Facial Recognition Privacy: Government Use is Being Regulated and Restricted Too featured image

Facial Recognition Privacy: Government Use is Being Regulated and Restricted Too

by John DiGiacomo

Partner

Internet Law

Over the last few years, there has been a significant legal trend toward protecting consumer privacy with respect to facial recognition software and other types of biometric identifiers. The California Consumer Privacy Act (“CCPA) protects personal information from being collected, shared and used by private businesses without notice and consent. The definition of “personal information” under the CCPA includes many categories of biometric data including facial recognition data. Illinois was the first state to enact protections against private abuse of biometric data in 2008 with the passage of the Illinois Biometric Information Privacy Act. Recently, New York amended its data privacy act to expand the definition of biometric data.

These consumer protections apply to private business collection and use of biometric data. We are now seeing a trend where public and governmental entities are being limited in the deployment and use of biometrics. At the end of March 2020, Washington state enacted legislation that brought law enforcement and other governmental use of facial recognition technology within constitutional privacy requirements and mandated public transparency for broad-range deployment. See Reuters report here.

Specifically, the new law requires that:

  • For government agency deployment, public notice must first be provided along with a published civil liberties impact study
  • Before deployment, a governmental agency must hold at least three community meetings with respect to the technology
  • Law enforcement must now obtain court-issued warrants for use facial recognition technologies for surveillance and/or real-time identification unless emergency conditions exists such as missing persons, child abductions and public safety
  • Banning the combination of AI technology used with facial recognition technology without “meaningful human review” if use of the AI has “legal effects” such as impacts on jobs, services, housing, education, etc.
  • Government and law enforcement employees must be trained with respect to the “limitations” of facial recognition technologies
  • The software and technology used must be enabled for independent testing for “accuracy and unfair performance differences across distinct subpopulations” including persons of color, gender and other potential categories of discrimination
  • Regular reporting on the use of facial recognition technology and results of the independent testing

Advocates of facial recognition restrictions have highlighted the need for testing and transparency because studies have shown that these technologies misidentify women and people of color more frequently than they misidentify white men. This is a concern for private uses of facial recognition software, but has enormous implications when criminal law and penalties are involved.

For now, these government-use restrictions have been limited to facial recognition technologies. But civil rights and privacy advocates are aiming to broaden the government-use restrictions to include other biometric data such as gait recognition, hand geometry and device use/keystroke dynamics.

Washington is the first state to enact restrictions on use of facial recognition by government and law enforcement. Seven cities have previously enacted restrictions including San Francisco, Berkeley and Sommerville, Massachusetts. The new law takes effect January 1, 2021. For more information or if you have legal questions about consumer privacy, contact the internet lawyers at Revision Legal at 231-714-0100. We expect to see more laws like this enacted and expect an acceleration of concern among consumers and private individuals about the collection and use of biometric data.

Extra, Extra!
Recent Posts

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Internet Law

Almost half of the States in the U.S. have enacted some version of an online personal or consumer data privacy statute. The statutes all use a similar framework that requires data collectors and processors to provide notices, obtain consent, and comply with mandates and prohibitions. For example, all of the online data privacy statutes require […]

Read more about Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Internet Law

The Ninth Circuit Court of Appeals — located in San Francisco — partially struck down California’s Age-Appropriate Design Code Act (“CAADCA”). See Cal. Civ. Code §§ 1798.99.28 et seq. The CAADCA was passed in 2022 by the California State Assembly. The CAADCA was enacted to protect the online privacy of children — persons under the […]

Read more about 9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Put Revision Legal on your side