The FTC recently published a policy statement with its enforcement priorities for the misuse of biometric information. To be clear, there are no new federal laws that specifically regulate the collection or use of biometric information. Instead, the FTC issued its policy statement under its broad enforcement authority of Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices.
The policy statement describes several ways in which the collection or use of biometric information may trigger FTC scrutiny. For example, a business may act deceptively toward consumers through unsubstantiated marketing about the performance of biometric information or if it makes misleading statements about its collection and use of biometric information. The FTC also devised six examples of a company unfairly using biometric information. These include failing to assess or address security risks of access to biometric information; engaging in surreptitious and unexpected collection or use of biometric information; failing to monitor third parties, employees and contractors with access to biometric information; and failing to ensure the quality of the products or services that relate to biometrics.
The FTC issued its policy statement in response to the growing use of biometric information across multiple industries. Employment, travel, financial services and healthcare rely on fingerprints, facial recognition and iris scans to verify identity, track movement and combat fraud. In turn, the agency stepped up enforcement surrounding biometric information. For example, in 2021, the FTC brought an enforcement action against Everalbum, Inc., after the company automatically used facial recognition on users’ pictures, a feature that Everalbum advertised as opt-in. The FTC’s $5 billion penalty against Facebook, Inc. in 2019 also covered similar misrepresentations of facial recognition of users’ pictures. The policy statement this week follows the FTC’s well-trod path in the privacy space, focusing on lax data security, misrepresentations of data collection and use, and failure to monitor technologies that use consumer data.
The FTC has two primary enforcement tools against the unfair or deceptive acts prohibited by Section 5(a), and these tools may give this policy statement practical footing. First, Section 13(b) of the FTC Act allows the FTC to seek injunctive relief for violations of Section 5. However, in 2021, the Supreme Court in AMG Capital Management, LLC v. FTC held that the FTC cannot seek monetary relief under Section 13. In light of AMG, the FTC looked to its second enforcement tool: its rulemaking authority under Section 18. The FTC may seek monetary penalties against those who violate an FTC rule. Last year, the FTC announced that it is pursuing a rule governing consumer surveillance, including biometric information. This week's statement only reflects the FTC's policy priorities and lacks the force of law, but the forthcoming consumer surveillance rule may add more specificity to the FTC's enforcement standards for biometric information.
In light of the increased regulatory scrutiny, businesses that process biometric information should consider the following steps to reduce their potential exposure to FTC scrutiny:
- Assess applicability of state and local biometric privacy laws. In addition to the FTC’s enforcement actions, certain state and local laws (like those in Illinois, Texas, Washington, New York City and Portland) govern biometric information. Requirements in these laws may vary. Some of these laws authorize the use of facial recognition only in certain locations, require signs at the entrances of commercial establishments that collect biometric identifiers or require consent to collect biometric information.
- Review public statements about biometrics for accuracy. Businesses should review their privacy notices and marketing to ensure that they accurately disclose how the business will collect and use biometric information. When advertising the use of biometric information and the efficacy of products that use or analyze biometrics, businesses should ensure that they have adequate substantiation before making those claims.
- Develop, implement and document reasonable security measures for biometric information. Companies should develop reasonable security measures to protect biometric information from unauthorized access and disclosure, maintain appropriate collection and retention periods for it and document these information security practices in writing, including, for example, through written information security plans, incident response plans, document retention policies and access control policies.
- Train employees and contractors who deal with biometric information. Companies should provide training on how to properly safeguard biometric information to all employees and contractors who will have access to such biometric information.