What is this bill?  A new bill introduced in the U. S. Senate on March 14, 2019 would require companies to obtain explicit user consent before facial recognition data could be collected and shared. The bill is known as the Commercial Facial Recognition Privacy Act of 2019, and was introduced by Sens. Brian Schatz. D- Hawaii and Roy Blunt, R-Missouri.

What does the bill prohibit?  The bill makes it unlawful for any covered entity to knowingly use facial recognition technology to collect facial recognition data, UNLESS the covered entity obtains explicit consent from the individual after providing notice to such individuals. The bill would also require that covered entities notify individuals whenever their facial recognition data is used or collected.

To whom does it apply?

The bill, if enacted, would apply to “Covered Entities” meaning any person, including corporate affiliates who collect, store or process facial recognition data (e.g., a “Controller,”).  The bill excludes the following entities from coverage:

  • The Federal government or any state or local government;
  • A Law enforcement agency;
  • Any National security agency; or
  • Any Intelligence agency.

What is facial recognition technology (FRT)?

Technology that:

  • Analyzes facial features in “still” or “video” images; and
  • Is used for the unique personal identification of a specific individual.

What is facial recognition data (FCD)? 

Any unique attribute or feature of an individual’s face (e.g., the end user) that is used by FRT to assign “persistent” or “unique” personal identification of a specific person.

What is the notice requirement?

Generally, covered entities must provide a concise notice to individuals that:

  • FRT is present;
  • FRT will not be used in violation of federal or state law;
  • FRD will not be repurposed (other than as disclosed);
  • FRD will not be shared with an unaffiliated third party without affirmative consent; and
  • Notice includes information about capabilities and limitations of FRT in understandable terms.

What additional requirements must be met before consent may be given? 

The Controller must provide additional data to the individual describing the reasonably foreseeable purposes of, or examples of how the data will be shared, retained, as well as additional provisions about when consent is not required (e.g., emergency involving imminent danger or risk of death to individual in question).  Interestingly, the bill does not specify the mechanism for how individual consent is provided, whether scanned written signature or click through technology is permissible. 

What are the penalties for non-compliance and who will enforce?

Violation of the consent requirement will be considered an “unfair or deceptive act or practice” under section 18(a)(1)(B) of the Federal Trade Commission Act (FTC) and the FTC has responsibility for enforcing the bill.  There is no private action under the bill although the attorney general of any state who believes the interests of his or her state residents are threatened may bring a civil action on behalf of state residents in an appropriate state district court of the United States seeking relief.

What is the effect of such bill on other state laws? 

The bill expressly states that it does not preempt or affect any current state statute or regulation, except to the extent that the state statute or regulation is inconsistent with the bill. Thus, it does not appear that the bill will preempt stricter state laws that already regulate FRT, which include the laws in Illinois, Texas and Washington.

 What is the anticipated effective date if legislation is passed?

The bill will take effect, if enacted, on the date that is 180 days after enactment.

Observations? 

While there is general enthusiasm among individual consumers about the need to protect how their data is used, others are deeply concerned about whether such facial recognition technology may be developed and used in acts of bias and discrimination. Accordingly, the bill addresses these concerns by regulating the manner in which such information is shared to preserve consumer privacy.  However, given the widespread concerns, it is possible that additional protections may be incorporated into the bill to address these concerns before it becomes final.

It is worthy of note, that an increasing number of states, and even two localities, (in addition to those mentioned above) have attempted to ban and or regulate the use of facial recognition technology, including but not limited to San Francisco, New York City, Alaska, Delaware, Florida, Michigan, Massachusetts and New York, who all have pending legislation.

Despite the desire to ban the use of facial recognition technology, perhaps the more rational approach, given the apparent wide spread usage already in existence, may be to regulate usage in a reasonable manner. In fact, this is the approach advanced by a number of industry leading companies.