Rite Aid, an American drug store chain, will be banned by a regulator from using facial recognition applications to identify suspicious customers for five years because of the way it implemented the technology.
The U.S. Federal Trade Commission (FTC) said today its proposed order will settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.
The decision also covers an allegation that Rite Aid’s wrongful use of facial recognition technology also violated a 2010 FTC order that it adequately oversee its service providers.
“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its [2010] order violations put consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s bureau of consumer protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”
Rite Aid Corp., which has over 1900 stores in 16 states, is currently going through bankruptcy proceedings, and the order will go into effect after approval from a bankruptcy court and the federal district court.
The decision is a warning to American organizations that they risk sanctions for deploying facial recognition technology if they don’t consider and mitigate potential risks to consumers from misidentifying them, test and assess the accuracy of the facial recognition technology before deploying it, and regularly monitor or test the accuracy of the technology after deployment.
In a statement, Rite Aid said it had reached a settlement with the FTC. However, it added, “we fundamentally disagree with the facial recognition allegations in the agency’s complaint. The allegations relate to a facial recognition technology pilot program the company deployed in a limited number of stores. Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the company’s use of the technology began.”
If the order announced today is approved by a federal court, Rite Aid will have to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. The company will also have to implement a robust information security program, which must be overseen by top executives.
The FTC alleged that, from 2012 to 2020, Rite Aid deployed artificial intelligence-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint charges that the company failed to take reasonable measures to prevent harm to consumers who were erroneously accused by employees of wrongdoing because facial recognition technology falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.
Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove consumers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing, according to the FTC complaint. In addition, the FTC says Rite Aid’s actions disproportionately impacted people of colour.
Rite Aid’s actions “subjected consumers to embarrassment, harassment, and other harm, ” the regulator alleged in its complaint. The company didn’t tell consumers that it was using the technology in its stores, and employees were discouraged from revealing it.
Earlier this year, the FTC issued a warning to firms about the potential abuse of biometric information.
According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals — considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations — along with their names and other information such as any criminal background data. The company collected tens of thousands of images of individuals, many of which were low-quality and came from Rite Aid’s security cameras, employee phone cameras and even news stories, according to the complaint.
The system generated thousands of false-positive matches, the FTC says. For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint.
Issues around facial recognition are also being addressed in Canada. Last year a Canadian parliamentary committee recommended the government create a federal legal framework for facial recognition and artificial intelligence.
In April, B.C.’s information and privacy commissioner said four independently owned Canadian Tire affiliate stores broke the province’s privacy law in the way their facial recognition solution was implemented.
The Calgary-based legal advocacy organization Justice Centre for Constitutional Freedoms (JCCF) issued a report in August saying digital ID applications like facial recognition “undermine the inviolate personality or human dignity of their users.”
