On May 18, 2023, the Federal Trade Commission (“FTC”) unanimously adopted its Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act (“Policy Statement”), addressing the increasing use of consumers’ biometric information and the marketing of technologies that use or claim to use it, regarding which the FTC raises significant concerns in the areas of privacy, data security, and the potential for bias and discrimination. The Policy Statement also provides a detailed discussion of the established legal requirements applicable to the use of biometrics, particularly those relating to Section 5 of the FTC Act, and lists examples of the practices the agency will scrutinize in determining whether companies’ use of biometric technologies runs afoul of Section 5.
The Policy Statement does not constitute binding law and does not impose any legal obligations on the FTC or businesses that fall under the agency’s jurisdiction. That said, if the FTC’s enforcement activities that have followed other policy statements in recent history can be used as a guide, companies should consider this a signal of the Commission’s intent to focus future enforcement on the uses of biometric information.
Given the extremely broad definition of biometric information in the Policy Statement, which includes plain photographs, videos, sound recordings, and other information that is excluded from the scope of other legal schemes – including Illinois’ infamous BIPA (the “Biometric Information Privacy Act”) – this guidance is a must-read for most companies. This is true whether your company, directly or through a third party, leverages biometrics in its daily operations, collects and processes what was traditionally considered biometrics-adjacent information, or stores and collects photographs, videos (including CCTV footage), and voice recordings. Companies whose activities fall within the scope of those discussed here should consider updating their internal policies and procedures, external-facing privacy policies, personnel training programs, and internal and third-party risk assessment and remediation programs to account for this guidance.
Definition of “Biometric Information”
The FTC’s definition of “biometric information,” for those familiar with biometrics legislation, jurisprudence, and regulatory schemes, might evoke a visceral reaction or, at the very least, cause one’s jaw to drop. Departing from state privacy laws such as the CCPA and even BIPA, the FTC includes photographs, videos, and audio recordings, and other information expressly excluded from other regulatory schemes, in its definition of biometric information.
The FTC defines biometric information as “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” Under the FTC’s definition, biometric information includes, but is not limited to, “depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern),” as well as “data derived from such depictions, images, descriptions, or recordings, to the extent that would be reasonably possible to identify the person from whose information the data had been derived.” To avoid any doubt, the FTC provides a clarifying example: “By way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.”
This definition is markedly distinct from, and broader than, those in the CCPA and other state privacy laws, which all exclude from their scope photos, videos and sound recordings, with some of them also excluding data generated from photos, videos, and sound recordings. Notably, though, there is some nuance to the definition of biometric information/biometric data across the state privacy laws.
Deception and Unfairness Cases Involving Biometric Information – What the FTC Will Be Looking For
The FTC identifies a number of biometric information practices it will scrutinize when assessing deception and unfairness.
False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of biometric technologies.
Deceptive statements regarding the collection and/or use of biometric information. This includes “false statements regarding the extent to which [businesses] collect or use biometric information or whether or how they implement technologies using biometric information.” In view of the broad definition, companies will need to assess the public statements they have made about the collection and use of biometric information. Because BIPA and other biometrics laws have influenced companies to (rightfully) take the position that they do not collect biometric information and perhaps even state this directly in their privacy policies, following this FTC guidance will require a change in how companies disclose their collection and use of biometric information. Companies will have to draft carefully measured disclosures in order to continue to avoid the risk of being sucked into an unfounded BIPA lawsuit and to address the FTC’s concerns from this Policy Statement.
The FTC asserts in this Policy Statement that “the use of biometric information or biometric information technology may be an unfair practice within the meaning of the FTC Act.” The FTC considers that an act or practice is “unfair” if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” 15 U.S.C. Sec. 45(n). The Commission points to prior examples of enforcement based on unfairness that may be readily applied to biometric information technology and other applications implicating biometric information:
Failing to protect consumers’ personal information using reasonable data security practices;
Engaging in invasive surveillance, tracking, or collection of sensitive personal information that was concealed from consumers or contrary to their expectations;
Implementing privacy-invasive default settings;
Disseminating an inaccurate technology that, if relied on by consumers, could endanger them or others; and
Offering for sale technologies with the potential to cause or facilitate harmful and illegal conduct like covert tracking and failing to take reasonable measures to prevent such conduct.
Here, the Commission states that its assessment of whether a business’ activities constitute an unfair practice will take into account several factors, including, but not limited to, the following:
Failing to assess foreseeable harms to consumers prior to collecting biometric information. The FTC endorses an assessment approach that companies should already have in place to comply with data protection and risk assessment obligations under privacy laws. However, given the breadth of the definition of biometric information adopted by the Commission, most businesses will have to expand the scope of activities which are subject to such assessments.
Failing to promptly address known or foreseeable risks. Risks highlighted here include errors and biases that result from the use of biometric information technology and unauthorized internal access to systems that store biometric information. The FTC highlights “organizational measures, such as policies and procedures to appropriately limit access to biometric information” as steps that can be taken to address such risks.
Engaging in surreptitious and unexpected collection or use of biometric information. The FTC, on multiple occasions in the Policy Statement, points out consumers’ inability to avoid the collection and use of their biometric information and the potential resulting harm. To avoid engaging in unfair treatment of consumers, the FTC encourages clear and conspicuous disclosure of the collection and use of biometric information, as well as mechanisms for accepting and addressing consumer complaints and disputes related to use of biometric information technologies.
Failing to evaluate the practices and capabilities of third parties. This includes affiliates, vendors, and end users, who will be given access to consumers’ biometric information or will be responsible for operating biometric technologies. Companies should already be carrying out such assessments in order to comply with other privacy schemes and, in view of the broad definition adopted by the FTC, should expand the scope of third-party diligence and contracting practices.
Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information.
Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information to ensure that the technologies are functioning as anticipated, that users are operating them as intended, and that the use of the technologies is not likely to harm consumers.
Particularly in the absence of a uniform federal privacy law, the FTC is anticipated to remain focused on biometric information and technologies under Section 5 of the FTC Act. The Policy Statement underscores that the FTC is laying the groundwork to use its Section 5 enforcement authority to take action against companies that develop or utilize biometric technologies in manners that it deems “deceptive” or “unfair.” However, in many regards, the Policy Statement leaves a great deal of ambiguity and uncertainty for even the most well-intentioned companies seeking to avoid regulatory scrutiny.
This development is also occurring amid a broader surge in biometric privacy claims under BIPA as well as other theories of liability. In privacy class actions, the plaintiffs’ bar has been quick to raise claims of negligence or negligence per se based on a defendant’s failure to comply with relevant industry standards (including those issued by the FTC), or otherwise to rely on state consumer protection laws which similarly prohibit “deceptive” and “unfair” practices. As a result, the Policy Statement will have an impact outside of the context of FTC enforcement activity.
The FTC’s recent Policy Statement on Biometric Information strongly indicates the agency’s overall apprehension and distrust as it relates to the use of biometrics, which should serve as a warning to all companies that use biometrics in their commercial operations regarding the likely increase in investigative and enforcement activity by the Commission over the utilization of biometrics moving forward.