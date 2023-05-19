













(Reuters) - The U.S. Federal Trade Commission issued a clear warning on Thursday to companies that use facial recognition and other biometric identifiers in their interactions with customers: Think hard about whether you need it and how you use it.

The FTC’s caution came in a new policy statement that reflects what the commission said is “increasingly pervasive” use of technology that culls biometric markers, such as facial features, eye scans, fingerprints and even voice recognition, from consumers. (The FTC noted, as an example of the ubiquity of the technology, the controversial use of facial recognition screening by Madison Square Garden Entertainment Corp, which scans the faces of visitors to its venues to be sure they are not lawyers engaged in litigation against the company.) The agency said it is concerned both about how businesses collect biometric data and how they use the data in interactions with consumers.

Among its fears, the FTC said, is that companies will collect biometric data that reveals sensitive personal information about consumers, such as their attendance at political events or union meetings or their visits to particular healthcare providers. (The commission did not spell it out, but I'm guessing that it was thinking about data harvested from abortion providers, among other things.)

Even if businesses don’t intend for the data to be misused, the agency said, “malicious actors” will undoubtedly try to tap into databases to obtain biometric information that could, for instance, allow them to access consumers’ personal devices or bank accounts.

Consumers, the FTC said, may not even be aware that their biometric data is being harvested or that companies are using it to develop additional products.

“Without clear disclosures and meaningful choices for consumers about the use of biometric information technologies, consumers may have little way to avoid these risks or unintended consequences of these technologies,” the agency said.

The FTC urged companies to weigh those risks carefully against the perceived benefits of relying on biometric data. The commission said in the new policy statement that it is prepared to use its enforcement power against businesses that fail to tell consumers everything about their data collection policies, fail to safeguard the information they’ve collected and fail to assure that the technology is not disproportionately hurting any particular demographic group.

“In some situations, the adoption of a contemplated practice may be unjustifiable,” the FTC said. “If more accurate, less risky alternatives are available, using a technology that is proven to have high error rates may present unjustifiable risk to consumers, even if the technology is more convenient, more efficient, or more profitable for the business.”

So far, the FTC has brought only two cases that involved biometric data privacy. In its 2019 suit accusing Facebook Inc, now known as Meta Platforms Inc, of violating user privacy protections by sharing data with political consultant Cambridge Analytica and other outsider app developers, the FTC also alleged that Facebook had activated facial recognition technology on about 60 million users without obtaining their consent.

Facebook paid $5 billion to settle the FTC’s wide-ranging case. The company later ponied up $650 million in a class action settlement with Illinois users who claimed Facebook had violated their state’s groundbreaking biometric privacy statute.

The FTC's biometric privacy allegations were a bit of a sideshow in the 2019 case against Facebook but were the main event in the agency's 2021 action against photo storage app developer Everalbum Inc.

The FTC claimed the company deceived its users by promising that it would use facial recognition technology only when customers affirmatively consented to activate that feature in order to sort photos and tag friends. According to the FTC, the app in fact excluded only users from a handful of U.S. states and from the European Union when it developed facial recognition algorithms based on photos and videos uploaded by users who had never consented to the technology.

In a settlement finalized in May 2021, the photo app agreed to ditch the algorithms it had developed and to delete content from users who had deactivated their accounts. It also promised that going forward, it would obtain express consent from U.S. customers before using their biometric data.

The new FTC policy paper issued on Thursday suggests that the agency will probe beyond obvious cases in which companies fail to reveal that they’re harvesting data from consumers or that they are surreptitiously using biometric markers to surveil customers. The agency said it plans a “holistic” assessment of businesses’ use of biometric data, taking into account such factors as companies’ analysis of the risk of bias in its use of the data and their establishment of systems to respond when problems arise.

Biometric privacy has already become a big potential pitfall for businesses that rely on facial recognition and other bio markers. In February, the Illinois Supreme Court ruled in Cothron v. White Castle System, Inc that companies can be held liable for each violation of its landmark biometric privacy statute, not just the initial misuse of data from a consumer or employee.

The ruling vastly magnified companies’ exposure to biometric privacy claims, since the Illinois law imposes penalties of $1,000 per violation (and $5,000 for reckless or intentional misuse of data). White Castle, for instance, said plaintiffs’ claims could total more than $15 billion.

Other state and local governments, as the new FTC policy paper notes, have since enacted their own biometric data privacy laws, although I’m not aware of any that have produced the same volume of litigation – or hundred-million-dollar settlements – as the Illinois law.

I doubt the new FTC policy will slow the seemingly unstoppable spread of biometric data collection. But maybe it will push companies to disclose what they are harvesting and how they’re using the information – and to do whatever they can to shield our information from leaking out.

