In a pivotal development on December 19, 2023, the Federal Trade Commission (FTC) resolved an enforcement action against retail giant Rite Aid, bringing to light critical insights for companies navigating the complex realm of biometrics and artificial intelligence (AI) tools. The settlement, triggered by alleged Section 5 violations linked to Rite Aid’s use of facial biometrics, emphasizes the heightened risks and scrutiny surrounding the commercial deployment of advanced technologies.
The FTC’s intervention underscores the urgent need for companies to reassess their strategies in utilizing biometrics and AI tools. The aftermath of the Rite Aid settlement offers a playbook for managing the evolving landscape of regulatory oversight, particularly concerning the risks associated with false positive matches and potential harm to consumers, especially minority customers.
Historical perspective
Rite Aid, a prominent retail pharmacy chain, found itself entangled in legal proceedings as the FTC raised concerns about its use of facial biometrics to identify and deter individuals with suspected criminal intent. The FTC alleged that Rite Aid’s approach, relying on alerts triggered by the biometric system, lacked reasonable safeguards, leading to false positive matches and posing a heightened risk to minority customers.
The Commission also invoked a separate Section 5 claim, pointing to Rite Aid’s failure to comply with a 2010 order, which mandated diligence in selecting service providers, obtaining contractual assurances, and maintaining a written information security program.
Settlement specifications
To resolve the matter, Rite Aid consented to a Stipulated Order imposing stringent requirements and restrictions:
Ban on Facial Biometrics – Rite Aid faces a five-year prohibition on using any facial biometrics.
Biometric System Monitoring Program – The company must establish a comprehensive program, covering pre-deployment risk assessments, ongoing evaluations, and safeguards against identified consumer risks.
Data and Algorithmic Disgorgement – Rite Aid must delete all data derived from improper facial biometrics use and notify third parties to do the same.
Information Security Program – In addition to the biometric system monitoring program, Rite Aid must implement a broader information security program, validated by independent third-party assessments.
Evaluation and key implications
The Rite Aid case serves as a wake-up call for companies engaged in or planning to use biometrics or AI tools. It provides valuable insights into the FTC’s focus areas, laying the foundation for a proactive approach to mitigate legal risks. The settlement emphasizes the Commission’s commitment to scrutinizing biometrics and AI, signaling a need for organizations to dedicate resources to compliance measures and governance programs.
The key takeaways from Rite Aid’s enforcement action include the importance of conducting thorough risk assessments, implementing robust monitoring programs, and addressing the specific concerns raised by the FTC. By identifying and addressing these issues proactively, companies can navigate the evolving legal landscape surrounding biometrics and AI technologies.
Next steps – Practical compliance advice for AI tools deployment
The Rite Aid matter not only highlights pitfalls to avoid but also provides a roadmap for companies looking to enhance their compliance programs. Practical tips include:
Biometric System Monitoring Program – Follow the FTC’s blueprint, incorporating risk assessments, ongoing evaluations, and tailored controls for identified risks.
Notice Mechanisms: Implement clear and transparent notice mechanisms, both individualized and general, to inform data subjects about biometrics systems and potential adverse actions.
Data Retention/Destruction – Establish and adhere to a biometric data retention schedule, ensuring the permanent deletion of sensitive information.
Consumer Complaint Mechanism – Create avenues for consumers to submit complaints related to biometric system outputs, fostering a responsive process for investigation and resolution.
Information Security Program – Beyond biometrics, implement a comprehensive information security program, regularly validated through third-party assessments.
As businesses grapple with the evolving landscape of biometrics and AI regulation, the Rite Aid settlement offers a blueprint for proactive compliance. The question now is, how will companies adapt to these lessons, and what additional measures will they take to ensure the responsible deployment of advanced technologies in the face of increased regulatory scrutiny?
