On May 18, 2023, the Federal Trade Commission (FTC) issued a Policy Statement on Biometric Information and Section 5 of the FTC Act (Policy Statement). Section 5 of the FTC Act, 15 U.S.C. § 45, prohibits “unfair or deceptive practices in or affecting commerce” and empowers the FTC to bring civil actions for penalties of not more than $10,000 per violation and issue cease and desist orders.
While the Policy Statement does not confer any rights on any person and does not operate to bind the FTC or the public, companies should be mindful that the FTC is now focusing on the use of “biometric information” and the technology used in relation to such biometric information.
The FTC defines the term “biometric information” as “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” “Biometric information includes, but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern).” “Biometric information also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived.” The FTC explains that “[b]y way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.”
The FTC identifies examples of practices that it will scrutinize in determining “whether companies collecting and using biometric information or marketing or using biometric information technologies are complying with Section 5 of the FTC Act.” Specifically, the FTC will be looking at the following as potential violations:
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information;
- Deceptive statements about the collection and use of biometric information;
- Failing to assess foreseeable harms to consumers before collecting biometric information;
- Failing to promptly address known or foreseeable risks;
- Engaging in surreptitious and unexpected collection or use of biometric information;
- Failing to evaluate the practices and capabilities of third parties;
- Failing to provide appropriate training for employees and contractors interacting with biometric information or technologies; and
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information.
Bottom Line: If you are collecting or using biometric information or related technology, you should evaluate your practices to ensure that you are addressing the FTC’s concerns set forth in the Policy Statement.