The Federal Trade Commission (FTC) has announced that it has reached a settlement with Rite Aid Corporation, one of the largest drugstore chains in the United States, over its use of facial recognition technology in hundreds of its stores. The settlement prohibits Rite Aid from using facial recognition technology without obtaining customers’ express consent and requires the company to delete any biometric data it collected from customers.
Rite Aid’s Use of Facial Recognition Technology
According to the FTC’s complaint, Rite Aid deployed facial recognition technology in about 200 of its stores across eight states between 2012 and 2020. The company used the technology to scan the faces of customers entering its stores and compare them with a database of individuals who had previously engaged in potential criminal activity at Rite Aid or other retailers. The company claimed that the technology was intended to prevent theft and protect the safety of its customers and employees.
However, the FTC alleged that Rite Aid failed to disclose its use of facial recognition technology to customers and did not obtain their consent. The FTC also alleged that Rite Aid did not implement reasonable security measures to protect the biometric data it collected from customers, such as encrypting the data or limiting access to authorized personnel. The FTC further alleged that Rite Aid retained the biometric data for longer than necessary and did not delete it when customers requested deletion.
FTC’s Settlement with Rite Aid
The FTC’s settlement with Rite Aid requires the company to stop using facial recognition technology unless it obtains customers’ express consent. The company must also delete any biometric data it collected from customers and any facial recognition models or algorithms it developed or used. In addition, it must implement a comprehensive biometric information privacy program and undergo biennial assessments by an independent third party.
The settlement also prohibits Rite Aid from misrepresenting its use of facial recognition technology or its collection, use, disclosure, maintenance, or deletion of biometric data. The company must also notify customers who were scanned by its facial recognition technology and provide them with a clear and conspicuous notice of their rights under the settlement.
The FTC’s settlement with Rite Aid is subject to public comment for 30 days, after which the FTC will decide whether to make it final.
Implications of the Settlement
The FTC’s settlement with Rite Aid is the latest in a series of actions taken by the FTC and other regulators to address the privacy and security risks posed by facial recognition technology. In January 2021, the FTC finalized a settlement with Everalbum, a photo app developer, over its deceptive use of facial recognition technology and its retention of customers’ photos and videos. In May 2021, the FTC issued a blog post warning businesses that they must comply with the FTC Act and other laws when using facial recognition technology and that they must be transparent, fair, and secure in their practices.
The FTC’s settlement with Rite Aid also reflects the growing public concern and scrutiny over the use of facial recognition technology by businesses and governments. Several states, such as California, Illinois, and Washington, have enacted laws that regulate the use of facial recognition technology and require consent from individuals. Several cities, such as San Francisco, Portland, and Boston, have banned the use of facial recognition technology by local government agencies. Several bills have been introduced in Congress to impose a moratorium or a ban on the use of facial recognition technology by federal agencies or to establish a national framework for its regulation.
The FTC’s settlement with Rite Aid shows that the FTC is committed to protecting consumers’ privacy and security when it comes to facial recognition technology and that it will hold businesses accountable for their use of this technology. Businesses that use facial recognition technology should be aware of the FTC’s enforcement authority and the potential legal and reputational risks they face if they do not comply with the FTC’s requirements and expectations.