The Federal Trade Commission (FTC) banned Rite Aid from using artificial intelligence (AI) based facial recognition technology for surveillance purposes. The five-year ban settles FTC charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.

The proposed order will require Rite Aid to implement comprehensive safeguards to prevent these types of harm to consumers when deploying automated systems that use biometric information to track them or flag them as security risks. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges it violated a 2010 FTC data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.

In a complaint filed in federal court, the FTC says that from 2012 to 2020, Rite Aid deployed AI-based facial recognition technology in order to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were erroneously accused by employees of wrongdoing because facial recognition technology falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.

According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals — considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations — along with their names and other information such as any criminal background data. The company collected tens of thousands of images of individuals, many of which were low-quality and came from Rite Aid’s security cameras, employee phone cameras and even news stories, according to the complaint.

The system generated thousands of false-positive matches, the FTC says. For example, the technology sometimes matched customers with people who had originally been enrolled in the database based on activity thousands of miles away, or flagged the same person at dozens of different stores all across the United States, according to the complaint. Specifically, the complaint says Rite Aid failed to:

  • Consider and mitigate potential risks to consumers from misidentifying them, including heightened risks to certain consumers because of their race or gender. For example, Rite Aid’s facial recognition technology was more likely to generate false positives in stores located in plurality-Black and Asian communities than in plurality-White communities.
  • Test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it, including failing to seek any information from either vendor it used to provide the facial recognition technology about the extent to which the technology had been tested for accuracy.
  • Prevent the use of low-quality images in connection with its facial recognition technology, increasing the likelihood of false-positive match alerts.
  • Regularly monitor or test the accuracy of the technology after it was deployed, including by failing to implement or enforce any procedure for tracking the rate of false-positive matches or actions that were taken based on those false-positive matches.
  • Adequately train employees tasked with operating facial recognition technology in its stores and flag that the technology could generate false positives. Even after Rite Aid switched to a technology that enabled employees to report a “bad match” and required employees to use it, the company did not take action to ensure employees followed this policy.

In its complaint, the FTC also says Rite Aid violated its 2010 data security order with the Commission by failing to adequately implement a comprehensive information security program. Among other things, the 2010 order required Rite Aid to ensure its third-party service providers had appropriate safeguards to protect consumers’ personal data. For example, the complaint alleges the company conducted many security assessments of service providers orally, and that it failed to obtain or possess backup documentation of such assessments, including for service providers Rite Aid deemed to be “high risk.”

In addition to the ban and required safeguards for automated biometric security or surveillance systems, other provisions of the proposed order prohibit Rite Aid from misrepresenting its data security and privacy practices and also require the company to:

  • Delete, and direct third parties to delete, any images or photos they collected because of Rite Aid’s facial recognition system as well as any algorithms or other products that were developed using those images and photos.
  • Notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system.
  • Investigate and respond in writing to consumer complaints about actions taken against consumers related to an automated biometric security or surveillance system.
  • Provide clear and conspicuous notice to consumers about the use of facial recognition or other biometric surveillance technology in its stores.
  • Delete any biometric information it collects within five years.
  • Implement a data security program to protect and secure personal information it collects, stores and shares with its vendors.
  • Obtain independent third-party assessments of its information security program.
  • Provide the FTC with an annual certification from its CEO documenting Rite Aid’s adherence to the order’s provisions.