On May 18, 2023, the Federal Trade Commission (the “FTC”) issued a policy statement on the use of biometric information under its regulatory powers in Section 5 of the FTC Act (the “Statement”). The Statement is the strongest message the FTC has ever issued regarding how certain uses of biometric technology may, depending on the circumstances, constitute unfair and deceptive trade practices under Section 5.

The Statement provides significant insight into the FTC’s shifting priorities and focus on the regulation of the use of biometric technology, a topic that so far has been regulated by state and local law – or not at all. Companies should take heed of the FTC’s guidance for purposes of understanding potential exposure not only at the federal and state regulatory level but also in the form of potential civil lawsuits under state unfair and deceptive trade practice statutes.

The Statement

In the Statement, the FTC stated that it is committed to “combatting unfair or deceptive acts related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.” The FTC defined “biometric information” broadly, including “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.” This includes, but is not limited to, “depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern).”

The Statement recognizes several scenarios where the use of biometric technology provides “new and increasing risks.” These include (1) the use of biometric information to create counterfeit videos or recordings (“deepfakes”) to commit fraud or defame individuals; (2) the proliferation of biometric information repositories that create attractive targets for malicious actors; (3) the use of technology to reveal sensitive information about consumers, including information related to health care, religion, or politics; and (4) the potential for technology to incorporate deep biases that manifest differently across demographic groups. 

In light of these perceived risks, the Statement sets out a non-exhaustive list of examples of practices that the FTC will scrutinize going forward in determining whether a company’s use or marketing of biometric information technologies complies with Section 5 of the FTC Act. These include the following:

Deceptive Trade Practice Examples

  • False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information; and
  • Deceptive statements about the collection and use of biometric information.

Unfair Trade Practice Examples

  • Failing to protect consumers’ personal information using reasonable data security practices;
  • Engaging in invasive surveillance, tracking, or collection of sensitive personal information that was concealed from consumers or contrary to their expectations;
  • Implementing privacy-invasive default settings in certain circumstances;
  • Disseminating an inaccurate technology that could endanger consumers;
  • Selling technologies with the potential to facilitate harmful or illegal conduct, and failing to take reasonable measures to prevent such conduct; and
  • Using biometric technology in a discriminatory manner.

In evaluating whether biometric technology violates Section 5, the FTC will take into account factors such as whether the company:

  • Fails to assess foreseeable harms to consumers before collecting biometric information;
  • Fails to promptly address known or foreseeable risks;
  • Engages in surreptitious and unexpected collection or use of biometric information;
  • Fails to evaluate the practices and capabilities of third parties who will operate or be given access to biometric technologies;
  • Fails to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or biometric technologies; and
  • Fails to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information.

Takeaways

Biometrics are directly regulated in a limited number of locations, including Illinois, Texas, Washington, and New York City. While private biometric privacy litigation has flourished in Illinois, there are few instances of private plaintiffs pursuing companies under other states’ laws for the wrongful collection or mishandling of their biometric information.

The Statement may cause an uptick in biometric privacy litigation nationwide, for two reasons.

First, the FTC’s definition of biometric information is significantly broader than definitions found under state laws that regulate biometric technology. Even in states that already regulate biometric information, there may be new exposure for collecting, possessing, or using data relating to an “identified” individual’s characteristics or traits, even if those characteristics or traits themselves are not unique enough to identify an individual with a high degree of reliability.

Second, while the FTC Act does not provide a private right of action, private litigants may attempt to use the Statement to bring claims under their state’s unfair and deceptive trade practices act.

Companies that use or create biometric-enabled technology should take note of the Statement and evaluate their compliance.