FTC Consent Order Provides Insight on 'Conspicuous Disclosure'
In January 2021, the Federal Trade Commission entered into a consent order with Everalbum Inc., which operated the now-defunct photo storage app Ever. The complaint alleges misrepresentations regarding the company's use of facial recognition technology and its deletion of photos upon request. The order provides important insight into the concept of "conspicuous" disclosure. Importantly, the company is required to delete photos, face embeddings and training algorithms if consent from the user is not obtained. This shows a renewed use by the FTC of the remedy of "disgorgement," including for machine learning and AI.
Key Takeaways
If you are giving people a choice, it has to be a real choice. Describing a choice as opt-in when it is not is worse than not giving the choice at all. (When given the choice to opt in to facial recognition, 75% of users chose to do so.)
The FTC's definition of "biometric information" is similar but not identical to that in CCPA: "data that depicts or describes the physical or biological traits of an identified or identifiable person, including depictions (including images), descriptions, recordings, or copies of an individual’s facial or other physical features (e.g., iris/retina scans), finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern)"
The FTC's detailed definition of "conspicuous" can help us with CCPA/CPRA et al. going forward: Required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:
- In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented.
- In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (triggering representation) is made through only one means.
- A visual disclosure, by its size, contrast, location, the length of time it appears and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read and understood.
- An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed and cadence sufficient for ordinary consumers to easily hear and understand it.
- In any communication using an interactive electronic medium, such as the internet or software, the disclosure must be unavoidable.
- The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.
- The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communication.
- The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
- When the representation or sales practice targets a specific audience, such as children, the elderly or the terminally ill, “ordinary consumers” includes reasonable members of that group.
Under the consent order, the company is obligated to:
- Refrain from any misrepresentation regarding its data collection/processing/data protection.
- Refrain from using any biometric information to:
  - Create a Face Embedding (data, such as a numeric vector, derived in whole or in part from an image of an individual’s face)
  - Train, develop or alter any face recognition model or algorithm without:
    - a clear and conspicuous disclosure regarding collecting biometric information separate and apart from any privacy policy or Terms of Use and
    - affirmative express consent of the user.
- Within 90 days of the order: delete all photos that users requested deleted.
- Within 90 days of the order: delete all Face Embeddings derived from Biometric Information collected from users who have not provided express affirmative consent for the creation of Face Embeddings.
- Within 90 days of the order: delete all models or algorithms developed in whole or in part using Biometric Information collected from users.
- Submit a compliance report a year after the order.
Exception to deletion requirement (which can be instructive re: CCPA exceptions to the right to delete):
- Information may be retained, and may be disclosed, as requested by a government agency or otherwise required by law, regulation, court order, or other legal obligation, including as required by rules applicable to the safeguarding of evidence in pending litigation.
- In each written statement to the Commission required by this provision, the company must describe in detail any relevant information that it retains on any of these bases and the specific government agency, law, regulation, court order or other legal obligation that prohibits the company from deleting or destroying such information.
- Within 30 days after the obligation to retain the information has ended, the company shall provide an additional written statement to the Commission, sworn under penalty of perjury, confirming that the company has deleted or destroyed such information.
Odia Kagan is a partner in the firm's Privacy & Data Security Practice and Chair of the firm's GDPR Compliance & International Privacy Practice. For questions about this alert or other data privacy compliance issues, she can be reached at 215.444.7313 or okagan@foxrothschild.com.

