Rite Aid Banned from Using Facial Recognition by FTC

Rite Aid will be prohibited from using facial recognition technology for surveillance purposes for five years to settle Federal Trade Commission charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of the technology in hundreds of stores.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s groundbreaking order makes clear that the Commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

In its complaint, the FTC alleges that Rite Aid employees called the police on customers based on bad matches from the facial recognition technology, including a black customer matched with an image that was later described as depicting “a white lady with blonde hair.” In another instance, the FTC alleges that a Rite Aid employee stopped and searched an 11-year-old girl because of a false match.

The proposed FTC order will require Rite Aid to implement comprehensive safeguards to prevent these types of alleged instances. It also will require Rite Aid to discontinue using any such technology if it cannot control potential risks to consumers. To settle charges that it violated a 2010 Commission data security order by failing to adequately oversee its service providers, Rite Aid will also be required to implement a robust information security program, which must be overseen by the company’s top executives.

In the complaint filed in federal court, the FTC says that from 2012 to 2020, Rite Aid deployed artificial intelligence-based facial recognition technology in order to identify customers who may have been engaged in shoplifting or other problematic behavior. The complaint charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were accused by employees of wrongdoing because facial recognition technology falsely flagged them as matching someone who had previously been identified as a shoplifter or other troublemaker.

The FTC’s complaint comes after a Reuters investigation in 2020 that alleged Rite Aid’s facial recognition technology routinely misidentified black individuals as shoplifters. The Reuters investigation also named the facial recognition vendors Rite Aid was using at the time.

In response to the FTC’s charges, Rite Aid issued the following statement: “We are pleased to reach an agreement with the FTC and put this matter behind us. We respect the FTC’s inquiry and are aligned with the agency’s mission to protect consumer privacy. However, we fundamentally disagree with the facial recognition allegations in the agency’s complaint. The allegations relate to a facial recognition technology pilot program the company deployed in a limited number of stores. Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the company’s use of the technology began.

“Rite Aid’s mission has always been and will continue to be to safely and conveniently serve the communities in which we operate. The safety of our associates and customers is paramount. As part of the agreement with the FTC, we will continue to enhance and formalize the practices and policies of our comprehensive information security program.

“Looking ahead, we are focused on the important actions underway to strengthen our financial position as we continue providing leading healthcare products and services to the nearly one million customers that we serve daily.”

The FTC said that preventing the misuse of biometric information is a high priority, which is why they issued a warning earlier this year that the agency would be closely monitoring this sector. The FTC alleges that Rite Aid’s actions subjected consumers to embarrassment, harassment, and other harm. Rite Aid allegedly did not inform consumers that it was using the technology in its stores and employees were discouraged from revealing such information. Employees, acting on false positive alerts, followed consumers around its stores, searched them, ordered them to leave, called the police to confront or remove them, and publicly accused them—sometimes in front of friends or family—of shoplifting or other wrongdoing, according to the complaint. In addition, the FTC says Rite Aid’s actions disproportionately impacted people of color.

According to the complaint, Rite Aid contracted with two companies to help create a database of images of individuals considered to be “persons of interest” because Rite Aid believed they engaged in or attempted to engage in criminal activity at one of its retail locations—along with their names and other information such as any criminal background data. The company collected tens of thousands of images of individuals, many of which were low-quality and came from Rite Aid’s security cameras, employee phone cameras, and even news stories, according to the complaint.

The system generated thousands of false-positive matches, the FTC says. Specifically, the complaint says Rite Aid failed to:

• Consider and mitigate potential risks to consumers from misidentifying them, including heightened risks to certain consumers because of their race or gender. For example, Rite Aid’s facial recognition technology was more likely to generate false positives in stores located in mostly black and Asian communities than in mostly white communities;
• Test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it, including failing to seek any information from either vendor it used to provide the facial recognition technology about the extent to which the technology had been tested for accuracy;
• Prevent the use of low-quality images in connection with its facial recognition technology, increasing the likelihood of false positive match alerts;
• Regularly monitor or test the accuracy of the technology after it was deployed, including by failing to implement or enforce any procedure for tracking the rate of false positive matches or actions that were taken based on those false positive matches; and
• Adequately train employees tasked with operating facial recognition technology in its stores and flag that the technology could generate false positives. Even after Rite Aid switched to a technology that enabled employees to report a “bad match” and required employees to use it, the company did not take action to ensure employees followed this policy.

In its complaint, the FTC also says Rite Aid violated its 2010 data security order with the Commission by failing to adequately implement a comprehensive information security program. Among other things, the 2010 order required Rite Aid to ensure its third-party service providers had appropriate safeguards to protect consumers’ personal data. For example, the complaint alleges the company conducted many security assessments of service providers orally, and that it failed to obtain or possess backup documentation of such assessments, including for service providers Rite Aid deemed to be “high risk.”

In addition to the ban and required safeguards for automated biometric security or surveillance systems, other provisions of the proposed order prohibit Rite Aid from misrepresenting its data security and privacy practices and also require the company to:

• Delete, and direct third parties to delete, any images or photos they collected because of Rite Aid’s facial recognition system as well as any algorithms or other products that were developed using those images and photos;
• Notify consumers when their biometric information is enrolled in a database used in connection with a biometric security or surveillance system and when Rite Aid takes some kind of action against them based on an output generated by such a system;
• Investigate and respond in writing to consumer complaints about actions taken against consumers related to an automated biometric security or surveillance system;
• Provide clear and conspicuous notice to consumers about the use of facial recognition or other biometric surveillance technology in its stores;
• Delete any biometric information it collects within five years;
• Implement a data security program to protect and secure personal information it collects, stores, and shares with its vendors;
• Obtain independent third-party assessments of its information security program; and
• Provide the Commission with an annual certification from its CEO documenting Rite Aid’s adherence to the order’s provisions.

The Commission voted 3-0 to authorize staff to file the complaint and the proposed stipulated order against Rite Aid.

Commissioner Alvaro Bedoya said, “We often talk about how surveillance ‘violates rights’ and ‘invades privacy.’ We should; it does. What cannot get lost in those conversations is the blunt fact that surveillance can hurt people.”

Rite Aid is currently going through bankruptcy proceedings and the order will go into effect after approval from the bankruptcy court and the federal district court as well as modification of the 2010 order by the Commission.