The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies in a signal of enforcement actions to come: It states: “In light of the evolving technologies and dangers to customers, the Commission sets out . . . examples of practices it will scrutinize in figuring out regardless of whether firms collecting and making use of biometric info or advertising or making use of biometric info technologies are complying with Section five of the FTC Act [unfair or deceptive acts or practices].”
What Kind of Info Does the FTC Policy Statement Cover?
The Policy Statement defines “biometric information” as:
information that depict or describe physical, biological, or behavioral traits, qualities, or measurements of or relating to an identified or identifiable person’s physique. Biometric info consists of, but is not restricted to, depictions, photos, descriptions, or recordings of an individual’s facial options, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric info also consists of information derived from such depictions, photos, descriptions, or recordings, to the extent that it would be reasonably feasible to determine the individual from whose info the information had been derived. By way of instance, each a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encode measurements or qualities of the face depicted in the photograph constitute biometric info.
What Must Corporations Be Performing in the Wake of the FTC’s Policy Statement?
- Implement privacy and information safety measures to make sure that any biometric info collected or maintained is prevented from unauthorized access
- Conduct a “holistic assessment” of prospective dangers to customers connected with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies
- Promptly address identified or foreseeable dangers (e. if biometric technologies is prone to specific sorts of errors or biases, firms really should take actions to lessen these errors or biases)
- Disclose the collection and use of biometric info to customers in a clear, conspicuous, and total manner
- Have a mechanism for accepting and addressing customer complaints and disputes associated to the use of biometric info technologies
- Evaluate the practices and capabilities of service providers and other third that will be provided access to consumers’ biometric info or that will be charged with operating biometric technologies or processing biometric information. Contractual needs could not be sufficient strategic, periodic audits really should be thought of. As the FTC states: “Businesses really should seek relevant assurances and contractual agreements that demand third parties to take suitable actions to reduce dangers to customers. They really should also go beyond contractual measures to oversee third parties and make sure they are meeting these organizational and technical measures (such as taking actions to make sure access to vital info) to supervise, monitor, or audit third parties’ compliance with any requirements”
- Offer suitable coaching for staff and contractors whose job duties involve interacting with biometric info or biometric technologies and
- Conduct “ongoing monitoring” of biometric technologies used—“to make sure that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm customers.”
How Do These Needs Differ from the Illinois Biometric Info Privacy Act?
The FTC will be hunting for firms to have collected a “‘holistic assessment’ of prospective dangers to customers connected with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies and to conduct “ongoing monitoring” of technologies made use of. These are not needs codified in the Illinois BIPA or any other state or nearby biometric law.
Even though current biometric and broader customer privacy statutes demand affordable information safety measures, the FTC’s Policy Statement suggests firms really should also have coaching applications with regards to the use of biometric technologies.
Has the FTC Brought Enforcement Actions More than Biometric Technologies?
Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived customers about use of facial recognition technologies and the developer improperly retained images and videos of customers who deactivated their accounts. The settlement reached integrated 20 years of compliance monitoring. The FTC also charged a social media enterprise with eight privacy-associated violations, which integrated allegations of misleading customers about a photo-tagging tool that allegedly made use of facial recognition. That matter settled for $five billion in 2019.