The Federal Commerce Fee (“FTC”) has issued a coverage assertion addressing biometric applied sciences in a sign of enforcement actions to come back: It states: “In gentle of the evolving applied sciences and dangers to shoppers, the Fee units out . . . examples of practices it is going to scrutinize in figuring out whether or not firms accumulating and utilizing biometric data or advertising and marketing or utilizing biometric data applied sciences are complying with Part 5 of the FTC Act [unfair or deceptive acts or practices].”

Firms who haven’t been “clocking” the mass wave of biometric privacy-related class motion litigation or the biometric-specific statutes in Illinois, Texas, and Washington, must take heed. Even for these companies who’ve a biometric privateness coverage in place, the FTC made categorical: “Compliance with these [state or city biometric] legal guidelines . .  . is not going to essentially preclude Fee legislation enforcement motion beneath the FTC Act or different statutes.”

What Kind of Info Does the FTC Coverage Assertion Cowl?

The Coverage Assertion defines “biometric data” as:

information that depict or describe bodily, organic, or behavioral traits, traits, or measurements of or referring to an recognized or identifiable individual’s physique. Biometric data contains, however isn’t restricted to, depictions, photos, descriptions, or recordings of a person’s facial options, iris or retina, finger or handprints, voice, genetics, or attribute actions or gestures (e.g., gait or typing sample). Biometric data additionally contains information derived from such depictions, photos, descriptions, or recordings, to the extent that it might be fairly potential to establish the individual from whose data the information had been derived. By the use of instance, each {a photograph} of an individual’s face and a facial recognition template, embedding, faceprint, or different information that encode measurements or traits of the face depicted within the {photograph} represent biometric data.

What Ought to Companies Be Doing within the Wake of the FTC’s Coverage Assertion?

• Implement privateness and information safety measures to make sure that any biometric data collected or maintained is prevented from unauthorized entry;
• Conduct a “holistic evaluation” of potential dangers to shoppers related to the gathering and/or use” of shopper’s biometric data earlier than deploying biometric data expertise;
• Promptly tackle recognized or foreseeable dangers (e. if biometric expertise is susceptible to sure varieties of errors or biases, companies ought to take steps to cut back these errors or biases);
• Disclose the gathering and use of biometric data to shoppers in a transparent, conspicuous, and full method;
• Have a mechanism for accepting and addressing shopper complaints and disputes associated to using biometric data expertise;
• Consider the practices and capabilities of service suppliers and different third that will likely be given entry to shoppers’ biometric data or that will likely be charged with working biometric expertise or processing biometric information. Contractual necessities might not be sufficient; strategic, periodic audits needs to be thought-about. Because the FTC states: “Companies ought to search related assurances and contractual agreements that require third events to take acceptable steps to attenuate dangers to shoppers. They need to additionally transcend contractual measures to supervise third events and guarantee they’re assembly these organizational and technical measures (together with taking steps to make sure entry to obligatory data) to oversee, monitor, or audit third events’ compliance with any necessities”;
• Present acceptable coaching for workers and contractors whose job duties contain interacting with biometric data or biometric expertise; and
• Conduct “ongoing monitoring” of biometric applied sciences used—“to make sure that the applied sciences are functioning as anticipated, that customers of the expertise are working it as meant, and that use of the expertise isn’t more likely to hurt shoppers.”

How Do These Necessities Differ from the Illinois Biometric Info Privateness Act?

The FTC will likely be on the lookout for companies to have collected a “‘holistic evaluation’ of potential dangers to shoppers related to the gathering and/or use” of shopper’s biometric data earlier than deploying biometric data expertise and to conduct “ongoing monitoring” of applied sciences used. These aren’t necessities codified within the Illinois BIPA or some other state or native biometric legislation.

Whereas present biometric and broader shopper privateness statutes require cheap information safety measures, the FTC’s Coverage Assertion suggests companies also needs to have coaching applications concerning using biometric expertise.

Has the FTC Introduced Enforcement Actions Over Biometric Applied sciences?

Sure. In 2021, the FTC settled its motion towards a photograph app developer alleging that the developer deceived shoppers about use of facial recognition expertise and the developer improperly retained photographs and movies of customers who deactivated their accounts. The settlement reached included 20 years of compliance monitoring. The FTC additionally charged a social media firm with eight privacy-related violations, which included allegations of deceptive shoppers a few photo-tagging device that allegedly used facial recognition. That matter settled for $5 billion in 2019.

[View source.]