FTC Settles Facial Recognition Data Misuse Allegations with App Developer
The proliferation of mobile devices and digital media allows consumers to take, post, and store more photos and videos than ever before. Since 2015, app developer Everalbum has operated the mobile app, Ever, which offers a means for users to store photos and videos on the company’s cloud servers. Everalbum told users they could deactivate their accounts at any time and the company would delete their images. According to a complaint from the Federal Trade Commission (FTC), however, despite assurances to the contrary, the company retained users’ photos and videos after they deactivated their accounts. In addition, Everalbum did more with users’ photos and videos than store them; it used them to create facial recognition technology without permission. The FTC alleged that these practices constituted unfair or deceptive acts or practices, in violation of Section 5(a) of the FTC Act.
Everalbum launched a feature called “Friends” that uses facial recognition technology to tag people in group photos. The app sent pop-up messages to Ever users in Texas, Illinois, Washington, and the European Union – jurisdictions with biometric laws in place – and provided an option to use facial recognition. For users who did not affirmatively consent, Everalbum disabled the “Friends” facial recognition feature. Users in other jurisdictions had no way to disable the facial recognition tool, which was activated by default.
Everalbum also assured users that it would delete their images if they deactivated their accounts. But according to the FTC, until at least October 2019, the company failed to do so. In addition, between September 2017 and August 2019, Everalbum allegedly combined the photos and videos it retained with millions of photos obtained from public sources and used the resulting datasets to develop facial recognition services, which it sold to its business customers and used to develop the Ever app.
Under the terms of the proposed agreement containing consent order with the FTC, Everalbum must delete (1) all photos and videos of Ever customers who deactivated their accounts, (2) all data developed from images of Ever users who did not consent to use of their images for facial recognition purposes, and (3) any facial recognition models or algorithms developed from Ever users’ photos or videos without explicit consent.
The Commission voted 5-0 to issue the proposed administrative complaint and accept the consent agreement. Commissioner Rohit Chopra issued a separate statement in which he voiced concerns over the use of facial recognition technology, believing it to be “fundamentally flawed.” He stressed the importance of state biometric laws, noting that “Everalbum took greater care when it came to these individuals in these states. The company’s deception targeted Americans who live in states with no specific state law protections. With the tsunami of data being collected on individuals, we need all hands on deck to keep these companies in check.”
The Everalbum settlement signals that the FTC is keeping close watch on how companies that use biometric technology handle consumer data.