On December 19, the FTC filed a proposed stipulated order against Rite Aid for a permanent injunction and other relief that resolves the FTC's allegations that Rite Aid engaged in unfair acts or practices in violation of the FTC Act by using facial recognition technology and failing to implement or maintain a comprehensive information security program. The order modifies a previous order issued by the FTC in 2010 that required Rite Aid to establish and maintain a comprehensive information security program.
The order imposes several restrictions and requirements on Rite Aid in relation to its use of automated biometric security or surveillance systems, which are defined as any machine-based systems that analyze or use biometric information of, from, or about individual consumers for a security or surveillance purpose. Under the order, Rite Aid will be prohibited from deploying or using any facial recognition or analysis system for five years and will be required to delete or destroy all photos and videos of consumers and any data, models, or algorithms derived from such data that were used or collected in connection with such systems.
The order also requires Rite Aid to establish and implement a comprehensive automated biometric security or surveillance system monitoring program that identifies and addresses risks to consumers from the use of such systems, including risks of physical, financial, or reputational harm, stigma, or severe emotional distress, and risks of disproportionate effects on consumers based on race, ethnicity, gender, sex, age, or disability. This program must include written assessments, safeguards, testing, training, documentation, and evaluation of each system used by Rite Aid, and must prevent the deployment or discontinue the deployment of any system that is not supported by competent and reliable scientific evidence of accuracy or that creates or contributes to a risk of harm or discrimination to consumers.
The order further requires Rite Aid to provide notice and a means of submitting complaints to consumers whose biometric information is enrolled in any gallery used in conjunction with an automated biometric security or surveillance system, or whose biometric information is used to generate an output that results in an action that could harm the consumer, such as communicating the output to law enforcement or other third parties. This includes development and implementation of retention limits for biometric information, disclosure of their use of automated biometric security or surveillance systems to consumers, and obtaining affirmative express consent from consumers for the collection and use of their biometric information in connection with such systems.
Additionally, the order requires Rite Aid to establish and implement a comprehensive information security program that protects the security, confidentiality, and integrity of covered information, which is defined as information from or about an individual consumer, including biometric information and health information. The information security program must include written documentation, designated employees, risk assessments, safeguards, testing, monitoring, evaluation, and adjustment of the program, as well as vendor selection, retention, and oversight procedures. The order also requires Respondents to obtain initial and biennial assessments of the information security program from a qualified, objective, independent third-party professional, and to cooperate with the assessor by providing information and material relevant to the assessment.
The order also prohibits Rite Aid from making any misrepresentations about the extent to which they maintain and protect the privacy, security, confidentiality, or integrity of covered information, and requires them to obtain acknowledgments of receipt of the order, submit compliance reports and notices, create and retain certain records, and allow the FTC to monitor their compliance with the order. The order is final and effective upon the date of its publication on the FTC's website, and will terminate twenty years from the date of its issuance or the date of the most recent complaint filed by the FTC alleging any violation of the order, whichever comes later.
This order (if approved) may have significant implications for the use of AI by businesses in the United States, especially in the retail sector. The order reflects the FTC's concern about the potential harms and discrimination that may result from the use of facial recognition and other biometric technologies, and signals the FTC's intention to enforce the FTC Act and its previous orders against businesses that fail to protect consumers' privacy and security. The order may deter some businesses from using such systems, or encourage them to adopt more transparent and accountable practices, in order to avoid FTC scrutiny and enforcement. The order may also influence the development of federal or state legislation or regulation on the use of biometric technologies, as well as the adoption of industry standards or best practices, by providing a model of the FTC's expectations and requirements for businesses that use such technologies.