sold directly to the end customer and even if your underlying software or technology was technically sound. The FTC drew a precise line: selling neutral software tools does not trigger this secondary liability, but furnishing the specific deceptive content a reseller uses to mislead buyers does. If you produce partner-facing or co-branded marketing materials, their accuracy is your legal responsibility regardless of who delivers them to the buyer.
What consent mechanism does the FTC consider adequate for AI audio or sensor data collection?
Specific, affirmative, granular disclosure for each data type at or before the point of collection — not general ToS acceptance. The FTC explicitly ruled that mandatory, boilerplate app terms-of-service click-through is insufficient consent for ambient voice surveillance, and stated that this would remain a Section 5 violation even in a hypothetical scenario where the surveillance technology had actually functioned as claimed. Adequate consent requires plain-language disclosure of what is collected and how it will be used, plus an affirmative opt-in action specific to that data type. Pre-checked boxes, bundled consent items, and buried permission clauses do not meet this standard under the FTC's current enforcement posture as established in the Active Listening settlement.
What the CMG Case Establishes for AI Teams Going Forward
The Active Listening enforcement action draws a clear perimeter around AI marketing claims. Section 5 applies to technical feature representations — not just pricing or contract terms — and the standard is objective: does the claim accurately describe what your product does in production today? Intent, belief, and business model are not defenses. The gap between what you market and what you ship is the liability surface, and the FTC has now demonstrated it will pursue enforcement on fabricated capability claims, not just exaggerated ones. The distinction between AI washing and AI fraud may shape future enforcement prioritization, but both categories remain within Section 5 scope.
The vendor liability theory is the case's most operationally significant element for the AI tooling ecosystem. Platform providers, white-label API vendors, and channel partners that supply marketing assets sit within the "means and instrumentalities" framework regardless of how many intermediaries separate them from the end customer. If you write the script that a reseller uses to make a false AI claim, you are a named defendant. That risk warrants contractual changes now — accuracy warranties and audit rights in vendor agreements — rather than waiting for the next OAC enforcement action to name a vendor in your supply chain.
The consent ruling closes an assumption that many teams treated as settled. General ToS click-through is not consent for sensitive data collection. Affirmative, granular, per-data-type opt-in is required. Building that into your product's data-collection flow is a compliance requirement under current FTC enforcement posture, and the CMG standard is explicit enough that it should be treated as the floor — not aspirational guidance — for any AI product that collects audio, behavioral, biometric, or location data.
Last updated: 2026-05-28. Based on the FTC's proposed consent orders announced May 21–22, 2026, and publicly available enforcement records through that date. Regulatory posture may evolve; verify against current FTC guidance before relying on this analysis for legal decisions.
