FTC Issues Guidelines for Facial Recognition

Suggests Opt-in Regime for Secondary Uses

The Federal Trade Commission has issued best practices guidelines for facial recognition software, including that consumer privacy be baked into the design, that reasonable security measures be developed and used, and that digital signage that uses the technology not be set up where kids congregate.

FTC points out that the software can be used to determine gender and age for targeted ads or gauging their reaction to a video game or movie.

The guidelines also recommend that consumers be informed of when facial recognition is being used and have a choice as to whether that data is collected or not, including making that choice an opt-in when they use the data collected for a purpose other than that originally stated, and when they use it to identify a consumer to someone who could not otherwise identify them without that data.

"Fortunately, the commercial use of facial recognition technologies is still young.  This creates a unique opportunity to ensure that as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer," the report says.

The fact that the technology is so new was one reason that commissioner J. Thomas Rosch dissented. "I disagree with the adoption of 'best practices' on the ground that facial recognition may be misused. There is nothing to establish that this misconduct has occurred or even that it is likely to occur in the near future. It is at least premature for anyone, much less the Commission, to suggest to businesses that they should adopt as 'best practices' safeguards that may be costly and inefficient against misconduct that may never occur," he said.

Rosch was also concerned that the staff recommended that facial recognition fall under the "unfairness" prong, rather than the "deception" prong, of the FTC's consumer protection rules. That prong is generally reserved for "substantial injury," which he says the report does not justify.

"In summary, I do not believe that such far-reaching conclusions and recommendations can be justified at this time."

The FTC report makes clear that the guidelines, to the extent that they extend beyond what is currently enforceable under FTC rules, are "not intended to serve as a template for law enforcement actions or regulations under laws currently enforced by the FTC."

Information Technology & Innovation Foundation senior analyst Daniel Castro had concerns about the direction the report was taking. "Policymakers should not create technology-specific rules for facial recognition," he said in a statement. "Facial recognition technology belongs to a larger class of biometric technology that should be treated the same. In addition, facial recognition has many benefits, from improving security to automating tasks to personalizing transactions."

"Rather than attempting to create rules based on false assumptions about anonymity, the FTC would be more effective if it promoted a robust harms-based approach to the use of biometric information that works to identify and close any potential gaps in current law. This would help ensure that individuals are fully protected against potential abuses, while not creating roadblocks to innovation for new technology."