One of Octillo's 2021 privacy predictions is the continued rise of biometric lawsuits and legislation, even outside Illinois’ BIPA. Case in point is a recent consent decree the Federal Trade Commission issued against EverAlbum, a California company, concerning its use of photo-tagging and facial recognition technologies.
The Claims Against EverAlbum Inc.
In its complaint, the FTC alleges that EverAlbum, Inc. violated Section 5 of the Federal Commission Act by making several misrepresentations concerning its App’s use of facial recognition technology (FRT). Specifically, the FTC alleged that:
- EverAlbum’s facial recognition feature was on by default. In February 2017, EverAlbum launched a new feature in the Ever App, called ‘Friends’ that used facial recognition technology to group users’ photos by the faces of the people who appear in them and allowed users to “tag” people by name. EverAlbum allegedly enabled facial recognition by default for all mobile app users when it launched the ‘Friends’ feature.
- EverAlbum falsely claimed that users must affirmatively activate FRT. Between July 2018 and April 2019, EverAlbum allegedly represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. Although, beginning in May 2018, the company allowed some Ever App users—those located in Illinois, Texas, Washington and the European Union—to choose whether to turn on the face recognition feature, it was automatically active for all other users until April 2019 and could not be turned off.
- EverAlbum used users’ images to create a larger dataset to develop its FRT, and sold FRT services to enterprise clients. Between September 2017 and August 2019, EverAlbum combined millions of facial images that it extracted from users’ photos with facial images that EverAlbum obtained from publicly available datasets to create datasets for use in the development of its facial recognition technology. The complaint alleges that EverAlbum used the facial recognition technology resulting from one of those datasets to provide the Ever App’s “Friends” feature and also to develop the facial recognition services sold to its enterprise customers without disclosing this to users.
- EverAlbum Failed to delete photos from deactivated accounts. EverAlbum is also alleged to have promised users that the company would delete the photos and videos of users who deactivated their accounts. The FTC alleges, however, that until at least October 2019, EverAlbum failed to delete the photos or videos of any users who had deactivated their accounts and instead retained them indefinitely.
FTC v. EverAlbum Inc. Settlement Agreement
In the consent Agreement, the FTC requires EverAlbum to:
- Delete Certain User Information: Specifically, within 30-90 days of the agreement, EverAlbum must delete:
- The photos and videos of Ever App users who deactivated their accounts
- All face embeddings, data reflecting facial features that can be used for facial recognition purposes, the company derived from the photos of users who did not give their express consent to their use.
- Any facial recognition models or algorithms developed with EverAlbum users’ photos or videos
- Make Clear and Conspicuous Disclosures: EverAlbum must clearly and conspicuously disclose to the user from whom the respondent has collected the biometric information, separate and apart from any Privacy Policy, Terms of Use page, or other similar document, all purposes for which respondent will use, and to the extent applicable, share, the biometric information.
- Obtain Affirmative Express Consent from Users: EverAlbum must obtain affirmative express consent from users whose biometric information is collected.
Potential Application of EverAlbum Settlement
The FTC v. EverAlbum Inc. settlement sets a defacto standard for businesses who are collecting biometric information from consumers in the United States. Companies who use biometric data or facial recognition technology should observe the following takeaways from this settlement:
First, the settlement makes clear that facial recognition technology used on photographs is a regulated biometric practice. This is somewhat unclear under the Illinois BIPA statute, where defendants have argued that photographs are exempt from the law.
Next, as a defacto standard, the FTC is requiring that businesses make clear and conspicuous disclosures regarding their biometric practices. The Agreement defines clear and conspicuous as “not difficult to miss” and easily understandable by ordinary consumers, including in all the following ways:
- In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication, even if the representation requiring the disclosure (“triggering representation”) is made through only one means.
- A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
- An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
- In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
- The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
Third, as a defacto standard, the FTC is requiring businesses that collect biometric information (such as photographs used for FRT) should obtain affirmative express consent from users before doing so. Although undefined in the agreement, in other contexts affirmative express consent may be accomplished through a written release or digital signature (BIPA), through an affirmative opt-in pop up for the specific purpose of making the biometric disclosure and obtaining consent.
Recommended Next Steps
Octillo recommends all companies that collect biometric information, including facial recognition technology, take several proactive steps in the wake of the EverAlbum settlement.
- Evaluate your existing privacy policy disclosures to confirm you are in compliance with the EverAlbum requirements and to make requisite clear and conspicuous disclosures regarding the collection of biometric information and use of facial recognition technology/photo-tagging.
- Evaluate the use of pop-ups and opt-ins or written releases to obtain affirmative express consent for FRT practices in the United States (note, in IL, a written release is required).
- Evaluate default settings and deletion photo and biometric information deletion practices to ensure compliance with the EverAlbum settlement requirements.
Emerging technologies present opportunities for companies to better engage their customers, but also create new data privacy concerns. With some states looking to implement biometric privacy laws mimicking Illinois’ Biometric Information Privacy Act (BIPA), including New York Biometric Privacy Act, (AB27), companies collecting and using biometric technology, like FRT, should consult legal tech counsel to evaluate compliance with these emerging laws. Octillo attorneys, who are also technologists and former tech business owners, have years of collective experience with new technologies, like artificial intelligence, biometric data, facial recognition technology. Our team can help your company implement and mitigate the risks associated with emerging technologies.
*Attorney Advertising. Prior results do not guarantee future outcomes.
