First Federal Legislation Proposed Relating to Protection of BiometricsAmidst privacy concerns and booming technological innovation, Sens. Roy Blunt (R-Mo.) and Brian Schatz (D-Hawaii) have introduced a bill proposed as the “Commercial Facial Recognition Privacy Act of 2019” (CFRPA) targeting arguably the most “personal” biometric identifier—our face. While several states have enacted legislation relating to protection of biometric identifiers, this is the first federal legislation targeted at consumer protection using biometrics, namely facial recognition (FR). The purpose of the bill is to prohibit certain entities from using FR technology to identify or track an individual without obtaining the affirmative consent of that end user. Below is a high-level overview of the key components proposed by the bill:

  • Prohibited Activity and General Requirements
    • Using FR technology to collect FR data on an individual requires “affirmative consent,” which must involve an individual, voluntary and explicit agreement to the collection and data use policies of the covered entity.
      • When obtaining consent, a covered entity must make available to the individual detailed notice describing the specific practices of the processor in terms that end users are able to understand regarding the collection, storage, and use of FR data.
      • The consent must include a description of the specific collection, use and storage practices of any third-party that processes FR data on behalf of a covered entity.
      • Generally, a covered entity cannot condition service on consent unless the FR technology is required for the service.
    • FR cannot be used to discriminate against an individual.
    • Both the covered entity and any third-party that processes FR data on behalf of a covered entity must employ a meaningful human review prior to making any final decision based on FR technology, if the decision could result in physical or financial harm, or be unexpected or offensive to the individual.
    • Sharing FR data with an unaffiliated third party requires affirmative consent separate than that required for general use.
  • Exceptions
    • Applications that do not use FR technology to: (1) analyze unique personal facial features in still or video images, (2) assign a unique persistent identifier, or (3) personally identify a specific individual.
    • Controllers that use FR applications as a “security application” (i.e., loss prevention or application intended to prevent criminal activity such as shoplifting and fraud) are not subject to the affirmative consent requirement; however general disclosure, anti-discrimination, and sharing requirements still apply.
  • Security Requirements and Regulation/Enforcement
    • CFRPA requires FR providers to meet data security, minimization and retention standards as determined by the Federal Trade Commission (FTC) and the National Institute of Standards and Technology, which would be promulgated within 180 days of the act’s enactment.
    • Violation of the law shall be deemed an unfair or deceptive act or practice under the FTC Act.
    • State attorneys’ general have the power to enforce the act via civil action.
    • State law can provide greater protection and is not preempted except as inconsistent with CFRPA.
    • The proposed bill does not include an explicit private right of action for individuals.

If Enacted, How Will This Affect Existing State Biometric Laws?

Currently, only three states — Illinois, Washington and Texas — have biometric privacy laws. The current Washington statute does not specifically encompass FR technology, however, a newly proposed Washington state law would specifically address the use of FR. On the horizon, California’s sweeping new privacy law, the California Consumer Privacy Act, which will become effective on January 1, 2020, will also apply to biometric data. Additionally, at least six other states have proposed biometric laws (Alaska, Delaware, Florida, Massachusetts, Michigan and New York), several of which include a private right of action.

Illinois’ Biometric Information Privacy Act (BIPA), often considered the “gold standard” of biometric privacy laws, makes it illegal for a company to collect an individual’s biometric identifier or information, unless the company first informs the person in writing and discloses the specific purpose and length of time for which the data is being collected, stored, or used. BIPA provides a private right of action for violations — $1,000 in statutory damages for each negligent violation and $5,000 for intentional or reckless violations, as well as costs and attorneys’ fees. The two other states do not provide a private right of action.

The proposed federal law, CFRPA, clearly states that “This Act shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent . . . inconsistent with the provisions of this Act, and then only to the extent of the inconsistency.” As a result, it does not appear that the proposed federal law will affect existing state biometric laws, nor curb the marked increase in litigation relating to biometric data collection.

Why Is the Bill Limited to Facial Recognition Technology?

CFRPA’s sponsors, including Sen. Schatz, have stated that “Our faces are our identities. They’re personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces.” As reported by The Economic Times, a study from MIT Media Lab has found that FR technology is often subject to bias, specifically determining that Amazon’s FR system made errors in recognizing darker-skinned women. Additionally, more regulation and oversight of FR technologies have been supported by tech giants such as Amazon, Microsoft and Google. Brad Smith, the president of Microsoft, is a strong supporter of the bill. “Facial recognition technology creates many new benefits for society and should continue to be developed. Senators Blunt and Schatz’s bill has started an important conversation in Congress about the responsible use of this technology. We’re encouraged by their efforts, applaud their leadership and look forward to working with them to develop balanced policy.”

How Would This Affect Employers?

Employers who utilize FR technologies for authentication should closely monitor this bill. For example, some employers utilize FR to control access to physical facilities instead of ID cards. Additionally, other employers may utilize FR technologies to access services, such as access to computers and copiers.

What Can I Do Now?

Any companies that collect or store FR data or use FR technology should carefully monitor this legislation and its potential progression, as well as the various pending state biometric laws. To the extent this bill or others gain traction, companies should pay close attention to any potential revisions and changes, particularly as under CFRPA — the proposed effective date is only 180 days after its enactment. Further analysis will certainly be needed to flesh out key terms in the proposed bill, such as what constitutes adequate notice or how can affirmative consent be effectuated. Additionally, knowledge of and compliance with these laws will continue to be important to companies who utilize biometric data, or process biometric data on behalf of a covered entity, as the risks increase through an enhanced regulatory environment and potential litigation.