In a policy statement released on May 18, 2023, the Federal Trade Commission (FTC) warned of several consumer data privacy risks related to the increasing commercial use of biometrics technologies.1 The Commission unanimously voted 3-0 to adopt the policy statement, which builds on more than a decade of Commission guidance on biometrics, including its 2012 report on best practices for facial recognition technology.
Currently, there is no federal privacy law governing the collection and use of individuals’ biometric information, and only a few states and cities (Illinois, Texas, Washington, Portland and New York City) have enacted such legislation.2 However, the policy statement comes in a year when bills addressing biometric privacy issues have been introduced in at least 13 state legislatures. Biometric information has also appeared under the definition of “sensitive” information in several state comprehensive privacy laws, including the California Consumer Privacy Act (CCPA) and Tennessee’s recently enacted privacy law, mandating additional or heightened protections and consumer rights for this type of information.3 Against this backdrop of state action, the FTC acknowledges the commercial benefits of biometric technologies, but cautions that businesses utilizing these tools in ways that harm consumers may face enforcement actions under Section 5 of the Federal Trade Commission Act (“FTC Act”), along with other laws.
Notably, the FTC defines “biometric information technologies” as “technologies that use or purport to use biometric information.”4 “Biometric information” is defined broadly as “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” The FTC then specifies that biometric information “includes, but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern)” and “also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived.”5
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”6 As the FTC explains, the evolution and proliferation of biometric information technologies inevitably create new and increased risks to consumers. For example, not only may biometrics technologies be abused for fraudulent means, but also they “may perform differently across different demographic groups in ways that facilitate or produce discriminatory outcomes.”7
Under this framework, the policy statement includes a non-exhaustive list of exemplar practices the FTC may consider “unfair” or “deceptive,” warning businesses that these practices may lead to enforcement action and encouraging businesses to frequently assess their practices against the ever-expanding legal and technological landscape.
Deception
The Commission advises that the following practices may constitute deceptive trade practices that violate the FTC Act:
- False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness or efficacy of technologies using biometric information.
- Deceptive statements about the collection and use of biometric information.
Unfairness
The FTC also describes several unfair practices related to the collection and use of biometric information that could violate the FTC Act. Further, it notes a business’s failure to clearly and conspicuously disclose the collection and use of such information may deprive consumers of the ability to avoid harm and may therefore meet the definition of an unfair trade practice.
Assessment
Finally, the policy statement provides the following non-exhaustive list of factors the FTC may consider when assessing a company’s practices related to biometric information:
- Failing to assess foreseeable harms to consumers before collecting biometric information.
- Failing to promptly address known or foreseeable risks.
- Engaging in surreptitious and unexpected collection or use of biometric information.
- Failing to evaluate the practices and capabilities of third parties.
- Failing to provide appropriate training for employees and contractors.
- Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale or uses in connection with biometric information.
To underscore its commitment to preventing deceptive and unfair practices in connection with the collection and use of biometric information, the FTC cites complaints from numerous data privacy-related enforcement actions. The message to businesses is clear: businesses must consider, and mitigate, the risk of harm to consumers if they wish to reap the benefits of biometric information technology.
1 FTC Policy Statement, https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf ; see also https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers.
2 See Biometric Information Privacy Act (BIPA), 740 ILCS 14; Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. Com. Code Ann. § 503.001; Washington Biometric Law, RCW §19.375.010; NYC Admin. Code §§ 22-1201 – 1205; NYC Admin. Code §§ 26-3001 – 3007; Portland City Code Chapter 34.10;
3 California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah and Virginia consider biometric information that is processed for the purpose of uniquely identifying an individual as “sensitive data” or “sensitive personal information.” Note that California and Tennessee also list biometric information generally as a type of personal information.
4 Policy Statement at 1.
5 Id.
6 15 U.S.C. § 45(n).
7 Policy Statement at 4.