Practical guidance for minimizing FTC liability exposure when using facial biometrics
By David J. Oberly, attorney at Blank Rome, LLP.
Still today, no regulation governing the use of facial recognition technology exists at the federal level. Instead, the facial biometrics legal landscape entails primarily a patchwork of state and local laws impacting only a small fraction of businesses that utilize this form of biometrics for commercial purposes. Consequently, many companies continue to operate under the assumption that there is no need to maintain any type of biometric privacy compliance program when using facial recognition software.
Businesses that operate in this fashion do so at their peril. This is because doing so leaves them extremely vulnerable to the expansive liability exposure presented by the Federal Trade Commission (“FTC”), which has set its sights on aggressively policing facial recognition for the foreseeable future.
As such, all companies that have implemented facial biometrics into their business operations—even those that are not governed by any biometric privacy regulation at this juncture—are well advised to take proactive steps and build out their biometric privacy compliance programs to minimize the risk of becoming the next target of an FTC enforcement action. More than that, taking action now will also position companies to minimize their biometric privacy liability exposure moving forward—as targeted facial biometrics laws will inevitably become the norm, and not the exception, sooner rather than later.
History of the Federal Trade Commission
The FTC has held the spot as the chief federal agency on privacy and data protection enforcement since the 1970s, when it began enforcing one of the nation’s first federal privacy laws—the Fair Credit Reporting Act. Since then, rapid changes in technology have raised new privacy and security challenges, but the FTC’s overall approach has remained the same: using law enforcement to protect consumers’ sensitive personal data.
Generally speaking, the FTC pursues privacy and security enforcement actions against organizations for violations of consumers’ privacy rights or misleading or deceptive statements relating to the security of consumers’ sensitive data. Many of these enforcement actions are pursued through causes of action asserted under Section 5 of the Federal Trade Commission Act of 1914 (“FTC Act”), which is extremely broad in scope—barring “unfair and deceptive acts and practices in or affecting commerce.” The Commission also enforces other federal laws relating to consumer privacy and security.
The FTC’s new focus: policing improper facial recognition practices
Taking note of the mounting reliance on—and occasional abuse of—facial biometrics, the FTC has made aggressively policing the misuse of facial recognition a top priority for the foreseeable future—significantly raising the liability risks associated with this increasingly popular form of biometrics.
In early 2021, the FTC settled its first enforcement action specifically targeting improper facial recognition practices with photo developer Everalbum, Inc. The enforcement action was a watershed event in the area of facial biometrics—demonstrating the wide liability exposure that exists for companies utilizing facial biometrics that extends well beyond today’s patchwork of various biometric privacy statutes and ordinances. More than that, in announcing the settlement, the FTC also offered an unequivocal warning that policing facial recognition technology will remain one of the Commission’s top priorities for the foreseeable future.
Shortly after the Everalbum settlement, the FTC’s then-acting chair, Rebecca Kelly Slaughter, removed any doubt as to the Commission’s intentions, promising that the FTC would “redouble” its efforts to identify violations in the area of facial recognition privacy and security moving forward.
President Joe Biden’s recent nomination of Alvaro Bedoya to the FTC may further influence the Commission’s focus on policing facial biometrics in the event he is confirmed as the agency’s newest Commissioner by the U.S. Senate (which is considered likely at this time). Bedoya is an expert in facial recognition and is known for his role in co-authoring a 2016 study that is credited with the implementation of a number of state and local laws limiting the use of facial recognition by police and other parts of the public sector.
In testimony given during his confirmation hearing in late 2021, Bedoya advocated for increased FTC scrutiny over facial biometrics, noting its reputation for misuse and abuse. Bedoya did, however, indicate his support for the use of facial recognition software for certain purposes, including identity verification, so long as it is used in a transparent fashion and with informed consent.
Taken together, it is clear that companies must ensure they maintain compliance programs to adequately mitigate the significant liability risk presented by the FTC’s newfound interest in policing facial recognition.
Practical guidance & best practices
In terms of actionable steps to mitigate the risks posed by the FTC in connection with the use of facial biometrics, companies should first ensure that they incorporate the principles articulated in the detailed guidance issued by the FTC on this issue.
The FTC guidance, “Facing the Facts: Best Practices for Common Uses of Facial Recognition Technologies,” draws upon three core privacy and security principles—privacy-by-design, simplified consumer choice, and transparency—and recommends that companies adhere to the following protocols when using facial biometrics:
- Design and implement services that utilize facial biometrics with consumer privacy as a top priority.
- Develop sound methods for determining when to keep facial template data and when to dispose of it.
- Implement a specified retention period and permanently dispose of facial template data once it is no longer necessary for the purpose for which such data was collected.
- Provide meaningful, individualized notice at or before the time facial template data is collected.
- Obtain advance, affirmative consent from individuals before their facial template data is collected.
- If a company subsequently intends to use facial template data in a manner that is materially different than what was represented at the time of collection, obtain affirmative express consent prior to such use.
- Implement reasonable data security measures to prevent unauthorized access to stored template data, as well as to protect against the compromise of systems, networks, and devices that could allow for access to facial template data in real time.
Beyond adhering to the guidance offered by the FTC, businesses should also consider implementing the following additional compliance measures where feasible:
- Complete pre-deployment testing of facial recognition software to ensure its effectiveness and accuracy prior to its use in real-time situations.
- Permit individuals to opt out of the collection of their facial template data.
- Maintain an explicit policy strictly barring the use of facial recognition by all employees and vendors/contractors for discriminatory purposes.
- Consult with experienced biometric privacy counsel to ensure compliance with today’s constantly evolving biometric privacy legal landscape.
With all signs pointing to the FTC aggressively pursuing enforcement actions against companies found to be engaging in improper facial recognition practices, it is imperative that all businesses operating in the U.S. and utilizing facial biometrics devote the necessary time, effort, and resources to mitigate the substantial liability exposure risks posed by the FTC.
At the same time, implementing a facial recognition-focused compliance program now will give companies a head start on mitigating the liability risks that will become far more expansive in the near future, as it is only a matter of time before targeted facial biometrics laws reach other parts of the country and become a ubiquitous part of the biometric privacy legal landscape.
About the author
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy, Security & Data Protection, and Privacy Class Action Litigation groups. David’s practice encompasses both counseling and advising clients on a wide range of biometric privacy, privacy, and data protection matters, as well as defending clients in high-stakes, high-exposure biometric privacy, consumer privacy, and data breach class action litigation. He can be reached at email@example.com.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.