The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies, a signal of enforcement actions to come. It states: “In light of the evolving technologies and dangers to shoppers, the Commission sets out . . . examples of practices it will scrutinize in figuring out whether or not businesses collecting and applying biometric details or marketing and advertising or applying biometric details technologies are complying with Section 5 of the FTC Act [unfair or deceptive acts or practices].”
What Kind of Information Does the FTC Policy Statement Cover?
The Policy Statement defines “biometric information” as:
information that depicts or describes physical, biological, or behavioral traits or measurements of or relating to an identified or identifiable person’s physique. Biometric details contains, but is not restricted to, depictions, pictures, descriptions, or recordings of an individual’s facial capabilities, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric details also contains information derived from such depictions, pictures, descriptions, or recordings, to the extent that it would be reasonably doable to recognize the particular person from whose details the information had been derived. By way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encodes measurements or traits of the face depicted in the photograph constitute biometric details.
What Should Companies Be Doing in the Wake of the FTC’s Policy Statement?
- Implement privacy and data security measures to ensure that any biometric information collected or maintained is protected from unauthorized access
- Conduct a “‘holistic assessment’ of prospective dangers to shoppers linked with the collection and/or use” of consumers’ biometric information before deploying biometric information technologies
- Promptly address identified or foreseeable risks (e.g., if biometric technology is prone to specific types of errors or biases, companies should take steps to reduce those errors or biases)
- Disclose the collection and use of biometric information to consumers in a clear, conspicuous, and complete manner
- Have a mechanism for accepting and addressing consumer complaints and disputes related to the use of biometric information technologies
- Evaluate the practices and capabilities of service providers and other third parties that will be given access to consumers’ biometric information or that will be charged with operating biometric technologies or processing biometric information. Contractual requirements may not be sufficient; strategic, periodic audits should be considered. As the FTC states: “Businesses really should seek relevant assurances and contractual agreements that call for third parties to take proper measures to decrease dangers to shoppers. They really should also go beyond contractual measures to oversee third parties and make certain they are meeting these organizational and technical measures (such as taking measures to make certain access to required details) to supervise, monitor, or audit third parties’ compliance with any requirements.”
- Provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or biometric technologies; and
- Conduct “ongoing monitoring” of biometric technologies used—“to make certain that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm shoppers.”
How Do These Requirements Differ from the Illinois Biometric Information Privacy Act?
The FTC will be looking for companies to have conducted a “‘holistic assessment’ of prospective dangers to shoppers linked with the collection and/or use” of consumers’ biometric information before deploying biometric information technologies and to conduct “ongoing monitoring” of the technologies used. These are not requirements codified in the Illinois BIPA or any other state or local biometric law.
Though existing biometric and broader consumer privacy statutes require reasonable data security measures, the FTC’s Policy Statement suggests companies should also have training programs relating to the use of biometric technologies.
Has the FTC Brought Enforcement Actions Over Biometric Technologies?
Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived consumers about the use of facial recognition technology and improperly retained photos and videos of users who deactivated their accounts. The settlement included 20 years of compliance monitoring. The FTC also charged a social media company with eight privacy-related violations, which included allegations of misleading consumers about a photo-tagging tool that allegedly used facial recognition. That matter settled for $5 billion in 2019.