The City of Portland, Oregon, just banned the use of facial recognition technology by private businesses and individuals. See Popular Mechanics news report here. Portland previously banned use of facial recognition by law enforcement and city agencies. However, now all private entities are prohibited from using facial recognition software and technology anywhere in the City in any “places of public accommodation.” In practice, the prohibition covers almost every business that is open to the public.
The ordinance has three exceptions:
(1) where facial recognition technology is necessary for compliance with federal and/or state laws
(2) use for social media applications and
(3) use as verification for an individual’s access to communication and electronic devices
The ordinance authorizes individuals to bring civil actions against entities that commit “material violations” of the ordinance. The ordinance allows an award of statutory damages of $1,000 per day for each violation and attorney’s fees under some circumstances. In short, violating the new ordinance will result in potentially catastrophic lawsuits. The new ordinance will go into effect January 1, 2021.
Portland is the first government entity to ban private use of facial recognition technology. This may be a new legal trend which might be encouraging for privacy advocates or worrisome for businesses that rely on facial recognition as a means of identification and security. At minimum, businesses in Portland may be facing a new round of expensive litigation.
As many know, facial recognition software and technology takes an image of a person’s face, and “maps” that image as a means of identification. Facial recognition is a form of biometrics which is a suite of technologies that can be used to identify a person based on their unique characteristics. Fingerprints and retinal scans are common examples of biometrics; facial recognition is less well-known. Facial recognition software has long been used by cellular phones and other electronic devices as a security measure; the ordinance allows that practice to continue. Likewise, some automobile manufacturers use the technology as a form of theft prevention and security. That may now be prohibited in Portland. Many are less aware that facial recognition is routinely used as a security measure by private companies to identify customers. Banks and financial institutions often use the technology to identify account holders. That will now stop in Portland.
Privacy advocates object to use of facial recognition technology on many grounds, not least of which are lack of notice and lack of consent. Mandating notice and consent are often the “go-to” strategies for those that are trying to regulate use of private data and information. For example, these are the key components of the California Consumer Privacy Act and the Illinois Biometrics Privacy Act. However, the Portland ordinance is notable since it does not attempt to impose notice and/or consent requirements. The ordinance simply prohibits use of the technology. It will be interesting to see if other states and local governments use the Portland ordinance as a template resulting in more widespread prohibition of facial recognition technology.
For more information or if you have legal questions about the use of biometric technologies, contact the data privacy lawyers at Revision Legal at 231-714-0100.