In this article, the authors examine a recent enforcement action brought by the
The
The
The
BACKGROUND
The
About 10 years later, in 2020, Reuters published[7] an investigative report about
In its new lawsuit, the
- Unfair FRT practices, and
- Failure to implement or maintain a comprehensive information security program as required by the 2010 order.
THE COMPLAINT
Unfair FRT Practices
The
- Assess, consider, or take reasonable steps to mitigate risks to consumers associated with its implementation of FRT, including risks associated with misidentification of consumers at higher rates depending on their race or gender;
- Take reasonable steps to prevent its FRT from using low-quality images, increasing the likelihood of false-positive match alerts;
- Take reasonable steps to train or oversee employees tasked with operating FRT and interpreting and acting on match alerts; and
- Take reasonable steps, after deploying FRT, to regularly monitor or test the accuracy of the technology, including by failing to implement any procedure for tracking the rate of false positive facial recognition matches or actions taken on the basis of false positive facial recognition matches.
- Surveilling and following store customers around Rite-Aid stores;
- Preventing store customers from making needed or desired purchases (in the event employees were instructed to remove the consumer from the store);
- Subjecting consumers to unwarranted searches and calling the police on consumers who were falsely flagged as shoplifters; and
- Wrongly accusing store customers of shoplifting.
- Require that service providers, by contract, implement and maintain appropriate safeguards for personal information; and
- Maintain written records relating to Rite-Aid's information security program.
- Delete biometric information collected by FRT;
- Provide notice to third parties of the FTC's complaint and order and require that these third parties delete biometric information received from Rite-Aid;
- Provide the FTC with a list of all third parties that received any of the following information from Rite-Aid:
  - A first and last name;
  - A home or physical address;
  - An email address or other online contact information, such as an instant messaging user identifier or a screen name;
  - A mobile or other telephone number;
  - A driver's license or other government-issued identification number;
  - A date of birth;
  - Geolocation information sufficient to identify street name and name of a city or town;
  - Bank account information or credit or debit card information (including a partial credit or debit card number with more than five digits);
  - A user identifier, or other persistent identifier that can be used to recognize a user over time and across different devices, websites, or online services;
  - User account credentials, such as a login name and password (whether plain text, encrypted, hashed, and/or salted);
  - Biometric information; or
  - Health information;
- Implement a comprehensive protocol for the assessment, collection, maintenance, testing, retention, and safeguarding of biometric information (if Rite-Aid intends to use a non-FRT biometric security system not subject to the five-year ban);
- Disclose the use of any non-FRT biometric security system to consumers in Rite-Aid stores via "clear and conspicuous" physical signs, and on each website, mobile app, or online service that collects biometric information;
- Disclose to consumers the specific types of biometric information collected, outputs generated by any non-FRT biometric security system, purposes for collecting biometric information, and timeframe for deletion of each type of biometric information;
- Implement a comprehensive information security program;
- Retain a third-party assessor to periodically assess Rite-Aid's security program;
- Report data breaches of over 500 individuals to the FTC within 72 hours of Rite-Aid's reasonable belief of unauthorized access to covered information;
- Implement mandatory recordkeeping of Rite-Aid's revenue/sales; personnel records; consumer complaints; records related to compliance with the FTC's order; materials relied on for the mandatory system assessment; materially different representations of Rite-Aid's privacy, security, availability, confidentiality, and integrity of any covered information; copies of the third-party assessor's report; subpoenas from law enforcement related to the FTC's order; and records showing lack of compliance with the FTC's orders; and
- Submit an annual certification of compliance with the FTC's order.
WHAT DOES THIS MEAN FOR BUSINESSES?
The Rite-Aid enforcement action confirms the conclusion that the FTC's May 2023 policy statement reflects a broad set of guidelines for companies that collect or use biometric information, and non-compliance may result in the FTC filing suit under Section 5 of the FTC Act. Accordingly, companies operating in the United States should consider reviewing their biometric information collection practices, employee training for handling biometric information, and contracts with vendors that process biometric information for compliance with the FTC's policy statement.

Footnotes
1. https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
2. https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.
3. https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid_complaint_filed.pdf.
4. https://www.ftc.gov/sites/default/files/documents/cases/2010/07/100727riteaidagree.pdf.
5. 15 U.S.C. §§ 45(a), (n).
6. https://www.ftc.gov/sites/default/files/documents/cases/2010/11/101122riteaidcmpt.pdf.
7. https://www.reuters.com/investigates/special-report/usa-riteaid-software/.
8. https://www.sec.gov/Archives/edgar/data/84129/000155837023016503/rad-20230902x10q.htm.
9. https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
10. https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid_stipulated_order_filed.pdf.
The
Unsurprisingly, the
FAILURE TO IMPLEMENT OR MAINTAIN A COMPREHENSIVE INFORMATION SECURITY PROGRAM
After addressing
- Use reasonable steps for selecting and retaining capable service providers that appropriately safeguarded personal information;
The
THE STIPULATED ORDER
To settle the case,
- Refrain from using FRT for five years;
Originally published by Pratt's Privacy & Cybersecurity Law Report.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.