Client Alert: FTC Signals Greater Scrutiny of Biometric Information and Technologies in New Policy Statement

On May 18, 2023, the Federal Trade Commission (FTC) adopted a Policy Statement on biometric information that details its “significant concerns” arising from the increasing use of biometric information and technologies that use (and “purport to use”) biometric information. The statement also affirms the FTC’s commitment “to combatting unfair and deceptive acts” related to the collection and use of biometric information and marketing and use of biometric technologies. The Policy Statement outlines the FTC’s view that Section 5 of the FTC Act provides authority over consumer protection risks related to biometric information and provides a non-exhaustive list of factors the FTC will consider when examining business practices. Given the broad sweep of what the FTC views as “biometric information” and the factors it identifies as pertinent to whether a business has engaged in unfair or deceptive acts—both of which go beyond obligations under existing state and local laws—businesses should be aware of the Policy Statement and evaluate how the FTC’s pronouncements may impact their development, marketing, sale, and use of such technology.

FTC’s Concerns. The FTC notes that biometric technologies have become more advanced and more affordable, incorporating machine learning and enhanced data processing capabilities, and “increasingly pervasive.” The Policy Statement provides examples of consumer protection concerns, including that biometric information can be used to create deepfakes to commit fraud or harassment, that large databases of biometric information may be attractive targets for malicious actors, that the use of biometric technologies may reveal sensitive personal information about consumers’ locations, including that they accessed certain types of healthcare or attended religious services, and that some biometric technologies perform differently across different demographic groups and when the subject is a person with a disability—leading to discriminatory outcomes.

FTC’s View of What Constitutes “Biometric Information.” In the Policy Statement, the FTC articulates a very broad definition of “biometric information”:

As used in this document, the term “biometric information” refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. Biometric information includes, but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric information also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived. By way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.

The FTC’s view of what constitutes “biometric information” goes beyond the scope of existing state and local privacy laws (e.g., by including photographs and voice recordings as biometric information). In addition, the FTC expressly declines to limit its scrutiny to technologies that are used to identify individuals; instead, it makes clear that the Policy Statement applies to “all technologies that use or purport to use biometric information for any purpose.”

The FTC provides a non-exhaustive list of practices involving the collection and use of biometric information that it “will scrutinize in determining whether companies collecting and using” or “marketing” biometric information technologies are complying with Section 5 of the FTC Act.

Deception. The Policy Statement highlights two practices that may constitute deceptive practices in violation of Section 5:

    • False or unsubstantiated marketing claims relating to the “validity, reliability, accuracy, performance, fairness, or efficacy” of biometric information technologies. The FTC states that such claims may mislead consumers and competitors by making false claims about a product’s capabilities and then cause harm when the product does not work as promised or denies benefits or opportunities to consumers. For example, the FTC cautioned businesses not to make claims about a technology’s efficacy or accuracy if the claims are based on tests or audits that do not replicate real-world conditions or if the tests results are only true for a certain subset of the population.
    • Deceptive statements about the collection and use of biometric information. The FTC says it will continue scrutinizing businesses to ensure that they are not making false statements or telling “half-truths” to consumers about whether or when biometric information is collected and how businesses use such information.

Unfairness. The Policy Statement describes ways that the use of biometric information or biometric technologies may be an unfair practice under Section 5, especially when they cause harms that consumers cannot reasonably avoid and are not outweighed by countervailing benefits to consumers or competition. The FTC identifies in particular the surreptitious collection and use of biometric information, the failure to protect consumer personal information with reasonable data security practices, implementing privacy-invasive default settings, and disseminating or selling inaccurate technology or technology with the potential to cause harmful or illegal conduct without taking reasonable measures to prevent such conduct. When examining a business’s use of biometric information or biometric technology, the FTC will consider non-exhaustive factors such as:

