US states closely watching federal rule changes on biometrics
Amazon lost two notable biometrics arguments with a U.S. regulator this week, but they are miniscule compared to analyses that a new federal policy could enforce the most restrictive protections for privacy nationwide.
The last two biometrics cases decided before the Federal Trade Commission changed its privacy-policing guidelines involved Amazon’s Ring and Alexa biometric-recognition products. Amazon paid a combined $31 million to settle two allegations of unfair or deceptive business practices.
A judge must sign off on settlement and remediation recommendations.
The FTC sued the retail and infrastructure company for what commissioners say was unfair or deceptive in business practices involving face and voice identifiers. In particular, Alexa allegedly was recording children’s voices and geolocation data via Echo speakers, which are marketed for use by children.
In the case or Ring doorbells, commissioners alleged that Amazon employees and those of a Ukrainian contractor had unfettered download rights to Ring owners’ video feeds until 2017.
That news, however, is a point on a timeline. The new FTC policy, which could end up making the state of Illinois’ Biometric Information Privacy Act could become a de facto national standard.
BIPA requires companies doing business with Illinois residents to get express consent before gathering any biometric identifiers and telling customers how the data will be managed. [See Biometric Update coverage on BIPA’s growing influence.]
The impact of the law is large, especially for employers who have collected biometrics from all employees when they clock in and out of work, sometimes over years. Courts have interpreted the law to mean every violating collection can be illegal and subject to fine.
The FTC’s update of Section 5 of its charter is unrealistic and vague, according to an analysis of the law by a trio of lawyers from the law firm Faegre Drinker Biddle & Reath in trade publication Law360.
This is a larger problem than it might appear, according to the article. States today either require officials to hew to FTC policies or they do so out of practicality. In the absence of clarity about the meaning of unfairness in biometrics, states may go with the most conservative approaches and that is BIPA.
Following publication of this article Amazon provided the following statement to Biometric Update via email:
“At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.
We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.
Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.”