On May 18, 2023, the Federal Trade Commission (FTC) unanimously voted during its open meeting to adopt a new policy statement on biometric information and Section 5 of the FTC Act. In the statement, the FTC warns companies that it is committed to addressing deceptive and unfair practices involving the collection and use of biometric information, and deceptive marketing of biometric information technologies. The statement provides helpful insight into what the FTC will look at when evaluating whether companies are complying with Section 5.

In the policy statement, the FTC begins by expressing concern about the risks associated with the proliferation of biometric information technologies in recent years. These risks include, among other things, the use of biometric information to facilitate fraud, and the use of biometric information technologies to reveal sensitive personal information about consumers. As an example of the latter concern, the FTC claims that biometric information technologies can be used to reveal that a consumer has accessed particular types of healthcare, attended religious services, or attended political or union meetings. The use of information or technology to reveal sensitive details about consumers has been a consistent focus of the FTC in recent years,¹ as has unlawful conduct involving the use of biometric information.² This latest policy statement comes as no surprise given the FTC’s recent attention on artificial intelligence and biometrics, and the fact that FTC Commissioner Alvaro Bedoya has long supported addressing risks associated with biometric information technologies.³

After identifying some of the risks that the FTC is concerned about, the policy statement outlines practices that the FTC will scrutinize in determining whether companies collecting and using biometric information, or marketing or using biometric information technologies, are complying with Section 5. These practices include:

1. False or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness, or efficacy of technologies using biometric information;
2. Deceptive statements about the collection and use of biometric information;
3. Failing to assess foreseeable harms to consumers before collecting biometric information;
4. Failing to promptly address known or foreseeable risks, including by failing to identify and implement readily available tools for reducing or eliminating risks;
5. Engaging in surreptitious and unexpected collection or use of biometric information;
6. Failing to evaluate the practices and capabilities of third parties, including affiliates, vendors, and end users, who will be given access to consumers’ biometric information or will be charged with operating biometric information technologies;
7. Failing to provide appropriate training for employees and contractors whose job duties involve interacting with biometric information or technologies that use such information; and
8. Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information to ensure that the technologies are functioning as anticipated, that users of the technology are operating it as intended, and that use of the technology is not likely to harm consumers.

The statement closes with a warning to businesses: “Finally, the Commission wishes to emphasize that—particularly in view of rapid changes in technological capabilities and uses—businesses should continually assess whether their use of biometric information or biometric information technologies causes or is likely to cause consumer injury in a manner that violates Section 5 of the FTC Act. If so, businesses must cease such practices, whether or not the practices are specifically addressed in this statement.”

Wilson Sonsini’s privacy and cybersecurity practice routinely helps companies navigate legal requirements and best practices related to the collection and use of biometric information, and the marketing and use of biometric information technologies. For more information or advice on these issues, please contact Maneesha Mithal, Chris Olsen, Kelly Singleton, or another member of the firm’s privacy and cybersecurity practice.

---

^[1]See, e.g., FTC Press Release, “FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations” (August 29, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other?utm_source=govdelivery; FTC Business Blog Post, “Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data” (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal.

^[2]See, e.g., FTC Press Release, “California Company Settles FTC Allegations It Deceived Consumers about use of Facial Recognition in Photo Storage App,” (January 11, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/01/california-company-settles-ftc-allegations-it-deceived-consumers-about-use-facial-recognition-photo.

^[3]See, e.g., Alvaro Bedoya, Harrison Rudolph, and Laura Moy, Not Ready for Take-Off: Face Scans at Airport Departure Gates, Center on Privacy and Technology at Georgetown Law, December 2017, available at https://www.airportfacescans.com/; Alvaro Bedoya, Clare Garvie, and Jonathan Frankle, The Perpetual Line-Up: Unregulated Police Face Recognition in America, Center on Privacy and Technology at Georgetown Law, January 2017, available at https://www.perpetuallineup.org/.