Facial Recognition Technology: How Much Can State Law Protect Users?

Sei Unno

Associate Editor

Loyola University Chicago School of Law, JD 2019

Facial recognition has become mainstream, whether the laws are ready or not. Video games are using facial recognition to check the ages of their users and cars are being equipped with technology to identify drivers who are fatigued or distracted. In the U.S., states have passed their own laws to protect their residents’ privacy. Now, the Senate is considering a federal policy.

Applications of facial recognition

At the beginning of the year, the Google Arts and Culture application featured a program that could match the user’s face with a piece of historical art. However, this feature was not available to users in Illinois, most likely because of the Illinois Biometric Information Privacy Act. Texans were also prevented from using the feature because of a similar statute regulating biometric identifiers.

Although finding your twin in a historical art piece is one application of facial recognition, the technology is proliferating across the technology landscape. From Apple’s FaceID to facial recognition in airports like LAX, facial recognition is increasingly sneaking into daily life. Even schools are considering integrating facial recognition software, with companies like RealNetworks offering the software to schools for free.

SAFR, developed by RealNetworks, is advertised as a “highly accurate, AI-based facial recognition platform architected to economically scale at high performance with rapid processing to detect and match millions of faces in real time.” SAFR is offering the technology at no cost for K-12 schools in the United States and Canada. SAFR explains that its product can recognize faces from a distance, detect facial expressions, and even know if someone is wearing heavy makeup.

State law

The Texas law states that a person cannot capture an individual’s biometric identifier for a commercial purpose unless they notify the individual and receive consent. The definition of biometric identifier includes records of face geometry. But what exactly is face geometry? Apple describes FaceID as a process of projecting and analyzing over 30,000 invisible dots on an individual’s face as well as an infrared image. Apple also describes the data as “mathematical representations” of an individual’s face. It’s unclear whether the phrasing of the statute will be robust enough, considering the advancements of facial recognition technology and its pairing with machine learning. The question remains, however, how far a company can claim commercial purpose.

The Illinois law also uses the same language of “face geometry.” Interestingly, biometric identifiers do not include photographs, tattoo descriptions, demographic data, or other presumably immutable physical characteristics. Amendments to the Biometric Information Privacy Act have been proposed in the House and Senate. Google and Facebook were involved in the process, proposing that the Act does not apply to private entities if they are not selling, leasing, trading, or similarly profiting from the information or if the “private entity stores, transmits, and protects the biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which [sic] the private entity stores, transmits, and protects other confidential and sensitive information.” The influence of technology companies like Google and Facebook on the state level provides a sneak peek at the level of influence they may have on the federal level.

California recently passed a privacy bill that will go into effect in 2020, the California Consumer Privacy Act (CCPA). The CCPA gives consumers greater control and knowledge over their data by allowing consumers to opt out of the sale of their information to third parties. The definition of personal information includes visual or similar information. Therefore, the definition may be broad enough to include the data needed for facial recognition technology.

Current litigation

A lawsuit was filed against Facebook by Illinois citizens under the Biometric Information Privacy Act for using and storing users’ facial information without consent. The United States District Court for the Northern District of California certified a class of Illinois plaintiffs for whom Facebook had stored a face template after June 2011. The feature in question is auto-tagging. Auto-tagging is a feature that notifies you anytime a picture of you is uploaded (either by your friends or perhaps an account impersonating you). Although the feature can be disabled, the plaintiffs argue that their rights have been violated. Facebook responded by stating that the Facebook users did not suffer an actual injury.

The potential of a national framework

Is it time that the United States implement a comprehensive privacy act like GDPR or Japan’s Act on the Protection of Personal Information (APPI)? The current privacy legal landscape is a convoluted web of statutes, ranging from the Federal Trade Commission Act to HIPAA to FERPA. But this patchwork has evidently not helped appease public fears about data privacy. The Pew Research Center has reported that about half of Americans do not trust the federal government or social media sites to protect their data. Additionally, two-thirds of Americans do not think that the current laws are robust enough to protect their privacy.

A combination of GDPR and the Act on the Protection of Personal Information would provide a comprehensive framework that is robust enough to tackle current privacy concerns but flexible enough to accommodate the changing technological landscape. Territory and jurisdiction should be global in scope, as U.S. companies, residents, and citizens not only travel abroad but also visit foreign websites. Personal information should be defined broadly in order to include any advances in technology that are not currently available. The Japanese Act focuses on a distinction between sensitive and non-sensitive personal data. Unlike GDPR, the Japanese Act is focused on the use of personal information in the business context. However, the scope should be broadened in the U.S. to try to integrate the existing patchwork of federal laws.

Although unlikely to be implemented, serious discussion should be had around creating a commission like the Japanese Personal Information Protection Commission (PIPC). The U.S. equivalent of the PIPC would allow diplomatic communications surrounding different international personal information legislation and would evaluate how changes should be made to the policy as technology advances. An independent commission would also prevent big technology companies like Facebook from influencing how consumers’ privacy and data are protected.

As Congress continues to wrestle with addressing privacy issues, it should look towards what other countries have done and how to improve upon those approaches. The new legislation should harmonize not only with existing federal policies but also should be compatible with legislation in other countries, to ensure maximum consumer privacy.