The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies in a signal of enforcement actions to come: It states: “In light of the evolving technologies and dangers to buyers, the Commission sets out . . . examples of practices it will scrutinize in figuring out irrespective of whether providers collecting and employing biometric data or advertising or employing biometric data technologies are complying with Section five of the FTC Act [unfair or deceptive acts or practices].”
What Kind of Details Does the FTC Policy Statement Cover?
The Policy Statement defines “biometric information” as:
information that depict or describe physical, biological, or behavioral traits, qualities, or measurements of or relating to an identified or identifiable person’s physique. Biometric data contains, but is not restricted to, depictions, pictures, descriptions, or recordings of an individual’s facial attributes, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric data also contains information derived from such depictions, pictures, descriptions, or recordings, to the extent that it would be reasonably attainable to recognize the particular person from whose data the information had been derived. By way of instance, each a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encode measurements or qualities of the face depicted in the photograph constitute biometric data.
What Ought to Corporations Be Undertaking in the Wake of the FTC’s Policy Statement?
- Implement privacy and information safety measures to make certain that any biometric data collected or maintained is prevented from unauthorized access
- Conduct a “holistic assessment” of prospective dangers to buyers related with the collection and/or use” of consumer’s biometric data ahead of deploying biometric data technologies
- Promptly address identified or foreseeable dangers (e. if biometric technologies is prone to particular kinds of errors or biases, corporations must take measures to minimize these errors or biases)
- Disclose the collection and use of biometric data to buyers in a clear, conspicuous, and comprehensive manner
- Have a mechanism for accepting and addressing customer complaints and disputes associated to the use of biometric data technologies
- Evaluate the practices and capabilities of service providers and other third that will be offered access to consumers’ biometric data or that will be charged with operating biometric technologies or processing biometric information. Contractual needs may possibly not be sufficient strategic, periodic audits must be deemed. As the FTC states: “Businesses must seek relevant assurances and contractual agreements that call for third parties to take acceptable measures to reduce dangers to buyers. They must also go beyond contractual measures to oversee third parties and make certain they are meeting these organizational and technical measures (such as taking measures to make certain access to required data) to supervise, monitor, or audit third parties’ compliance with any requirements”
- Supply acceptable education for staff and contractors whose job duties involve interacting with biometric data or biometric technologies and
- Conduct “ongoing monitoring” of biometric technologies used—“to make certain that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm buyers.”
How Do These Needs Differ from the Illinois Biometric Details Privacy Act?
The FTC will be hunting for corporations to have collected a “‘holistic assessment’ of prospective dangers to buyers related with the collection and/or use” of consumer’s biometric data ahead of deploying biometric data technologies and to conduct “ongoing monitoring” of technologies utilized. These are not needs codified in the Illinois BIPA or any other state or regional biometric law.
Even though current biometric and broader customer privacy statutes call for affordable information safety measures, the FTC’s Policy Statement suggests corporations must also have education applications with regards to the use of biometric technologies.
Has the FTC Brought Enforcement Actions More than Biometric Technologies?
Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived buyers about use of facial recognition technologies and the developer improperly retained images and videos of customers who deactivated their accounts. The settlement reached integrated 20 years of compliance monitoring. The FTC also charged a social media corporation with eight privacy-associated violations, which integrated allegations of misleading buyers about a photo-tagging tool that allegedly utilized facial recognition. That matter settled for $five billion in 2019.