Rite Aid Can't Use Facial Recognition Tech for 5 Years Under FTC Settlement
Rite Aid “is pleased to reach an agreement with the FTC and put this matter behind us,” the retailer said Tuesday. It was responding to an FTC settlement that bars it from using facial recognition technology for surveillance purposes for five years and resolves charges that it failed to implement “reasonable procedures and prevent harm to consumers” in its use of facial recognition technology to combat theft in “hundreds of stores.”
The FTC sued Rite Aid Tuesday in U.S. District Court for Eastern Pennsylvania in Philadelphia in a privacy suit (docket 2:23-cv-05023) over its biometric technology that falsely tagged consumers, “particularly women and people of color, as shoplifters,” the agency said in a Tuesday news release. The commission voted 3-0 to authorize staff to file the complaint and proposed stipulated order.
Though the retailer “respects the FTC’s inquiry and is aligned with its mission” to protect consumers’ privacy, “we fundamentally disagree with the facial recognition allegations in the agency’s complaint,” Rite Aid said. The allegations relate to a facial recognition technology pilot program Rite Aid deployed “in a limited number of stores” to combat shoplifting, the company said, and it stopped using the technology in the “small group of stores” over three years ago, before the FTC’s investigation into use of the technology began.
To settle charges it violated a 2010 FTC data security order by “failing to adequately oversee its service providers,” Rite Aid will be required to implement a “robust information security program” to be overseen by the company’s top executives, the FTC said.
The complaint alleged Rite Aid used facial recognition technology in hundreds of stores from October 2012 to July 2020 “to identify patrons that it had previously deemed likely to engage in shoplifting or other criminal behavior in order to ‘drive and keep persons of interest’” out of its stores. The technology generated alerts sent to employees by email or mobile phone as “match alerts,” indicating individuals who entered Rite Aid stores “were matches for entries” in its watchlist database, said the complaint.
Due to match alerts, Rite Aid employees “took action against” individuals who triggered the supposed matches, including “subjecting them to increased surveillance; banning them from entering or making purchases at Rite Aid stores; publicly and audibly accusing them of past criminal activity in front of friends, family, acquaintances, and strangers; detaining them or subjecting them to searches; and calling the police to report that they had engaged in criminal activity,” the complaint said. In “thousands” of cases, the system created match alerts that were false positives, it said.
Rite Aid’s “reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. The retailer’s failures caused “substantial injury to consumers, and especially to Black, Asian, Latino and women consumers,” the complaint said.
The complaint said Rite Aid contracted with two companies to help create a database of images of individuals considered to be “persons of interest” because they engaged in, or attempted to engage in, criminal activity at one of its retail locations, along with their names and other information, including any criminal background data. It collected “tens of thousands” of images of individuals, many of which were “low-quality” and came from Rite Aid’s security cameras, employee phone cameras and news stories, the complaint said.
Under the settlement, Rite Aid will be required to delete, and direct third parties to delete, images or photos they collected because of the facial recognition system and algorithms developed using those images and photos; notify consumers when their biometric information is enrolled in a database used with a surveillance system; and investigate and respond in writing to consumer complaints involving actions taken against consumers related to an automated biometric security system, the FTC said.
The retailer also must provide “clear and conspicuous notice” to consumers about the use of facial recognition or other biometric systems in stores; delete any biometric information it collects within five years; implement a data security program to protect and secure personal information it collects; obtain independent third-party assessments of its information security program; and provide the FTC with an annual certification from the CEO documenting its adherence to the orders’ provisions, the agency said.
Rite Aid’s mission “has always been and will continue to be to safely and conveniently serve the communities in which we operate,” said the retailer. “The safety of our associates and customers is paramount.” As part of the agreement with the FTC, the retailer will “continue to enhance and formalize the practices and policies of our comprehensive information security program,” it said.