On January 11, the Federal Trade Commission (FTC) announced it has settled with a California-based photo app developer involving allegations that it was building and using its users’ photos and videos to create facial recognition technology without their express consent.

Facial recognition software is typically comprised of three steps: detection, mapping, and identification. During the detection step, facial recognition software is developed to distinguish an individual’s face in an image or video from, say, a toaster. To do this, developers will train the software by introducing it to photos of known human faces. Once the software can distinguish a face from other objects, then it will analyze the face by mapping facial features, such as by measuring the width of the nose, eyes, mouth, and chin. Once the software has successfully mapped an individual’s facial features, it will typically then identify the individual in the image with the subject in question.

Organizations use facial recognition software in many ways, such as to verify international travelers or to track students on campus who may show COVID-19 symptoms. No matter how organizations use facial recognition software, the FTC’s recent proposed settlement with Everalbum, Inc. reminds organizations that they must first obtain consumers’ express consent before using facial recognition software.

Everalbum developed an app called Ever. The app allowed consumers to upload images from their devices to Ever’s cloud-based storage service. The FTC alleged that, since February 2017, Ever used facial recognition, by default, to “group users’ photos by the faces of the people who appear in them and allowed users to ‘tag’ people by name.” However, the facial recognition services were used beyond the Ever app to “develop [other] facial recognition services [] to its enterprise customers” without users’ consent, the FTC alleged.

Additionally, Everalbum promised consumers that it would destroy the photos and videos of users who deactivated their account; however, the FTC alleged that Everalbum failed in meeting that promise.

In this week’s proposed settlement announcement, the FTC requires Everalbum to:

  • Clearly and conspicuously disclose to its users all the purposes for which Everalbum will use and share biometric information;
  • Obtain the affirmative express consent of the user who uploaded the biometric information;
  • Destroy all photos and videos that Everalbum collected from users who requested deactivation of their Ever accounts;
  • Destroy all facial mappings derived from users who did not provide their express affirmative consent; and
  • Destroy any models or algorithms developed in whole or in part using the biometric information collected from users of the Ever application.

Although facial recognition software has garnered much attention under the Illinois’ Biometric Information Privacy Act (BIPA) in recent years, this week’s announcement is a reminder that the FTC continues to enforce and deprive wrongdoers of databases and technologies they build through the use of unlawfully collected biometric information.

The FTC and the state of Illinois are not the only ones with their sights on regulating facial recognition software. Texas, Washington, and New York lawmakers specifically deal with consumer protections relating to facial recognition technology. For instance, New York’s Assembly Bill A27 would provide a private right of action to consumers, up to $1,000 for negligent violations and $5,000 for intentional and reckless violations, of its Biometric Privacy Act.

Other states’ laws, such as the California Consumer Privacy Act (CCPA), implicate the use of facial recognition software through broader terms. Considering the broad definition of biometric information under the CCPA, which includes “an individual’s physiological, biological or behavioral characteristics[;]” coupled with the CCPA’s broad applicability, non-California organizations may still need to be aware of rights provided to California residents under the CCPA. To learn more about the CCPA, check out Troutman Pepper’s California Consumer Privacy Act Enforcement Series.

To read the FTC’s full proposed settlement, click here.