As we previewed in our prior Legal Update, the Federal Trade Commission (“FTC”) warned businesses of its stance on the use and collection of biometric information in a May 2023 policy statement. Now, an enforcement action filed earlier this week offers insight into the potential consequences for businesses that do not comply with the FTC’s policy statement guidelines.

On December 19, 2023, the FTC sued Rite-Aid Corporation and its parent company Rite-Aid Headquarters Corporation (together, “Rite-Aid”) in the United States District Court for the Eastern District of Pennsylvania for (1) an unfair Facial Recognition Technology (“FRT”) practice, improperly using FRT that falsely flagged Rite-Aid customers for shoplifting, and (2) failing to implement a comprehensive security program to protect customers’ personal information. The complaint alleges that Rite-Aid’s failure to take reasonable measures that would prevent harm to consumers violated a 2010 consent order (“2010 order”) with the FTC and Section 5 of the FTC Act, 15 U.S.C. §§ 45(a), (n).

The FTC attached a stipulated order to its complaint that, if approved, would not only ban Rite-Aid from using FRT for five years but also require significant modification to Rite-Aid’s existing information security policies.
