
Written by Daniela Atanasovska

Posted on: January 3, 2024

The Rite Aid FTC Ban: A Wake-Up Call for Companies Using AI Facial Recognition Systems

The U.S. Federal Trade Commission (FTC) has recently taken a significant step toward addressing bias and discrimination in artificial intelligence (AI), as seen in a landmark case involving Rite Aid. In a groundbreaking move, the consumer protection agency addressed concerns about Rite Aid’s use of facial recognition technology for retail theft deterrence.

Rite Aid, a prominent player in the retail pharmacy landscape, holds the distinction of being the third-largest drugstore chain in the United States, managing an extensive network of over 2,000 retail pharmacies. 

The company has recently come under the regulatory spotlight as the U.S. Federal Trade Commission (FTC) addressed concerns surrounding its deployment of facial recognition technology for retail theft deterrence.

This enforcement marks a significant moment in the intersection of data privacy, artificial intelligence, and corporate responsibility, emphasizing the need for robust governance practices in the implementation of advanced technologies within the retail sector.

This case is more than a rebuke to a specific company; it establishes a precedent for heightened accountability and scrutiny surrounding biased AI systems. 

The key lessons for privacy and AI governance professionals, and the far-reaching implications of the FTC’s actions, are explained below.

For years, the FTC has been a pivotal player in U.S. data privacy enforcement. However, on December 19, 2023, it took its first significant step into the AI landscape. 

By settling a complaint against Rite Aid, the FTC not only addressed the company’s AI bias issues but also provided a roadmap for reasonable bias mitigation in AI systems. 

While FTC orders are binding for the specific company involved, they serve as a guiding light for other entities seeking to navigate the evolving landscape of regulatory scrutiny.

The FTC’s complaint against Rite Aid outlined several critical issues in the company’s AI governance practices throughout the deployment of third-party vendors’ facial recognition systems. 

Notable concerns included lack of oversight in vendor selection, failures in the enrollment process, and shortcomings in the match alert process.

Vendor Selection Oversight

Alleged lack of oversight and diligence in obtaining information about the accuracy and reliability of deployed systems from third-party vendors.

Enrollment Process Failures

Failure to account for reduced accuracy from low-quality images during the enrollment process.

Enrolling numerous low-quality images from diverse sources and prioritizing quantity over quality.

Retaining enrolled images indefinitely, raising privacy concerns.

Match Alert Process Shortcomings

Lack of confidence values on match alerts sent to store employees when potential matches were identified.

The FTC’s intervention led to a prohibition on Rite Aid’s use of facial recognition technologies for the next five years. If the company chooses to reintroduce this technology post-ban, it must adhere to a detailed governance program specified by the FTC. 

This enforcement underscores the imperative for AI practices to align with ethical standards, transparency, and fairness.

The FTC, in its consent order, outlines best practices for addressing bias in AI systems. These encompass conducting pre-assessments, testing for accuracy and reliability, annual employee training and monitoring, calibrated enrollment policies, clear notices and complaint procedures, and a mandatory information security program.

Conducting Pre-assessments

A written system assessment of risks foreseeing potential harms to consumers.

Analysis of adverse consequences, accuracy testing, data factors, industry practices, algorithm development methods, and deployment context.

Testing for Accuracy and Reliability

Mandatory testing and assessment of system accuracy before and after deployment.

Implementation, maintenance, and documentation of safeguards to control identified risks.

Annual Employee Training and Monitoring

Annual training for operators of AI systems on governance risks and best practices.

Documentation and review of employee performance against established metrics.

Calibrated Enrollment Policies

Ensuring quality data inputs by establishing and enforcing written image quality standards.

Setting retention limits for biometric information to maintain privacy.

Clear Notices and Complaint Procedures

Providing written notice to individuals enrolled in the system.

Mandatory notice when the system is used for actions that could harm consumers.

Timely and substantive responses to consumer complaints within 30 days.

Mandatory Information Security Program

Detailed expectations for Rite Aid’s data security program to safeguard biometric information.

The Rite Aid case marks the commencement of AI bias enforcements from the FTC, extending its lessons to various AI systems. 

Retail companies, particularly those deploying facial recognition, must scrutinize the order for compliance expectations. 

Moreover, companies using biometrics in any capacity should take heed, as this marks the FTC’s first public enforcement since its May policy statement on the misuse of consumer biometric information.

The case provides a template for best practices in AI governance, aligning with emerging standards and guidelines in the U.S.

This Rite Aid case represents a pivotal milestone in the dynamic realm of AI governance. Marking the inaugural step in regulating biased AI systems, it serves as a guiding light for the adoption of ethical AI practices. Industries are urged to draw valuable lessons from Rite Aid’s experiences, emphasizing the need to align AI strategies with principles of transparency, fairness, and accountability. 

Beyond holding Rite Aid accountable, the FTC’s order establishes a precedent for the responsible and ethical deployment of AI technologies in the foreseeable future. This landmark case distinctly highlights the FTC’s unwavering dedication to shaping the ethical landscape amid the rapid advancement of AI technologies.

In the context of GDPR compliance, the Rite Aid FTC ban sends a compelling message to companies utilizing AI facial recognition systems. The enforcement action by the U.S. Federal Trade Commission underscores the critical intersection of data privacy, artificial intelligence, and corporate responsibility. 

For companies subject to GDPR regulations, this landmark case highlights the increasing global scrutiny on the ethical deployment of advanced technologies. 

The GDPR places a strong emphasis on protecting individuals’ rights regarding the processing of personal data, and the lessons drawn from the Rite Aid case serve as a wake-up call for businesses to align their AI strategies with GDPR principles. 

Companies must prioritize transparency, fairness, and robust governance practices to ensure compliance with evolving data protection standards and avoid potential legal ramifications.

For more on the intersection of GDPR and AI, including how the GDPR enforces data protection principles and grants rights to individuals, posing challenges for AI development, see the blog post “GDPR and Artificial Intelligence”.

GDPRlocal offers vital assistance to companies navigating AI governance challenges by providing robust support for GDPR compliance. With the Compliance Hub and expert consultants, businesses gain access to ongoing guidance, compliance audits tailored to AI systems, and expertise in addressing intricate data protection issues associated with artificial intelligence.

Whether opting for continuous support via the Compliance Hub or engaging on an ad-hoc basis, GDPRlocal empowers companies to effectively manage AI governance within the regulatory framework of GDPR. 

To learn more or connect with GDPRlocal, visit our website or use the provided contact numbers.
