Cyber One Solutions logo.
Get Support

Industry News

Facing the Facts About Facial Recognition

January 12, 2021

Facial recognition technology has become embedded in consumer products in ways that many users do not fully understand.

Facial recognition technology has become embedded in consumer products in ways that many users do not fully understand. A Federal Trade Commission enforcement action against photo storage company Everalbum illustrates how this technology can be deployed without genuine user consent.

The Everalbum Case

From 2015 through September 2020, Everalbum operated Ever, a mobile app that let users upload photos and videos to the company's cloud servers. In February 2017, the company launched a "Friends" feature that allowed users to tag people in photos and group images by the individuals pictured.

When the feature launched, Everalbum enabled facial recognition by default for all users. It did not provide a way to turn it off.

The company's own help documentation stated that enabling facial recognition meant the user was consenting to its use. According to the FTC complaint, that description applied only to users in Texas, Illinois, Washington, and the European Union, where specific biometric privacy laws required opt-in consent.

For the rest of Everalbum's user base, the company was using facial recognition without offering any choice. The FTC alleged that Everalbum continued providing inaccurate information to those users until at least April 2019.

Using Customer Photos to Build Commercial Technology

Separately from the Friends feature, Everalbum used images uploaded by Ever app users to develop its own facial recognition technology. The company combined millions of images from user uploads with publicly available datasets.

These models were later marketed to other businesses under its enterprise brand, Paravision. Users whose photos contributed to this commercial development had not been told their images would be used for this purpose.

The Account Deletion Problem

When users chose to deactivate their Ever accounts, the app warned them they would permanently lose access to their photos. Everalbum's representatives told users who asked that all photos and videos would be permanently deleted.

According to the FTC complaint, this was not accurate. Until at least October 2019, Everalbum retained the photos and videos of deactivated users indefinitely rather than deleting them as promised.

What the Settlement Required

The proposed FTC settlement required Everalbum to:

The order also prohibited misrepresentations about the collection, use, disclosure, and deletion of consumer data. It required affirmative express consent before using consumer images for facial recognition in any future product.

Broader Lessons for Businesses and Consumers

The Everalbum case carries clear implications for any organization that collects and processes personal data. Privacy promises made to consumers are legally binding commitments, not aspirational statements.

The obligation to honor those promises applies throughout the entire data lifecycle, including at deletion. When a company tells a user their data will be permanently removed, that expectation must be met.

From a consumer perspective, this case is a reminder to review the privacy settings of any app before uploading personal photos or videos. Approximately 25 percent of Everalbum users who were eventually offered a choice about facial recognition chose to disable it.

Regulatory attention to biometric data is growing. Several U.S. states and jurisdictions internationally have enacted laws that place specific requirements on the collection and use of facial recognition data. Organizations that handle biometric information should treat compliance in this area as a current priority.

Need Help with Data Privacy and Compliance?

Cyber One Solutions works with organizations to build security and privacy programs that meet regulatory requirements and hold up under scrutiny. Contact us today to schedule a consultation.