As Emelia asked in Act V of Comedy of Errors, do “mine eyes deceive me?” Sorry to get all Shakespearean, but our eyes (and face, fingerprints, etc.) can reveal a lot of information about us – data that can be misused in deceptive or unfair ways. The FTC just issued a Policy Statement on Biometric Information and Section 5 of the 鶹ý Trade Commission Act and it’s a must-read for businesses.
The increasing use of consumers’ biometric information – and the marketing of technologies that use it or claim to use it – raises significant concerns about data security, privacy, and the potential for bias and discrimination. This isn’t a new issue for the FTC. We’ve been looking at the consumer protection implications of biometric data for more than a decade – for example, at the FTC’s Face Facts: A Forum on Facial Recognition Technology and in the report, Facing Facts: Best Practices For Common Uses of Facial Recognition Technologies. More recently, the FTC has brought enforcement actions against photo app maker Everalbum and Facebook, charging they misrepresented their uses of facial recognition technology.
During this time, some biometric information technologies have made significant advances. NIST found that between 2014 and 2018, facial recognition had become 20 times better at finding a matching photo in a database. Many of these technologies have also become a lot less expensive to use. So it’s no surprise that the use of these technologies is showing up everywhere from retail stores to arenas.
But as rapidly as the technologies and risks are evolving, important guiderails remain in place to protect consumers: the FTC Act’s prohibitions on unfair or deceptive practices. The Policy Statement demonstrates how established legal requirements apply and lists examples of practices the agency will look at in determining whether a company’s use of biometric information or biometric information technology could violate the FTC Act.
You’ll want to read the Policy Statement for the full story, but on the deception side of Section 5, companies shouldn’t make “false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information.” What’s more, “deceptive statements about the collection and use of biometric information” could be actionable, too.
Turning to unfairness, the Policy Statement includes factors the Commission will consider in assessing whether a use of biometric information is potentially unfair:
- failing to assess foreseeable harms to consumers before collecting biometric information;
- failing to promptly address known or foreseeable risks;
- engaging in surreptitious and unexpected collection or use of biometric information;
- failing to evaluate the practices and capabilities of third parties who will have access to consumers’ biometric information;
- failing to provide appropriate training for employees and contractors whose duties involve interacting with biometric information; and
- failing to conduct ongoing monitoring of a business’ technologies that use biometric information to ensure they’re functioning as anticipated and they’re not likely to harm consumers.
There’s no need to read between the lines to discern the FTC’s message to your company and clients. As the Policy Statement makes clear:
The Commission wishes to emphasize that – particularly in view of rapid changes in technological capabilities and uses – businesses should continually assess whether their use of biometric information or biometric information technologies causes or is likely to cause consumer injury in a manner that violates Section 5 of the FTC Act. If so, businesses must cease such practices, whether or not the practices are specifically addressed in this statement.