FTC Finds That Developer Cannot Keep Work Product of Ill-Gotten Data

In the Matter of Everalbum and Paravision, the settlement reached between the Federal Trade Commission and Everalbum included prohibitions regarding the developer’s retention of work product of ill-gotten data.

FTC law image

Everalbum is the developer of the “Ever” photo storage application, an app that was launched in 2015 that allowed consumers to store and organize digital photos and videos by uploading them to the app’s cloud-based servers.

According to the FTC, in February 2017, the company launched a new feature called “Friends,” which used facial recognition technology. The FTC alleges that the facial recognition was automatically enabled as a default for all users of the app without providing an initial option for consent, despite representations that the company would not apply its facial recognition technology without affirmative consent.

Interestingly, according to FTC attorneys, in 2018, Everalbum provided users from Texas, Illinois, Washington or the European Union an option to allow the app to use facial recognition, including a setting that allowed those users to turn the feature on or off. The foregoing locations have laws regulating the use of biometric information. In 2019, Everalbum made these same options available for users outside of Texas, Illinois, Washington, and the European Union.

According to FTC lawyers, Everalbum used the images it obtained from consumers’ photos to improve the facial recognition technology that it sold through Paravision, Everalbum’s brand.

The FTC’s complaint against Everalbum alleges that the company violated the FTC Act by misrepresenting that it was not using face recognition unless consumers enabled that function, and that the company misrepresented that it would delete consumers’ photos and videos upon account deactivation.

While the proposed settlement does not include any monetary component, it is heavy on terms pertaining to information concerning consumers, such as, without limitation, biometric information. Additionally, the company is restricted from misrepresenting the manner in which it collects, uses, discloses, maintains or deletes such information; how consumers are able to control such information; and the manner in which the company protects such information. The company is also required to “clearly and conspicuously” disclose the purposes for which it uses and shared such information, and must obtain affirmative consent from consumers prior to collection such information.

The settlement also requires the company to delete or destroy all photos and videos of consumers that requested deactivation of their accounts. The deletion of intellectual property the company obtained is noteworthy. Specifically, the company shall, within 90 days after the settlement issues, delete or destroy all “face embeddings” derived from biometric information collected from consumers that did not first provide affirmative consent.

This appears to be the first time the FTC required the deletion of intellectual property, in addition to the data itself, allegedly obtained in violation of the FTC Act. The settlement requires Everalbum to delete all “Affected Work Product,” defined as “any models or algorithms developed in whole or in part using Biometric Information collected from consumers that used the application.

Takeaway: Going forward, the Federal Trade Commission may be likely to scrutinize the manner of consent given by consumers, including the collection of biometric and other sensitive personal information. Companies that collect and process sensitive personal information should take note and ensure that proper disclosures and consents are obtained, up front.

Richard B. Newman is an FTC defense attorney at Hinch Newman LLP. Follow FTC defense attorney on Twitter.

Informational purposes only. Not legal advice. May be considered advertising material.