Companies that are using or plan to use facial recognition technologies should bake in certain best practices to protect privacy, the Federal Trade Commission staff recommended in a report released Oct. 22.
“If companies consider the issues of privacy by design, meaningful choice, and transparency at this early stage, it will help ensure that this industry develops in a way that encourages companies to offer new benefits to consumers and respect their privacy interests[,]” the commission staff said in the report.
The report follows the FTC's December 2011 workshop on the use of facial recognition technologies (10 PVLR 1857, 12/19/11). The FTC later solicited public comments on the issue (11 PVLR 44, 1/2/12). According to the report, the commission received 80 public comments.
The recommendations in the facial recognition report mirror those in the FTC's March 2012 final consumer privacy report, which called on industry to adopt best practices incorporating privacy by design, simplified notice and choice mechanisms, and greater transparency about data collection and use in a co-regulatory scheme giving the FTC oversight and some enforcement powers (11 PVLR 590, 4/2/12).
The FTC staff emphasized that its recommendations are intended only to provide guidance. “[T]o the extent the recommended best practices go beyond existing legal requirements, they are not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC[,]” the staff said in the report.
An FTC official said as much at a hearing before the Senate Judiciary Subcommittee on Privacy, Technology and the Law in July 2012 (11 PVLR 1166, 7/23/12).
“I hope companies will heed this advice and implement best practices that place a premium on consumer privacy, especially protecting the basic privacy of individuals who haven't even consented to the company's use of facial recognition,” Sen. John D. Rockefeller IV (D-W.Va.), chairman of the Senate Commerce, Science, and Transportation Committee, said in an Oct. 22 statement.
Companies have already adopted facial recognition technologies in multiple contexts, such as social networks, mobile applications, and digital signs, the FTC said in an Oct. 22 statement announcing the release of the report.
“They have a number of potential uses, such as determining an individual's age range and gender in order to deliver targeted advertising; assessing viewers' emotions to see if they are engaged in a video game or a movie; or matching faces and identifying anonymous individuals in images,” the commission explained.
A prevalent use of the technology is “semi-automated photo tagging or photo organization on social networks and in photo management applications,” according to the report.
The privacy concerns raised by facial recognition technologies include the identification of anonymous individuals in public and the data's susceptibility to breaches and hacking, the FTC report said.
The FTC staff urged companies using facial recognition technologies to incorporate privacy by design into their services.
The FTC staff said that it “supports a sliding scale approach to notice and choice” in the realm of various uses of facial recognition technology.
They can do so in three ways, the staff said: by “maintain[ing] reasonable data security protections for consumers' images and the biometric information collected from those images”; “establish[ing] and maintain[ing] appropriate retention and disposal practices for the consumer images and biometric data that they collect”; and “consider[ing] the sensitivity of information.”
“Social networks should also provide consumers with (1) an easy to find, meaningful choice not to have their biometric data collected and used for facial recognition; and (2) the ability to turn off the feature at any time and delete any biometric data previously collected from their tagged photos[,]” the report added.
The FTC staff said that it “supports a sliding scale approach to notice and choice.” For example, a “walk away choice” may be sufficient for a digital sign if the company is transparent, only detects the consumer's age and gender, and does not store the consumer's image.
According to the report, a consumer's affirmative, express consent is necessary in two situations: using a consumer's image or biometric data from that image “in a materially different manner than [companies] represented when they collected the data” or identifying anonymous images of a consumer to another person who is unable to identify the consumer.
The staff said that it supports efforts by trade associations to develop voluntary codes of conduct and privacy standards for facial recognition, adding that the FTC will enforce the FTC Act, 15 U.S.C. §§ 41-58, against companies that fail to abide by self-regulatory principles.
FTC Commissioner J. Thomas Rosch dissented from the staff report. “Although I appreciate Staff's efforts to examine the issues surrounding the development and use of facial recognition technology, I believe the Report goes too far, too soon,” Rosch said.
First, the “deception” prong of Section 5 of the FTC Act, 15 U.S.C. § 45--not the “unfairness” prong--is the more appropriate basis on which to bring enforcement actions in the facial recognition industry, Rosch said. The report does not sufficiently describe a “substantial injury” necessary to enforce the “unfairness” prong, he explained.
Rosch also disagreed with the report's “adoption of 'best practices' on the ground that facial recognition may be misused.”
Finally, the requirement that a company provide a consumer with choice where the use of facial recognition technology is inconsistent with the transaction or the consumer's relationship with the company would amount to an opt-in requirement in many contexts, he contended.
The FTC staff report, “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies,” is available at http://www.ftc.gov/os/2012/10/121022facialtechrpt.pdf.
Commissioner Rosch's dissenting statement is available at http://www.ftc.gov/os/2012/10/121022fr_jtr_dissentingstmnt.pdf.