Geared Up 2023, Issue 3 | Page 68

Technology on Your Radar? Be Careful.

by Justin Klein

Question: Can private businesses use facial recognition technology for commercial purposes – for example, to capture customer demographic information?

Answer: Yes, depending on the location of the business, a private business can use facial recognition technology for commercial purposes. In doing so, a business may be required to obtain consent and follow other rules while collecting, using and/or sharing information gained from the utilization of facial recognition technology.

Currently, there are no federal laws that apply to facial recognition technology (FRT). While there has been federal legislation introduced that would impact FRT (i.e., Facial Recognition Act of 2022 and The Facial Recognition and Biometric Technology Moratorium Act of 2023), commercial use of FRT is regulated by a patchwork of state and local laws. Most state and local laws concerning FRT focus on its application in government settings, where the government is collecting FRT and other biometric data to use in the investigation and prosecution of criminal matters.
There are a few states and local municipalities that do have laws surrounding commercial use of FRT. So far, every law requires operators to gain subjects’ consent before collecting their biometric data. Some legislation requires consent to be opt-in (usually referred to as “affirmative,” “written” or “unambiguous” consent), as well as freely given, specific and informed. Others do not specify what is meant by consent.
One approach that indirectly regulates commercial FRT use is to regulate the collection and use of biometric data. Illinois’ Biometric Information Privacy Act (BIPA) provides that private entities seeking to use consumers’ biometric information, including facial recognition, must first notify them of the collection. Disclosure of collected biometric data is prohibited without consent, and entities cannot profit from the data. By affording consumers a private right of action, BIPA allows them to hold companies like Clearview AI and Facebook accountable.
Both Texas and Washington have biometric privacy laws with similar requirements to BIPA, but consumers in these states are not entitled to a private right of action. Laws like BIPA have various requirements for businesses to be compliant, such as providing notices related to the type of biometric data, specific purpose of the collection and time period of collection and storage of the data. Businesses may also be required to: have a written retention and destruction policy for biometric information; include restrictions on obtaining biometric information; prohibit profiteering from biometric information; restrict sharing of biometric information (which can impact the franchisor/franchisee relationship); and maintain a security program to ensure the safe collection and storage of biometric identifier data. In 2009, Texas passed the “Capture or Use of Biometric Identifier Act,” or CUBI. CUBI imposes a penalty of “not more than” $25,000 for each violation. However, unlike Illinois, there is no private right of action. In February 2022, Texas Attorney General Ken Paxton acted under the CUBI legislation and filed suit against Facebook, claiming that Facebook owed billions to the state for violating CUBI for not obtaining user consent when collecting the biometric data of more than 20 million Texas residents.
Another indirect approach can be seen in the handful of comprehensive data privacy laws recently passed that include facial recognition data in their scope. The only law currently in effect is the California Consumer Privacy Act (CCPA). It provides consumers certain rights related to their facial recognition data, such as the right to access, opt-out of the sale of and delete their data. Supplementing the CCPA, the California Privacy Rights Act (effective January 2023) allows consumers to limit a business’ use and disclosure of their collected data. Colorado’s privacy law (effective July 2023) requires businesses to obtain consent prior to processing consumers’ facial recognition data, which falls under the law’s definition of “sensitive data.”
Currently, only a few jurisdictions directly regulate the commercial use of FRT. For example, Portland, Oregon, prohibits private entities from using FRT in “places of public accommodation.” Other states or municipalities have legislation pending as well.
In July 2021, also by way of example, New York City passed a