FTC Raises Concerns With Privacy Practices Proposed by NTIA Facial Recognition Multistakeholder Participants
Privacy advocates and consumer groups, as expected, weren't present at the NTIA’s multistakeholder meeting on facial recognition Tuesday (see 1507270044). But FTC staff attorney Amanda Koulousias did attend and said the agency has reviewed both draft documents that were circulated among stakeholders ahead of the meeting, and has concerns about the enforceability of the proposed code of conduct and the strength of the privacy protections in both. The FTC understands these are working drafts, but wanted to raise concerns early in the process to ensure the agency’s concerns were addressed, she said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The document the International Biometrics Industry Association drafted doesn't dictate or tell companies what privacy solutions for facial recognition use should be, but recommended general transparency and data security guidelines because there are new reports daily on how Germans and people in Uganda are using the technology, said IBIA Managing Director Tovah LaDier. Providers and implementers should be left to determine what the technology's most important privacy protection is, dependent on the use, LaDier said.
IBIA’s original draft was created in 2014. LaDier said the most recent draft in front of stakeholders on Tuesday was similar to the original document, with a few changes added such as clarifications, definitions and reorganization, she said. One significant change involved criteria that must be taken into account when applying privacy principles, she said. IBIA added the reasonable person expectation when applying those privacy principles, per the recommendation of the privacy advocates, LaDier said.
NetChoice Policy Counsel Carl Szabo said the draft he helped craft was designed to create a set of guidelines that helps businesses, developers, companies and consumers determine how the technology should and shouldn't be used. “What we’re doing is laying down roadwork,” Szabo said. If there's a need for speed bumps, stop signs or red lights, those can be added later. Similarly, if the rules are too restrictive and the road map would benefit from a highway, that can be added too, he said. He said the group wants input from many broad groups of people.
The FTC’s Koulousias said the drafts needed to be clearer so the FTC can enforce the rules. IABA’s draft concerned the FTC because it gave companies a lot of leeway, Koulousias said. LaDier said IABA’s document wasn't intended to be a code of conduct but a best practices document. Koulousias recommended the NetChoice draft use more definitive language in its provisions like "will," "commit to" or "shall" instead of "should." Koulousias said the transparency portion was unclear and asked if the document could include examples. The FTC also was unsure what the NetChoice document meant by sufficient consent, and said if the draft were to become the final version, no privacy protections would be offered. The FCC sees the draft as giving consumers very limited control, she said. Koulousias said the NetChoice draft’s public information exception was too broad and the agency was concerned that if not addressed it could “swallow the whole code.”
Szabo said he would be happy to discuss necessary changes but questioned the real-life applicability of some of the FTC’s suggestions. Posting a long privacy policy on the door to a retail store like Kmart or JCPenney won't be useful and may not even be noticed, he said. Steven Emmert, senior director government and industry affairs at Reed Elsevier, agreed with Szabo that it’s difficult to deliver notice in some instances, but the FTC will enforce a company’s failure to give notice or provide useful information to the consumer. Koulousias recommended companies try layered notices -- posting a sign outside of a store that says facial recognition is used on premises and tells consumers where they can go for more information if they have questions or concerns. LaDier said retail establishments, hotels and restaurants likely would push back if they have to provide extensive notice as the FTC recommended.
Though the privacy advocates and consumer groups didn't attend, LaDier said most companies participating in the meeting are very concerned about privacy and data security because no one wants the bad publicity or the cost of a data breach.
A definitive date for the next meeting wasn't set, but NTIA Director-Privacy Initiatives John Verdi proposed the group meet again in mid-October. One item that was asked to be discussed at the next meeting is what kind of privacy protections are needed for children and teens in regard to facial recognition use. The Children’s Online Privacy Protection Act protects children online, but privacy protections that exist in a brick-and-mortar environment are to be discussed.