The Federal Trade Commission has unanimously adopted a new policy statement warning that the increasing use of consumers’ biometric information and related technologies, including those powered by machine learning, raises significant consumer privacy and data security concerns and the potential for discrimination. The policy statement suggests the FTC will take a broad view of data that is “biometric” and signals the FTC’s intent to make aggressive use of its authority under Section 5 of the FTC Act to address unfair or deceptive acts and practices relating to the collection and use of such information and the marketing and use of biometric information technologies. Significantly, the statement also makes clear that compliance with state or city biometrics laws will not necessarily preclude FTC enforcement action.
The FTC identifies acts and practices, detailed below, that should be avoided and those that should be implemented and emphasizes that—particularly in view of rapid changes in technological capabilities and uses—businesses must continually assess the potential consumer injury that could result from their use of biometric information or technologies. Considering the policy statement, companies should evaluate their processing of biometric information to steer clear of problematic practices, including by assessing their security measures, disclosures, efficacy of the use of biometric information, employee training, vendor diligence, and ongoing consideration of consumer harms.
What information does the policy statement cover?
Notably, the policy statement broadly defines “biometric information” beyond the definitions used in state and local biometric laws. The definition generally covers “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” It “includes, but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern).” (emphasis added). And it also includes “data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived.” The policy statement explains that “[b]y way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.”
What risks and harms is the statement intended to address?
The statement highlights the FTC’s concerns about the increasing risks that the advancement and proliferation of biometric information technologies present to consumers, businesses, and society. It observes that biometric technology (such as “deepfake” audio and video recordings) can be used to commit fraud and to defame or harass; that large databases of biometric information are likely to be attractive targets for malicious actors; and that uses of biometric information or technology can pose significant risks to consumers—for instance, by identifying individuals in particular locations and thereby revealing sensitive personal information about them, such as their access to particular forms of healthcare, attendance of religious services, or participation in political meetings. The statement also notes that some technologies using biometric information, such as facial recognition technology, may perform differently across different demographic groups in ways that facilitate or produce discriminatory outcomes.
What kinds of acts and practices will the FTC target for enforcement action?
The policy statement includes a non-exhaustive list of the kinds of deceptive and unfair practices that could violate Section 5, such as false or unsubstantiated marketing claims and/or deceptive statements related to the use of biometric information. The FTC also outlines affirmative measures that companies using biometric information must implement to avoid harms to consumers, such evaluating practices of third parties with access to biometric information and conducting ongoing monitoring of technologies that use biometric information to ensure they are functioning as anticipated.
The policy statement adds that a practice need not be equally likely to harm all consumers to be considered unfair and, therefore, determining what practices are reasonable requires considering the perspective of any population of consumers that is particularly at risk of those harms.
What steps should companies take to ensure compliance?
The policy statement emphasizes that compliance with the FTC Act requires a “holistic” approach including the adoption of security measures that protect biometric information from unauthorized access and disclosure and review of privacy notices and marketing to confirm the accuracy of disclosures about the collection and use of biometric information and the efficacy of any products or services that use such information. Companies also should ensure that employees and contractors who interact with biometric information or technologies are adequately trained and that contracts with third parties who have access to biometric information have appropriate restrictions and obligations to minimize risks to consumers.
Overall, the statement makes clear that the FTC is focused on protecting the use of consumers’ biometric information and that companies using such information should carefully evaluate their compliance practices.