
FTC Enforces Against Rite Aid for its Use of Facial Recognition AI and for its Information Security Practices

27 December 2023

On 19 December 2023, the Federal Trade Commission (“FTC”) filed a complaint against the drug store chain Rite Aid, among others, for its use of facial recognition artificial intelligence (AI) technology allegedly in violation of the FTC Act. The FTC also attached to its complaint a proposed order, under which Rite Aid will be banned from using facial recognition technology for five years and will be subject to additional requirements and prohibitions.

By doing so, the FTC has sent a strong signal to the industry regarding its intention to focus enforcement measures on the fields of AI and biometrics.

Background

According to the FTC’s findings, Rite Aid used AI-based facial recognition technology in its retail stores to identify persons who may have engaged in shoplifting or other criminal behavior, providing Rite Aid’s employees with “match alerts” against persons in Rite Aid’s watchlist database. The supposedly matched individuals were subject to actions by Rite Aid employees (e.g., a ban from entering its stores). In many cases, such “match alerts” falsely identified individuals as persons in the watchlist database.

Complaint

According to the FTC’s complaint, Rite Aid’s key alleged violations include two counts:

(1) Unfair facial recognition technology practices – According to the complaint, Rite Aid failed to take the reasonable steps required when implementing an AI system, including the following:

a. Facial recognition technology implementation, including assessment of risks associated with higher rates of false “matches” due to visitors’ race or gender.

b. Testing, assessment, measurement, documentation, or inquiry concerning the level of accuracy of the facial recognition technology prior to its deployment.

c. Prevention of the use of low-quality images as part of its facial recognition technology, the use of which led to an increased probability of false positive “match alerts”.

d. Training or overseeing employees who are operating the facial recognition technology and are involved in the interpretation of the “match alerts” and acting based on such “match alerts”.

e. Conducting regular monitoring or testing of the accuracy of the facial recognition technology in use.

(2) Failure to implement or maintain a comprehensive information security program – Under this count, Rite Aid has failed to do the following:

a. Use reasonable steps to select service providers capable of appropriately safeguarding personal information received from Rite Aid and document the implementation of this process.

b. Periodically reassess service providers.

c. Require service providers by contract to implement and maintain appropriate safeguards for personal information they received from Rite Aid.

Proposed Order

Under the proposed order, Rite Aid will be prohibited from using facial recognition or analysis systems in any retail store or retail pharmacy or on any online retail platform for 5 years.

In addition, it will be prohibited from misrepresenting its data security and privacy practices and will be subject to additional requirements, unless exceptions apply, including:

a. Deleting, and directing third parties to delete, the biometric information used or collected by the face recognition technology system. Furthermore, any algorithms or products developed using such biometric information must be removed as well.

b. Establishing a comprehensive automated biometric security or surveillance system monitoring program prior to any use of an automated biometric security or surveillance system in connection with the biometric information collected from or about consumers.

c. Providing proper notice to consumers that Rite Aid has biometric information about consumers in a database used in conjunction with a biometric security or surveillance system, or that an action is taken against the consumer based on such a system’s output. Furthermore, Rite Aid will be required to provide a means of submitting complaints in this regard and to investigate them.

d. Providing a proper disclosure of the use of automated biometric security or surveillance systems to customers.

e. Complying with the retention limit of five years for biometric information and implementing a written retention schedule.

f. Establishing, implementing and thereafter maintaining a comprehensive information security program.

g. Obtaining a third-party information security assessment.

h. Providing the FTC with an annual certification by the CEO concerning the implementation of, and compliance with, the requirements of the proposed order.

This enforcement action highlights the FTC’s growing enforcement involvement in the use of AI and biometric systems, and its increased scrutiny of the compliant use of such systems, reminiscent of the FTC’s approach to privacy and data protection in recent years.

Please feel free to contact us if you have any questions regarding the practical implications and the influence of this enforcement action. Our AI Practice experts have wide legal experience with the evolving regulatory sphere around AI, as well as business and technical understanding and hands-on experience in the AI domain.