FTC issues privacy guide for facial recognition technology

The FTC released a study and guide on facial recognition technology, with guidance on the notice, transparency and options required when using, storing and sharing facial recognition information. The case studies cover three uses: a basic use (for example, a face is scanned and the user may then make changes to see what hair, clothes, jewelry or other things look like); a more advanced use, in which an interactive kiosk takes a picture of a consumer, assesses their age and gender, and presents an advertisement specifically for that consumer; and the use of facial recognition in social media and the sharing of those images (à la Facebook).

Anyone making use of facial recognition technology should consult these guides as they would any other FTC advertising or privacy guide, before they commence collecting, using or sharing facial recognition images.

For more information on privacy law compliance, contact Mike Oliver or Kimberly Grimsley.

FTC Privacy Report

In April 2012, the Federal Trade Commission issued its report entitled “Protecting Consumer Privacy in an Era of Rapid Change.”  You can read that here.

The Report, while a comprehensive review of hundreds of undoubtedly conflicting filings by the various extreme factions on privacy issues, ultimately just boils down to the FTC complaining that Congress has still not taken any action to normalize privacy rules. Let’s face it, privacy law is a mess: a hodgepodge of state laws, some specific federal laws covering financial accounts, children, protected health information and education, and a morass of case law and regulatory rules, rules that mostly derive from other laws (like the Lanham Act) not really intended to address privacy. For example, many of the actions the FTC has brought to enforce so-called privacy really involve false advertising: a company saying one thing to a consumer and doing another, or offering some ability to control a privacy setting and then ignoring the user’s setting.

The Report sets forth the FTC’s overview of its objectives and scope, summarized here:

  • does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided they do not share the data with third parties
  • “commonly accepted” information collection and use practices for which companies need not provide consumers with choice (product fulfillment, internal operations, fraud prevention, legal compliance and public purpose, and first-party marketing).
  • recommended that companies provide consumers with reasonable access to the data the companies maintain about them, proportionate to the sensitivity of the data and the nature of its use.
  • respect browser and consumer “do not track” election
  • disclose privacy practices in the use of mobile applications (also, the major platform providers recently signed an agreement with California to require all apps on their platforms to link to a privacy policy)
  • allowing consumers to have access to and to correct information held by so-called “data brokers”
  • industry self-regulation (“no lip service”)

In terms of the actual principles, they are:

  • Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy
  • Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services
  • Companies should simplify consumer choice (Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law)
  • For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data. Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes
  • Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices
  • Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use
  • All stakeholders should expand their efforts to educate consumers about commercial data privacy practices

From the perspective of a lawyer for small to medium-sized businesses, it would be very helpful to have some national, pre-emptive legislation that gave a lot of guidance and safe harbors for businesses, so that they do not have to worry that they are violating some esoteric rule buried in some regulation, order or arcane state law. Unlikely to happen, though . . .

For more information, contact Mike Oliver.