The Federal Trade Commission (FTC) has released a policy statement announcing an intention to combat unfair and deceptive acts related to collecting and using consumer biometric information.
What Is Biometric Information?
Biometric information is data that depict or describes physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. It includes depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures.”1 This information can be used to determine individual characteristics, ranging from age, gender, or ethnicity to personality traits.
How Is This A Problem?
Using biometric information poses a substantial risk of disclosure of personal information, such as one’s healthcare information or religious affiliations. There are also increasing risks of fraud, like deepfake video recordings. The FTC intends to look closely at a company’s use of biometric technology for:
Deception: including false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information and deceptive statements about the collection and use of biometric information.
Unfairness includes using biometric information in ways not sufficiently disclosed to consumers or where access to essential goods and services is conditioned on providing such information.
FTC Act Section 5
The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. Under Section 5, a practice is unfair if it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition; the law also requires that a company’s representations be substantiated when made—those making such claims must have a reasonable basis for those claims.
What FTC Will Look For
Determining whether a business’s use of biometric information or biometric information technology violates the FTC Act requires a thorough assessment of the practices. In making assessments of compliance, the FTC will take into account factors including, but not limited to:
Failing to assess foreseeable harms to consumers before collecting biometric information. Before collecting consumers’, biometric information or deploying a biometric information technology, businesses should assess the potential risks to consumers associated with the collection or use.
Failing to address known or foreseeable risks promptly. For instance, if there is evidence that a specific biometric information technology is susceptible to certain errors or biases, businesses should take appropriate proactive measures to reduce or eliminate the risk of such errors leading to consumer injury.
Engaging in surreptitious and unexpected collection or use of biometric information.
Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information.
Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information;
Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information to ensure that the technologies are functioning as anticipated, that users of the technology are operating it as intended, and that use of the technology is not likely to harm consumers.
Action
This announcement should prompt all businesses to evaluate any current usage of biometric technologies. As biometric information technologies continue to proliferate online, some business organizations may still need to address the dark sides of the tools. The FTC’s policy statement calls for businesses to assess their practices to ensure that biometric information is used correctly.