Privacy & Information Security Law Blog

On October 22, 2012, the Federal Trade Commission released a report entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies.” The report focuses on privacy concerns associated with facial recognition technology, which is becoming increasingly ubiquitous across a variety of commercial applications ranging from search engines to video games to password authentication.

The report, which was developed after a workshop on facial recognition technology and subsequent public comments requested by the FTC, sets forth several best practices for the use of facial recognition technology. These best practices are based on the principles contained in the FTC’s March 2012 report on privacy and include: (1) privacy by design, (2) simplified consumer choice and (3) transparency.

In the report, the FTC illustrates through case studies how companies may implement these principles. In one case study, an eyeglass company enables consumers to upload images to the company’s website and place different eyeglass styles on those images. The report recommends that the company implement privacy by design by requiring “reasonable data security protections” for the images, establishing a specific retention period for the images and deleting the images once they are no longer necessary. In another case study, a sports drink company operates a digital sign in a grocery store with a camera that can detect a consumer’s age and gender. The report advises the company to “provide clear notice that digital signs using facial recognition to detect demographic characteristics are in operation, before the consumer comes into contact with the sign.” According to the report, the notice could be posted at the entrance to the store, or on or near the sign itself. In a third case study, a social networking website uses facial recognition technology to help its users “tag” photos of their friends. The report states that the company “should also be transparent with consumers about its data practices regarding the facial recognition feature and provide consumers a choice about the use of facial recognition technologies.” The report also recommends that the social networking website obtain users’ express opt-in consent in two cases: (1) before using a consumer’s image in a materially different manner than what was represented when the image was collected and (2) when “identify[ing] users to other users who are not their ‘friends’ on the site.”

Finally, the report notes that the best practices for facial recognition “can guide companies as they develop new products and services and craft the processes and systems that will govern their operations,” which will help ensure that the use of the technology “respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.”

The FTC voted 4-1 to release the report. Commissioner J. Thomas Rosch issued a dissenting statement, citing his concerns that the report goes “too far, too soon” and that the conclusions are not supported by the report or by a “rigorous cost-benefit analysis.”