Baltimore recently prohibited several uses of “face surveillance” technology. Under the new law, companies cannot use systems that identify or verify individuals based on their faces. The law also prohibits saving information gathered from these systems. Getting an individual’s consent is not a way around the prohibition. Nor is promising not to connect information gathered with other personal information.
Still, there is an important exception that many companies will find helpful. Namely, the law permits facial recognition technologies that are used to give access to specific locations or devices. Some are concerned that the law is overly restrictive.
The article has been written to offer several tips to try if you want to use facial recognition technology. The original article was written by David Oberly, an associate at Blank Rome, and can be found here.
Rapid advances have fueled a proliferation of facial recognition technology. It continues to spread to new areas of public and private life. In particular, today retailers and similar commercial organizations are increasingly relying on facial recognition for security and surveillance purposes.
At the same time, however, facial recognition is becoming an increasingly popular target for class-action litigation pursued under the Illinois Biometric Information Privacy Act ("BIPA"). Many states and Congress are trying to enact additional strict laws regulating facial recognition technology by commercial enterprises.
All organizations that use facial recognition technology today, especially those that use this technology for security and surveillance purposes, must ensure that they have appropriate biometric privacy practices.
They have to take measures not to become the next target of a potentially game-changing biometric privacy class action lawsuit.
Legal landscape
Currently, only three states have passed biometric privacy laws directly regulating the use of facial recognition technology.
Of these laws, the BIPA of Illinois is considered the strictest. According to BIPA, an individual cannot collect or store data of a third party without prior notification, obtaining written consent, and disclosure of certain information.
In addition to Illinois, Texas and Washington have also passed biometric privacy laws regarding facial recognition technology. They establish similar requirements for notification, consent, and mandatory security measures.
Many states are currently trying to pass their legislation on the privacy of biometric data. It will extend notification, consent, and security requirements similar to BIPA to additional parts of the country.
The scope of many of these bills goes far beyond BIPA and will include additional requirements. Pre-deployment testing and periodic training of employees will be mandatory requirements. As well as permission for testing this technology by third parties will be obligatory too.
The state has also included facial recognition as one of the main areas for countrywide regulation. Federal lawmakers will establish uniform requirements throughout the country regarding the use of technologies.
Additional problems and risks
The current (and future) problems associated with facial recognition technology are not limited to significant legal liability.
Facial recognition has recently received a significant amount of negative media coverage. It concerned the potential accuracy and bias problems associated with this technology. Modern technologies are much less accurate in identifying people of color and women, thereby creating an increased risk of incorrect identification of people.
The new purpose of the class action lawsuit for the protection of biometric privacy
Recently, the focus of BIPA class action lawsuits has been on employers. Many of them use biometric fingerprint readers to record working hours and attendance. However, not long ago, a new BIPA target has appeared on the radar of the plaintiff's attorneys: companies using facial recognition for security and surveillance purposes.
Compliance Tips
Due to the rapidly increasing liability exposure associated with facial recognition technology, companies using this technology or planning to do so in the future should not wait for the adoption of new laws. Even if they are not currently subject to any regulations, they should take positive measures now to implement flexible, adaptable compliance programs. Thus, it can ensure continuous compliance with the rules of facial recognition.
Fortunately, there are several practical steps that companies can take to effectively use facial recognition technology in a way that meets their legal obligations. In particular, companies should consider the following:
* Accuracy and bias testing: Since facial recognition software can produce biased results and harm certain ethnic and racial groups, it is necessary to complete preliminary testing to ensure its effectiveness and accuracy before using it in real-time situations.
* Privacy Policy: Develop a publicly available, detailed privacy policy regarding facial recognition, which includes, at a minimum, an apparent notification that face template data is being collected, as well as additional information about the purposes for which face template data is used, as well as the company's schedule and guidelines for preserving and destroying this data.
* Written Notice: Provide a written notice — before any facial template data is collected. It has to inform individuals that the facial template data is collected, used, and(or) stored by the company; or how this data will be used and(or) transmitted, and the length of time the company will retain the data until it is destroyed.
* Written Release: Obtain a signed written consent form from all individuals before any facial template data is being collected. It has to permit the company to collect or use biometric data and disclose the data to third parties for business purposes.
* Opt-out: Permit individuals to opt-out of collecting their face template data.
* Data Security: Maintain data security measures to protect facial template data that meet reasonable standards of care applicable to the company's industry and protect facial template data in the same or more secure manner than the manner the company protects other forms of confidential personal information.
* Explicit prohibitions on using technology for discriminatory purposes: Adhere to a clear policy that strictly prohibits the use of facial recognition technology by employees, contractors, or suppliers to unlawfully discriminate against individuals or groups of individuals.
Conclusion
Facial recognition technology has significantly improved the performance of enterprises in all industries in many different ways, including security/fraud prevention using personal data, access and authentication, and the availability of accounts and services.
At the same time, this technology is becoming an increasingly frequent target of class-action lawsuits for biometric privacy, exposing enterprises to tremendous potential legal liability. In the future, the scale of responsibility will only increase as additional states and Washington, DC, will seek to introduce stricter rules regarding the use of facial biometrics.
Consequently, companies should take proactive measures to develop and implement biometrics compliance programs for facial recognition that cover the principles and methods described above.
If you find our posts riveting, you can subscribe here. If you have any questions, you may write to info@digt.com: we will be delighted to get feedback.
