Business Blog
Body language? FTC issues policy statement about misuse of biometric data
As Emelia asked in Act V of Comedy of Errors, do “mine eyes deceive me?” Sorry to get all Shakespearean, but our eyes (and face, fingerprints, etc.) can reveal a lot of information about us – data that can be misused in deceptive or unfair ways. The FTC just issued a Policy Statement on Biometric Information and Section 5 of the Federal Trade Commission Act and it’s a must-read for businesses.
The increasing use of consumers’ biometric information – and the marketing of technologies that use it or claim to use it – raises significant concerns about data security, privacy, and the potential for bias and discrimination. This isn’t a new issue for the FTC. We’ve been looking at the consumer protection implications of biometric data for more than a decade – for example, at the FTC’s Face Facts: A Forum on Facial Recognition Technology and in the report, Facing Facts: Best Practices For Common Uses of Facial Recognition Technologies. More recently, the FTC has brought enforcement actions against photo app maker Everalbum and Facebook, charging they misrepresented their uses of facial recognition technology.
During this time, some biometric information technologies have made significant advances. NIST found that between 2014 and 2018, facial recognition had become 20 times better at finding a matching photo in a database. Many of these technologies have also become a lot less expensive to use. So it’s no surprise that the use of these technologies is showing up everywhere from retail stores to arenas.
But as rapidly as the technologies and risks are evolving, important guiderails remain in place to protect consumers: the FTC Act’s prohibitions on unfair or deceptive practices. The Policy Statement demonstrates how established legal requirements apply and lists examples of practices the agency will look at in determining whether a company’s use of biometric information or biometric information technology could violate the FTC Act.
You’ll want to read the Policy Statement for the full story, but on the deception side of Section 5, companies shouldn’t make “false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information.” What’s more, “deceptive statements about the collection and use of biometric information” could be actionable, too.
Turning to unfairness, the Policy Statement includes factors the Commission will consider in assessing whether a use of biometric information is potentially unfair:
- failing to assess foreseeable harms to consumers before collecting biometric information;
- failing to promptly address known or foreseeable risks;
- engaging in surreptitious and unexpected collection or use of biometric information;
- failing to evaluate the practices and capabilities of third parties who will have access to consumers’ biometric information;
- failing to provide appropriate training for employees and contractors whose duties involve interacting with biometric information; and
- failing to conduct ongoing monitoring of a business’ technologies that use biometric information to ensure they’re functioning as anticipated and they’re not likely to harm consumers.
There’s no need to read between the lines to discern the FTC’s message to your company and clients. As the Policy Statement makes clear:
The Commission wishes to emphasize that – particularly in view of rapid changes in technological capabilities and uses – businesses should continually assess whether their use of biometric information or biometric information technologies causes or is likely to cause consumer injury in a manner that violates Section 5 of the FTC Act. If so, businesses must cease such practices, whether or not the practices are specifically addressed in this statement.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.