Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting).

There is currently no federal statute that expressly regulates private-sector use of facial recognition technology. Nonetheless, the FTC, which has authority to prevent unfair and deceptive practices, has expressed interest in the privacy implications of facial recognition technology, has issued a set of best practices concerning its use, and has investigated organizations that it believes violated those recommendations.

At least two states have also enacted statutes that govern the technology. Those statutes require that a company (1) notify state residents that the technology is in use, and (2) obtain the consent of those subject to the technology.

1

Number of years that an organization is allowed to keep biometric data under state law after the purpose for which it was collected has expired.1

30%

Percentage increase in accuracy of facial recognition algorithms over a three year period.2

80

Number of public comments received following FTC workshop on facial recognition technology.3

5

Number of state data breach notification laws that may apply to facial recognition telemetry if lost or stolen.4

$5,000 - $25,000

The range of possible fines and damages that could be assessed under state law for each violation of a facial recognition statute.5


Practices recommended by the FTC when deploying facial recognition technology:

  1. Companies should maintain reasonable data security for consumers’ images and facial geometry.
  2. Retention and Disposal. Companies should establish and maintain appropriate retention and disposal practices for consumers’ images and facial geometry.
  3. Sensitivity of Video-Feed. Companies should consider the sensitivity of the data that they capture including, specifically, not placing cameras in areas in which consumers would not expect them (g., locker rooms, bathrooms, health care facilities, etc.).
  4. Notice. Companies should provide “clear notice” when facial recognition technology is being utilized.
  5. Opt-in Consent For Materially Different Use. Companies should obtain consumers’ affirmative express consent if they use an image in a “materially different manner” than was represented when the facial geometry was collected.
  6. Opt-in Consent For Sharing. Companies should obtain consumers’ affirmative express consent if they identify anonymous images of a consumer to someone who could not otherwise identify the consumer.

1. Tex. Bus. & Com. Code § 503.001(b)(3).

2. National Institute of Standards and Technology, NIST: Performance of Facial Recognition Software Continues to Improve, (June 3, 2014), http://www.nist.gov/itl/iad/face-060314.cfm.

3. See, Public Comments, FTC Matter No. P115406.

4. Bryan Cave LLP, Data Breach Notification Survey (2015).

5. See, 740 ILCS 14/20 (1)-(4); Tex. Bus. & Com. Code § 503.001(d).