Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions, generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted, would place limitations on the third-party sharing of collected faceprint data and would require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee on Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies.
Specific requirements, subject to certain exceptions, include:
- Obtaining end user affirmative consent and, to the extent possible, providing “concise notice” to the end user that facial recognition is present, along with documentation about such use (the bill notes that such language should not be construed to authorize the “mass scanning of faces in spaces where end users do not have a reasonable expectation that facial recognition technology is being used on them”);
- Avoiding the use of the technology for discriminatory purposes against the end user;
- Performing third-party testing prior to implementation to address accuracy and bias issues for online services;
- Not reusing the data for a purpose that is different than what the user consented to;
- Avoiding the sharing of data with outside parties without affirmative consent.
Covered entities would include any entity that “collects, stores, or processes facial recognition data” (except any governmental agency). This expansive definition would seemingly include such entities as the operator of an app that collects facial recognition data, a business that uses facial recognition on its premises (unless covered by an exception), or the outside vendor that processes such data for the original data collector.
The bill contains some notable exceptions. Perhaps most important, the bill exempts “security applications” that use the technology for loss prevention or to detect and prevent criminal activity. The bill also exempts products or services designed for “personal file management or photo or video sorting or storage if the facial recognition technology is not used for unique personal identification of a specific individual” (a provision that may or may not exempt certain social media photo tagging services or organizational apps, depending on their functionality).
While there is no private right of action, S.847 states that a violation of the covered statutory provisions shall be deemed an unfair or deceptive practice under the FTC Act and that state attorneys general would also have certain enforcement powers.
Several additional provisions of the bill deserve mention:
- Entities may not condition a service on consent by an end user to waive privacy rights where the use of facial recognition technology is not necessary for the service.
- Covered entities are required to “employ meaningful human review” before making any final decision based on the output of facial recognition technology if such a decision may result in foreseeable “material physical or financial harm” to a consumer or may be “unexpected or highly offensive” to a consumer.
- The bill mandates, among other things, that the FTC and NIST promulgate data security, minimization and retention standards for covered entities (in light of the data processor’s size, and the nature and scope of activities), as well as expand the list of exceptions under the statute in cases “where it is impossible for a controller to obtain affirmative consent from, or provide notice to, end users.”
- The law would not expressly preempt state biometric privacy laws, except to the extent such laws or regulations are “inconsistent” with the provisions of this bill [however, the text notes that if a state law affords greater protection than this bill, as determined by the FTC, such state law would not be deemed “inconsistent”].
This bill arrives after the Illinois Supreme Court’s recent decision holding that claimants need only allege a procedural violation to have standing to bring an action under the Illinois Biometric Information Privacy Act (BIPA), and following the introduction of biometric privacy bills in other state and local legislatures, including the New York City Council. While S.847 would not result in a wave of private litigation like BIPA, the bill would have national scope, would likely produce federal regulations governing the use of facial recognition technology, and would bring with it the potential for state and federal enforcement. Moreover, the bill’s notice requirement, its definitions of the covered facial recognition technologies and its multiple exceptions contain some nuance and, at first blush, will require additional interpretation before companies can develop a plan for compliance. We will certainly keep a close watch on this proposed legislation.