The FTC recently published a policy statement with its enforcement priorities for the misuse of biometric information. To be clear, there are no new federal laws that specifically regulate the collection or use of biometric information. Instead, the FTC issued its policy statement under its broad enforcement authority of Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices.
The policy statement describes several ways in which the collection or use of biometric information may trigger FTC scrutiny. For example, a business may act deceptively toward consumers through unsubstantiated marketing about the performance of biometric information or if it makes misleading statements about its collection and use of biometric information. The FTC also devised six examples of a company unfairly using biometric information. These include failing to assess or address security risks of access to biometric information; engaging in surreptitious and unexpected collection or use of biometric information; failing to monitor third parties, employees and contractors with access to biometric information; and failing to ensure the quality of the products or services that relate to biometrics.
The FTC issued its policy statement in response to the growing use of biometric information across multiple industries. Employment, travel, financial services and healthcare rely on fingerprints, facial recognition and iris scans to verify identity, track movement and combat fraud. In turn, the agency stepped up enforcement surrounding biometric information. For example, in 2021, the FTC brought an enforcement action against Everalbum, Inc., after the company automatically used facial recognition on users’ pictures, a feature that Everalbum advertised as opt-in. The FTC’s $5 billion penalty against Facebook, Inc. in 2019 also covered similar misrepresentations of facial recognition of users’ pictures. The policy statement this week follows the FTC’s well-trod path in the privacy space, focusing on lax data security, misrepresentations of data collection and use, and failure to monitor technologies that use consumer data.
The FTC has two primary enforcement tools against the unfair or deceptive acts prohibited by Section 5(a), and these tools may put this policy statement to ground. First, Section 13(b) of the FTC Act allows the FTC to seek injunctive relief for violations of Section 5. However, in 2021, the Supreme Court in AMG Capital Management, LLC v. FTC held that the FTC cannot seek monetary relief under Section 13. In light of AMG, the FTC looked to its second enforcement tool: its rulemaking authority under Section 18. The FTC may seek monetary penalties for those who violate an FTC rule. Last year, the FTC announced it is pursuing a rule governing consumer surveillance, including biometric information. This week's statement only reflects the FTC's policy priorities and lacks the force of law, but the forthcoming consumer surveillance rule may add more specificity to the FTC's enforcement standards for biometric information.
In light of the increased regulatory scrutiny, businesses that process biometric information should consider the following steps to reduce their potential exposure to FTC scrutiny: