The Upshot, for Busy People
- On May 18, 2023, the Federal Trade Commission (“FTC”) issued a policy statement warning companies of the ways that collecting and using biometric information, or using biometric information technologies, might amount to an unfair or deceptive practice in violation of Section 5 of the FTC Act.
- The policy statement identified several potentially deceptive practices: false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information; and deceptive statements about the collection and use of biometric information.
- The policy statement also identified several unfair practices that, while not deceptive, might nonetheless violate Section 5, including failing to assess foreseeable harms prior to collection; not addressing known or foreseeable risks; surreptitious collection or use; diligence failures on third-party partners; and failing to provide appropriate training.
- Although the policy statement purports to represent merely the FTC’s views under existing law, companies that collect or use biometric information should take this enforcement statement, alongside the FTC’s other privacy-related endeavors, as a sign that the FTC is laser-focused in this area.
A Background on the FTC and Data Privacy
It is no secret that the FTC has been active in using Section 5 of the FTC Act to investigate and penalize data privacy-related consumer protection violations. Lacking an overarching federal privacy statute, the FTC has cobbled together its privacy enforcement program from various statutes with related subject matter—the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, among others—and has largely relied on its overarching authority to prohibit unfair and deceptive acts or practices.
But the FTC had been staying relatively quiet on biometric information-related sectors and technology. More than a decade ago, the FTC hosted a public workshop, “Face Facts: A Forum on Facial Recognition Technology,” and published a report titled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies.” It has also brought only two enforcement actions relating to the use of biometric information: one in 2019 and another in 2021.
The Policy Statement on Biometric Information
Released on May 18, 2023, the policy statement’s opening paragraph notes an increasing use of consumer biometric information and related marketing of technologies, along with rising concerns about consumer privacy, data security, and the potential for bias from biometric-related technology. To combat these concerns, the FTC’s policy statement provides “guidance” on how it intends to enforce Section 5 vis-à-vis companies’ use of biometric-related technology.
Defining Biometric Information
The FTC’s policy statement defines “biometric information” as data “that depict[s] or describe[s] physical, biological, or behavioural traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” The definition “includes . . . depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern) . . . [and] data derived from such depictions, images, descriptions, or recordings[.]” The FTC also refers to “biometric technologies” as all technologies using, or purporting to use, biometric technology for any purpose—expanding its reach beyond technology only used to identify individuals.
This is a significant expansion of what constitutes biometric information. The National Science and Technology Council, for example, has defined “biometrics” as “a measurable biological (anatomical and physiological) and behavioral characteristic that can be used for automated recognition.” And, indeed, various state biometric and privacy law definitions are even narrower. For example, Illinois and Texas biometric privacy statutes define a “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Washington’s biometric privacy statute defines a “biometric identifier” as “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics.”
The California Consumer Privacy Act, later amended by the California Privacy Rights Act, defines “biometric information” to include “an individual’s physiological, biological or behavioural characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA) . . . imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings.” And Connecticut, Virginia, and Utah consumer privacy statutes similarly define “biometric data” as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics.”
Risks Associated with the Collection and Use of Biometric Information
The FTC’s policy statement also identifies “increasing risks” to consumers associated with the rise in use of biometric-related technology. In the fraud context, such risks include malicious actors (i) producing “deepfakes,” i.e., counterfeit videos or voice recordings that impersonate individuals and (ii) stealing biometric data from large biometric databases to access devices, facilities, or other data.
In the data privacy context, the FTC also noted that “using biometric information technologies to identify consumers in certain locations could reveal sensitive personal information about them.” According to the FTC, without clear and meaningful disclosures about a business’s use of this technology, “consumers may have little way to avoid these risks or unintended consequences of these technologies.” And, finally, the FTC identifies the risk that biometric technologies “such as facial recognition technology, may perform differently across different demographic groups in ways that facilitate or produce discriminatory outcomes.”
In other words, according to the FTC’s policy statement, the above-mentioned risks fall well within the FTC’s authority to determine that a business practice is unfair.
Outline of Deceptive and Unfair Practices Relating to the Use and Collection of Biometric Data
The FTC’s policy statement identifies several examples of deceptive and unfair practices:
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information. The FTC cautions that it “intends to carefully scrutinize [a company’s] claims about these technologies,” and any false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information constitute a deceptive practice. These aspects will appear at least somewhat familiar to in-house counsel accustomed to advertising substantiation in other areas related to product marketing.
- Deceptive statements about the collection and use of biometric information. The FTC will deem any false or misleading statements about the collection and use of biometric information deceptive acts. This includes failing to disclose material information needed to make a representation non-misleading and “half-truths.”
- Failing to assess foreseeable harms to consumers before collecting biometric information. To determine liability, the FTC will also consider whether a company, before deployment of biometric technology, “conduct[s] a holistic assessment of the potential risks to consumers associated with the collection and/or use.” These assessments “should take into account the context in which the collection or use will take place and . . . [whether] the specific biometric information technologies to be used have been tested by the business or a third party.” After testing, companies “should not conclude without evidence that the involvement of a human operator is sufficient to mitigate risks to consumers.”
- Failing to promptly address known or foreseeable risks. The FTC warns that such a failure includes “failing to identify and implement readily available tools for reducing or eliminating risks.” Companies, according to the policy statement, should “timely update relevant systems, including both software components like algorithms and hardware components that are used to capture, process, or store biometric information[.]”
- Engaging in surreptitious and unexpected collection or use of biometric information. In addition to a company’s failing to properly notify consumers of its use of biometric information, the FTC warned that a company’s “use of biometric information or biometric information technology to surreptitiously identify or track a consumer . . . that exposes the consumer to risks such as stalking, exposure to stigma, reputational harm, or extreme emotional distress” may be unfair “in and of itself.”
- Failing to evaluate the practices and capabilities of third parties. The FTC stated that it would also consider whether a company evaluates its affiliates, vendors and “end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies.” Companies should also “supervise, monitor or audit the third parties’ compliance with any requirements.”
- Failing to provide appropriate training for employees and contractors. This factor appears to encompass employees “whose job duties involve interacting with biometric information or technologies that use such information.”
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information. The FTC flagged that companies should “ensure that the technologies are functioning as anticipated, that users of the technology are operating it as intended, and that use of the technology is not likely to harm consumers.”
What Does This Mean for My Business?
Although the policy statement does not purport to impose new legal requirements on companies, companies should view this document as reflecting the FTC’s expectations regarding how companies use and develop biometric information/technology. Given the FTC’s recent string of litigation defeats, it’s not clear whether courts would agree with some of the agency’s more “innovative” legal views. That said, by issuing this statement, the FTC has made clear that biometric privacy issues likely will be more prominent in current and future enforcement actions, and companies should consider taking another look at their data practices to ensure they are aligned with the company’s overall risk profile and enterprise strategy.