With the ongoing BIPA litigation activity in Illinois surrounding collection of biometrics, it can be easy to forget that other issues might surround this practice. Last month the FTC reminded companies not to forget general privacy and data security concerns. Concerns as most know, it enforces under Section 5 of the FTC Act (which prohibits deception and unfairness).
The FTC recognized that there may be an uptick in companies desire to collect biometrics through machine learning. Or, to use biometric information to understand people’s characteristics. The FTC’s issuance of this policy statement suggests it may bring biometric-related actions in the coming months. Its warnings can thus be a helpful signal of things not to do.
Some recommendations to avoid potential allegations of deception and unfairness include:
- Not making unsubstantiated or false claims about the efficacy of technologies that use biometrics. For example, selling products to business consumers that do not work, and the result being consumer harm.
- Avoiding deceptive claims about how the company uses biometrics. This includes both misleading a consumer about what biometric information is collected. It also means not deceiving people about how information might be used.
- Assessing and addressing foreseeable harms. Potential harms could be where a company knows technology is prone to errors, but fails to take steps to prevent them. Appropriate steps would be to find and put in place “readily available tools” to reduce risks.
- Not “surreptitiously” collecting biometric information. This also covers “unexpected” collection of that information that exposes someone to harm. Those might include, for example, stalking or reputational harm.
- Evaluating the third parties that will have access biometric information. Appropriate measures, according to the FTC, include both contractual obligations for vendors to minimize risks to consumers and vendor oversight.
- Training employees. In particular, those who interact with biometric information or technologies that collect or use it.
Putting It into Practice: The FTC has signaled with this policy statement what activities it deems unfair or deceptive in the biometric space. Companies can keep these in mind, in addition to state law obligations of notice and choice.