The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.

The company, Everalbum, Inc. operated an app that let users organize photos that they uploaded to the app. The app, Ever, had a “Friends” tool that used facial recognition technology to group photos by people’s faces. Everalbum told users it would only use facial recognition with consent. However, Friends was in an “opt in” mode only in jurisdictions with biometric laws (Texas, Illinois, Washington, and the European Union). For users in other locations, the technology was automatically turned on unless users opted out. This (being in opt-out mode) did not constitute the promised consent, according to the FTC.

Also of concern for the FTC was the fact that facial recognition technology was used by extracting images from uploaded photos and combining those with other images the company obtained from public datasets. The resulting datasets Everalbum created, the FTC alleged, were used to help develop Friends. The FTC was further concerned that Everalbum did not delete any users’ photos upon account deactivation, even though it represented that it would do so. Instead, Ever stored photos indefinitely.

While no civil penalties were imposed, Everalbum agreed to (1) delete all photos collected from users who deactivated their accounts and (2) delete “face embeddings” (i.e., the facial features used for facial recognition) unless the company had obtained express consent for their use. The settlement also establishes recordkeeping requirements. Everalbum also has to complete a compliance report in one year. In a supporting statement, Commissioner Chopra emphasized that absent more restrictions on the use of biometric technology, it was “critical that the FTC meaningfully enforce existing law to deprive wrongdoers of technologies they build through unlawful collection of American’s facial images and likenesses.”

Putting it Into Practice: This case shows that even absent a federal biometric law, the FTC expects companies in many situations to both provide notice and get consent before collecting and using biometric information.