Last week, the Federal Trade Commission (“FTC”) announced a proposed settlement with a developer of a photo storage app that allegedly deceived consumers in violation of the prohibition on unfair or deceptive acts and practices found in §5(a) of the Federal Trade Commission Act. As part of the proposed settlement, the developer, Everalbum, Inc. (“Everalbum”), agreed to certain injunctive relief.
Everalbum offered an app called “Ever” that allowed users to upload photos and videos from their mobile devices, computers, or social media accounts to be stored and organized using a cloud-based storage service. The FTC alleged that in February 2017, Everalbum launched a new feature in the Ever app, called “Friends,” that used facial recognition technology to group users’ photos by the faces of the people who appear in them and allowed users to “tag” people by name. Everalbum allegedly enabled facial recognition by default for all users when it launched the Friends feature.
Allegedly Deceptive Practices
The FTC’s complaint alleged two deceptive practices. The first related to Everalbum’s representations concerning its application of facial recognition technology to users’ content. According to the complaint, between July 2018 and April 2019, Everalbum represented that it would not apply facial recognition technology to users’ content unless users affirmatively chose to activate the feature. This feature, however, was automatically active for most users (those outside Illinois, Texas, Washington and the European Union) until April 2019 and could not be turned off.
In addition, between September 2017 and August 2019, Everalbum allegedly combined millions of facial images that it extracted from users’ photos with facial images that it obtained from public datasets to create new datasets for use in the development of its facial recognition technology. The complaint alleged that Everalbum used the resulting facial recognition technology to provide the Friends feature and also sold the technology to its enterprise customers (though Everalbum apparently did not share users’ images or other personal information with those customers).
The second deceptive practice alleged in the FTC complaint related to Everalbum’s retention of data provided by users. According to the complaint, Everalbum promised users that it would delete the photos and videos of users who terminated their accounts. However, the FTC alleged that until at least October 2019, Everalbum failed to delete the photos or videos of any users who had terminated their accounts and instead retained them indefinitely.
Terms of the Proposed Settlement
The proposed settlement requires Everalbum to delete:
- the photos and videos of users who terminated their accounts;
- all data reflecting facial features that can be used for facial recognition purposes that Everalbum derived from the photos of users who did not consent to their use; and
- any facial recognition models or algorithms developed with users’ photos or videos.
In addition, the proposed settlement prohibits Everalbum from misrepresenting how it collects, uses, discloses, maintains, or deletes personal information, and the extent to which it protects the privacy and security of personal information. Under the proposed settlement, if Everalbum markets software to consumers for personal use, it must obtain a user’s express consent before using photos or videos collected from the user to develop data derived from an image of an individual’s face or to develop facial recognition technology.
In connection with the announcement of the proposed settlement, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said that “[e]nsuring that companies keep their promises to customers about how they use and handle biometric data will continue to be a high priority for the FTC.”
Given the FTC’s focus on the collection and use of biometric data and wider concerns being raised in regard to facial recognition technology and the processing of biometric data more generally (as evidenced by recent litigation against Clearview AI and social media companies, as well as enforcement of a growing number of state laws regulating the use of biometric data), businesses should carefully review their practices and privacy policies relating to the use of these applications.
The settlement is subject to public comment for 30 days after publication in the Federal Register, after which the FTC will decide whether to make the proposed settlement final.