Retail pharmacy chain Rite Aid agreed to a five-year ban on its use of facial recognition technology for surveillance purposes as part of a settlement with the Federal Trade Commission (FTC).

The FTC alleged Rite Aid “failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores,” according to an agency press release Tuesday.

The company was also accused of violating a 2010 data security order with the FTC by not ensuring its third-party service providers had appropriate safeguards in place to protect consumers’ personal data.

The details: From 2012-20, Rite Aid used artificial intelligence-based facial recognition technology in its efforts to thwart potential shoplifters, the FTC detailed in its complaint. The company worked with two service providers to build a database of customers believed to have attempted criminal activity at its stores.

But the technology proved flawed and generated thousands of false-positive matches, according to the FTC. This led to instances where employees confronted consumers who had been misidentified, the agency said, subjecting them to embarrassment and harassment.

“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in the agency’s release. “Today’s groundbreaking order makes clear that the commission will be vigilant in protecting the public from unfair biometric surveillance and unfair data security practices.”

Regarding the 2010 data security order, the FTC found Rite Aid did not adequately implement a comprehensive information security program. The agency said the company conducted security assessments of service providers orally and did not maintain proper documentation of such assessments.

Compliance considerations: Rite Aid failed to “test, assess, measure, document, or inquire about the accuracy of its facial recognition technology before deploying it” and did not regularly monitor the technology after it was deployed, the FTC said.

As part of its settlement, the company must:

  • Implement an information security program overseen by its top executives and assessed by an independent third party;
  • Delete images collected through its facial recognition system and, in future, any biometric information it collects within five years;
  • Notify consumers when their biometric information is logged in its database and provide clear notice on its use of biometric surveillance technology in its stores; and
  • Have its chief executive officer certify to the FTC annually its compliance with the agency’s proposed order.

“[This] settlement offers a strong baseline for what an algorithmic fairness program should look like,” said FTC Commissioner Alvaro Bedoya in a statement.

Company response: “We respect the FTC’s inquiry and are aligned with the agency’s mission to protect consumer privacy,” said Rite Aid in a statement. “However, we fundamentally disagree with the facial recognition allegations in the agency’s complaint.

“The allegations relate to a facial recognition technology pilot program the company deployed in a limited number of stores. Rite Aid stopped using the technology in this small group of stores more than three years ago, before the FTC’s investigation regarding the company’s use of the technology began.”