    • Failing to assess foreseeable harms to consumers associated with collecting and using biometric information. The FTC expects businesses that collect biometric information or use biometric technology to conduct a “holistic assessment of the potential risks to consumers” before collecting such information or deploying such technology. Such assessments should consider the context of the collection or use, what role a human operator will have, and whether using a biometric information technology system would lead or contribute to a disproportionate harm to certain groups within the population.
    • Failing to promptly address known or foreseeable risks. The FTC will look for businesses to identify and implement readily available tools to identify, reduce, or eliminate risks. This includes adopting organizational and technical measures and being informed of and taking proactive measures to identify and reduce risks of common errors and biases produced by the biometric information technologies they use.
    • Engaging in surreptitious and unexpected collection or use of biometric information. The FTC says that collecting or using biometric information or biometric information technology in ways that may cause risks of harm to consumers, including stalking or extreme emotional distress, or that makes collection or use unavoidable, including failing to clearly and conspicuously disclose the information collection and using or failing to provide a complaint mechanism, may be unfair practices.
    • Failing to evaluate the practices and capabilities of third parties. The FTC additionally expects businesses to seek assurances and contractual agreements from third parties, including affiliates, vendors, and end users, to minimize risks to consumers of access to biometric information or biometric information technology. And businesses “should also go beyond contractual measures to oversee third parties,” including through organizational and technical measures for supervision and monitoring.
    • Failing to provide appropriate training for employees and contractors regarding the collection and use of biometric information. Businesses will be expected to provide training to workforce members interacting with biometric information or biometric information technology.
    • Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information. The FTC states that businesses should monitor technologies developed, sold, or used in connection with biometric information on an ongoing basis to ensure that users of the technology are operating it as intended and use of the technology is “not likely to harm consumers.”

It may prove challenging for businesses to determine whether the Policy Statement applies to their activities—given the broad scope of the FTC’s view of “biometric information” and its stated intent to scrutinize technologies beyond those used to identify people. It may be equally challenging, as a practical matter, to apply the FTC’s views of the practices that are deceptive and unfair. For example, the FTC’s statements about the necessity of technology providers conducting ongoing monitoring of not only their vendors and affiliates, but also their customers and end users of the technology do not account for the significant practical challenges and barriers associated with implementing such monitoring.

That said, recognizing what the Policy Statement signals about the FTC’s intent to more actively regulate biometric technologies and with the expectation that the views expressed here will inform the agency’s approach to investigations and enforcement actions, it is important for any business that provides or uses technologies that may fall within the FTC’s field of view to consider whether to take any action in response to the Policy Statement.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

Client Alert: FTC Signals Greater Scrutiny of Biometric Information and Technologies in New Policy Statement

On May 18, 2023, the Federal Trade Commission (FTC) adopted a Policy Statement on biometric information that details its “significant concerns” arising from the increasing use of biometric information and technologies that use (and “purport to use”) biometric information. The statement also affirms the FTC’s commitment “to combatting unfair and deceptive acts” related to the collection and use of biometric information and marketing and use of biometric technologies. The Policy Statement outlines the FTC’s view that Section 5 of the FTC Act provides authority over consumer protection risks related to biometric information and provides a non-exhaustive list of factors the FTC will consider when examining business practices. Given the broad sweep of what the FTC views as “biometric information” and the factors it identifies as pertinent to whether a business has engaged in unfair or deceptive acts—both of which go beyond obligations under existing state and local laws—businesses should be aware of the Policy Statement and evaluate how the FTC’s pronouncements may impact their development, marketing, sale, and use of such technology.

FTC’s Concerns. The FTC notes that biometric technologies have become more advanced and more affordable, incorporating machine learning and enhanced data processing capabilities, and “increasingly pervasive.” The Policy Statement provides examples of consumer protection concerns, including that biometric information can be used to create deepfakes to commit fraud or harassment, that large databases of biometric information may be attractive targets for malicious actors, that the use of biometric technologies may reveal sensitive personal information about consumers’ locations, including that they accessed certain types of healthcare or attended religious services, and that some biometric technologies perform differently across different demographic groups and when the subject is a person with a disability—leading to discriminatory outcomes.

