Background: Federal Trade Commission (FTC) Complaint Against Rite Aid
On December 19, 2023, the FTC filed a complaint against Rite Aid for the company’s use of AI facial recognition technology in its stores from approximately, October 2012 to June 2020. The complaint details Rite Aid’s alleged failure to “take reasonable measures to prevent harm to consumers from its use of facial recognition technology,” which constituted unfair acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. §45(a). The FTC also alleges Rite Aid’s failure to implement or maintain a comprehensive information security program violated the Commission Order the company entered into with the FTC in 2010 for their failure to prevent unauthorized access to personal information at the time. The FTC emphasized the use of AI facial recognition technology by Rite Aid was particularly detrimental to “Black, Asian, Latino, and women consumers”.
In the complaint, the FTC describes Rite Aid’s implementation of a “persons of interest” database which included individuals that either carried out or attempted to carry out criminal activities in Rite Aid’s retail stores. The database provided images of such individuals and, if available; names, date of birth, and any information related to the crime or “‘dishonest’ behavior.” Some of the images fed into the database were low-quality images, obtained using Rite Aid’s in-store CCTV cameras. All of the collected and used images were retained for an indefinite amount of time and were stored and collected without obtaining consent from the individuals in question.
Rite Aid used the facial recognition technology in stores to match live images of consumers against its database of “persons of interest”. When a “match alert” was generated, a Rite Aid store employee would be sent an alert providing them with the database image, live image, and varying instructions, such as “[a]pproach and [i]dentify.” The FTC alleges that the facial recognition technology “generated thousands of false-positive matches.” For example, in a short span of time, “match alerts” were generated for the same individual in different stores located in vastly different US regions. Often times, a suspected consumer was escorted out of a store by an employee, who was also instructed to call the police if the consumer was non-compliant.