Partner
The City of Portland, Oregon, just banned the use of facial recognition technology by private businesses and individuals. See Popular Mechanics news report here. Portland previously banned use of facial recognition by law enforcement and city agencies. However, now all private entities are prohibited from using facial recognition software and technology anywhere in the City in any “places of public accommodation.” In practice, the prohibition covers almost every business that is open to the public.
The ordinance has three exceptions:
(1) where facial recognition technology is necessary for compliance with federal and/or state laws
(2) use for social media applications and
(3) use as verification for an individual’s access to communication and electronic devices
The ordinance authorizes individuals to bring civil actions against entities that commit “material violations” of the ordinance. The ordinance allows an award of statutory damages of $1,000 per day for each violation and attorney’s fees under some circumstances. In short, violating the new ordinance will result in potentially catastrophic lawsuits. The new ordinance will go into effect January 1, 2021.
Portland is the first government entity to ban private use of facial recognition technology. This may be a new legal trend which might be encouraging for privacy advocates or worrisome for businesses that rely on facial recognition as a means of identification and security. At minimum, businesses in Portland may be facing a new round of expensive litigation.
As many know, facial recognition software and technology takes an image of a person’s face, and “maps” that image as a means of identification. Facial recognition is a form of biometrics which is a suite of technologies that can be used to identify a person based on their unique characteristics. Fingerprints and retinal scans are common examples of biometrics; facial recognition is less well-known. Facial recognition software has long been used by cellular phones and other electronic devices as a security measure; the ordinance allows that practice to continue. Likewise, some automobile manufacturers use the technology as a form of theft prevention and security. That may now be prohibited in Portland. Many are less aware that facial recognition is routinely used as a security measure by private companies to identify customers. Banks and financial institutions often use the technology to identify account holders. That will now stop in Portland.
Privacy advocates object to use of facial recognition technology on many grounds, not least of which are lack of notice and lack of consent. Mandating notice and consent are often the “go-to” strategies for those that are trying to regulate use of private data and information. For example, these are the key components of the California Consumer Privacy Act and the Illinois Biometrics Privacy Act. However, the Portland ordinance is notable since it does not attempt to impose notice and/or consent requirements. The ordinance simply prohibits use of the technology. It will be interesting to see if other states and local governments use the Portland ordinance as a template resulting in more widespread prohibition of facial recognition technology.
For more information or if you have legal questions about the use of biometric technologies, contact the data privacy lawyers at Revision Legal at 231-714-0100.
Portland’s ban on private use of facial recognition technology in places of public accommodation was, at the time of enactment, the most aggressive such ordinance in the country. San Francisco and Oakland, California had earlier banned government use of facial recognition, and Boston, Massachusetts followed with its own government-use ban. But Portland went further by applying the prohibition to private entities operating in places open to the public. The ordinance reflects a growing policy consensus that facial recognition—unlike most biometric technologies—is deployed in public spaces without the knowledge or consent of those being scanned, raising civil liberties concerns beyond typical data privacy frameworks. “Places of public accommodation” under the ordinance encompasses virtually every business establishment, facility, or service offered to the public, including retail stores, restaurants, hotels, sports venues, transportation hubs, and healthcare facilities.
The first exception—federal or state law compliance—is narrower than it appears. It does not permit a private entity to deploy facial recognition simply because some law permits such technology; rather, it covers situations where federal or state law requires the use of facial recognition for specific compliance purposes. The second exception for social media applications covers facial recognition in photo-tagging features and does not extend to other uses by social media companies. The third exception—verification of access to devices and communications—covers Face ID and similar device-unlock biometrics, which do not involve collecting and storing facial geometry in a way that enables identification of persons in a public space.
The ordinance’s enforcement mechanism—a private right of action for $1,000 per day per violation—creates significant litigation exposure for non-compliant businesses. There is no cap on the number of daily violations that can be alleged in a single lawsuit. A class action by customers who were subject to unauthorized facial recognition scanning could generate catastrophic liability. Businesses that have deployed facial recognition in Portland locations should immediately audit those deployments and consult legal counsel about remediation.
Portland’s ordinance is part of a national trend toward facial recognition regulation that practitioners must monitor. At the federal level, proposals for a comprehensive federal biometric privacy law have been introduced in Congress but have not yet been enacted. Illinois’s BIPA remains the most litigated framework, but the landscape is shifting rapidly. Businesses that operate nationally should develop a facial recognition governance policy that satisfies the most restrictive applicable requirements rather than managing compliance state-by-state. Critically, facial recognition regulation is also expanding beyond traditional places of public accommodation—landlords, schools, and healthcare facilities are increasingly subject to targeted regulation of their use of biometric identification technology.
If your business uses or is considering facial recognition or other biometric technology, the privacy attorneys at Revision Legal can help you navigate the complex and rapidly evolving legal landscape. Contact us at 231-714-0100.
Artificial intelligence has become part of nearly every business operation. Businesses now use AI tools to write marketing copy, generate product images, compose emails, draft social media posts, and produce video and audio content at a scale that was not possible a few years ago. The efficiency gains are real. But so are the legal […]
Read more about The Risks of Using AI-Generated Content in Your Business
Receiving a cease and desist letter can feel alarming. One minute you are running your business as usual, and the next you are staring at a legal demand accusing you of trademark infringement, copyright violation, breach of contract, or some other wrong. The situation can escalate quickly if not handled properly. But receiving a cease […]
Read more about How to Respond to a Cease and Desist Letter
Learn what counts as deceptive pricing in e-commerce, including false discounts, hidden fees, drip pricing, and fake urgency. Revision Legal’s internet law attorneys help online retailers stay compliant with FTC rules.
Read more about What Counts as Deceptive Pricing in E-Commerce?