FTC Policy Statement to Biometric Facts and Technologies | Bryan Cave Leighton Paisner
The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies in a signal of enforcement actions to come: It states: “In light of the evolving technologies and dangers to buyers, the Commission sets out . . . examples of practices it will scrutinize in figuring out no matter whether firms collecting and working with biometric info or advertising and marketing or working with biometric info technologies are complying with Section five of the FTC Act [unfair or deceptive acts or practices].”
What Form of Facts Does the FTC Policy Statement Cover?
The Policy Statement defines “biometric information” as:
information that depict or describe physical, biological, or behavioral traits, qualities, or measurements of or relating to an identified or identifiable person’s physique. Biometric info consists of, but is not restricted to, depictions, photos, descriptions, or recordings of an individual’s facial capabilities, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric info also consists of information derived from such depictions, photos, descriptions, or recordings, to the extent that it would be reasonably doable to recognize the individual from whose info the information had been derived. By way of instance, each a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encode measurements or qualities of the face depicted in the photograph constitute biometric info.
What Must Companies Be Performing in the Wake of the FTC’s Policy Statement?
- Implement privacy and information safety measures to make certain that any biometric info collected or maintained is prevented from unauthorized access
- Conduct a “holistic assessment” of prospective dangers to buyers linked with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies
- Promptly address identified or foreseeable dangers (e. if biometric technologies is prone to particular kinds of errors or biases, organizations must take actions to minimize these errors or biases)
- Disclose the collection and use of biometric info to buyers in a clear, conspicuous, and comprehensive manner
- Have a mechanism for accepting and addressing customer complaints and disputes associated to the use of biometric info technologies
- Evaluate the practices and capabilities of service providers and other third that will be provided access to consumers’ biometric info or that will be charged with operating biometric technologies or processing biometric information. Contractual specifications could not be sufficient strategic, periodic audits must be viewed as. As the FTC states: “Businesses must seek relevant assurances and contractual agreements that demand third parties to take acceptable actions to decrease dangers to buyers. They must also go beyond contractual measures to oversee third parties and make certain they are meeting these organizational and technical measures (such as taking actions to make certain access to vital info) to supervise, monitor, or audit third parties’ compliance with any requirements”
- Give acceptable education for workers and contractors whose job duties involve interacting with biometric info or biometric technologies and
- Conduct “ongoing monitoring” of biometric technologies used—“to make certain that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm buyers.”
How Do These Needs Differ from the Illinois Biometric Facts Privacy Act?
The FTC will be hunting for organizations to have collected a “‘holistic assessment’ of prospective dangers to buyers linked with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies and to conduct “ongoing monitoring” of technologies applied. These are not specifications codified in the Illinois BIPA or any other state or neighborhood biometric law.
Even though current biometric and broader customer privacy statutes demand affordable information safety measures, the FTC’s Policy Statement suggests organizations must also have education applications with regards to the use of biometric technologies.
Has the FTC Brought Enforcement Actions More than Biometric Technologies?
Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived buyers about use of facial recognition technologies and the developer improperly retained photographs and videos of customers who deactivated their accounts. The settlement reached incorporated 20 years of compliance monitoring. The FTC also charged a social media firm with eight privacy-associated violations, which incorporated allegations of misleading buyers about a photo-tagging tool that allegedly applied facial recognition. That matter settled for $five billion in 2019.
One thought on “FTC Policy Statement to Biometric Facts and Technologies | Bryan Cave Leighton Paisner”