Not long ago, biometric facial recognition technology was considered a crazy idea that might happen sometime in the future. Well, now it is here and changes are happening. Rapid advances have fed a proliferation of the technology, which is still spreading to new areas of both private and public life. At the same time, several municipalities and states are putting new laws into effect that will regulate the use of facial recognition technology by commercial entities. Therefore, all companies that use facial recognition technology have to take steps to leverage it effectively while complying with current and potential laws.
Facial Recognition Technology Analysis
Facial recognition uses biometric technology (i.e., individual physical characteristics) to map someone’s face digitally. The measurements are then used to create a mathematical formula, also known as a “facial signature” or “template”. This template is saved and compared against an individual’s physical facial structure to uniquely identify that individual. Advancements in technology keep unlocking new ways for businesses to take advantage of facial template data to improve the effectiveness and efficiency of operations. Today, it’s common for someone to unlock their smartphone with their face or to “check in” at the airport. However, while this technology has produced many benefits, using it also carries serious privacy risks. Once compromised, facial templates and other forms of biometric data can no longer be used as a security feature.
The Rise of Biometric Privacy Regulation (And Corresponding Risk)
To combat the risk that comes with facial template data and other forms of biometric data, multiple states have put laws into place that regulate the collection and use of facial template data by businesses. Illinois’ Biometric Privacy Act, or “BIPA”, is thought of as the most binding state law. Under BIPA, a private entity can’t collect or save facial template data without providing notice, obtaining written consent, and making disclosures. BIPA also contains a private right of action provision that allows recovery of statutory damages between one and five thousand dollars.
Texas and Washington have also put biometric privacy laws into place. These laws cover facial recognition technology and impose similar requirements relating to notice, mandatory security measures, and consent.
Biometrics and Liability
The new wave of biometric privacy laws has created substantial liability. The risk exists primarily because of the statutory damages made available under BIPA, which the Illinois Supreme Court made quite a bit easier to recover with a 2019 ruling that plaintiffs may pursue BIPA claims even where no real harm or damage exists. Several states that do not have laws regulating facial recognition technology stepped up their efforts at the beginning of 2020 to put similar laws of their own into place.
Privacy policies should encompass the following issues:
- Notice that facial template data is being collected/saved
- The current and foreseeable purposes for which the company uses facial template data
- How this facial template data will be utilized
- Description of protective measures taken to guard facial template data
- The company’s facial template data retention and destruction policies and practices, which should also prohibit giving out any individual’s data without their consent and should ban the company and its employees from profiting from any data
Second, to further support the principle of transparency, companies should provide conspicuous, advance notice of the use of facial recognition technology before any facial template data is captured, used, or stored.
By doing this, companies should be able to offer their customers adequate information about how facial templates work and how the data will be utilized, shared, and saved by the company. Wherever it is appropriate or required by law, contextual and just-in-time notices might be necessary.
Third, when feasible, companies should obtain express, affirmative consent from consumers before any data derived from facial recognition technology is collected, used, or stored.
The Federal Trade Commission (FTC) recommends that companies gain their customers’ absolute consent before capturing or using facial template data, at the very least, where a company intends to use their facial template data, when the company collected their data, and where a company intends to use facial recognition to identify anonymous images to someone who could not otherwise identify that person without assistance.
Data Security Measures
Finally, companies must ensure they implement effective data security safeguards to protect all data captured, used, and stored through facial recognition technology from improper disclosure, access, or acquisition. Companies should be sure that they safeguard facial template data:
- Using the reasonable standard of care that is applicable to their given industry; and
- In a manner that is the same as or more protective than the manner in which the company stores, transmits, and protects other forms of personal, sensitive information.
Companies should also assess their facial template data security measures periodically and make any modifications or updates to their security programs needed to address and neutralize new or evolving threats or vulnerabilities.