Recently, the Federal Trade Commission (FTC) released a policy statement addressing the use of consumer biometric information and its potential to harm consumers and violate the Federal Trade Commission Act (FTC Act). The policy statement also discussed related technologies that collect such information from consumers, including those powered by machine learning. Overall, the guidance covers issues related to consumer privacy, data security, potential bias, and discrimination. The FTC’s focus on biometric information would affect businesses that use proprietary biometric technologies, as well as those that come from a third party. In May 2023, the FTC filed a brief stating that the Children’s Online Privacy Protection Rule (COPPA) does not always preempt state online privacy laws.

What Is Biometric Information?

According to the FTC, biometric information is data that depicts or describes physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. Examples of this information can include images, descriptions, or recordings of:

  • facial features,
  • retina scans,
  • fingerprints, and
  • voice.

As such, a photograph of a person’s face for a facial recognition program is considered biometric information. This information is often used for biometric identification and authentication. However, collecting such information carries a risk of it falling into the wrong hands. In that scenario, the consumer loses control over who uses their information and for what purpose. For this reason, employers and owners must protect against cybersecurity threats to ensure the security and privacy of that information.

Biometric Technologies and the Law

At the state and local levels, California, Illinois, Texas, and Washington have regulated biometric information for years. Fines for non-compliance with such state laws can be significant. Furthermore, violations can accumulate quickly if a court counts each individual data transmission as a separate violation. As of this post, however, there is no federal law specifically regulating businesses that collect and use biometric information.

FTC Statement on Biometric Information

With its recent policy statement, the FTC seeks to apply existing law to biometric technologies. Specifically, the FTC cites Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. The policy statement includes a list of practices the FTC intends to examine to determine if a business’ biometric information collection activities violate the FTC Act. These activities include the following:

  • Deceptive Practices – which can include a business’ potentially misleading claim that biometric technologies can deliver a particular outcome. The FTC warns businesses against making false statements about the extent to which they collect or use biometric information.
  • Unfair Practices – whereby a business collects a consumer’s personal information in ways that are likely to cause substantial injury or disseminates technology that allows others to do so without taking reasonable measures to protect consumers from harm.

The FTC also noted that it will consider several factors when determining whether a business violates the FTC Act when collecting or using biometric information. These include failing to assess foreseeable harm to consumers, failing to promptly address known or foreseeable risks, and engaging in surreptitious and unexpected data collection.