Privacy & Information Security Law Blog

On January 11, 2021, the FTC announced that Everalbum, Inc. (“Everalbum”), developer of the “Ever” photo storage app, agreed to a settlement over allegations that the company deceived consumers about its use of facial recognition technology and its retention of the uploaded photos and videos of users who deactivated their accounts.

The Ever app had allowed users to upload their photos and videos for storage and organization using Everalbum’s cloud-based storage service. According to the complaint, in February 2017, the company launched a “Friends” feature, which used facial recognition to group a user’s photos based on the individuals in the photos. The complaint further alleged that, in July 2018, the company posted an article to the “Help” section of its website that stated: “When face recognition is turned on, you are letting us know that it’s ok for us to use the face embeddings of the people in your photos and videos, including you, and that you have the approval of everyone featured in your photos and videos.” The FTC alleged that, despite this representation, the feature was enabled by default (with no way to disable the feature) from February 2017 until May 2018 for mobile app users in Texas, Illinois, Washington and the EU and until April 2019 for mobile app users located anywhere outside of those regions.

In addition, the complaint alleges that the company combined millions of facial images it extracted from its app users’ photos with facial images the company obtained from publicly available datasets to create four datasets used in the development of its facial recognition technology. According to the complaint, one of these datasets was used to train its facial recognition technology and develop the facial recognition services it sold to its enterprise customers (although note that the company did not share images from its users’ photos or Ever users’ photos, videos or personal information with its enterprise customers).

The FTC further alleged that, although the company represented that it would delete the photos and videos of Ever users who deactivated their accounts, the company did not delete any deactivated users’ photos and videos until at least October 2019.

Under the proposed settlement, Everalbum must:

• Delete (1) the photos and videos of Ever app users who deactivated their accounts; (2) all face embeddings (i.e., the data reflecting facial features that can be used for facial recognition purposes) derived from the photos of Ever users who did not provide express consent; and (3) any facial recognition models or algorithms developed with Ever users’ photos or videos;
• Not misrepresent how it collects, uses, discloses, maintains or deletes personal information; and
• If the company markets the software to consumers for personal use, obtain a user’s express consent prior to using biometric information it collected from the user through that software to create face embeddings or develop facial recognition technology.

Notably, in connection with the announcement, the Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, stated: “Ensuring that companies keep their promises to customers about how they use and handle biometric data will continue to be a high priority for the FTC.”