FTC Releases Staff Report on Facial Recognition Technologies
October 22, 2012. A divided Federal Trade Commission (FTC) released a staff report [30 pages in PDF] titled "Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies".
The five member commission did not vote to approve this item. And, it is not a final order subject to judicial review. However, Commissioner Thomas Rosch wrote a dissent.
This report recommends that social networks should "provide consumers with (1) an easy to find, meaningful choice not to have their biometric data collected and used for facial recognition; and (2) the ability to turn off the feature at any time and delete any biometric data previously collected from their tagged photos."
It recommends that "companies using digital signs capable of demographic detection ... should provide clear notice to consumers that the technologies are in use, before consumers come into contact with the signs."
This report "recommends that companies using facial recognition technologies design their services with privacy in mind". This includes maintaining "reasonable data security protections for consumers’ images and the biometric information collected from those images" and " putting protections in place that would prevent unauthorized scraping which can lead to unintended secondary uses".
It also recommends that "companies should establish and maintain appropriate retention and disposal practices for the consumer images and biometric data that they collect".
It also recommends that "companies should consider the sensitivity of information when developing their facial recognition products and services".
This report promulgates no rules. It concludes no adjudication. Rather, it makes "recommendations" regarding what businesses "should" do. It may serve as a basis for future FTC enforcement actions involving use of facial recognition technologies brought under Section 5 of the FTC Act, which is codified at 15 U.S.C. § 45. This is essentially an anti-fraud provision.
It provides that "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." While the FTC has narrowly targeted statutory authority to regulate privacy related practices (Children's Online Privacy Protection Act, or COPPA), it does not have general privacy related authority. Rather, it relies upon Section 5.
Almost all of the FTC's privacy related Section 5 actions have alleged deceptive conduct. For example, the FTC has long and frequently asserted that if a business publishes a web site privacy policy, and then violates that policy, that is deceptive conduct in violation of Section 5.
Although, the FTC has brought a small number of Section 5 actions based upon the unfairness prong under particularly egregious circumstances.
This just released report, along with the report [112 pages in PDF] released on March 16, 2012, titled "Protecting Consumer Privacy in a Era of Rapid Change: Recommendations for Businesses and Policy Makers", reflect the FTC's ongoing effort to expand its privacy related enforcement powers from addressing deceptive conduct, to also addressing unfair conduct.
This mission creep is significant because the word "deceptive" in Section 5 has meaning in both common and legal usage, and gives businesses and FTC regulators some notice as to what actions are prohibited, while the word "unfair" lacks meaning, and provides little guidance. In each case "unfair" means whatever three out of five politically appointed commissioners want it to mean.
This report does not discuss this expansion. However, it states that "If a company uses facial recognition technologies in a manner that is unfair", then the FTC "can bring an enforcement action under Section 5". Also, the recommendations address situations in which there is no deception. Hence, these recommendations must be based upon the unfairness prong.
See also, stories titled "FTC Releases Second Report on Privacy Issues" and "Commentary: Unfair v. Deceptive Conduct" in TLJ Daily E-Mail Alert No. 2,357, March 26, 2012.
The FTC held a workshop titled "Face Facts: A Forum on Facial Recognition Technology" on December 8, 2012, and solicited public comments. See, FTC web page for this event.
Commissioner Rosch objected to the FTC's reliance upon the unfairness prong, to the issuance of a report without having first conducted a cost benefit analysis, to the issuance of recommendations without any finding of prior wrongdoing, and to recommending opt in requirements at this time.
Sen. John Rockefeller (D-WV) stated in a release regarding this report that "Facial recognition technologies can have obvious benefits for consumers but also pose serious privacy concerns -- especially online".
He continued that "I hope companies will heed this advice and implement best practices that place a premium on consumer privacy, especially protecting the basic privacy of individuals who haven't even consented to the company’s use of facial recognition. As Chairman of the Commerce Committee, I fully intend to monitor how facial recognition technologies are increasingly adopted and used as a commercial practice."
(Published in TLJ
Daily E-Mail Alert No. 2,465, October 22, 2012.)