FTC’s View of What Constitutes “Biometric Information.” In the Policy Statement, the FTC articulates a very broad definition of “biometric information”:

As used in this document, the term “biometric information” refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body. Biometric information includes, but is not limited to, depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern). Biometric information also includes data derived from such depictions, images, descriptions, or recordings, to the extent that it would be reasonably possible to identify the person from whose information the data had been derived. By way of example, both a photograph of a person’s face and a facial recognition template, embedding, faceprint, or other data that encode measurements or characteristics of the face depicted in the photograph constitute biometric information.

The FTC’s view of what constitutes “biometric information” goes beyond the scope of existing state and local privacy laws (e.g., by including photographs and voice recordings as biometric information). In addition, the FTC expressly declines to limit its scrutiny to technologies that are used to identify individuals; instead, it makes clear that the Policy Statement applies to “all technologies that use or purport to use biometric information for any purpose.”

The FTC provides a non-exhaustive list of practices involving the collection and use of biometric information that it “will scrutinize in determining whether companies collecting and using” or “marketing” biometric information technologies are complying with Section 5 of the FTC Act.

Deception. The Policy Statement highlights two practices that may constitute deceptive practices in violation of Section 5:

    • False or unsubstantiated marketing claims relating to the “validity, reliability, accuracy, performance, fairness, or efficacy” of biometric information technologies. The FTC states that such claims may mislead consumers and competitors by making false claims about a product’s capabilities and then cause harm when the product does not work as promised or denies benefits or opportunities to consumers. For example, the FTC cautioned businesses not to make claims about a technology’s efficacy or accuracy if the claims are based on tests or audits that do not replicate real-world conditions or if the tests results are only true for a certain subset of the population.
    • Deceptive statements about the collection and use of biometric information. The FTC says it will continue scrutinizing businesses to ensure that they are not making false statements or telling “half-truths” to consumers about whether or when biometric information is collected and how businesses use such information.

Unfairness. The Policy Statement describes ways that the use of biometric information or biometric technologies may be an unfair practice under Section 5, especially when they cause harms that consumers cannot reasonably avoid and are not outweighed by countervailing benefits to consumers or competition. The FTC identifies in particular the surreptitious collection and use of biometric information, the failure to protect consumer personal information with reasonable data security practices, implementing privacy-invasive default settings, and disseminating or selling inaccurate technology or technology with the potential to cause harmful or illegal conduct without taking reasonable measures to prevent such conduct. When examining a business’s use of biometric information or biometric technology, the FTC will consider non-exhaustive factors such as:

    • Failing to assess foreseeable harms to consumers associated with collecting and using biometric information. The FTC expects businesses that collect biometric information or use biometric technology to conduct a “holistic assessment of the potential risks to consumers” before collecting such information or deploying such technology. Such assessments should consider the context of the collection or use, what role a human operator will have, and whether using a biometric information technology system would lead or contribute to a disproportionate harm to certain groups within the population.
    • Failing to promptly address known or foreseeable risks. The FTC will look for businesses to identify and implement readily available tools to identify, reduce, or eliminate risks. This includes adopting organizational and technical measures and being informed of and taking proactive measures to identify and reduce risks of common errors and biases produced by the biometric information technologies they use.
    • Engaging in surreptitious and unexpected collection or use of biometric information. The FTC says that collecting or using biometric information or biometric information technology in ways that may cause risks of harm to consumers, including stalking or extreme emotional distress, or that makes collection or use unavoidable, including failing to clearly and conspicuously disclose the information collection and using or failing to provide a complaint mechanism, may be unfair practices.
    • Failing to evaluate the practices and capabilities of third parties. The FTC additionally expects businesses to seek assurances and contractual agreements from third parties, including affiliates, vendors, and end users, to minimize risks to consumers of access to biometric information or biometric information technology. And businesses “should also go beyond contractual measures to oversee third parties,” including through organizational and technical measures for supervision and monitoring.
    • Failing to provide appropriate training for employees and contractors regarding the collection and use of biometric information. Businesses will be expected to provide training to workforce members interacting with biometric information or biometric information technology.
    • Failing to conduct ongoing monitoring of technologies that the business develops, offers for sale, or uses in connection with biometric information. The FTC states that businesses should monitor technologies developed, sold, or used in connection with biometric information on an ongoing basis to ensure that users of the technology are operating it as intended and use of the technology is “not likely to harm consumers.”

