On Monday, the Federal Trade Commission (FTC) announced that it reached a settlement in its first case focused on facial recognition technology misuse. The Commission settled with Everalbum, Inc., a California-based photo app developer that offered the Ever app, over claims that the company deceived consumers about its use of facial recognition technology and retention of deactivated users’ photos and videos in violation of the Federal Trade Commission Act.
According to the complaint, users upload photos and videos to Ever’s cloud servers and Ever’s features automatically organize users’ photos and videos into albums by location and date. The complaint noted that in 2017, Ever launched its “Friends” features, which “uses face recognition to group users’ photos by faces of the people who appear in the photos.” A user can tag and name the individuals in their photos. The FTC claimed that the Friends facial recognition feature was enabled by default, however, Everalbum allegedly did not give users the option to disable this feature. Meanwhile, Everalbum claimed that it would not apply facial recognition without users’ consent. In May 2018, for users in select locations, the app presented a pop-up message requesting users to select if they would like the app to use facial recognition, thus disabling the feature unless users selected yes; this pop-up was presented to all users in April 2019. Therefore, prior to this, users were unable to disable the facial recognition feature and it was automatically active for users and could not be turned off. The FTC averred that since Ever presented users with the pop-up message, “approximately 25% of the approximately 300,000 users who made a selection when presented with the pop-up message chose to turn face recognition off.” However, the complaint also claimed that facial recognition was used for other things in addition to the Friends feature. For example, between September 2017 and August 2019, Everalbum purportedly used users’ photos to train its facial recognition technology. While Everalbum claimed it would delete the photos and videos of deactivated users, it allegedly failed to delete this content until at least October 2019.
Pursuant to the proposed settlement, Everalbum must obtain express consumer consent before using facial recognition technology on consumers’ photos and videos. The company is barred from misrepresenting how it “collects, uses, discloses, maintain, or deletes” this content and information and it cannot misrepresent the extent to which: “consumers can control the collection, use, disclosure, maintenance, or deletion of Covered Information,” Everalbum “accesses or permits access to Covered Information,” Everalbum “otherwise protects the privacy, security, availability, confidentiality, or integrity of any Covered Information. Additionally, Everalbum must disclose the extent, purpose and duration it retains this information after a user delete or deactivates an account.
Everalbum is also required to delete facial recognition models and algorithms that it developed using user-uploaded photos and videos. Additionally, Everalbum must delete all face embeddings, which is “data reflecting facial features that can be used for facial recognition purposes” that the company took from Ever users’ photos without their consent, as well as deleting the photos and videos of users who deactivated their accounts.
“Using facial recognition, companies can turn photos of your loved ones into sensitive biometric data,” Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said in the press release. “Ensuring that companies keep their promises to customers about how they use and handle biometric data will continue to be a high priority for the FTC.”
The FTC voted 5-0 on the complaint and proposed settlement. The FTC noted that if Everalbum violates the proposed settlement, it could result in a civil penalty up to $43,280 per violation.
Commissioner Rohit Chopra stated that “it is critical that the FTC meaningfully enforce existing law to deprive wrongdoers of technologies they build through unlawful collection of Americans’ facial images and likenesses. The case of Everalbum is a troubling illustration of just some of the problems with facial recognition.” Commissioner Chopra added “(w)ith the tsunami of data being collected on individuals, we need all hands on deck to keep these companies in check. State and local governments have rightfully taken steps to enact bans, moratoria, and other restrictions on the use of these technologies…It will be critical for the Commission, the states, and regulators around the globe to pursue additional enforcement actions to hold accountable providers of facial recognition technology who make false accuracy claims and engage in unfair, discriminatory conduct.”
