Client Alert
Proposed Federal Law Broadens Regulatory Landscape for Facial Recognition Technology
March 18, 2019
BACKGROUND
On March 14th, U.S. Senators Roy Blunt of Missouri and Brian Schatz of Hawaii introduced a bill to regulate the commercial applications of facial recognition technology. The bill, “The Commercial Facial Recognition Privacy Act of 2019” (“the Act”), would prohibit certain entities from using facial recognition technology and data without first obtaining user consent. While there have been many privacy-focused bills introduced at the federal level, the Act stands out, as it appears to have both bipartisan legislative backing and support from the tech industry.
OVERVIEW
Scope
The Act applies to private entities that collect, store, or process facial recognition data, and regulates how and when they may use “facial recognition technology.” “Facial recognition data” is defined under the Act as any unique attribute or feature of the face of a consumer that is used by facial recognition technology to uniquely identify a specific individual, while “facial recognition technology” is defined as technology that analyzes facial features and is used for the purposes of unique personal identification.
Federal, state, and local governments are exempt, along with law enforcement, national security, and intelligence agencies. Also of note, the Act differentiates between processors and controllers, mirroring the language and meaning used in the EU’s General Data Protection Regulation.
Requirements
The Act prohibits controllers (i.e., the entities making decisions regarding how data is processed) from knowingly using facial recognition technology to collect facial recognition data unless the controller obtains affirmative consent from the consumer and provides the consumer with proper notice. Such notice must:
- Inform consumers that facial recognition technology is present;
- Provide information about where the consumer can learn more about the facial recognition technology being used; and
- Provide documentation that includes information explaining the capabilities of the technology in terms that consumers can understand.
The Act further prohibits covered entities from:
- Using facial recognition technology to discriminate against consumers;
- Repurposing facial recognition data for a purpose that is different from those disclosed to the consumer;
- Sharing the data with an unaffiliated third party without affirmative consent that is separate from the affirmative consent required for initial collection of facial recognition data; and
- Conditioning service on consent by a consumer, when the use of facial recognition technology is not necessary for that service.
The Act also seeks to reduce possible bias in facial recognition technology, requiring covered entities to engage in meaningful human review before making any final decision based on the output of facial recognition technology that may result in foreseeable, material “harm” to a consumer, or may be unexpected or “highly offensive” to a consumer. Relatedly, if an entity makes a facial recognition technology available as an online service, that entity must allow an independent third party to conduct tests of the technology for accuracy and bias.
Enforcement
There is no private right of action under the Act. Instead, violations of the Act may be enforced by the FTC or the States’ Attorneys General. The Act specifies that the FTC would be responsible for issuing implementing regulations focusing on describing data security, minimization and retention standards that would be applicable to processors (i.e., the entities using the information at the direction of controllers); providing further insight into what constitutes “harm” and “highly offensive” for the purposes of requiring human review prior to making decisions based on output from facial recognition technology; and including additional exceptions to some of the Act’s requirements where it is impossible for a controller to obtain consent from or provide notice to consumers.
Exceptions
The Act contains two exceptions: one for “security applications” and one for a list of delineated acceptable uses. The “security applications” exemption refers to loss prevention and other applications used to detect or prevent criminal activity, such as shoplifting and fraud. Controllers using security applications are not subject to the prohibitions against the use of facial recognition technology to collect facial recognition data without obtaining a consumer’s consent or giving the consumer notice.
The other exception covers specific acceptable uses of facial recognition technology listed in the Act that release the controller from the Act’s prohibitions, so long as the exception’s requirements are met. For example, applications for use in personal file management and photo or video sorting, or in emergencies involving imminent danger to an individual, are exempt from the Act’s prohibitions. In addition, controllers who use facial recognition data for determining whether a consumer gave affirmative consent are exempted if the controller immediately and permanently destroys the facial recognition data after determining that the consumer did not give affirmative consent. However, this does not provide authorization for mass facial scanning in spaces where consumers have no reasonable expectation that facial recognition technology is being used.
Relationship to State Laws
The Act expressly states that it does not preempt or affect any state statute or regulation currently in effect, except to the extent that the state statute or regulation is inconsistent with the Act. Notably, state statutes and regulations will not be considered inconsistent with the Act if they provide consumers greater protections than those provided in the Act. Further, Section 7 expressly states that nothing in the Act may be construed to limit or preempt any privacy or security provision in any other federal or state law, including the regulations.
Taken together, it does not appear that the Act will preempt stricter state laws that regulate facial recognition technology, which currently include the Illinois Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/1), Tex. Bus. & Com. § 503.001, and Wash. Rev. Code § 19.375.010. It is likely that the Act will add to the extensive list of variable privacy-driven laws rather than centralize and focus a national standard for the regulation of facial recognition technology.
