FTC Issues Privacy Guidelines for Facial Recognition Technology

A new Federal Trade Commission report provides suggestions for how companies can use facial recognition technology, particularly in social networks while protecting users privacy.

The Federal Trade Commission issued a report Oct. 23 that suggested best practices for companies using facial recognition technology, including a focus on how it should be used responsibly by social networking sites.

According to the FTC, facial recognition technologies are being used in a number of ways, from online social networks to mobile applications. The technology has a number of uses. Facebook, for example, has used facial recognition technology as part of its Tag Suggest feature, which the company has agreed to scrap in Europe in the name of complying with government regulations. The feature was taken offline for users everywhere months ago so that it could be made more efficient.

Facebook did not offer any specific comments on the FTC report. In the report, however, the FTC noted that the facial recognition application that potentially raises the most privacy concerns is identifying anonymous individuals in images. It also particularly suggests controls on the use of this functionality by social networks.

Social networks should provide users with a clear notice about how such features work and how the data will be used, the FTC recommends. They also should provide consumers with an easy way to opt out of having their biometric data collected and use for facial recognition as well as the ability to turn the feature off at any time and have any biometric data previously collected from their photos deleted forever, the FTC said.

"There are at least two scenarios in which social networks should obtain consumers’ affirmative express consent before collecting or using biometric data from facial images," according to the report. "First, as with all companies, social networks should obtain a consumer’s affirmative express consent before using a consumer’s image or any biometric data derived from that image in a materially different manner than it represented when it collected the data. Second, the social network should not identify users to other users who are not their ‘friends’ on the site without first obtaining their affirmative express consent."

Overall, the FTC urged companies using facial recognition technology to: design their services with consumer privacy in mind; develop security protections for information they collect, as well as methods for determining when to keep that information and when to get rid of it; and consider the sensitivity of information when developing their facial recognition products and services, such as not setting up digital signs using facial recognition in areas where children tend to be.

The commission voted four to one to release the report, with Commissioner Thomas Rosch serving as the lone dissenter. In his dissenting statement, Rosch wrote that he did not believe the "far-reaching conclusions and recommendations" in the report could be justified at this time.

"There is no support at all in the Staff Report for them, much less the kind of rigorous cost-benefit analysis that should be conducted before the Commission embraces such recommendations," he wrote. "Nor can they be justified on the ground that technological change will occur so rapidly with respect to facial recognition technology that the Commission cannot adequately keep up with it when, and if, a consumer’s data security is compromised or facial recognition technology is used to build a consumer profile. On the contrary, the Commission has shown that it can and will act promptly to protect consumers when that occurs."

In the report, the FTC noted that the commercial use of facial recognition technologies is still immature, providing a "unique opportunity to ensure that as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer."