The Federal Trade Commission (“FTC”) issued a policy statement targeting biometric technologies, a signal of upcoming enforcement actions. It stated: “In light of evolving technologies and the risks to consumers, the Commission sets forth . . . examples of practices it will scrutinize to determine whether companies collecting and using biometric information or marketing or using biometric information technology are complying with Section 5 of the FTC Act [unfair or deceptive acts or practices].”
What type of information does the FTC’s Policy Statement cover?
The policy statement defines “biometric information” as:
data that depicts or describes physical, biological or behavioral traits, characteristics or measurements of or relating to an identified or identifiable body of a person. Biometric information includes, but is not limited to, images, descriptions or recordings of facial features, iris or retina, fingerprints or handprints, voice, genetics or characteristic movements or gestures (e.g., gait or writing pattern) of the individual. Biometric information also includes data derived from such images, descriptions or records to the extent that it would be reasonably possible to identify the individual from whose information the data is derived. As an example, both a photograph of a person’s face and a facial recognition template, embedding, facial print, or other data that encodes measurements or characteristics of the person depicted in the photograph constitute biometric information.
What should businesses do after the FTC’s policy statement?
- Implement data privacy and security measures to ensure that any biometric information collected or maintained is prevented from unauthorized access;
- Conduct a “comprehensive assessment” of the potential risks to users associated with the collection and/or use of user biometric information before implementing biometric information technology;
- Immediately address known or foreseeable risks (e.g., if biometric technology is prone to certain types of errors or biases, businesses must take steps to reduce those errors or biases);
- Disclose the collection and use of users’ biometric information in a clear, conspicuous and complete manner;
- Have a mechanism for receiving and considering consumer complaints and disputes related to the use of biometric information technologies;
- Evaluate the practices and capabilities of service providers and other third parties who will gain access to users’ biometric information or who will be tasked with working with biometric technology or processing biometric data. Contractual requirements may not be sufficient; strategic, periodic audits should be considered. As the FTC states: “Businesses should seek appropriate warranties and contractual agreements that require third parties to take appropriate steps to minimize risks to consumers. They must also go beyond contractual measures to monitor third parties and ensure that they implement these organizational and technical measures (including taking steps to ensure access to necessary information) to monitor or audit third party compliance with any requirements”;
- Provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or biometric technology; and
- Conduct “ongoing monitoring” of biometric technologies in use, “to ensure that the technologies are working as expected, that the users of the technology are using it as intended, and that the use of the technology is not likely to harm users”.
How do these requirements differ from the Illinois Biometric Privacy Act?
The FTC will look for companies that have conducted a “comprehensive assessment” of the potential risks to consumers associated with the collection and/or use of consumer biometric information before implementing biometric information technology, and that conduct “ongoing monitoring” of the technologies in use. These are not requirements codified in Illinois BIPA or any other state or local biometric law.
Although existing biometric and broader consumer privacy statutes require reasonable data security measures, the FTC’s Policy Statement suggests that businesses should also have training programs regarding the use of biometric technologies.
Has the Federal Trade Commission (FTC) taken enforcement action against biometric technology?
Yes. In 2021, the FTC settled its lawsuit against a photo app developer, alleging that the developer had misled users about its use of facial recognition technology and that the developer had wrongfully retained photos and videos of users who had deactivated their accounts. The agreement reached includes 20 years of compliance monitoring. The FTC also charged a social media company with eight privacy-related violations that included claims it misled users about a photo tagging tool that allegedly used facial recognition. That matter settled for $5 billion in 2019.