The FTC has become big on the late December surprise. In late December 2022, the agency announced the health claims guidance, which was quite a big deal for advertisers. This December there were two late December announcements that we wanted to bring to your attention just in case you were focused more on eggnog and less on Pennsylvania Avenue. The first is that after four and a half long years of rulemaking, the agency issued proposed changes to the Children’s Online Privacy Protection Rule (COPPA). And the second is an interesting case involving Rite Aid and its use of facial recognition technology.
COPPA
Rulemakings rarely take this long, but clearly the FTC was eager to get things moving before hitting the five-year mark. And at the outset – let’s discuss what kind of rulemaking this is. We have talked a lot about Mag-Moss rulemaking, and that is a lot of what we are seeing from the FTC these days – rulemaking where the FTC decrees that certain practices are deceptive or unfair under the FTC Act. The COPPA rulemaking is quite different – Congress passed the statute and granted the FTC the ability to promulgate some rules to effectuate the purpose of COPPA. So these are rules that do not implicate the contours of the FTC Act.
There are a lot of proposed changes to COPPA; indeed, the Federal Register Notice (FRN) points out that the Commission “proposes modifying most provisions of the Rule.” That said, a lot of the proposals are of the relatively modest variety or are consistent with what the FTC has been saying for some time. There are two significant proposals that we do want to flag. COPPA currently requires a single consent for collection, use and disclosure of kids’ information. Under this new proposal, consent would be bifurcated. Separate parental consent would need to be obtained for disclosure unless the disclosure is integral to the nature of the site or service. And to be clear, the focus here is on limiting disclosures of data to third parties for advertising purposes. (For an agency that is not too fond of notice and choice, this does have me scratching my head just a bit.)
The second big change to highlight is a new provision that would further limit how persistent identifiers may be lawfully used for internal operations of a website or service. As you may know, COPPA allows operators to collect persistent identifiers if they don’t collect other personal information and the identifiers are only used to provide support for internal operations. The proposal, however, states that the internal operations exception would not cover uses “in connection with processes, including machine learning processes, that encourage or prompt use of a website or online service.” And in case you aren’t quite sure what they are getting at, the FRN explains that “[t]his proposed addition prohibits operators from using or disclosing persistent identifiers to optimize user attention or maximize user engagement with the website or online service, including by sending notifications to prompt the child to engage with the site or service, without verifiable parental consent.”
The FTC proposes a wide range of additional changes, including updated notice and consent requirements, revised definitions, new security requirements and new approved consent methods. For anyone involved in kids’ issues, the FRN is a must read. Comments are due 60 days after the FRN is published, and that has not happened yet – so we are looking at early March as the potential closing date for comments at the moment. And I would wager that the FTC will not wait four and a half years to get the proposed changes finalized.
Rite Aid
The second December surprise was the FTC’s case against Rite Aid. The FTC alleges, that for several years, the company had been quietly using facial recognition technology for store surveillance purposes to identify customers who may have been engaged in shoplifting or other problematic behavior. However, and this is where it gets interesting, the FTC alleges that the company engaged in unfair practices by failing to take reasonable steps to prevent harm to consumers from the use of this technology.
The harm allegedly comes in the form of false positives – consumers were flagged for and erroneously accused of wrongdoing. And the FTC states that the technology disproportionately impacted people of color. In particular, according to the complaint, once consumers were flagged, Rite Aid employees:
- surveilled and followed consumers around the store;
- instructed consumers to leave Rite Aid stores and prevented them from making needed or desired purchases, including of prescribed and over-the counter medications and other health aids;
- subjected consumers to unwarranted searches;
- publicly and wrongly accused consumers of shoplifting, including, according to consumer complaints, in front of the consumers’ coworkers, employers, children, and others; or
- called the police to confront or remove the consumer.
The FTC focuses a good deal on problems with how the technology was utilized and monitored. Among other things, the “watchlist database” contained many images that were low quality and at times led to large numbers of false positives. Indeed, the complaint provides several concerning examples. In the span of a few days, one image generated 900 separate alerts in more than 130 stores across the country. Overall, the FTC alleges that the company failed to consider the risks of false positives and did not test or track the system for accuracy or adequately review and vet the vendor. As for remedy, the headline there is that the company is banned for five years from using facial recognition technology for surveillance purposes.
Back in May 2023, the FTC issued Policy Statement on Biometric Information. And this latest action falls squarely within the ambit of issues that the FTC is focused on and will remain focused on in 2024.
And with that – Happy New Year!
[View source.]
