Partner
Over the last few years, there has been a significant legal trend toward protecting consumer privacy with respect to facial recognition software and other types of biometric identifiers. The California Consumer Privacy Act (“CCPA) protects personal information from being collected, shared and used by private businesses without notice and consent. The definition of “personal information” under the CCPA includes many categories of biometric data including facial recognition data. Illinois was the first state to enact protections against private abuse of biometric data in 2008 with the passage of the Illinois Biometric Information Privacy Act. Recently, New York amended its data privacy act to expand the definition of biometric data.
These consumer protections apply to private business collection and use of biometric data. We are now seeing a trend where public and governmental entities are being limited in the deployment and use of biometrics. At the end of March 2020, Washington state enacted legislation that brought law enforcement and other governmental use of facial recognition technology within constitutional privacy requirements and mandated public transparency for broad-range deployment. See Reuters report here.
Specifically, the new law requires that:
Advocates of facial recognition restrictions have highlighted the need for testing and transparency because studies have shown that these technologies misidentify women and people of color more frequently than they misidentify white men. This is a concern for private uses of facial recognition software, but has enormous implications when criminal law and penalties are involved.
For now, these government-use restrictions have been limited to facial recognition technologies. But civil rights and privacy advocates are aiming to broaden the government-use restrictions to include other biometric data such as gait recognition, hand geometry and device use/keystroke dynamics.
Washington is the first state to enact restrictions on use of facial recognition by government and law enforcement. Seven cities have previously enacted restrictions including San Francisco, Berkeley and Sommerville, Massachusetts. The new law takes effect January 1, 2021. For more information or if you have legal questions about consumer privacy, contact the internet lawyers at Revision Legal at 231-714-0100. We expect to see more laws like this enacted and expect an acceleration of concern among consumers and private individuals about the collection and use of biometric data.
The Fourth Amendment protects individuals against unreasonable government searches. For decades, courts applying the third-party doctrine held that information voluntarily shared with others—including one’s face in public—carried no constitutional expectation of privacy. Carpenter v. United States, 585 U.S. 296 (2018), signaled a reorientation. The Supreme Court held 5-4 that accessing seven days of historical cell-site location information without a warrant violated the Fourth Amendment, even though the data was held by a third-party carrier. The majority’s reasoning—that pervasive, granular tracking of a person’s movements over time is categorically different from isolated observations—applies with equal force to real-time facial recognition surveillance systems that can identify and track individuals across an entire city’s camera network.
Several federal judges have cited Carpenter in suppression rulings involving facial recognition evidence. As courts continue to develop the doctrine, law enforcement agencies and technology vendors should treat the warrant requirement for broad-scale facial recognition surveillance as an emerging constitutional norm rather than a distant prospect.
Washington’s 2020 facial recognition law was the first statewide framework specifically governing government use of the technology. Since then, other states have enacted complementary legislation. Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 et seq., remains the most potent private-right-of-action statute—it allows individuals to sue for $1,000 per negligent violation and $5,000 per intentional violation without proving actual harm. Texas enacted a biometric privacy law with Attorney General enforcement authority. At the municipal level, San Francisco, Boston, Baltimore, and several dozen other cities have enacted outright bans or strict limits on government use of facial recognition.
The patchwork of state and local regulations creates significant compliance complexity for technology vendors supplying facial recognition systems to law enforcement agencies. A platform deployed by a county police department in Illinois may trigger BIPA obligations even for government customers. Vendors and procurement officers should evaluate each deployment against the applicable state biometric privacy regime.
The legislative restrictions on government facial recognition are partly driven by documented evidence of algorithmic bias. A 2019 study by the National Institute of Standards and Technology evaluated 189 facial recognition algorithms from 99 developers and found that most performed significantly worse on Black, Asian, and Native American faces than on white faces, and performed worse on women than on men. Misidentification rates for Black women in some systems were 10 to 100 times higher than for white men.
These accuracy disparities create obvious due-process concerns when facial recognition is used as the basis for arrest warrants or as evidence in criminal proceedings. At least three documented cases in the United States involved individuals who were wrongfully arrested based on erroneous facial recognition matches. Courts and legislatures are increasingly requiring human review of any facial recognition match before it is used to justify law enforcement action—exactly the meaningful human review requirement embedded in Washington’s 2020 statute.
The expanding biometric privacy framework affects any company that deploys facial recognition for access control, customer identification, workforce management, or security monitoring. Key compliance steps include: conducting a biometric data inventory to identify all systems that capture or process facial geometry or other biometric identifiers; reviewing applicable state laws for notice, consent, and data-retention obligations; implementing a written biometric data retention and destruction policy; and ensuring that vendor contracts include data-processing agreements that allocate liability appropriately.
If your business is deploying or evaluating biometric technology, or if you have received an inquiry from a state attorney general about your data practices, contact the privacy lawyers at Revision Legal at 231-714-0100.
Artificial intelligence has become part of nearly every business operation. Businesses now use AI tools to write marketing copy, generate product images, compose emails, draft social media posts, and produce video and audio content at a scale that was not possible a few years ago. The efficiency gains are real. But so are the legal […]
Read more about The Risks of Using AI-Generated Content in Your Business
Receiving a cease and desist letter can feel alarming. One minute you are running your business as usual, and the next you are staring at a legal demand accusing you of trademark infringement, copyright violation, breach of contract, or some other wrong. The situation can escalate quickly if not handled properly. But receiving a cease […]
Read more about How to Respond to a Cease and Desist Letter
Learn what counts as deceptive pricing in e-commerce, including false discounts, hidden fees, drip pricing, and fake urgency. Revision Legal’s internet law attorneys help online retailers stay compliant with FTC rules.
Read more about What Counts as Deceptive Pricing in E-Commerce?