The Federal Trade Commission (“FTC” ) recently settled claims against Everalbum, Inc. (“Everalbum”) alleging that the photo storage app deceived consumers about both its use of facial recognition technology and its data retention practices.
Everalbum represented in the Help section of its website that it would not apply facial recognition technology to users’ content unless they affirmatively chose to activate it. However, except for in Illinois, Texas, Washington, and the European Union, the technology was automatically activated and could not be turned off. Everalbum used facial recognition in a feature allowing users to group their photos by the faces of those who appeared in them and to “tag” those people by name. Upon its launch, the feature allegedly was enabled by default for all mobile app users. In addition, Everalbum extracted millions of facial images from users’ photos, combining them with those obtained from publicly available datasets to create datasets for development of its facial recognition technology. The datasets helped both to provide app features and to develop facial recognition services sold to Everalbum’s enterprise customers. Notably, the company neither shared images extracted from users’ photos, nor users’ photos, videos, or personal information with those customers.
Everalbum also allegedly deceived consumers about its retention of photos and videos from deactivated user accounts, stating that it would delete the photos and videos of users who deactivated their accounts. Instead, until at least fall 2019, Everalbum failed to do so and retained such data indefinitely.
Under the proposed settlement, Everalbum must: (i) obtain consumers’ express consent before using facial recognition technology on their photos and videos; and (ii) delete deactivated users’ photos and videos, any facial recognition models and algorithms derived from user content, and all data reflecting facial features useable for facial recognition purposes that Everalbum derived from the users who did not give their express consent to such use.
Key Takeaways
This settlement reiterates the importance of being transparent and accurate with users about company data collection, use, and retention policies, particularly with respect to sensitive data categories such as biometric data.
It also signals that the FTC intends to scrutinize the use of consumers’ biometrics, particularly where companies are collecting or profiting off of biometric data without consumers’ knowledge or consent. This effort reinforces that traditional FTC deception and unfairness authorities apply to new technologies like facial recognition, and thus, companies must pay careful attention to providing notice and acting in a manner consistent with such notice.
An interesting statement by FTC Commissioner Rohit Chopra also addresses the issue of federal preemption of state privacy laws. According to Chopra, Everalbum’s unequal treatment of users outside of Illinois, Texas, Washington, and the EU highlights the importance of allowing states to continue to set high bars to protect their consumers, restricting the use of “fundamentally flawed” and potentially harmful facial recognition technology. He wrote that “broad federal preemption would severely undercut this multifront approach and leave more consumers less protected.”
In fact, a bill recently introduced in the New York State Assembly would require private entities in possession of biometric information to develop a written policy establishing a retention schedule and guidelines for permanent deletion of such data. Companies would need to delete the data upon either the satisfaction of the original purpose for which it was collected, or within three years of the consumer’s last interaction with the private entity, whichever occurs first. Significantly, this New York bill includes a private right of action, like Illinois’ Biometric Information Privacy Act.
In light of the growing potential for state biometric privacy laws, along with the FTC’s clear displeasure for differential treatment of users in this space, companies should consider developing a robust, universal policy for handling biometric data.