The Federal Trade Commission (“FTC”) has issued a policy statement addressing biometric technologies in a signal of enforcement actions to come: It states: “In light of the evolving technologies and dangers to customers, the Commission sets out . . . examples of practices it will scrutinize in figuring out regardless of whether providers collecting and working with biometric info or advertising and marketing or working with biometric info technologies are complying with Section five of the FTC Act [unfair or deceptive acts or practices].”

Corporations who have not been “clocking” the mass wave of biometric privacy-associated class action litigation or the biometric-distinct statutes in Illinois, Texas, and Washington, want to take heed. Even for these firms who have a biometric privacy policy in location, the FTC created express: “Compliance with these [state or city biometric] laws . .  . will not necessarily preclude Commission law enforcement action beneath the FTC Act or other statutes.”

What Variety of Information and facts Does the FTC Policy Statement Cover?

The Policy Statement defines “biometric information” as:

information that depict or describe physical, biological, or behavioral traits, qualities, or measurements of or relating to an identified or identifiable person’s physique. Biometric info involves, but is not restricted to, depictions, pictures, descriptions, or recordings of an individual’s facial attributes, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric info also involves information derived from such depictions, pictures, descriptions, or recordings, to the extent that it would be reasonably achievable to recognize the individual from whose info the information had been derived. By way of instance, each a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other information that encode measurements or qualities of the face depicted in the photograph constitute biometric info.

What Ought to Enterprises Be Carrying out in the Wake of the FTC’s Policy Statement?

• Implement privacy and information safety measures to guarantee that any biometric info collected or maintained is prevented from unauthorized access
• Conduct a “holistic assessment” of prospective dangers to customers related with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies
• Promptly address recognized or foreseeable dangers (e. if biometric technologies is prone to specific sorts of errors or biases, firms ought to take methods to lessen these errors or biases)
• Disclose the collection and use of biometric info to customers in a clear, conspicuous, and total manner
• Have a mechanism for accepting and addressing customer complaints and disputes associated to the use of biometric info technologies
• Evaluate the practices and capabilities of service providers and other third that will be provided access to consumers’ biometric info or that will be charged with operating biometric technologies or processing biometric information. Contractual specifications could not be adequate strategic, periodic audits ought to be viewed as. As the FTC states: “Businesses ought to seek relevant assurances and contractual agreements that need third parties to take suitable methods to reduce dangers to customers. They ought to also go beyond contractual measures to oversee third parties and guarantee they are meeting these organizational and technical measures (like taking methods to guarantee access to vital info) to supervise, monitor, or audit third parties’ compliance with any requirements”
• Present suitable coaching for staff and contractors whose job duties involve interacting with biometric info or biometric technologies and
• Conduct “ongoing monitoring” of biometric technologies used—“to guarantee that the technologies are functioning as anticipated, that customers of the technologies are operating it as intended, and that use of the technologies is not most likely to harm customers.”

How Do These Needs Differ from the Illinois Biometric Information and facts Privacy Act?

The FTC will be hunting for firms to have collected a “‘holistic assessment’ of prospective dangers to customers related with the collection and/or use” of consumer’s biometric info ahead of deploying biometric info technologies and to conduct “ongoing monitoring” of technologies made use of. These are not specifications codified in the Illinois BIPA or any other state or regional biometric law.

Although current biometric and broader customer privacy statutes need affordable information safety measures, the FTC’s Policy Statement suggests firms ought to also have coaching applications relating to the use of biometric technologies.

Has the FTC Brought Enforcement Actions More than Biometric Technologies?

Yes. In 2021, the FTC settled its action against a photo app developer alleging that the developer deceived customers about use of facial recognition technologies and the developer improperly retained images and videos of customers who deactivated their accounts. The settlement reached integrated 20 years of compliance monitoring. The FTC also charged a social media enterprise with eight privacy-associated violations, which integrated allegations of misleading customers about a photo-tagging tool that allegedly made use of facial recognition. That matter settled for $five billion in 2019.

[View source.]