RegImpact
ftcenforcement · Published 4/15/2026

TruHeight; Analysis of Proposed Consent Order To Aid Public Comment

The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

What this rule actually says

The FTC settled a case against TruHeight (a health/growth app company) for making false claims about its product's effectiveness and misleading people about how their data would be used. The consent order requires the company to have scientific evidence before claiming health benefits, get clear consent before collecting data, and stop deceptive marketing practices. This is an enforcement action—the FTC is saying "here's what we caught, and here's what companies must do to avoid similar penalties."

Who it applies to

  • If you make health/medical claims (your AI medical scribe helps diagnose, your hiring tool "predicts job performance," your wellness chatbot "treats anxiety") — this applies to you, anywhere in the US
  • If you collect personal data without clear upfront consent — this applies to you (health data, employment records, behavioral data are all covered)
  • If you're in the US — FTC enforcement is US-focused, though international founders serving US customers should pay attention
  • If you use testimonials or case studies — you need real evidence backing them up
  • Exempt: Anonymous, aggregated data collection; data collection with explicit, informed consent; claims with legitimate scientific backing

What founders need to do

  1. Audit your marketing claims (2-3 days): Go through your website, pitch deck, and product descriptions. Highlight any health, safety, or efficacy claims. Ask: "Can I prove this with data?" If no, remove it or reword it as opinion/description.
  2. Document your evidence (1 week): If you *do* make claims about your AI's output (accuracy rates, time saved, diagnosis support), compile the studies, internal tests, or benchmarks proving it. The FTC will ask.
  3. Review your consent practices (2-3 days): Check your privacy policy and onboarding flow. Users must clearly understand what data you're collecting and how you'll use it—not buried in 10pt font T&Cs. If you're collecting health or employment data, make the request explicit.
  4. Get a plain-English privacy policy reviewed (3-5 days): Have someone outside your company read it. If they're confused about what data you collect, assume regulators will be too.
  5. Monitor FTC guidance (ongoing): The FTC publishes enforcement actions regularly. Skim them quarterly to see what they're targeting—this TruHeight case signals increased scrutiny of health/medical AI claims.

Bottom line

If you're making health claims or collecting sensitive data without clear consent, act now; otherwise monitor for updates to your category.