The Federal Trade Commission (FTC) issued a policy statement about biometric information and Section 5 of the FTC Act. This policy statement is designed to raise awareness and combat unfair or deceptive acts related to collecting and using consumers’ biometric information.
Specifically, Section 5 of the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. This applies to all companies, and it’s vital for organizations to be aware of potential concerns.
The FTC will use the holistic assessments required under Section 5 to scrutinize companies that are collecting and using biometric data. Businesses should not collect or retain biometric data without any legitimate business need to do so or if it creates an increased risk of harm to consumers. If the FTC finds that a business’s conduct is deceptive or unfair, it may seek civil penalties.
What Is Biometric Data?
According to the FTC, biometric information—as used in the policy statement—is “data that is used to refer to data that depicts or describes physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” Biometric data used in recent years include facial, iris and fingerprint recognition technologies. Further, some biometric data is used to determine the characteristics of individuals by using:
There have been significant changes to biometrics, specifically facial recognition, as technology advances. Such advancements have made biometric technology less expensive, opening opportunities for more people to use the technology. With increased use, states have passed varying laws in hopes of regulating the commercial use of biometric data. In 2019, the FTC brought enforcement actions against companies that allegedly misrepresented their use of facial technology.
Since biometric data can be used for many different functions, it creates risks for companies and the public. Some risks include:
-The creation of counterfeit videos or voice recordings
-The use of data to achieve unauthorized access to devices, facilities and more data
-The exposure of personally sensitive information (religious or political information)
There are no clear disclosures or meaningful choices for consumers to avoid these risks or consequences of using biometric data technology. The FTC looks at specific aspects that would violate Section 5 of the FTC Act. They are:
Deception—Businesses should not make false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness or efficacy of technologies using biometric information. In addition, false or misleading statements about collecting or using biometric information constitute deceptive acts.
Unfairness—Using biometric information may be unfair under the FTC Act. For example, suppose the use of biometric information causes substantial injury to consumers and is not avoidable or beneficial to the consumer. In that case, it is considered an unfair practice under Section 5 of the FTC Act. Businesses should implement privacy and data protection measures to ensure any biometric data collected is kept safe from unauthorized access.
The FTC has provided factors that will be considered when they complete assessments. This list includes businesses not doing the following:
-Identifying potential risks or harms of consumers before collecting their biometric data
-Mitigating foreseeable risks
-Conveying to consumers that the business is, in fact, collecting biometric information
-Vetting third-party vendors for their practices of collecting biometric information
-Training employees and contractors on data security measures
-Monitoring its technologies to make sure they are performing correctly
The FTC recommends that businesses consider practices from the consumer’s viewpoint to protect against risks and harms associated with using biometric data. Assessments of how biometric data is being used should be done continually.
For a copy of this notice, click here: News Brief – FTC Issues Biometric Data Warning