Loyola University Chicago School of Law, JD 2021
The use of facial recognition technology in the commercial context generates numerous consumer privacy concerns. As technology becomes increasingly present in many aspects of our lives, regulations at the state and federal levels are struggling to catch up. Currently, only three states (Illinois, Washington, and Texas) have implemented biometric privacy laws, and only Illinois grants individuals a private right of action.
Why are regulations needed?
Facial recognition data is both personal and sensitive. Unlike credit card numbers, passwords, or even names, which can be changed from time to time, the biometric information captured from an individual’s face is biologically unique and has a heightened risk for identity theft once it is compromised. Rapidly changing technologies, such as cameras that capture facial images from greater distances and with enhanced precision, only serve to further aggravate the problem. Moreover, compromised biometric data is not only a privacy issue, but also a fundamental ethics issue. According to Wojciech Wiewiórowski, an acting European Data Protection Supervisor, “turning the human face into another object for measurement and categorization by automated processes controlled by powerful companies and governments touches the right to human dignity.”
Current regulations at a glance
As of today, there is no federal law that regulates the collection of biometric data. In 2012, the Federal Trade Commission (“FTC”) raised concerns surrounding this issue and in turn released a “Best Practices” Guide for companies that use facial recognition technology. In the Guide, the FTC underscores the importance of companies obtaining affirmative consent from consumers before extracting and collecting their biometric identifiers and biometric information from digital photographs. While helpful, this recommendation does not have any enforcement power.
At the state level, only Illinois, Washington, and Texas have passed biometric legislation. Arizona, Florida, and Massachusetts have proposed legislation, and other states are also considering biometric data protection. The Illinois Biometric Information Privacy Act (“BIPA”) is for now “the gold standard for biometric privacy protection nationwide” according to the Electronic Frontier Foundation. It states that a private entity may not obtain and/or possess an individual’s biometric information unless it: (1) informs that person in writing that biometric identifiers or information will be collected or stored; (2) informs that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used; (3) receives a written release from the person for the collection of his or her biometric identifiers or information; and (4) publishes publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information. Most importantly, any person aggrieved by a violation of BIPA has a right of action.
Current biometric privacy litigation
The following are just a few of the many current cases brought under BIPA.
MegaFace: A Flickr user, Chloe Papa, who posted photos of her children 14 years ago has now found their faces in a MegaFace database that is used to train face-identification algorithms. By law, most Americans do not have the right to sue MegaFace, but Chloe, as a resident of Illinois, is protected under one of the strictest state privacy laws—BIPA.
Vimeo: On September 20, 2019, Plaintiff Acaley brought a class action for violation of BIPA against Vimeo, claiming Vimeo “has created, collected and stored, in conjunction with its cloud-based Magisto service, thousands of ‘face templates’—highly detailed geometric maps of the face—from thousands of Magisto users” without consent.
Facebook: In August 2019, the Ninth Circuit affirmed the district court’s decision and rejected Facebook’s action to dismiss a class-action lawsuit alleging it illegally collected and stored biometric data using facial recognition technology for millions of users without their consent. Under BIPA’s penalty, the class action could cost Facebook up to $35 billion.
Efforts on future regulations
The Commercial Facial Recognition Privacy Act of 2019 was introduced in the U.S. Senate on March 14, 2019, with bipartisan sponsorship. This was the first attempt at federal regulation of biometric technology in the country. FaceFirst, a facial recognition platform that provides AI-enabled security and identity management solutions, is working closely with U.S. lawmakers on facial biometrics privacy regulations and working to help move forward the Commercial Facial Recognition Privacy Act of 2019. The primary focus of the collaboration is to protect consumer biometric privacy without obstructing technological innovation.
Amazon has also joined the game. Its public policy team is initiating facial recognition regulations amidst criticism of its cloud computing software Rekognition, which allows law enforcement to track faces. Amazon CEO Jeff Bezos said that there is a lot of potential for abuse of facial recognition and that regulation is necessary.
The future looks bright as interested parties are collaborating to bring about a comprehensive and robust framework for biometric privacy protection instead of wrestling against each other. However, can we truly trust the tech giants and AI-based facial recognition platforms to write their own rules of the game?