Companies that collect faceprints, voiceprints or other biometric data without first obtaining consumers' consent could face prosecution by the Federal Trade Commission, the agency suggested on Thursday.
“Uses of biometric information or biometric information technology can pose significant risks to consumers,” the FTC said in a 12-page policy statement adopted Thursday by a 3-0 vote.
“Using biometric information technologies to identify consumers in certain locations could reveal sensitive personal information about them -- for example, that they have accessed particular types of healthcare, attended religious services, or attended political or union meetings,” the agency added. “Moreover, without clear disclosures and meaningful choices for consumers about the use of biometric information technologies, consumers may have little way to avoid these risks or unintended consequences of these technologies.”
The agency added: “Businesses may violate the law if they use or facilitate the use of biometric information or biometric information technology to surreptitiously identify or track a consumer in a manner that exposes the consumer to risks such as stalking, exposure to stigma, reputational harm, or extreme emotional distress.”
The FTC outlined the factors it will consider when deciding whether biometric data practices are deceptive or unfair.
Among others, the agency will scrutinize whether companies evaluated potential harms to consumers, disclosed practices to consumers, and evaluated how third parties may use the data.
The agency also noted that some biometric identification technology can contribute to discrimination, because the technology may be less accurate for certain demographic groups.
“This is particularly concerning when such technologies are used to determine whether consumers can receive important benefits and opportunities or are subject to penalties or less desirable outcomes,” the agency writes. “For example, if biometric information technologies are used to provide access to financial accounts, a false negative may result in the consumer being denied access to their own account, whereas a false positive may result in an identity thief gaining access to the account.”
Some states and cities have passed laws restricting the collection of biometric data, but the federal government hasn't enacted nationwide biometric privacy laws.
Even without a national law, however, the FTC has previously weighed in on biometric data collection on at least two occasions. In 2021, the agency finalized a settlement with facial-recognition company Everalbum, which allegedly used facial-recognition technology on photos by default, if users tagged their photos with names.
The agreement in that case required deletion of the raw data by people who deactivated their accounts, and to delete algorithms derived from the photos and videos uploaded by users.
And in 2020, the FTC alleged that Meta Platforms engaged in a host of problematic privacy practices, including misleading people about the use of facial recognition technology.
The complaint in that matter also included highly publicized allegations that Meta allowed defunct analytics company Cambridge Analytica to access users' data. Meta settled that complaint for $5 billion.