Rite Aid will be prohibited from using facial recognition technology for surveillance purposes for five years to settle Federal Trade Commission charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.
“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”
The proposed order will require Rite Aid to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges it violated a 2010 Commission data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.
In a complaint filed in federal court, the FTC says that from 2012 to 2020, Rite Aid deployed artificial intelligence-based facial recognition technology in order to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were erroneously accused by employees of wrongdoing because facial recognition technology falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.
Preventing the misuse of biometric information is a high priority for the FTC, which issued a warning earlier this year that the agency would be closely monitoring this sector. Rite Aid’s actions subjected consumers to embarrassment, harassment, and other harm, according to the complaint. The company did not inform consumers that it was using the technology in its stores and employees were discouraged from revealing such information. Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove consumers, and publicly accused them, sometimes in front of friends or family, of shoplifting or other wrongdoing, according to the complaint. In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.
According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals—considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations—along with their names and other information such as any criminal background data. The company collected tens of thousands of images of individuals, many of which were low-quality and came from Rite Aid’s security cameras, employee phone cameras and even news stories, according to the complaint.
The system generated thousands of false-positive matches, the FTC says. For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint. Specifically, the complaint says Rite Aid failed to:
- Consider and mitigate potential risks to consumers from misidentifying them, including heightened risks to certain consumers because of their race or gender. For example, Rite Aid’s facial recognition technology was more likely to generate false positives in stores located in plurality-Black and Asian communities than in plurality-White communities;
- Test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it, including failing to seek any information from either vendor it used to provide the facial recognition technology about the extent to which the technology had been tested for accuracy;
- Prevent the use of low-quality images in connection with its facial recognition technology, increasing the likelihood of false-positive match alerts;
- Regularly monitor or test the accuracy of the technology after it was deployed, including by failing to implement or enforce any procedure for tracking the rate of false positive matches or actions that were taken based on those false positive matches; and
- Adequately train employees tasked with operating facial recognition technology in its stores and flag that the technology could generate false positives. Even after Rite Aid switched to a technology that enabled employees to report a “bad match” and required employees to use it, the company did not take action to ensure employees followed this policy.
In its complaint, the FTC also says Rite Aid violated its 2010 data security order with the Commission by failing to adequately implement a comprehensive information security program. Among other things, the 2010 order required Rite Aid to ensure its third-party service providers had appropriate safeguards to protect consumers’ personal data. For example, the complaint alleges the company conducted many security assessments of service providers orally, and that it failed to obtain or possess backup documentation of such assessments, including for service providers Rite Aid deemed to be “high risk.”
In addition to the ban and required safeguards for automated biometric security or surveillance systems, other provisions of the proposed order prohibit Rite Aid from misrepresenting its data security and privacy practices and also require the company to:
- Delete, and direct third parties to delete, any images or photos they collected because of Rite Aid’s facial recognition system as well as any algorithms or other products that were developed using those images and photos;
- Notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system;
- Investigate and respond in writing to consumer complaints about actions taken against consumers related to an automated biometric security or surveillance system;
- Provide clear and conspicuous notice to consumers about the use of facial recognition or other biometric surveillance technology in its stores;
- Delete any biometric information it collects within five years;
- Implement a data security program to protect and secure personal information it collects, stores, and shares with its vendors;
- Obtain independent third-party assessments of its information security program; and
- Provide the Commission with an annual certification from its CEO documenting Rite Aid’s adherence to the order’s provisions.
The Commission voted 3-0 to authorize staff to file the complaint and the proposed stipulated order against Rite Aid. Commissioner Alvaro Bedoya released a statement.
The complaint and order were filed in the Eastern District of Pennsylvania. Rite Aid is currently going through bankruptcy proceedings and the order will go into effect after approval from the bankruptcy court and the federal district court as well as modification of the 2010 order by the Commission.
The principal attorneys on these matters are Robin Wetherill, Leah Frazier, Diana Chang, Christopher Erickson, and Brian Welke in the FTC’s Bureau of Consumer Protection.