On May 18, the Federal Trade Commission (FTC) published a policy statement identifying practices that it will scrutinize in evaluating whether a business's use of biometric information technology constitutes an unfair or deceptive practice under the FTC Act, 15 U.S.C. § 45 (Section 5). The FTC issued the statement in response to the proliferation of biometric information technologies, which the FTC believes raises "significant concerns with respect to consumer privacy, data security, and the potential for bias and discrimination."
While FTC policy statements do not themselves carry the force of law, they do set out the Commission's interpretation of what type of business conduct may violate Section 5 (which prohibits both "deceptive" and "unfair" acts and practices in commerce) and other laws and regulations. This latest action follows closely on the heels of a joint statement released by the FTC and three other federal agencies about enforcement efforts against discrimination and bias in artificial intelligence. Taken together, the FTC is signaling strongly that: (1) its Section 5 authority is sufficiently broad and flexible to address rapidly evolving technologies such as AI and other forms of machine learning, and (2) its consumer protection mandate reaches conduct that has potential bias, discrimination, and civil rights impacts.
The FTC policy statement defines "biometric information" as data and data derivatives that "depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person's body." "Biometric information technologies" are defined as "all technologies that use or purport to use biometric information for any purpose."
Notably, the FTC's definition of "biometric information," which includes physical descriptions of an "identified or identifiable" person, is even more broad than that provided under the Illinois Biometric Information Privacy Act (BIPA). BIPA, by contrast, distinguishes between a "biometric identifier," defined to explicitly include things like palm scans and exclude physical descriptions, and derivative "biometric information" that by definition must be "used to identify an individual." 740 ICLS 14/10.
The FTC's policy statement devotes particular attention to the risks of facial recognition technology, which "may perform differently across different demographic groups in ways that facilitate or produce discriminatory outcomes," provide the source material for "deep fakes," and generate repositories of data that are attractive to malicious actors. In relying on biometric information technologies, the FTC warns that "[b]usinesses should not conclude without evidence that the involvement of a human operator is sufficient to mitigate risks to consumers."
Broadly speaking, the FTC policy statement questions whether consumers and businesses benefit from the proliferation of biometric technologies and advocates for greater transparency and accuracy of disclosures related to these technologies. The FTC's two-pronged approach focuses on preventing both deception regarding the use and functionality of these technologies and potential unfairness to consumers resulting from generating and retaining this data.
In the policy statement, the FTC affirms its "holistic" approach to assessing potential violations under Section 5 and states that it will "draw on applicable lessons that can be derived from its past work—including, but not limited to, in privacy and data security matters." Factors the FTC will consider include whether a business failed to "assess foreseeable harms to consumers before collecting biometric information" and failed to take steps to prevent misuse of or unauthorized access to biometric information. Consistent with its previous law enforcement actions involving alleged data security breaches, the FTC expects businesses to evaluate the practices of their third party vendors with access to consumers' biometric information or that operate biometric information technologies, to seek "assurances and contractual agreements that require third parties to take appropriate steps to minimize risks to consumers," and to ensure vendors "are meeting those requirements and not putting consumers at risk."
Applying this approach, the FTC highlighted the following potentially actionable deceptive and/or unfair practices regarding the marketing, collection, and use of biometric information and related technologies:
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information
- Deceptive statements about the collection and use of biometric information
- Failing to assess foreseeable harms to consumers before collecting biometric information
- Failing to promptly address known or foreseeable risks
- Engaging in surreptitious and unexpected collection or use of biometric information
- Failing to evaluate the practices and capabilities of third parties
- Failing to provide appropriate training for employees and contractors
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information
The FTC also encourages businesses to evaluate their practices "from the perspective of any population of consumers that is particularly at risk for those harms."
In light of the FTC's renewed commitment to prosecuting unfair and deceptive practices in connection with use of biometric information technologies, businesses should rigorously assess the purposes, necessity, and potential consumer impact of biometric information technologies before implementing them. With this policy statement, the FTC sends a warning shot that it intends to participate in the already active regulatory and litigation environment related to biometric information. The European Union, United Kingdom, and several states have data privacy laws that require businesses to notify and/or secure consumers' consent before collecting biometric information. Illinois, in particular, has been a hotbed of litigation activity under BIPA, which authorizes private rights of action and statutory damages of $1,000-$5,000 dollars for each violation of its notice and consent requirements related to collection and disclosure of biometric information.
The FTC's policy statement explicitly states that it does not preempt federal, state, or local laws, and – perhaps more tellingly – further warns that "[c]ompliance with those laws ... will not necessarily preclude Commission law enforcement action." Thus, to the extent that the FTC's interpretation of its Section 5 authority relating to biometric technologies conflicts with or is broader than other state, federal, and international laws, businesses may be subject to an inconsistent patchwork of requirements.
The bottom line: the FTC's policy statement underscores that the scrutiny of biometric information and their application is only likely to increase, creating significant potential exposure for the businesses that use and rely upon these biometric technologies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.