December 22, 2023

More Than a Ban on Facial Recognition Use: The US FTC’s Rite-Aid Action and Proposed Stipulated Order

Share

As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the FTC’s policy statement guidelines.

On December 19, 2023, the FTC sued Rite-Aid Corporation and its parent company Rite-Aid Headquarters Corporation (together, “Rite-Aid”) in the United States District Court for the Eastern District of Pennsylvania for (1) an unfair Facial Recognition Technology (“FRT”) practice, improperly using FRT that falsely flagged Rite-Aid customers for shoplifting, and (2) failing to implement a comprehensive security program to protect customers’ personal information. The complaint alleges that Rite-Aid’s failure to take reasonable measures that would prevent harm to consumers violated a 2010 consent order (“2010 order”) with the FTC and Section 5 of the FTC Act, 15 U.S.C. §§ 45(a), (n).

The FTC attached a stipulated order to its complaint that, if approved, would not only ban Rite-Aid from using FRT for five years but also require significant modification to Rite-Aid’s existing information security policies.

Background

The FTC filed an administrative complaint on November 12, 2010, against Rite-Aid for failing to implement reasonable and appropriate security measures to prevent unauthorized access to personal information. Rite-Aid later agreed to the 2010 order, which required it to (1) implement and maintain a comprehensive information security program and (2) retain documents relating to its compliance with that provision of the order.

About 10 years later, in 2020, Reuters published an investigative report about Rite-Aid’s use of FRT in its stores. As reported in Rite-Aid’s SEC filings, the FTC opened an investigation that same year into Rite-Aid’s compliance with the 2010 order and followed up in 2022 with information requests related to Rite-Aid’s procedure for ensuring that contracted vendors appropriately safeguard Rite-Aid costumer information.

In the present lawsuit, filed earlier this week, the FTC brings two claims against Rite-Aid under Section 5 of the FTC Act: (1) unfair FRT practices, and (2) failure to implement or maintain a comprehensive information security program as required by the 2010 order.

The Complaint

Unfair FRT Practices

The FTC alleges that between 2012 and 2020, Rite-Aid deployed artificial intelligence-based FRT to identify customers who potentially were shoplifting in its stores. According to the complaint, Rite-Aid maintained an enrollment database of images (along with other personal information) of people who it considered “persons of interest” because they had allegedly engaged in actual or attempted criminal activity at a Rite-Aid store or because Rite-Aid had received “Be On the Look Out” information about the individual from law enforcement. The FRT captured live images of individual shoppers in Rite-Aid stores and purported to match them with images from the enrollment database. If there was a match, the FRT would generate and send employees “match alerts” with instructions for handling the suspected shoplifter. The complaint faults Rite-Aid for allegedly failing to:

  • assess, consider, or take reasonable steps to mitigate risks to consumers associated with its implementation of FRT, including risks associated with misidentification of consumers at higher rates depending on their race or gender;
  • take reasonable steps to prevent its FRT from using low-quality images, increasing the likelihood of false-positive match alerts;
  • reasonable steps to train or oversee employees tasked with operating FRT and interpreting and acting on match alerts; and
  • take reasonable steps, after deploying FRT, to regularly monitor or test the accuracy of the technology, including by failing to implement any procedure for tracking the rate of false positive facial recognition matches or actions taken on the basis of false positive facial recognition matches.

The FTC concluded that Rite-Aid’s alleged conduct caused harm to consumers by (i) surveilling and following store customers around Rite-Aid stores, (ii) preventing store customers from making needed or desired purchases (in the event employees were instructed to remove the consumer from the store), (iii) subjecting consumers to unwarranted searches and calling the police on consumers who were falsely flagged as shoplifters, and (iv) wrongly accusing store customers of shoplifting.

Unsurprisingly, the FTC’s conclusions regarding Rite-Aid’s alleged FRT practices appear to be based on the unfairness factors set forth in its May 2023 policy statement.

Failure to Implement or Maintain a Comprehensive Information Security Program

After addressing Rite-Aid’s alleged improper use of FRT, the FTC then found Rite-Aid’s existing information security program deficient because it failed to:

  • use reasonable steps for selecting and retaining capable service providers that appropriately safeguarded personal information;
  • require that service providers, by contract, implement and maintain appropriate safeguards for personal information; and
  • maintain written records relating to Rite-Aid’s information security program.

The FTC concluded that Rite-Aid’s conduct violated the 2010 order and that its violation is likely to cause substantial consumer injury.

The Stipulated Order

To settle the case, Rite-Aid agreed to comply with comprehensive information security policy mandates and ongoing reporting to the FTC. Rite-Aid is not required to pay a monetary fine. Among other things, the order requires Rite-Aid to:

  • refrain from using FRT for five years;
  • delete biometric information collected by FRT;
  • provide notice to third-parties of the FTC’s complaint and order and require that these third-parties delete biometric information received from Rite-Aid;
  • provide the FTC with a list of all third-parties that received any of the following information from Rite-Aid : a first and last name; a home or physical address; an email address or other online contact information, such as an instant messaging user identifier or a screen name; a mobile or other telephone number; a driver’s license or other government-issued identification number; a date of birth; geolocation information sufficient to identify street name and name of a city or town; bank account information or credit or debit card information (including a partial credit or debit card number with more than five digits); a user identifier, or other persistent identifier that can be used to recognize a user over time and across different devices, websites, or online services; user account credentials, such as a login name and password (whether plain text, encrypted, hashed, and/or salted); biometric information; or health information;
  • implement a comprehensive protocol for assessment, collection, maintenance, testing, retention, and safeguarding biometric information (if Rite-Aid intends to use a non-FRT biometric security system not subject to the five-year ban);
  • disclose the use of any non-FRT biometric security system to consumers in Rite-Aid stores via “clear and conspicuous” physical signs, and on each website, mobile app, or online service that collects biometric information;
  • disclose to consumers the specific types of biometric information collected, outputs generated by any non-FRT biometric security system, purposes for collecting biometric information, and timeframe for deletion of each type of biometric information;
  • implement a comprehensive information security program;
  • retain a third-party assessor to periodically assess Rite-Aid’s security program;
  • report data breaches of over 500 individuals to the FTC within 72 hours of Rite-Aid’s reasonable belief of unauthorized access to covered information;
  • implement mandatory recordkeeping of Rite-Aid’s revenue/sales; personnel records; consumer complaints; records related to compliance with the FTC’s order; materials relied on for the mandatory system assessment; material different representations of Rite-Aid’s privacy, security, availability, confidentiality, and integrity of any covered information; copies of the third-party assessor’s report; subpoenas from law enforcement related to the FTC’s order; and records showing lack of compliance with the FTC’s orders;
  • submit an annual certification of compliance with the FTC’s order.

What Does This Mean for My Business?

The Rite-Aid enforcement action confirms the conclusion from our prior Legal Update: the FTC’s May 2023 policy statement reflects a broad set of guidelines for companies that collect or use biometric information, and non-compliance may result in the FTC filing suit under Section 5 of the FTC Act. Accordingly, companies operating in the United States should consider reviewing their biometric information collection practices, employee training for handling biometric information, and contracts with vendors that process biometric information for compliance with the FTC’s policy statement.

Related Services & Industries

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe