The Federal Commerce Fee (“FTC”) has issued a coverage assertion addressing biometric applied sciences in a sign of enforcement actions to return: It states: “In mild of the evolving applied sciences and dangers to shoppers, the Fee units out . . . examples of practices it’ll scrutinize in figuring out whether or not corporations accumulating and utilizing biometric data or advertising or utilizing biometric data applied sciences are complying with Part 5 of the FTC Act [unfair or deceptive acts or practices].”

Firms who haven’t been “clocking” the mass wave of biometric privacy-related class motion litigation or the biometric-specific statutes in Illinois, Texas, and Washington, must take heed. Even for these companies who’ve a biometric privateness coverage in place, the FTC made specific: “Compliance with these [state or city biometric] legal guidelines . .  . won’t essentially preclude Fee regulation enforcement motion underneath the FTC Act or different statutes.”

What Kind of Info Does the FTC Coverage Assertion Cowl?

The Coverage Assertion defines “biometric data” as:

information that depict or describe bodily, organic, or behavioral traits, traits, or measurements of or referring to an recognized or identifiable particular person’s physique. Biometric data consists of, however just isn’t restricted to, depictions, pictures, descriptions, or recordings of a person’s facial options, iris or retina, finger or handprints, voice, genetics, or attribute actions or gestures (e.g., gait or typing sample). Biometric data additionally consists of information derived from such depictions, pictures, descriptions, or recordings, to the extent that it could be moderately potential to establish the particular person from whose data the information had been derived. By means of instance, each {a photograph} of an individual’s face and a facial recognition template, embedding, faceprint, or different information that encode measurements or traits of the face depicted within the {photograph} represent biometric data.

What Ought to Companies Be Doing within the Wake of the FTC’s Coverage Assertion?

• Implement privateness and information safety measures to make sure that any biometric data collected or maintained is prevented from unauthorized entry;
• Conduct a “holistic evaluation” of potential dangers to shoppers related to the gathering and/or use” of client’s biometric data earlier than deploying biometric data know-how;
• Promptly handle recognized or foreseeable dangers (e. if biometric know-how is liable to sure forms of errors or biases, companies ought to take steps to cut back these errors or biases);
• Disclose the gathering and use of biometric data to shoppers in a transparent, conspicuous, and full method;
• Have a mechanism for accepting and addressing client complaints and disputes associated to using biometric data know-how;
• Consider the practices and capabilities of service suppliers and different third that shall be given entry to shoppers’ biometric data or that shall be charged with working biometric know-how or processing biometric information. Contractual necessities will not be sufficient; strategic, periodic audits ought to be thought of. Because the FTC states: “Companies ought to search related assurances and contractual agreements that require third events to take applicable steps to reduce dangers to shoppers. They need to additionally transcend contractual measures to supervise third events and guarantee they’re assembly these organizational and technical measures (together with taking steps to make sure entry to mandatory data) to oversee, monitor, or audit third events’ compliance with any necessities”;
• Present applicable coaching for workers and contractors whose job duties contain interacting with biometric data or biometric know-how; and
• Conduct “ongoing monitoring” of biometric applied sciences used—“to make sure that the applied sciences are functioning as anticipated, that customers of the know-how are working it as supposed, and that use of the know-how just isn’t prone to hurt shoppers.”

How Do These Necessities Differ from the Illinois Biometric Info Privateness Act?

The FTC shall be on the lookout for companies to have collected a “‘holistic evaluation’ of potential dangers to shoppers related to the gathering and/or use” of client’s biometric data earlier than deploying biometric data know-how and to conduct “ongoing monitoring” of applied sciences used. These will not be necessities codified within the Illinois BIPA or some other state or native biometric regulation.

Whereas present biometric and broader client privateness statutes require cheap information safety measures, the FTC’s Coverage Assertion suggests companies also needs to have coaching applications relating to using biometric know-how.

Has the FTC Introduced Enforcement Actions Over Biometric Applied sciences?

Sure. In 2021, the FTC settled its motion in opposition to a photograph app developer alleging that the developer deceived shoppers about use of facial recognition know-how and the developer improperly retained pictures and movies of customers who deactivated their accounts. The settlement reached included 20 years of compliance monitoring. The FTC additionally charged a social media firm with eight privacy-related violations, which included allegations of deceptive shoppers a couple of photo-tagging instrument that allegedly used facial recognition. That matter settled for $5 billion in 2019.

[View source.]