On December 19, 2023, the Federal Trade Commission (“FTC”) announced that it reached a settlement with Rite Aid Corporation and Rite Aid Headquarters Corporation (collectively, “Rite Aid”) to resolve allegations that the companies violated Section 5 of the FTC Act (as well as a prior settlement with the agency) by failing to implement reasonable procedures to prevent harm to consumers while using facial recognition technology. As part of the settlement, Rite Aid agreed to cease using “Facial Recognition or Analysis Systems” (defined below) for five years and establish a monitoring program to address certain risks if it seeks to use such systems for certain purposes in the future.
According to the FTC’s complaint, Rite Aid “used facial recognition technology in hundreds of its retail pharmacy locations to identify patrons that it had previously deemed likely to engage in shoplifting or other criminal behavior.” The FTC claimed that the technology sent alerts to Rite Aid’s employees when patrons were matched with entries in the company’s “watchlist database.” Rite Aid employees allegedly took action against patrons who triggered the matches by, for example, subjecting them to in-person surveillance. The FTC claimed that Rite Aid failed to consider or address foreseeable harm to patrons by such conduct, including failing to (1) test the technology’s accuracy, (2) enforce image quality standards necessary for the technology to function accurately, (3) take reasonable steps to train employees, and (4) “take steps to assess or address risks that its . . . [the] technology would disproportionately harm consumers because of their race, gender, or other demographic characteristics.”
The proposed consent order places a number of restrictions and obligations on Rite Aid, including with respect to its use of a “Facial Recognition or Analysis System,” which it defines as “an Automated Biometric Security or Surveillance System that analyzes or uses depictions or images, descriptions, recordings, copies, measurements, or geometry of or related to an individual’s face to generate an Output.” An “Automated Biometric Security or Surveillance System,” in turn, is defined as “any machine-based system, including any computer software, application, or algorithm, that analyzes or uses Biometric Information of, from, or about individual consumers to generate an Output that relates to those consumers, notwithstanding any assistance by a human being in such analysis or use, and that is used in whole or in part for a Security or Surveillance Purpose,” subject to a few exceptions.
Among other restrictions, the proposed consent order requires that Rite Aid:
- not deploy or use any Facial Recognition or Analysis System for five years, either in a retail store or an online retail platform;
- delete all photos and videos of consumers used in a Facial Recognition or Analysis System, including any data, models, or algorithms derived from such information;
- prior to deploying an Automated Biometric Security or Surveillance System in the future:
- Establish and maintain a monitoring program, that among things, identifies and addresses risks that “will result, in whole or in part, in physical, financial, or reputational harm to consumers” and “any such harms [that] will disproportionately affect consumers based on race, ethnicity, gender, sex, age, or disability, alone or in combination;
- Develop mandatory notice and complaint procedures that include providing written notice to consumers whose biometric information will be enrolled in the system;
- Develop a written retention schedule that, among other things, sets a time frame of deletion for biometric information that is no greater than five years, subject to certain exceptions; and
- implement a comprehensive information security program that includes safeguards based on the “volume and sensitivity” of the information that is at risk and the likelihood that the risk could result in unauthorized collection or misuse.
The proposed FTC consent order is subject to a 30-day public comment period following publication in the Federal Register.
Rite Aid filed for relief under Chapter 11 of the Bankruptcy Code on October 15, 2023. Accordingly, the settlement is also subject to approval by the U.S. Bankruptcy Court overseeing the company’s bankruptcy proceeding.
This settlement was described by the FTC as the first enforcement action by the agency that addresses alleged discrimination through the use of automated decision-making technologies.