On May 18, the Federal Trade Commission (FTC) issued a new policy statement warning the general public of recent increases in the use of consumers' biometric data and information for marketing purposes. Similar to previous policy statements, the agency has noted that these technologies are beginning to prompt a wide range of growing consumer privacy, data and cybersecurity concerns, citing an increased potential for bias and discrimination. State lawmakers see this newly released guidance as the latest warning shot in a line of many, indicating that the FTC is prepared to protect sensitive or otherwise high-risk consumer information.
With few states currently possessing legislation on biometric data, the FTC voted to publish the first formal position from the federal government's perspective on what exactly is or could be considered biometric data. As per the policy statement shared on a recent post on the FTC’s website, biometric information is now formally defined as "data derived from such depictions, images, descriptions or recordings to the extent that it would be reasonably possible to identify the person from whose information the data had been derived." Through this updated definition, the FTC reaffirms much, if not all, of the active state regulations on biometric data, namely Illinois' Biometric Information Privacy Act, commonly referred to as BIPA. Considered the first state-based biometric privacy law, BIPA is often regarded by privacy experts as the most enforceable legislation enacted to date, affording individuals a private right of action to bring litigation against companies violating the law.
Cobun Zweifel-Keegan, current managing director of the International Association of Privacy Professionals, believes the recent definition published by the FTC is by far one of the most comprehensive policy statements regarding biometrics, spurred on by a recent flurry of state legislation passed in Washington, Maine, Virginia and Tennessee. "It's not so much focused on particular technologies or purposes; it's more focused on sort of how a company should go about notifying people about the use of biometric technologies. In the biometric space, and even in health data more broadly, it's just clear that these things are becoming more protected, that companies need to be treating them as sensitive data, doing the things that we've always said need to be done with sensitive data and maybe some new things as well," Zweifel-Keegan said, as reported by StateScoop.
According to Samuel Levine, director of the FTC's Bureau of Consumer Protection, "Today's policy statement makes clear that companies must comply with the law, regardless of the technology they are using." To avoid future pitfalls, companies utilizing biometric data must assess their current situation and integrate more holistic methods of collecting consumer information. This may involve hiring third-party companies and investigators to evaluate the risk and the context in which the technology will be used. As stated in the policy statement, potential pitfalls may include "false or unsubstantiated marketing claims relating to the validity, reliability, accuracy, performance, fairness or efficacy of tech using biometric information," which are all practices that violate the FTC Act.