It may prove challenging for businesses to determine whether the Policy Statement applies to their activities—given the broad scope of the FTC’s view of “biometric information” and its stated intent to scrutinize technologies beyond those used to identify people. It may be equally challenging, as a practical matter, to apply the FTC’s views of the practices that are deceptive and unfair. For example, the FTC’s statements about the necessity of technology providers conducting ongoing monitoring of not only their vendors and affiliates, but also their customers and end users of the technology do not account for the significant practical challenges and barriers associated with implementing such monitoring.

That said, recognizing what the Policy Statement signals about the FTC’s intent to more actively regulate biometric technologies and with the expectation that the views expressed here will inform the agency’s approach to investigations and enforcement actions, it is important for any business that provides or uses technologies that may fall within the FTC’s field of view to consider whether to take any action in response to the Policy Statement.

Related Capabilities

© 2026 Jenner & Block LLP. Attorney Advertising. Jenner & Block LLP is an Illinois Limited Liability Partnership including professional corporations. This publication, presentation, or event is not intended to provide legal advice but to provide information on legal matters and/or firm news of interest to our clients and colleagues. Readers or attendees should seek specific legal advice before taking any action with respect to matters mentioned in this publication or at this event. The attorney responsible for this communication is Brent E. Kidwell, Jenner & Block LLP, 353 N. Clark Street, Chicago, IL 60654-3456. Prior results do not guarantee a similar outcome. Jenner & Block London LLP, an affiliate of Jenner & Block LLP, is a limited liability partnership established under the laws of the State of Delaware, USA and is authorised and regulated by the Solicitors Regulation Authority with SRA number 615729. Information regarding the data we collect and the rights you have over your data can be found in our Privacy Notice. For further inquiries, please contact dataprotection@jenner.com.

News and Insights

Podcasts

Partner Laurel Loomis Rimon Discusses Fintech Enforcement, Debanking, and Regulatory Risk on Fintech Layer Cake Podcast

Partner Laurel Loomis Rimon was featured on the Fintech Layer Cake podcast, where she discussed how fintech enforcement and prosecution actually work in practice, and what exposes fintechs and banks to regulatory risk.

July 15, 2026

Publications

Supreme Court Clarifies Scope of Private Rights of Action Under the Investment Company Act, Private Equity Law Report

Partners Charles Riely, Todd C. Toral, and Martin Glass authored a guest article for Private Equity Law Report examining the US Supreme Court's June 11, 2026, ruling on the scope of private rights of action under the Investment Company Act of 1940.

July 14, 2026

Publications

Emily Loeb Discusses Congressional Oversight Preparedness in Bloomberg Law

Partner Emily Loeb, co-chair of Jenner & Block's Congressional Investigations Practice, spoke with Bloomberg Law article about how companies can prepare for potential oversight exposure ahead of this fall's midterm elections.

July 7, 2026

Publications

In New York Law Journal, The True Lender Doctrine and the OppFi Decision

Partners Jeremy Creelan, Michael Ross, Megan Poetzel, and Laurel Loomis Rimon, and Associate Molly Oberstein-Allen authored an article for the New York Law Journal examining the "True Lender" doctrine in light of a May 2026 California decision that provides the most detailed judicial framework to date for evaluating bank-nonbank lending partnerships.

July 1, 2026

Event

Partner Michael Vernick to Speak at NACUA's 2026 Annual Conference

On July 1, Partner Michael Vernick will speak on a panel at the National Association of College and University Attorneys (NACUA) 2026 Annual Conference in Nashville.

July 1, 2026