FTC to Scrutinize Commercial Use of Biometric Information Moving Forward
On 18 May 2023, the Federal Trade Commission (FTC) released a policy statement announcing its intention to combat unfair and deceptive acts related to the collection and use of consumers’ biometric information. This comes in the wake of increased use of biometric information technologies in recent years.
WHAT IS BIOMETRIC INFORMATION?
The term “biometric information” refers to “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. It includes depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures.”1 This information can be used to determine characteristics of the individual, ranging from an individual’s age, gender, or ethnicity, all the way to personality traits.
HOW IS IT POTENTIALLY PROBLEMATIC?
Use of biometric information poses a substantial risk of disclosure of personal information, such as one’s healthcare information or religious affiliations. There are also increasing risks of fraud, such as impersonations via “deepfake” video recordings. Per the release, the FTC intends to look closely at a company’s use of biometric technology for:
Deception: including “false of unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information” and “deceptive statements about the collection and use of biometrics information.”2
Unfairness: which includes the use of biometric information that is not sufficiently disclosed to consumers or where “access to essential goods and services is conditioned on providing [such] information.”3
FTC ACT SECTION 5
Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce.”4 Under Section 5, a practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.5 Further, Section 5 requires that a company’s representations, including those about biometric information technologies, be substantiated when made—that is, those making such claims must have a reasonable basis for those claims.6
LIST OF FACTORS
Determining whether a business’s use of biometric information or biometric information technology violates Section 5 of the FTC Act requires a thorough assessment of the business’s practices.7 In making such assessments of compliance, the FTC will take into account factors including, but not limited to, the following:
Failing to assess foreseeable harms to consumers before collecting biometric information. Prior to collecting consumers’ biometric information, or deploying a biometric information technology, businesses should conduct a holistic assessment of the potential risks to consumers associated with the collection or use;8
Failing to promptly address known or foreseeable risks. For instance, if there is evidence that a certain biometric information technology is susceptible to certain types of errors or biases, businesses should take appropriate proactive measures to reduce or eliminate the risk that such errors could lead to consumer injury;
Engaging in surreptitious and unexpected collection or use of biometric information;
Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information;
Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information; and
Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information to ensure that the technologies are functioning as anticipated, that users of the technology are operating it as intended, and that use of the technology is not likely to harm consumers.
WHAT IT MEANS
This announcement by the FTC should prompt all businesses to pause and evaluate any current usage of biometric technologies. As biometric information technologies continue to proliferate online spaces, some business organizations may have failed to address the dark sides of the tools. The FTC’s policy statement is a call for businesses to begin assessing their own practices to ensure that biometric information is being used in a proper manner.
Taylor Listau contributed to this article
1 FTC, Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, May 18, 2023, available at: https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
4 15 U.S.C. § 45(n).
5 See Letter from the FTC to Hon. Wendell Ford & Hon. John Danforth, Ranking Minority Member, S. Comm. on Com., Sci. & Transp., Consumer Subcomm., Comm’n Statement of Pol’y on the Scope of Consumer Unfairness Jurisdiction (Dec. 17, 1980), reprinted in In re Int’l Harvester Co., 104 F.T.C. 949, 1070, 1073 (1984).
6 See, e.g., FTC Policy Statement Regarding Advertising Substantiation, appended to In re Thompson Med. Co., Inc., 104 F.T.C. 648, 839 (1984), aff’d, 791 F.2d 189 (D.C. Cir. 1986).
7 FTC, Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, May 18, 2023, available at: https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
8 See, e.g., Complaint, In re Lenovo, Inc., FTC File No. 1523134 (Dec. 20, 2017) (alleging that respondent’s failure to take reasonable measures to assess and address security risks created by third-party software it installed on laptops it offered to consumers was an unfair practice).A