FTC Issues Policy Statement on Biometric Information, Signaling a New Enforcement Priority
At the Federal Trade Commission’s (FTC or Commission) May 2023 Open Commission Meeting, the FTC voted unanimously to approve a Policy Statement on Biometric Information and Section 5 of the FTC Act (the Policy Statement). The Policy Statement reveals a growing skepticism towards biometric technologies from the Commission “with respect to consumer privacy, data security, and the potential for bias and discrimination.” It builds on previous enforcement actions involving biometric information, but also describes new and relatively prescriptive steps that the agency expects companies to take when collecting and using biometric data.
Overall, the Statement should be read as an indication of what the Commission will look for in investigations of biometric data-related practices and as a roadmap for companies in evaluating their own biometric data practices. Further, the Statement is a preview of considerations that will likely inform the FTC’s ongoing privacy rulemaking.
The Policy Statement Builds on Previous Enforcement Actions
The Policy Statement explains that the FTC has been monitoring and evaluating biometric technology for “over a decade,” beginning with the “Face Facts: A Forum on Facial Recognition Technology” workshop in 2011.[1] The Policy Statement notes that since 2012, facial recognition technologies “have made significant advances,” and that the Commission has brought enforcement actions alleging that companies misrepresented their use of facial recognition technology.
In Everalbum, for example, the FTC alleged that the company violated Section 5 of the FTC Act by misrepresenting (1) users’ ability to control the Everalbum app’s face recognition feature, and (2) the deletion of users’ photos upon account deletion. According to the FTC’s complaint in that action, Everalbum automatically activated its facial recognition feature, and the feature could not be turned off. The Commission also argued that Everalbum failed to honor commitments to consumers that the company would delete photos and videos of users who deactivated their accounts.
The Policy Statement Uses an Expansive Definition of Biometrics
The Policy Statement adopts a broad definition of the term “biometric information.” Specifically, the Policy Statement defines “biometric information” as including “depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures.” The definition also encompasses “depictions, images, descriptions, or recordings” that make it reasonably possible “to identify the person from whose information the data had been derived.”[2] The Policy Statement provides an example of this, noting that both a photograph of a person’s face and “a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face” constitute biometric information. This definition therefore applies not just to data points such as particular facial characteristics or retina scans, but also to photos and voice recordings.
The Policy Statement Identifies Several Perceived Harms Associated with Biometric Information Collection and Use
The Policy Statement enumerates a number of potential societal harms resulting from the use of biometric information technology, including the production of counterfeit videos or voice recordings (“deepfakes”) that facilitate fraud or defamation, heightened risks of data breaches due to the existence of large repositories of biometric information, and the disclosure of sensitive information about a consumer’s health care, attendance at religious services, or attendance at political events or union meetings.
Separately, the Policy Statement observes that certain biometric technologies, such as facial recognition technology, can perform differently across demographic groups. According to the Policy Statement, for example, this can lead to higher false positives for women than men, and for elderly people and children, as compared to middle-aged adults. The FTC states that both false positives and false negatives are particularly harmful when biometric technologies are used to determine when consumers can “receive important benefits and opportunities” or are subject to penalties or other less desirable outcomes. For example, the Policy Statement notes that a false positive “may result in individuals being falsely accused of crimes, subjected to searches or questioning, or denied access to physical premises.”
The Policy Statement Itemizes Potentially Deceptive or Unfair Practices Related to the Use of Biometric Information Technologies
Deceptive Practices. The Policy Statement notes that as with other types of technology, “false or unsubstantiated marketing claims” that relate to the accuracy, bias, and reliability of biometric information technologies can constitute deceptive practices under Section 5 of the FTC Act. Specifically, the Commission cautions that companies making these claims must “have a reasonable basis” for their claims that is based on their validity and accuracy across various populations through testing using real-world conditions. Additionally, the Policy Statement warns companies against making blanket claims that biometric information technologies will deliver particular results or outcomes.
Deceptive Statements About Collection and Use of Biometric Information. The Policy Statement also notes that false or misleading statements “about the collection and use of biometric information” and “failing to disclose any material information needed to make a representation non-misleading” constitute violations of Section 5 of the FTC Act.
Unfairness Factors. The Policy Statement also enumerates factors that the Commission will consider when investigating whether a company’s use of biometric information technologies is an unfair practice under Section 5 of the FTC Act. The Statement’s discussion of these factors signals that the FTC expects companies dealing with biometric information to adopt particular kinds of practices going forward. The Policy Statement’s factors are:
- Whether the company has conducted a holistic assessment of the relevant benefits and harms of deploying biometric information technology before doing so. According to the Policy Statement, the results of testing “should be evaluated in light of how well the testing environment mirrors real world implementation and use,” including the context for deployment.
- Whether the company promptly addressed known or foreseeable risks, such as adopting policies and procedures to limit organizational access to biometric information, or timely software and hardware updates to relevant information systems.
- Whether the company engages in “surreptitious and unexpected” collection and/or use of biometric information. The Policy Statement indicates that the FTC will consider whether there was a clear and conspicuous disclosure about the collection and use of the biometric information of consumers, and that consumer injuries are compounded if companies do not have a mechanism for accepting and addressing complaints.
- Whether the company conducts third-party oversight of affiliates, vendors, and end users who will be given access to consumer biometric information.
- Whether the company provides appropriate training for employees and contractors handling biometric information and/or biometric information technologies.
- Whether the company conducts ongoing monitoring of biometric information technologies “to ensure that the technologies are functioning as anticipated, that users of the technology are operating it as intended, and that use of the technology is not likely to harm consumers.”
The FTC Is Likely to Remain Focused on Biometric Information Technologies from Both an Enforcement and a Rulemaking Perspective
The Policy Statement clearly signals an increased enforcement environment in the area of biometrics, which also may inform the Commission’s ongoing “Commercial Surveillance and Data Security” rulemaking following the Advance Notice of Proposed Rulemaking (ANPR) released this past fall (we summarized the Commission’s ANPR here). In the Commercial Surveillance and Data Security ANPR, the FTC asked several questions about the collection and use of biometric information by companies.[3] In the ANPR, the Commission also asked the public whether the agency should limit the use of “facial recognition, fingerprinting, or other biometric technologies. . .”[4]
Accordingly, companies that collect, use, or process “biometric information” should carefully review the Policy Statement and consider whether additional steps need to be taken to address the FTC’s latest guidance.
[1] FTC, Face Facts: A Forum on Facial Recognition Technology (Dec. 8, 2011), https://www.ftc.gov/newsevents/events/2011/12/face-facts-forum-facial-recognition-technology.
[2] Note that the Everalbum Consent Order defined “biometric information” to similarly cover “data that depicts or describes the physical or biological traits of an identified or identifiable person, including depictions (including images), descriptions, recordings, or copies of an individual’s facial or other physical features (e.g., iris/retina scans), finger or handprints, voice, genetics, or characteristic movements or gestures.” In re Everalbum, Inc., also d/b/a Ever and Paravision, a corporation, Decision, Docket No. C-4743, at 2 (May 6, 2021) (“Everalbum Consent Order”).
[3] Trade Regulation Rule on Commercial Surveillance and Data Security, Advance Notice of Proposed Rulemaking, 87 Fed. Reg. 51273, 51283, ¶¶ 37-38 (Aug. 22, 2022).
[4] Id. ¶ 38.