• Tue. May 30th, 2023

FTC Policy Statement to Biometric Information and facts and Technologies | Bryan Cave Leighton Paisner


May 27, 2023

The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies in a signal of enforcement actions to come: It states: “In light of the evolving technologies and dangers to shoppers, the Commission sets out . . . examples of practices it will scrutinize in figuring out irrespective of whether organizations collecting and applying biometric data or advertising and marketing or applying biometric data technologies are complying with Section five of the FTC Act [unfair or deceptive acts or practices].”

Businesses who have not been “clocking” the mass wave of biometric privacy-connected class action litigation or the biometric-certain statutes in Illinois, Texas, and Washington, will need to take heed. Even for these organizations who have a biometric privacy policy in location, the FTC produced express: “Compliance with these [state or city biometric] laws . .  . will not necessarily preclude Commission law enforcement action beneath the FTC Act or other statutes.”

What Sort of Information and facts Does the FTC Policy Statement Cover?

The Policy Statement defines “biometric information” as:

information that depict or describe physical, biological, or behavioral traits, traits, or measurements of or relating to an identified or identifiable person’s physique. Biometric data contains, but is not restricted to, depictions, pictures, descriptions, or recordings of an individual’s facial options, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric data also contains information derived from such depictions, pictures, descriptions, or recordings, to the extent that it would be reasonably attainable to determine the individual from whose data the information had been derived. By way of instance, each a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encode measurements or traits of the face depicted in the photograph constitute biometric data.

What Must Enterprises Be Undertaking in the Wake of the FTC’s Policy Statement?

  • Implement privacy and information safety measures to make certain that any biometric data collected or maintained is prevented from unauthorized access
  • Conduct a “holistic assessment” of possible dangers to shoppers related with the collection and/or use” of consumer’s biometric data ahead of deploying biometric data technologies
  • Promptly address recognized or foreseeable dangers (e. if biometric technologies is prone to specific forms of errors or biases, organizations should really take methods to lessen these errors or biases)
  • Disclose the collection and use of biometric data to shoppers in a clear, conspicuous, and comprehensive manner
  • Have a mechanism for accepting and addressing customer complaints and disputes connected to the use of biometric data technologies
  • Evaluate the practices and capabilities of service providers and other third that will be offered access to consumers’ biometric data or that will be charged with operating biometric technologies or processing biometric information. Contractual needs might not be sufficient strategic, periodic audits should really be thought of. As the FTC states: “Businesses should really seek relevant assurances and contractual agreements that demand third parties to take proper methods to reduce dangers to shoppers. They should really also go beyond contractual measures to oversee third parties and make certain they are meeting these organizational and technical measures (such as taking methods to make certain access to essential data) to supervise, monitor, or audit third parties’ compliance with any requirements”
  • Deliver proper education for workers and contractors whose job duties involve interacting with biometric data or biometric technologies and
  • Conduct “ongoing monitoring” of biometric technologies used—“to make certain that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm shoppers.”

How Do These Specifications Differ from the Illinois Biometric Information and facts Privacy Act?

The FTC will be hunting for organizations to have collected a “‘holistic assessment’ of possible dangers to shoppers related with the collection and/or use” of consumer’s biometric data ahead of deploying biometric data technologies and to conduct “ongoing monitoring” of technologies employed. These are not needs codified in the Illinois BIPA or any other state or neighborhood biometric law.

Whilst current biometric and broader customer privacy statutes demand affordable information safety measures, the FTC’s Policy Statement suggests organizations should really also have education applications relating to the use of biometric technologies.

Has the FTC Brought Enforcement Actions More than Biometric Technologies?

Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived shoppers about use of facial recognition technologies and the developer improperly retained pictures and videos of customers who deactivated their accounts. The settlement reached integrated 20 years of compliance monitoring. The FTC also charged a social media firm with eight privacy-connected violations, which integrated allegations of misleading shoppers about a photo-tagging tool that allegedly employed facial recognition. That matter settled for $five billion in 2019.

[View source.]