STATE LAW LANDSCAPE
In addition to the existing state laws in Illinois, Washington, and Texas, a number of state laws are pending in Massachusetts, New York, Delaware, Alaska, Michigan, and Washington. These proposed laws seek to regulate the collection of biometric information, which for many includes the collection of face images and faceprints. While some state legislation is substantially consistent with the Act, others go beyond the Act to impose stricter requirements, on par with BIPA. The laws currently pending include:
- New York (NY SB 1203)—On January 11, 2019, New York lawmakers introduced NY SB 1203, which regulates the collection of “biometric identifiers” and “biometric information.” The definition of “biometric identifier” includes “face geometry,” which arguably extends the reach of this bill to cover facial recognition technology. Unlike the federal bill, the New York bill regulates how biometric identifiers and information may be stored, requiring a “reasonable standard of care within the private entity’s industry.” Overall, the New York bill is substantially similar to BIPA (including a private right of action for “aggrieved” individuals) and would impose requirements that are stricter than those under the Act.
- Massachusetts (Bill S.120)—The proposed Massachusetts law seeks to regulate “Personal Information,” which includes “any information relating to an identified or identifiable consumer.” Thus, biometric information, such as images of the face and a resulting faceprint, are covered under the law. Unlike the Act, the proposed Massachusetts law does not require a business to obtain a consumer’s affirmative consent before collecting the consumer’s personal information. However, the law requires the business to notify the consumer of the collection and the purpose of the collection and to respond to a consumer’s request not to have her personal information collected. This latter piece is noticeably absent from the Act. Of note, the proposed Massachusetts law includes a private right of action.
- Delaware (DE HB350)—The Delaware legislature introduced the “Biometric Privacy Protection Act” in March 2018. Under the proposed law, “facial imaging or recognition” is specifically included as a “biometric identifier,” which can only be collected upon providing reasonable notice to an individual that the information is being collected, the purpose of the collection, and the length of time the information will be retained. As in the Act, while the proposed law requires an individual’s affirmative consent before collecting the individual’s information, there is no requirement that this consent be in writing. Further, there is no private right of action under the proposed law, with the Delaware Consumer Protection Unit tasked with enforcement.
- Alaska (HB72)—Unlike the Act and other state biometric laws, the proposed law pending in Alaska does not specifically mention facial images or faceprints in its definition of “biometric data.” Rather, the law’s definition includes a catchall phrase that biometric data includes any “other physical characteristics of an individual,” which encompasses facial images and faceprints. Similar to the other laws, however, the person collecting the biometric data must obtain an individual’s consent, either in written, electronic, or other form, and disclose the purpose for which the information is collected as well as the length of time for which it will be kept. Individuals are also granted the ability to bring a private right of action against a person who intentionally violates the proposed law, with violations costing $1,000, or $5,000 if the violation resulted in profit or monetary gain to the person. Notably, this proposed law provides an exception for use of biometric information for law enforcement purposes, including the identification of perpetrators.
- Michigan (MI HB 5019)—The proposed law in Michigan seeks to regulate “biometric identifiers,” such as face geometry. Under this proposed law, and unlike the Act, an individual must provide a written release before a private entity may collect, capture, purchase, receive through trade, or otherwise obtain the individual’s biometric identifier. Further, the proposed law goes beyond the Act by prohibiting the sale, lease, and trade of biometric identifiers, and it prohibits a private entity from profiting off of biometric identifiers. Like BIPA, this proposed law provides a private cause of action for individuals. Liability ranges from $1,000 for a negligent violation of the law to $5,000 for an intentional or reckless violation.
- Washington (2SSB 5376)—Like the Act, the Washington proposed law specifically addresses use of facial recognition technology, and it goes beyond the Act’s requirements and prohibitions. The proposed law appears to build upon existing requirements in Washington’s current biometric protection law, and uses similar terminology to the Act, such as “controller” and “processor,” and it requires controllers using facial recognition for profiling to use “meaningful human review” before making a final decision based on such profiling if the final decisions produce legal effects for consumers. These legal effects include a denial of services or support, such as housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services. Further, controllers must get consumer consent before using facial recognition services in physical premises open to the public. The proposed law specifically notes that the consumer consent requirement is met where the controller places a conspicuous notice on the physical premises that announces facial recognition services are being used and the consumer enters the premises anyway. Notably, the law expressly states that there is no private right of action under this law, and enforcement is left to the Washington Attorney General. A controller will be found in violation of the proposed law if it fails to cure an alleged violation within 30 days after receiving notice of alleged noncompliance. Penalties for failure to cure include an injunction and no more than $2,500 for each violation and $7,500 for each intentional violation.
FOR MORE INFORMATION
This area of the law is rapidly developing, so if you have any specific questions about how these proposed or current facial recognition laws may impact your business activities, please contact your Winston & Strawn attorney. Winston has extensive experience in counseling companies on compliance with respect to facial recognition, biometric information privacy, and similar laws and, should it become necessary, defending consumer class data security actions in both state and federal courts.