The use of facial recognition remains largely unregulated in the United States, aside from several individual state and municipal laws. But if your company or app policies commit that facial recognition will not be used unless the user expressly agrees, the FTC will be watching to make sure you deliver.
The FTC recently entered into a consent decree with California developer Everalbum. Everalbum’s app called “Ever” lets users upload photos and videos from their mobile devices, computers, or social media accounts and then organize and store them in the cloud. The FTC’s Complaint alleged that when Everalbum launched a new feature in the Ever app called “Friends,” it used facial recognition technology to group users’ photos by people’s faces, so users could tag people by name. Everalbum allegedly enabled facial recognition by default for all mobile app users when it launched the Friends feature.
According to the FTC, between July 2018 and April 2019, Everalbum represented that the Ever app would not use facial recognition technology unless users affirmatively opted in. During this time, the company allowed Ever app users located in three states and the European Union to choose whether to turn on facial recognition. For all other users, it was automatically active until April 2019 and could not be turned off.
How Everalbum leveraged user’s biometric data – facial images and face embeddings – was also a problem for the FTC. For almost two years, Everalbum combined millions of facial images extracted from Ever users’ photos with facial images obtained from publicly available datasets to create four datasets. Everalbum used these datasets to develop facial recognition technology, which it marketed and sold through a different subsidiary, Paravision, to other companies in the security and airline industries. Even though Everalbum did not share app users’ photos, videos, or personal information with its Paravision customers, the FTC claimed that Everalbum should not have used consumers’ biometric data for purposes other than the Ever app without either disclosing that or obtaining consent.
According to the FTC, Everalbum separately promised app users that the company would delete their photos and videos if they deactivated their Ever accounts. Everalbum failed to delete the photos or videos from the facial recognition datasets, however, retaining those indefinitely.
Under the FTC consent settlement, Everalbum must delete the facial recognition technologies enhanced by any improperly obtained photos; namely, any facial recognition models or algorithms developed with Ever users’ photos or videos. This is a new development, as prior enforcement actions did not require this forfeiture.
In addition, Everalbum must be forthcoming about how it 1) collects, uses, discloses, maintains, or deletes personal information, including face embeddings and facial recognition technology, and 2) protects the privacy and security of personal information it collects. Under the proposed settlement, if Everalbum markets app software to consumers, it must obtain users’ express consent before collecting biometric information for face embeddings or facial recognition technology.