New FTC Enforcement Action Reveals Novel Facial Recognition Settlement
In a recent settlement with the FTC, a photo storage application agreed to delete any facial recognition technologies it enhanced using improperly obtained photos.
On January 8, 2021, the FTC announced a novel settlement requiring a photo storage application to delete the facial recognition algorithms it developed by improperly using its users' photographs and then marketed to customers in the security sector. The settlement resolved the FTC's allegations that the company made false and misleading statements about the ability of its users to opt out of the facial recognition function of the application and the deletion of user data after accounts were deactivated.
In requiring the company to delete both user data and software developed using that data, the settlement marks a more assertive focus by the FTC on the use of facial recognition technology. Indeed, in a statement about the settlement, Commissioner Rohit Chopra stated that "[t]oday’s facial recognition technology is fundamentally flawed and reinforces harmful biases."
Facial recognition software has been an area of focus for regulators across the globe, especially when it is used for security or law enforcement purposes. Data regulators in the UK and Australia recently open an investigation into a company that applies facial recognition software to photographs scraped from social media websites, and an English appeals court recently held that police use of facial recognition software unlawfully breached privacy rights in the UK (see our discussion here).
Background - Facts of the Complaint
Everalbum has offered a photo storage and organization application since 2015 and since then, it has been downloaded by approximately 12 million people. In 2017, Everalbum launched a "friends" feature on its application that applied facial recognition software to users' photos and then grouped the photos based on the faces that appeared in them.
When it launched, the "friends" feature was enabled on all user accounts by default, with no option to disable the facial recognition feature. In May 2018, Everalbum updated its application to give users in specific jurisdictions the option to disable the facial recognition function and in April 2019, the option to disable the feature was rolled out to all users.
When the "friends" feature launched in 2017, Everalbum used publicly available facial recognition software to power the feature. Post-launch, Everalbum began developing its own facial recognition software, sometimes using images uploaded by its users to improve the technology. The FTC complaint alleges that Everalbum used the resulting facial recognition software in its photo storage application but also used it to enhance the facial recognition services offered by its enterprise brand, Paravision. Paravision offers its face recognition technology to customers for purposes such as security, access control, identity verification, and facilitating payments.
The FTC complaint also asserts that Everalbum's policies and communications with users indicated that deleting an account would result in the permanent deletion of all the user's data, including all photographs he or she had uploaded. Contrary to its policies and communications, Everalbum appears to have retained some users' photographs indefinitely after they elected to delete their accounts.
Counts of the FTC Complaint
The FTC asserted that Everalbum made false or misleading statements regarding (1) its users' ability to control the facial recognition feature of its application and (2) regarding the deletion of users' data after they deactivated their accounts. The complaint asserts that these statements constitute unfair or deceptive acts or practices in violation of Section 5(a) of the FTC Act.
Terms of Settlement
The settlement contained the following stipulations:
- Everalbum neither admitted nor denied the facts alleged by the FTC in its complaint.
- Everalbum must not make misrepresentations regarding its data privacy policies. Going forward:
- Everalbum must obtain express consent from users prior to utilizing facial recognition software on uploaded photos.
- If a user does not provide express consent, Everalbum must delete all data derived from images of individuals' faces in that users' photos.
- Everalbum must delete all models or algorithms it developed using the biometric data of users of its application.
- Everalbum is required to make various reports and notices regarding compliance with the terms of the settlement.
- For ten years, Everalbum is required to keep records showing revenue for all goods and products sold, personnel showing each person providing services, copies of all consumer complaints and refund requests, copies of all public privacy statements.