The Federal Trade Commission has issued a policy statement addressing the use of biometric information and related technologies, focusing on privacy, security, bias, and discrimination. The statement summarizes the recent increase in the collection and use of biometric information, including facial recognition technology and outlines a non-exhaustive list of practices to be scrutinized in determining whether companies collecting and using biometric information or marketing or using biometric information technologies are in compliance with Section 5 of the FTC Act.
Deception
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information: The FTC will focus on false or unsubstantiated marketing claims that can mislead consumers. For example, a biometric information tool should not be marketed as “unbiased” or as guaranteed to deliver particular results such as the elimination of bias in hiring.
- Deceptive statements about the collection and use of biometric information: Businesses should accurately and completely disclose how and to the extent which they collect or use biometric information or how they implement technologies using biometric information.
Unfairness
- Failing to assess foreseeable harms to consumers before collecting biometric information: Businesses should conduct thorough assessments before collecting consumers’ biometric information or deploying a biometric information technology, including analyzing the context in which the collection or use takes place, the extent to which the technologies have been tested, the role of human operators, whether particular demographics will be disproportionately harmed, and whether the algorithms used have been tested for differential performance across demographic groups.
- Failing to promptly address known or foreseeable risks: Businesses should take proactive measures to address errors or biases with particular technologies to reduce or eliminate the likelihood of consumer injury.
- Engaging in surreptitious and unexpected collection or use of biometric information: The collection and use of biometric information may violate the law if it is used to surreptitiously track or identify a consumer in a manner that exposes them to risks such as stalking, stigma, reputational harm, or extreme emotional distress. Consumers should be provided with a mechanism for accepting and addressing consumer complaints and disputes related to the use of biometric information technologies.
- Failing to evaluate the practices and capabilities of third parties: Contracts with third parties, including affiliates, vendors, and end users should require that the third parties take steps to minimize consumer risks.
- Failing to provide appropriate training for employees and contractors: Businesses should provide training for persons whose job duties involve interacting with biometric information or biometric technologies.
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information: These technologies must be reviewed to ensure that they are properly functioning, that users are operating them as intended, and that the use of the technology is not likely to harm consumers.
Given the scrutiny around biometric information, companies should carefully evaluate and audit their practices regarding biometric technologies.