FTC Bans Rite Aid from Using Facial Recognition for Five Years

The Federal Trade Commission has prohibited Rite Aid from using facial recognition technology for surveillance purposes for five years as part of a settlement of charges that the retailer used the technology improperly. The FTC had accused Rite Aid of failing to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores. Rite Aid used the technology to attempt to identify known shoplifters and others who have caused trouble at stores in the past.

The proposed order will require Rite Aid to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges it violated a 2010 Commission data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

False Accusations from Facial Recognition Failures

In a complaint filed in federal court, the FTC says that from 2012 to 2020, Rite Aid deployed artificial intelligence-based facial recognition technology in order to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were erroneously accused by employees of wrongdoing because facial recognition technology falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.

Preventing the misuse of biometric information is a high priority for the FTC, which issued a warning earlier this year that the agency would be closely monitoring this sector. Rite Aid did not inform consumers that it was using the technology in its stores and employees were discouraged from revealing such information. In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.

According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals—considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations—along with their names and other information such as any criminal background data.

The system generated thousands of false-positive matches, the FTC says. For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint. Specifically, the complaint says Rite Aid failed to:

  • Consider and mitigate potential risks to consumers from misidentifying them, including heightened risks to certain consumers because of their race or gender;
  • Test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it, including failing to seek any information from either vendor it used to provide the facial recognition technology about the extent to which the technology had been tested for accuracy;
  • Prevent the use of low-quality images in connection with its facial recognition technology, increasing the likelihood of false-positive match alerts;
  • Regularly monitor or test the accuracy of the technology after it was deployed, including by failing to implement or enforce any procedure for tracking the rate of false positive matches or actions that were taken based on those false positive matches; and
  • Adequately train employees tasked with operating facial recognition technology in its stores and flag that the technology could generate false positives. Even after Rite Aid switched to a technology that enabled employees to report a “bad match” and required employees to use it, the company did not take action to ensure employees followed this policy.

Failure to Safeguard Consumers’ Personal Data

In its complaint, the FTC also says Rite Aid violated its 2010 data security order with the Commission by failing to adequately implement a comprehensive information security program. Among other things, the 2010 order required Rite Aid to ensure its third-party service providers had appropriate safeguards to protect consumers’ personal data. In addition to the ban and required safeguards for automated biometric security or surveillance systems, other provisions of the proposed order prohibit Rite Aid from misrepresenting its data security and privacy practices and also require the company to:

  • Delete, and direct third parties to delete, any images or photos they collected because of Rite Aid’s facial recognition system as well as any algorithms or other products that were developed using those images and photos;
  • Notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system;
  • Investigate and respond in writing to consumer complaints about actions taken against consumers related to an automated biometric security or surveillance system;
  • Provide clear and conspicuous notice to consumers about the use of facial recognition or other biometric surveillance technology in its stores;
  • Delete any biometric information it collects within five years;
  • Implement a data security program to protect and secure personal information it collects, stores, and shares with its vendors;
  • Obtain independent third-party assessments of its information security program; and
  • Provide the Commission with an annual certification from its CEO documenting Rite Aid’s adherence to the order’s provisions.

The complaint and order were filed in the Eastern District of Pennsylvania. Rite Aid is currently going through bankruptcy proceedings and the order will go into effect after approval from the bankruptcy court and the federal district court as well as modification of the 2010 order by the Commission.


Jacob Horowitz is a contributing editor at Compliance Chief 360°
