Over the last few years, there has been a significant legal trend toward protecting consumer privacy with respect to facial recognition software and other types of biometric identifiers. The California Consumer Privacy Act (“CCPA) protects personal information from being collected, shared and used by private businesses without notice and consent. The definition of “personal information” under the CCPA includes many categories of biometric data including facial recognition data. Illinois was the first state to enact protections against private abuse of biometric data in 2008 with the passage of the Illinois Biometric Information Privacy Act. Recently, New York amended its data privacy act to expand the definition of biometric data.
These consumer protections apply to private business collection and use of biometric data. We are now seeing a trend where public and governmental entities are being limited in the deployment and use of biometrics. At the end of March 2020, Washington state enacted legislation that brought law enforcement and other governmental use of facial recognition technology within constitutional privacy requirements and mandated public transparency for broad-range deployment. See Reuters report here.
Specifically, the new law requires that:
- For government agency deployment, public notice must first be provided along with a published civil liberties impact study
- Before deployment, a governmental agency must hold at least three community meetings with respect to the technology
- Law enforcement must now obtain court-issued warrants for use facial recognition technologies for surveillance and/or real-time identification unless emergency conditions exists such as missing persons, child abductions and public safety
- Banning the combination of AI technology used with facial recognition technology without “meaningful human review” if use of the AI has “legal effects” such as impacts on jobs, services, housing, education, etc.
- Government and law enforcement employees must be trained with respect to the “limitations” of facial recognition technologies
- The software and technology used must be enabled for independent testing for “accuracy and unfair performance differences across distinct subpopulations” including persons of color, gender and other potential categories of discrimination
- Regular reporting on the use of facial recognition technology and results of the independent testing
Advocates of facial recognition restrictions have highlighted the need for testing and transparency because studies have shown that these technologies misidentify women and people of color more frequently than they misidentify white men. This is a concern for private uses of facial recognition software, but has enormous implications when criminal law and penalties are involved.
For now, these government-use restrictions have been limited to facial recognition technologies. But civil rights and privacy advocates are aiming to broaden the government-use restrictions to include other biometric data such as gait recognition, hand geometry and device use/keystroke dynamics.
Washington is the first state to enact restrictions on use of facial recognition by government and law enforcement. Seven cities have previously enacted restrictions including San Francisco, Berkeley and Sommerville, Massachusetts. The new law takes effect January 1, 2021. For more information or if you have legal questions about consumer privacy, contact the internet lawyers at Revision Legal at 231-714-0100. We expect to see more laws like this enacted and expect an acceleration of concern among consumers and private individuals about the collection and use of biometric data.