FTC to Increase Enforcement With New Biometric Data Policy

Growing use of personal biological information raises companies’ risk of law violations, agency says
FTC Washington federal agency
Photograph: Shutterstock

The Federal Trade Commission (FTC) plans to scrutinize companies’ use of biometrics, as collection and use of personal biological characteristics becomes more common, according to a new policy statement the agency issued May 18. The commission voted 3-0 to adopt the policy statement.

In light of companies’ growing use of biometrics, the federal agency in charge of protecting the public from unfair and deceptive practices and unfair methods of competition in the marketplace, warned companies using biometric information puts them at risk of privacy, data-security and consumer fraud violations.

The FTC also said it would consider whether companies using biometric technology are complying with Section 5 of the Federal Trade Commission Act. Section 5 is a broad law that involves unfair and deceptive business practices, fraud and false advertising.

The agency said it would be on the lookout for deceptive statements about biometric information collection and use, such as failing to disclose pertinent information to consumers to prevent them from being misled.

The new policy statement might be relevant to retailers considering use of Inc.’s Amazon One palm imaging payment system, which also is being used for age verification for alcohol sales. Aramark is the first company to try this new verification approach at Coors Field in Denver. Two convenience-store chains are piloting Amazon One for payment. An FTC spokesperson told CSP Daily News Monday the agency doesn't comment on specific companies unless it is involved in an enforcement case.

For over a decade, the FTC has considered consumer protection issues stemming from biometric information. The technology is becoming more pervasive, despite issues arising from it, the agency said.

Biometric information includes data describing a person’s physical, biological or behavioral traits and can include images, depictions and recordings of facial features, iris or retina, fingerprints, handprints, voice, genetics, characteristic movements and related data.

As the technology has advanced and become less expensive, state and local governments have enacted laws regulating its use. Fake or counterfeit recordings have allowed bad actors to impersonate individuals to commit fraud or defame and harass those they depict, the FTC said, and these could be a violation of federal law.

“These issues pose risks not only to individual consumers, but also to businesses and society,” the commission said.

In a 2021 enforcement action involving Everalbum, the photo app maker was ordered to delete information related to consumers who request the deletion and to obtain consent before collecting personal information.

In other cases, individuals or classes of people have sued companies for use of personal information, such as fingerprints, using states’ privacy acts. In a case the Illinois Supreme Court heard this year, employees accused White Castle System Inc. of violating Illinois’ biometric identification law thousands of times when it required employees to enter its computer system through a biometric-equipped touchpad involving fingerprints without proper consent. The company also disclosed the information to a third-party vendor, according to the legal complaint.

Illinois’ law stipulates each intentional violation of the law may be subject to damages of $5,000, while unintentional violations may be subject to $1,000 in damages. The Illinois Supreme Court upheld the law and found, in favor of the employees, “that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information.” The company estimated damages in the case involving 9,500 employees could reach $17 billion, because the law computes damages per each occurrence, according to news reports.

Privacy invasions are a risk if biometrics disclose personal information the consumer doesn’t wish to share, such as sensitive information about their health, religion or political affiliations, the FTC said. Companies could be in violation of the law if they make false statements about how the information will be used.

Inaccuracies also have been a problem, with algorithms used for facial recognition making more erroneous matches for African and Asian faces than for Eastern European faces. Women, the elderly and children are more likely to be victims of mistaken identity. Voice recordings also are prone to error, the FTC said.

“If biometric information technologies are used to provide access to financial accounts, a false negative may result in the identify thief gaining access to the account,” the agency said. “If biometric information technologies are used for security surveillance, false positives may result in individuals being falsely accused of crimes, subjected to searches or questioning, or denied access to physical premises,” the FTC said.

The FTC said it will be scrutinizing the following areas related to collection and use of biometrics:

  • False and unsubstantiated marketing claims relating to biometric information.
  • Deceptive statements about collection and use of biometric information.
  • Unfairness if a risk of serious harm is involved without allowing consumers to avoid the problematic use of the information.
  • Failing to promptly address foreseeable risks, such as errors causing consumer injury.
  • Engaging in surreptitious and unexpected biometric collection or use, such as to track consumers and cause reputational harm or emotional distress.
  • Failing to evaluate third-party practices and capabilities.
  • Failing to provide appropriate training to employees and contractors involved with the technologies or information.
  • Failing to monitor the technology to ensure it’s not likely to harm consumers or to cease practices that violate Section 5.

Consumers may be injured if they aren’t made aware of the data collection or how it’s being used, and if a method of complaining about the biometric use isn’t provided, the FTC said.

Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.


Exclusive Content


How to Make the C-Store the Hero for Retail Media Success

Here’s what motivates consumers when it comes to in-store and digital advertising

Mergers & Acquisitions

Soft Landing Now, But If Anyone Is Happy, Please Stand Up to Be Seen

Addressing the economic elephants in the room and their impact on M&A


Opportunities Abound With Limited-Time Offers

For success, complement existing menu offerings, consider product availability and trends, and more, experts say


More from our partners