The Federal Trade Commission (FTC) has recently filed a lawsuit against Rite Aid, alleging that the drug store chain and its subsidiary used facial recognition technology in a manner that could harm consumers. The complaint asserts that Rite Aid implemented a covert surveillance program with facial recognition technology that was inadequately tested and operationally deficient, without considering the negative impact of its inaccurate technology on individuals wrongly identified. As part of a proposed settlement, Rite Aid would be prohibited from using facial recognition systems for security or surveillance purposes for a period of five years.
The complaint maintains that Rite Aid utilized facial recognition technology in hundreds of its retail locations to identify and prevent individuals of interest from entering its stores. It did so without informing consumers of this use, and it instructed employees to keep the use confidential. Additionally, Rite Aid created a “watchlist database” containing images of individuals suspected of criminal activities; the images were often of low quality and were uploaded by in-store employees. When a person was deemed to match an image in the database, employees received an alert directing them to approach and identify the individual, ask them to leave, and call the police if necessary.
The FTC complaint accuses Rite Aid of multiple failures in implementing facial recognition technology, including neglecting to consider the risks that false positives pose to consumers, providing inadequate training to staff, and failing to properly monitor and test the accuracy of the system. These shortcomings led to the wrongful identification of consumers, particularly those from marginalized communities, resulting in humiliating and injurious consequences.
In addition to the allegations related to facial recognition technology, the FTC complaint addresses Rite Aid’s failure to maintain a comprehensive information security program to protect consumers’ personal information, as required by a previous order. Specifically, the company entrusted sensitive consumer data to vendors without thoroughly evaluating their data security capabilities and failed to include sufficient information security requirements in contracts with service providers.
As part of the proposed settlement, Rite Aid would be prohibited from using facial recognition or analysis systems for security or surveillance purposes at its retail stores or online for five years. The company would also be required to delete any photos or videos collected through the facial recognition system, along with any data derived from those visuals. The settlement also covers the use of all automatic biometric security or surveillance systems and mandates the implementation of a monitoring program with sound technical and organizational controls for any future use of such systems by Rite Aid. The company must provide individualized, written notice to consumers added to its system and anyone it takes action against as a result of the system. Rite Aid would also be required to implement a robust consumer complaint procedure and disclose the use of automatic biometric security and surveillance to consumers at retail locations and online. Furthermore, Rite Aid must implement a comprehensive information security program, obtain biennial assessments of that program from a third-party assessor, and provide an annual certification of compliance to the FTC from its CEO.
Companies using AI or other automated biometric surveillance technologies should take note of the FTC’s action against Rite Aid, which emphasizes the need for rigorous testing, assessment, and monitoring of these systems to ensure compliance with consumer protection standards. Regardless of the outcome of this case, it is evident that the use of facial recognition and other biometric surveillance technologies must be undertaken with the utmost care and consideration for consumer privacy and safety.