People turning to AI-powered therapy chatbots for help with anxiety, addiction, and depression were told their conversations would stay private. A report found that several of these tools made explicit confidentiality promises they did not keep, sharing sensitive personal details in ways users never agreed to. The Federal Trade Commission has already taken enforcement action against health platforms that made similar false assurances, and in September 2025 it opened a formal inquiry into AI companion chatbots and how they handle the personal information users disclose during conversations.
False confidentiality claims draw federal enforcement attention
The gap between what AI therapy tools promise and what they actually do with user data has become a consumer protection problem with real regulatory teeth. When a company markets a mental health service as confidential and then shares that data for advertising or other commercial purposes, the FTC treats it as deception, not just a policy oversight. Two recent enforcement cases show how the agency builds these matters, and both centered on the specific language companies used to describe privacy rather than on whether a traditional data breach had occurred.
The alcohol addiction treatment firm Monument told users its services were “100% confidential,” according to the FTC. The agency charged Monument with sharing health data without consent and banned the company from disclosing that data for advertising as part of a settlement. In a separate case, the FTC ordered telehealth firm Cerebral to stop using or disclosing sensitive patient data for advertising and required it to pay $7 million. Both actions targeted companies that had explicitly marketed privacy protections to users seeking help for mental health and substance use disorders.
The pattern in these cases suggests that the FTC’s enforcement theory is built around marketing language. Monument was not penalized because hackers stole records from its servers. It was penalized because it told people their treatment would be confidential and then handed their information to advertising platforms. That distinction matters for AI therapy chatbots now facing scrutiny, because many of them use similar language to attract users who are sharing deeply personal information about their mental state, relationships, and substance use.
A reasonable reading of the FTC’s recent trajectory is that enforcement volume against mental health AI tools will track more closely with explicit confidentiality marketing claims than with actual data breach incidents. The Monument and Cerebral cases both originated from how companies described their privacy practices, not from external security failures. If AI therapy chatbots are making the same kinds of promises and failing to honor them, the regulatory framework for action already exists.
FTC inquiry targets companion chatbot data practices
The FTC opened a formal study in September 2025 into AI chatbots that present themselves as companions, signaling that the agency views these products as a distinct consumer protection concern. The inquiry focuses on how companies collect, use, and share personal information that users reveal during conversations with AI systems designed to simulate emotional connection or therapeutic support.
This inquiry is significant because it treats companion chatbots as a category requiring dedicated regulatory examination rather than lumping them in with general AI products. Users interacting with AI therapists or emotional support bots often share information they would normally reserve for a licensed professional operating under strict confidentiality rules. But AI chatbot companies are not bound by the same legal frameworks that govern therapists, psychiatrists, or addiction counselors. The privacy protections users expect may exist only in the company’s marketing copy.
The FTC’s interest also extends to how these tools affect younger users. Reporting has highlighted concerns about children and teenagers forming relationships with AI companion chatbots, raising questions about whether minors can meaningfully consent to the data collection that happens during those interactions. When a teenager shares details about self-harm or family conflict with a chatbot that promised confidentiality, the stakes of a broken promise are not abstract.
Users who believe they have been misled by an AI chatbot’s privacy claims can file complaints through the FTC’s online fraud portal. Whether complaint volumes around AI therapy tools will influence the pace of future enforcement actions is an open question, but the agency has demonstrated through the Monument and Cerebral cases that it is willing to act on deceptive confidentiality claims in the health technology space.
Gaps in accountability for AI therapy privacy promises
Several questions remain unresolved despite the FTC’s growing interest. The specific AI therapy chatbots identified in the report that prompted this scrutiny, the exact methodology used to evaluate their confidentiality claims, and the internal data-sharing agreements these companies maintain have not been fully disclosed through primary public records. Without access to those documents, it is difficult to assess how widespread the problem is or whether certain chatbot providers are worse offenders than others.
The companies behind these chatbots have also not issued detailed public responses to the findings. In the Monument and Cerebral cases, the enforcement process produced consent orders with clear prohibitions on using health data for advertising and requirements to implement stronger privacy safeguards. By contrast, the AI chatbot firms flagged in the latest report have not been publicly named in formal complaints or orders, leaving users with little insight into whether their own conversations were affected or what, if anything, has changed in the tools they rely on.
This lack of transparency creates a gap between regulatory theory and real-world accountability. The FTC’s enforcement model depends heavily on documented misrepresentations in consumer-facing statements. If AI therapy chatbots make vague assurances about “protecting your privacy” without explicitly promising confidentiality, they may avoid the kind of clear-cut deception that underpinned the Monument and Cerebral cases, even if their actual data practices feel like a betrayal to users.
Another unresolved issue is how to treat the blurred line between wellness apps and medical services. Many AI chatbots position themselves as “coaches” or “companions” rather than therapists, even as they encourage users to disclose symptoms of depression, trauma histories, or substance use patterns. That positioning can be a way to sidestep health privacy regulations while still cultivating the trust that comes with clinical language. Regulators have not yet drawn a bright line defining when an AI companion crosses into the territory of a health service that should be held to stricter standards.
What users can do now-and what comes next
For now, people using AI therapy or companion chatbots have limited tools to protect themselves beyond careful reading and skepticism. Privacy policies and terms of service often run to thousands of words and are written in dense legal language, but they remain the primary place where companies disclose how data may be used or shared. Users who see bold promises of confidentiality in marketing materials should check whether those promises are actually reflected in the fine print-and walk away if they are not.
At the same time, the burden cannot realistically rest on individual users to parse complex data practices while in crisis. The FTC’s recent actions suggest that regulators are beginning to treat deceptive privacy claims in mental health technology as a serious harm, not a niche compliance issue. The agency’s inquiry into AI companions could lead to new guidance clarifying how confidentiality promises should be interpreted in this context, or to additional enforcement actions against companies whose practices mirror those of Monument and Cerebral.
Advocates argue that any AI system designed to receive disclosures about self-harm, addiction, or trauma should be held to a higher standard of candor about data use than a typical consumer app. That could mean clearer, plain-language explanations of when conversations may be reviewed by humans, when data may be shared with third parties, and how long records are retained. It could also mean new industry norms-backed by enforcement-around banning the use of such data for targeted advertising altogether.
Until those norms and rules are in place, the confidentiality promises made by AI therapy chatbots will remain fragile. The FTC has shown that it is willing to act when companies cross the line from aspirational marketing into outright deception. Whether that is enough to rebuild trust for people who have already shared their most vulnerable moments with a machine is a question that regulators, companies, and users will be grappling with for years to come.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.