chevron-down Created with Sketch Beta.


FTC Enforcement Action Against Rite Aid Over Use of AI Facial Recognition Tech

Kewa Jiang

FTC Enforcement Action Against Rite Aid Over Use of AI Facial Recognition Tech
Peter Cade via Getty Images

Background: Federal Trade Commission (FTC) Complaint Against Rite Aid

On December 19, 2023, the FTC filed a complaint against Rite Aid for the company’s use of AI facial recognition technology in its stores from approximately, October 2012 to June 2020. The complaint details Rite Aid’s alleged failure to “take reasonable measures to prevent harm to consumers from its use of facial recognition technology,” which constituted unfair acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. §45(a). The FTC also alleges Rite Aid’s failure to implement or maintain a comprehensive information security program violated the Commission Order the company entered into with the FTC in 2010 for their failure to prevent unauthorized access to personal information at the time. The FTC emphasized the use of AI facial recognition technology by Rite Aid was particularly detrimental to “Black, Asian, Latino, and women consumers”.

In the complaint, the FTC describes Rite Aid’s implementation of a “persons of interest” database which included individuals that either carried out or attempted to carry out criminal activities in Rite Aid’s retail stores. The database provided images of such individuals and, if available; names, date of birth, and any information related to the crime or “‘dishonest’ behavior.” Some of the images fed into the database were low-quality images, obtained using Rite Aid’s in-store CCTV cameras. All of the collected and used images were retained for an indefinite amount of time and were stored and collected without obtaining consent from the individuals in question.  

Rite Aid used the facial recognition technology in stores to match live images of consumers against its database of “persons of interest”. When a “match alert” was generated, a Rite Aid store employee would be sent an alert providing them with the database image, live image, and varying instructions, such as “[a]pproach and [i]dentify.” The FTC alleges that the facial recognition technology “generated thousands of false-positive matches.” For example, in a short span of time, “match alerts” were generated for the same individual in different stores located in vastly different US regions. Often times, a suspected consumer was escorted out of a store by an employee, who was also instructed to call the police if the consumer was non-compliant.  

Proposed Settlement Against Rite Aid

The proposed FTC settlement with Rite Aid includes several comprehensive provisions to prevent future use of AI facial recognition technology in its retail stores and remedial measures regarding the data previously collected. If the company decides to use automated biometric security or surveillance, in a manner that is not prohibited by the order, the company must implement comprehensive monitoring programs and risk assessment.

Five-year ban on use of AI facial recognition technology: The order states that Rite Aid and any businesses owned, controlled, directly or indirectly by Rite Aid are prohibited from using “any Facial Recognition or Analysis System, whether directly or through an intermediary, in any retail store or retail pharmacy or on any online retail platform”.

Deletion of covered biometric information: Once the order goes into effect, Rite Aid has 45 days to “delete or destroy all photos and videos of consumers used or collected in connection with the operation of a Facial Recognition or Analysis System prior to the effective date of this Order”. The order also specifically requires Rite Aid to delete any “data, models, or algorithms derived in whole or in part” from the data collected. Within 60 days from when the order goes into effect, Rite Aid must also identify all third parties that may have received collected data and instruct them to also delete all photos and videos of consumers.

Looking Ahead

The complaint against Rite Aid marks a milestone in AI regulatory history as the first time the FTC has taken enforcement action against a company’s use of AI in an allegedly biased and unfair manner. The complaint and proposed settlement with Rite Aid serves as a crucial case study in the FTC’s enforcement approach to the use of biometric data for the development of AI models, algorithms, and surveillance. As 2024 begins, AI will continue to remain at the forefront of the agenda of companies, regulatory agencies, and consumers alike.