On February 15, 2024, the Federal Trade Commission (FTC) finalized its Government and Business Impersonation Rule (the Impersonation Rule, available here) prohibiting fraudulent impersonation of governments, businesses and their officers. The Impersonation Rule is the latest indicator that the FTC will continue its aggressive rulemaking agenda in the wake of AMG Capital, in which the Supreme Court held that Section 13(b) of the FTC Act does not authorize the commission to obtain equitable monetary relief.
The Impersonation Rule would classify as an unfair or deceptive act or practice:
- “materially and falsely pos[ing] as, directly or by implication,” a government entity or business; and
- “materially misrepresent[ing], directly or by implication, affiliation with, including endorsement or sponsorship by,” a government entity or business.
Notably, the Impersonation Rule specifies that the prohibited conduct must be “material” and “in or affecting commerce.” The FTC explained that these limitations, which were not included in the language of the proposed rule, “make it abundantly clear that the scope of the final regulatory text is coterminous with the scope of the FTC’s authority under the FTC Act” and clarify that “false impersonations or misrepresentations that are not material to a commercial transaction, such as impersonation in purely artistic or recreational costumery . . . are not covered by the final rule.”
Supplemental Notice of Proposed Rulemaking
On the same day, the FTC issued a Supplemental Notice of Proposed Rulemaking (SNPR) requesting public comment on a proposed amendment to the Impersonation Rule. The proposed amendment would prohibit the impersonation of individuals, not just government entities and businesses, and create third-party liability for companies that know or have reason to know their technology is being used to defraud consumers through impersonation.
In the press release announcing the SNPR, the FTC stated that emerging technology, such as artificial intelligence (AI)-generated deepfakes, “threatens to turbocharge” impersonation fraud. In the same press release, FTC Chair Lina Khan said, “Fraudsters are using AI tools to impersonate individuals with eerie precision and at a much wider scale. With voice cloning and other AI-driven scams on the rise, protecting Americans from impersonator fraud is more critical than ever.” Expanding the Impersonation Rule to prohibit impersonation of individuals other than government entities and businesses would allow the FTC to target fraudsters perpetuating romance and other familial scams.
In addition, if adopted as written, the proposed amendment would impose third-party liability on companies that provide the “means and instrumentalities” for impersonation fraud. Khan, joined by Commissioners Rebecca Slaughter and Alvaro Bedoya, issued a statement concerning the proposed amendment, explaining:
Notably, the supplemental proposal also recommends extending liability to any actor that provides the “means and instrumentalities” to commit an impersonation scam. Under this approach, liability would apply, for example, to a developer who knew or should have known that their AI software tool designed to generate deepfakes of IRS officials would be used by scammers to deceive people about whether they paid their taxes. Ensuring that the upstream actors best positioned to halt unlawful use of their tools are not shielded from liability will help align responsibility with capability and control.
Extending liability to target the platforms used to generate the deceptive content, rather than the individuals perpetrating the fraud, would have significant ramifications. While the FTC appears to focus on AI, the language of the SNPR would create third-party liability for the developers of any instrumentality that could be used to perpetrate a fraud, despite the instrumentality’s otherwise lawful, legitimate uses. If a bad actor uses a cell phone to contact a victim and AI software to impersonate a family member to induce the victim into transferring money or sending a gift card, should the phone service provider, AI developer and money transfer service be liable for the actions of the fraudster? According to the FTC, they could be if they knew such misuse is possible. In effect, the SNPR makes the developer or provider of any product or service that could be used to facilitate a fraud into insurers against third-party misconduct.
The FTC contends that the proposed amendment “would not impose new burdens on honest individuals or businesses,” but note how the FTC interprets the comparable “substantial assistance” liability in the Telemarketing Sales Rule (TSR) in its recently filed complaint against a large retailer. The FTC alleges that the company provided “substantial assistance” in connection with telemarketing scams by providing money transfer services to persons engaged in telemarketing fraud because, according to the FTC, the company “knew about the role money transfer services play in scams and frauds” yet “turned a blind eye.” So, the “[c]ommission is holding [the company] accountable for letting fraudsters fleece its customers.”
If the FTC’s theory of liability for third parties that provide the “means and instrumentalities” to commit impersonation fraud is as broad as its theory of third-party liability under the TSR, AI platforms and software developers may be left footing the bill for the actions of fraudsters that use their products.
The FTC’s SNPR includes a set of targeted questions for consideration by public commenters, including whether the Impersonation Rule should “contain [the] prohibition against providing goods or services with knowledge or reason to know that those goods or services will be used to unlawfully impersonate a government, business, or individual?” As regulators shift their focus to perceived dangers of AI and other emerging technologies, stakeholders should engage early and constructively in these rulemaking processes to ensure the resulting regulatory framework allows for continued innovation. The text of the FTC’s SNPR, titled “Proposed Amendments to Trade Regulation Rule on Impersonation of Government and Businesses,” can be found here, and comments are due 60 days after the date of publication in the Federal Register.