In a policy statement released on May 18, 2023, the
Federal Trade Commission (FTC) warned of several consumer data
privacy risks related to the increasing commercial use of
biometrics technologies.1 The Commission unanimously voted 3-0
to adopt the policy statement, which builds on more than a decade
of Commission guidance on biometrics, including its 2012 report on best practices for facial
recognition technology.
Currently, there is no federal privacy law governing the
collection and use of individuals’ biometric information, and
only a few states and cities (Illinois, Texas, Washington, Portland
and New York City) have enacted such legislation.2 However, the policy
statement comes in a year when bills addressing biometric privacy
issues have been introduced in at least 13 state legislatures.
Biometric information has also appeared under the definition of
“sensitive” information in several state comprehensive
privacy laws, including the California Consumer Privacy Act (CCPA)
and Tennessee’s recently enacted privacy law, mandating
additional or heightened protections and consumer rights for this
type of information.3 Against this backdrop of state
action, the FTC acknowledges the commercial benefits of biometric
technologies, but cautions that businesses utilizing these tools in
ways that harm consumers may face enforcement actions under Section
5 of the Federal Trade Commission Act (“FTC Act”), along
with other laws.
Notably, the FTC defines “biometric information
technologies” as “technologies that use or purport to use
biometric information.”4 “Biometric information” is
defined broadly as “data that depict or describe physical,
biological, or behavioral traits, characteristics, or measurements
of or relating to an identified or identifiable person’s
body.” The FTC then specifies that biometric information
“includes, but is not limited to, depictions, images,
descriptions, or recordings of an individual’s facial features,
iris or retina, finger or handprints, voice, genetics, or
characteristic movements or gestures (e.g., gait or typing
pattern)” and “also includes data derived from such
depictions, images, descriptions, or recordings, to the extent that
it would be reasonably possible to identify the person from whose
information the data had been derived.”5
Section 5 of the FTC Act prohibits “unfair or deceptive
acts or practices in or affecting commerce.”6 As the FTC explains,
the evolution and proliferation of biometric information
technologies inevitably create new and increased risks to
consumers. For example, not only may biometrics technologies be
abused for fraudulent means, but also they “may perform
differently across different demographic groups in ways that
facilitate or produce discriminatory outcomes.”7
Under this framework, the policy statement includes a
non-exhaustive list of exemplar practices the FTC may consider
“unfair” or “deceptive,” warning businesses
that these practices may lead to enforcement action and encouraging
businesses to frequently assess their practices against the
ever-expanding legal and technological landscape.
Deception
The Commission advises that the following practices may
constitute deceptive trade practices that violate the FTC Act:
- False or unsubstantiated marketing claims relating to the
validity, reliability, accuracy, performance, fairness or efficacy
of technologies using biometric information. - Deceptive statements about the collection and use of biometric
information.
Unfairness
The FTC also describes several unfair practices related to the
collection and use of biometric information that could violate the
FTC Act. Further, it notes a business’s failure to clearly and
conspicuously disclose the collection and use of such information
may deprive consumers of the ability to avoid harm and may
therefore meet the definition of an unfair trade practice.
Assessment
Finally, the policy statement provides the following
non-exhaustive list of factors the FTC may consider when assessing
a company’s practices related to biometric information:
- Failing to assess foreseeable harms to consumers before
collecting biometric information. - Failing to promptly address known or foreseeable risks.
- Engaging in surreptitious and unexpected collection or use of
biometric information. - Failing to evaluate the practices and capabilities of third
parties. - Failing to provide appropriate training for employees and
contractors. - Failing to conduct ongoing monitoring of technologies that the
business develops, offers for sale or uses in connection with
biometric information.
To underscore its commitment to preventing deceptive and unfair
practices in connection with the collection and use of biometric
information, the FTC cites complaints from numerous data
privacy-related enforcement actions. The message to businesses is
clear: businesses must consider, and mitigate, the risk of harm to
consumers if they wish to reap the benefits of biometric
information technology.
Footnotes
1 FTC
Policy Statement, https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf
; see also https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers
.
2
See Biometric Information Privacy Act (BIPA), 740 ILCS 14;
Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus.
Com. Code Ann. § 503.001; Washington Biometric Law, RCW
§19.375.010; NYC Admin. Code §§ 22-1201 – 1205;
NYC Admin. Code §§ 26-3001 – 3007;
Portland City Code Chapter 34.10;
3
California, Colorado, Connecticut, Indiana, Iowa, Montana,
Tennessee, Utah and Virginia consider biometric information that is
processed for the purpose of uniquely identifying an individual as
“sensitive data” or “sensitive personal
information.” Note that California and Tennessee also list
biometric information generally as a type of personal
information.
4 Policy
Statement at 1.
5
Id.
6 15
U.S.C. § 45(n).
7 Policy
Statement at 4.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
