Use of AI Facial Recognition by Rite Aid Banned by the FTC
December 21, 2023
Privacy Plus+
Privacy, Technology and Perspective
This week, the Federal Trade Commission (FTC) imposed a five-year ban on Rite Aid's use of AI facial recognition technology for surveillance purposes. This decision follows charges that Rite Aid deployed this technology without adequate consumer safeguards in hundreds of its stores.
The Complaint:
In a Complaint filed in federal court, the FTC alleged that from 2012 to 2020, Rite Aid used flawed AI-based facial recognition technology to identify potential shoplifters or wrongdoers, including Rite Aid employees. Unfortunately, this use of technology generated a significant number of false-positive facial recognition matches and disproportionately impacted certain populations, including racial and ethnic minority populations.
As detailed in the Complaint, Rite Aid developed the facial recognition system by contracting with two companies to compile a database of images and information of individuals labeled as “persons of interest” due to suspected or attempted criminal activity in its stores. This database included names and potentially criminal background data. However, the database contained numerous errors, in part, because it used low-quality enrolled images, failed to test and monitor the accuracy of the facial recognition technology, and failed to train and oversee employees who used the technology.
The FTC also accused Rite Aid of violating its previous consent order with the FTC because it did not implement reasonable and appropriate measures to protect personal information against unauthorized access, and failed to employ reasonable appropriate measures to prevent unauthorized access to personal information. In particular, the Complaint charged that Rite Aid failed to implement a comprehensive information security program, particularly concerning the oversight of third-party service providers handling personal information.
A link to the Complaint follows: https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid_complaint_filed.pdf
The Proposed Order:
The proposed order mandates significant corrective actions by Rite Aid. These include deleting all images and data collected via the facial recognition system, notifying consumers about the use of their biometric data, investigating consumer complaints, and implementing a robust data security program. The order also requires Rite Aid to investigate and respond to consumer complaints about the biometric security system, provide clear notice about the use of such technology, and delete any biometric information within five years. Furthermore, Rite Aid is required to implement a data security program, obtain independent third-party assessments of this program, and provide annual certification from its CEO on adherence to the order's provisions.
A link to the Proposed Order follows:
https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_riteaid_stipulated_order_filed.pdf
Next Steps for Enforcement:
The FTC's complaint and proposed order have been filed in the Eastern District of Pennsylvania. The order's effectiveness is contingent on approvals from the bankruptcy and federal district courts, as well as the modification of the 2010 order by the FTC.
Our Thoughts:
This case underscores the critical need for responsible deployment of facial recognition technology, especially when it involves sensitive biometric data. The FTC's actions serve as a reminder to all companies about the importance of consumer privacy and the careful management of AI-based technologies, especially when they implicate such sensitive personal information.
If you would like to learn more about this action, you can click on the following link to the FTC’s blog:
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.