The Federal Trade Commission rang in the new year in grand fashion with its announcement that it had reached a proposed settlement with photo app developer Everalbum Inc. stemming from Everalbum’s deceptive practices relating to its use of facial recognition technology.
The Everalbum settlement—the first FTC case specifically targeting the misuse of facial recognition technology—is a noteworthy development for companies that use facial biometrics in their operations, as the case illustrates the wide scope of liability exposure that exists in connection with the use of facial recognition software extending well beyond today’s targeted biometric privacy statutes.
Key Takeaways From the FTC Settlement
The Everalbum settlement provides several valuable lessons for companies that use facial recognition technology.
First, it provides an unequivocal warning that the FTC will make policing facial recognition technology a priority for the foreseeable future. In particular, in announcing the settlement, the FTC cautioned that ensuring companies adhere to their promises and representations regarding how they use and handle facial template data and other forms of biometric data “will continue to be a high priority” for the FTC.
Moving forward, it is clear that—in addition to complying with the ever-extending patchwork of state and municipal-level laws governing the use of facial biometrics—companies must also ensure that their compliance programs adequately address issues relating to potentially false or deceptive claims and other improper activities regarding the collection, use, and retention of facial template data to avoid becoming the next target of an FTC enforcement action.
Second, the settlement shows that although biometric privacy statutes—such as the Illinois Biometric Information Privacy Act—exclude from the scope of regulation biometric data derived from photographs, such data is nonetheless subject to regulation through avenues such as the FTC.
Third, the FTC settlement highlights the importance of following through on any organizational promises or representations made regarding the company’s collection, use, and retention of facial template data. In particular, when companies claim that data will be permanently deleted, companies must adhere to these data destruction guidelines and schedules.
Expected Impact Is New Regulation, Litigation
The Everalbum settlement represents the latest in a string of recent unflattering incidents relating to the commercial use of facial recognition technology. Moving forward, these developments regarding its undisclosed and improper use will likely have a significant impact on the legal landscape of facial biometrics in 2021 and beyond.
In particular, states and cities will likely seek to enact new regulation over the use of facial biometric data, either through the implementation of targeted biometric privacy statutes or, alternatively, outright bans over the use of this technology by private entities, similar to the private-sector facial recognition ban that went into effect at the start of 2021 in Portland, Ore.
At the same time—as the Everalbum settlement demonstrates—the FTC (and state consumer protection agencies) will make policing facial biometrics practices a top priority in 2021.
Further, as consumers become more aware of the improper and uncontemplated commercial uses of facial biometrics, the risk of consumer privacy class action litigation relating to the use of facial recognition technology is likely to increase as well.
Fortunately, there are several key, actionable steps companies can take to effectively leverage facial recognition technology in a manner that satisfies their legal obligations. In particular, companies should consider the following:
1. Transparency-First Mindset. Companies that utilize facial recognition technology must make a concerted effort to be as transparent as possible regarding their facial biometrics practices.
Companies can significantly limit their liability exposure by placing an emphasis on ensuring that relevant information regarding the company’s facial recognition practices is provided to users/consumers at each stage of the biometric data lifecycle.
2. Adherence to Representations Made Regarding the Use of Facial Template Data. Ensure that organizational practices relating to facial template data are consistent with representations made by the company regarding how and why it collects, uses, stores, retains, and deletes facial template data.
5. Written Consent. Obtain advance, written consent—such as through a signed written release—from all individuals permitting the company to collect, store, use, and share their facial template data for business purposes before any such data is collected.
6. Opt-Out. Permit individuals to opt out of the collection of their facial template data.
7. Data Security. Maintain data security measures to protect and safeguard facial template data.
8. Early Involvement of Biometric Privacy Counsel. Consult with experienced biometric privacy counsel well before any type of facial recognition technology is implemented to ensure compliance with today’s constantly evolving biometric privacy legal landscape.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy Class Action Defense, and Cybersecurity & Data Privacy groups. His practice encompasses defending clients in high-stakes litigation, and counseling and advising clients on a wide range of privacy, data security and cybersecurity matters.