The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies as a signal of future enforcement actions: “In light of evolving technologies and dangers to buyers, the Commission is setting . . . examples of practices they will examine when figuring out regardless of whether providers that gather and use biometric information and facts or advertising or use biometric information and facts technologies comply with Section five of the FTC Act [unfair or deceptive acts or practices].”
Providers that have not “followed” the enormous wave of biometric privacy class-action lawsuits or the biometrics-distinct statutes in Illinois, Texas, and Washington want to take note. Even for these providers that have biometric privacy policies in location, the FTC stated, “Complying with these [state or city biometric] Laws. . . will not necessarily preclude Commission enforcement actions beneath the FTC Act or other statutes.”
What sort of information and facts does the FTC’s policy statement cover?
The policy statement defines “biometric information and facts” as:
information describing or describing physical, biological or behavioral traits, qualities or measures of or relating to the physique of an identified or recognizable individual. Biometric information and facts consists of, but is not restricted to, pictures, pictures, descriptions, or recordings of a person’s facial functions, iris or retina, fingerprints or handprints, voice, genetics, or characteristic movements or gestures (eg, gait or typing pattern). Biometric information and facts also consists of information derived from such displays, pictures, descriptions or recordings, to the extent that it would be reasonably attainable to recognize the person from whose information and facts the information is derived. For instance, each a photograph of a person’s face and a facial recognition template, embedding, facial print, or other information that encodes the measurements or qualities of the face depicted in the photograph constitute biometric information and facts.
What must companies do soon after the FTC’s policy statement?
- Implement information privacy and safety measures to make sure that all biometric information and facts collected or maintained is protected against unauthorized access
- Conduct a “holistic assessment” of the possible dangers to buyers related with the collection and/or use of consumers’ biometric information and facts prior to the implementation of biometric information and facts technologies
- Address identified or foreseeable dangers quickly (e. if biometric technologies is prone to specific varieties of errors or biases, companies must take actions to lower these errors or biases)
- Disclose the collection and use of biometric information and facts to buyers in a clear, conspicuous and total manner
- Have a mechanism for accepting and resolving customer complaints and disputes associated to the use of biometric information and facts technologies
- Assess the practices and capabilities of service providers and other third parties who will be offered access to the biometric information and facts of buyers or who will be in charge of the operation of biometric technologies or the processing of biometric information. Contractual specifications might not be adequate strategic, periodic testimonials must be viewed as. As the FTC states: “Businesses must seek relevant assurances and contractual agreements that demand third parties to take suitable actions to reduce dangers to buyers. They must also go beyond contractual measures to monitor third parties and make sure that they meet these organizational and technical measures (such as taking actions to make sure access to needed information and facts) to monitor, monitor or audit third parties’ compliance with any requirements”
- Present suitable coaching for staff and contractors whose job duties involve interaction with biometric information and facts or biometric technologies and
- Conduct “ongoing monitoring” of the biometric technologies utilised – “to make sure that the technologies are operating as intended, that customers of the technologies are making use of the technologies as intended, and that the use of the technologies is not most likely to harm buyers.”
How do these specifications differ from the Illinois Biometric Privacy Act?
The FTC will demand providers to conduct a “holistic assessment” of the possible dangers to buyers related with the collection and/or use” of consumers’ biometric information and facts just before implementing biometric information and facts technologies and to conduct “ongoing monitoring” of the technologies utilised. These are not specifications codified in the Illinois BIPA or any other state or nearby biometric law.
Even though current biometric and broader customer privacy statutes demand affordable information safety measures, the FTC’s policy statement suggests that companies must also have coaching applications associated to the use of biometric technologies.
Has the FTC taken action to enforce biometric technologies?
Yes. In 2021, the FTC settled a lawsuit against the developer of a photo app alleging that the developer misled buyers about its use of facial recognition technologies and that the developer improperly retained images and videos of customers who deactivated their accounts. The settlement reached involved 20 years of compliance monitoring. The FTC also charged the social media firm with eight privacy violations, such as allegations of misleading buyers about a photo tagging tool that allegedly utilised facial recognition. That problem was settled for $five billion in 2019.