Facial recognition technology (“FRT”) is fast becoming a part of everyday life, from the unlocking of cell phones to the mapping of faces on social media sites.  Businesses adopting this new technology must be careful to comply with existing laws, as failure to do so can lead to hefty regulatory fines and class action lawsuits.  Earlier this year, Facebook made news when it agreed to settle one such class action for $550 million, only to have the judge point out that this record-setting figure was just 1.25% of the maximum statutory damages.  This alert surveys existing and pending laws regulating FRT.

The Proliferation of Facial Recognition Technology

Businesses are using FRT in a wide variety of ways.  Smartphones unlock when they recognize the owner’s face.  Online retailers and other companies are using FRT on apps for placing orders and making payments.  Customers can use FRT online to simulate trying on cosmetics and eyeglasses.  Brick-and-mortar retailers are using FRT to fight shoplifting.  Restaurants are experimenting with FRT to remember customer preferences and monitor wait staff demeanor.  To combat COVID-19, businesses are scanning for body temperature using technology that also captures facial geometry.

In the future, the private sector use of FRT will continue to expand.  FRT will permit secure access to offices and facilities.  Our vehicles will recognize our faces, unlock the doors and automatically adjust the driver’s seat, mirrors and controls to our desired settings.  A dashboard camera may monitor driver fatigue.  Airlines will use FRT to identify travelers at check-in and boarding, and hotels and car rental companies will use it to speed check-ins and personalize greetings.  The healthcare industry has already embraced telehealth visits and is looking to use FRT to streamline patient registration, fight insurance fraud, and diagnose certain diseases.

State Laws Specifically Focused on Biometric Identifiers

In response to the increasing use of biometric identifiers, such as fingerprints, retinal scans, and FRT, various states have enacted legislation.  Illinois, Texas and Washington have laws specifically focused on biometric identifiers.  Illinois’s Biometric Information Privacy Act (“BIPA,” 740 ILCS 14/) defines “biometric identifier” to include “face geometry,” requires consent before facial data can be collected, and restricts sales of biometric data to third parties.  BIPA famously provides for a private right of action and there have been hundreds of class actions filed under it.  

Texas’s Statute on the Capture or Use of Biometric Identifier (Texas Bus. & Com. Code Ann. Sec. 503.001) is similar to BIPA.  It also defines “biometric identifier” to include “face geometry,” requires consent, and restricts third party sales.  The Texas statute does not provide for a private right of action.

The State of Washington’s Act Relating to Biometric Identifiers (RCW 19.375.010, et seq.) differs significantly from BIPA and the Texas statute.  In particular, the Washington act defines “biometric identifier” to exclude “a physical or digital photograph, video or audio recording or data generated therefrom.”  The act does not strictly require prior consent to collect biometric data, and it does not provide for a private right of action.

State Data Protection and Privacy Laws 

California regulates biometric data through the California Consumer Privacy Act (“CCPA,” Sec. 1798.100, et seq.).  The CCPA grants California consumers robust data privacy rights and control over their personal information, which is defined to include “biometric information,” such as facial imagery from which a faceprint can be extracted.  Businesses must provide notice before collecting “personal information,” including facial data, and implement reasonable security measures for its protection.  As discussed in a prior alert, the CCPA provides for a private right of action, and consumers have already brought several class actions under it.  

State Data Breach Notification Laws

New York regulates biometric data under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) (2019 N.Y. Ch. 117). The SHIELD Act amended the state's data breach notification law to add various protections.  It broadens the definition of “private information” to include biometric data, the definition of what constitutes a breach, and the territorial reach of the law.  It also requires companies to adopt reasonable security measures to protect private information.

Various states have similar data breach notification laws covering biometric data.  These laws include Arkansas’s Personal Information Protection Act (A.C.A. Sec. 4-110-101, et seq.), Louisiana’s Data Breach Security Notification Law (La. Rev. Stat. 51:3071, et seq.), Maryland’s Personal Information and Protection Act (Md. Code Ann. Comm. Law 14-3501, et seq.), Oregon’s Consumer Information Protection Act (ORS 646A.600, et seq.), Vermont’s Security Breach Notice Act (9 V.S.A. Secs. 2430 & 2435), Colorado’s Protections for Consumer Data Privacy Act (Colo. Rev. Stat. Sec. 6-1-713. et seq.), and North Carolina’s Identity Theft Protection Act (N.C. Gen. Stat. Sec. 75-61, et seq.). 

Pending State Legislation

As we are drafting this alert, other state legislatures are considering bills that would protect biometric identifiers, including facial data.  Currently, legislation is pending in Hawaii (Senate Bill No. 418), Massachusetts (Bill S. 120) and Arizona (HB 2729) that would require prior notice to collect biometric data and grant consumers the right to have their data deleted.  The Hawaii and Arizona bills would also grant consumers the right to opt out of sales of their data, and the Massachusetts bill would grant them the right to opt out of any disclosures to third parties.

Pending Federal Legislation

The United States does not have a national data protection statute.  The Federal Trade Commission (“FTC”) protects consumer privacy under the rubric of unfair or deceptive acts or practices, and a patchwork of industry-specific laws protect personal information.  For example, the Gramm-Leach-Bliley Act restricts financial institutions’ use of “nonpublic personal information,” and the Health Insurance Portability and Accountability Act requires covered entities to protect health information.  However, there is no federal statute that specifically regulates the private sector use of FRT.

Congress is currently considering a number of privacy-related bills, at least two of which, if passed, would have a direct bearing on the private sector use of FRT.  First, Senate Bill S. 847 (Commercial Facial Recognition Privacy Act of 2019) would require affirmative consent for the collection and use of facial data.  Second, Senate Bill S. 3456 (Consumer Data Privacy and Security Act of 2020) would require express affirmative consent for the collection and processing of “sensitive personal data,” including “biometric data” and facial data.  It includes a number of other requirements as well.  Both bills would charge the FTC with enforcement but also permit actions by state attorneys general.  The second bill would require the FTC to appoint no fewer than 440 additional people to enforce laws relating to data privacy and security.

Conclusion

With class actions and regulatory enforcement on the rise, companies using FRT need to be vigilant about existing and pending legislation.  Depending on the jurisdiction, current legal requirements and best practices may include:  

(1) providing notice to consumers that the company is collecting facial images and explaining how they are stored and used; 

(2) obtaining consent before collecting facial images; 

(3) implementing reasonable security measures and practices; 

(4) providing notice in the event of breaches; 

(5) implementing policies against the sale of facial data; and 

(6) requiring vendors to comply with applicable law, to provide prompt notification of any security breach, and to permit periodic audits to ensure compliance.

For further information or for help with any of the issues discussed above, please contact any of the Hughes Hubbard lawyers listed below.

Seth D. Rothman | Partner 
Hughes Hubbard & Reed LLP
One Battery Park Plaza | New York, NY 10004-1482
Office +1 (212) 837-6872 | Cell +1 (917) 697-8093
seth.rothman@hugheshubbard.com| bio

Rita Haeusler | Partner
Hughes Hubbard & Reed LLP
1999 Avenue of the Stars, 9th Floor | Los Angeles, CA 90067-4620
Office +1 (213) 613-2896 | Cell +1 (917) 544-3587  | Fax +1 (213) 613-2895
rita.haeusler@hugheshubbard.combio

Paul Marston | Counsel
Hughes Hubbard & Reed LLP
Kojimachi Place, 9th Floor, 2-3 Kojimachi | Chiyoda-ku, Tokyo 102-0083, Japan 
Office +81-3-6272-5831 | Cell +81-80-8432-3497
paul.marston@hugheshubbard.com | bio

Shigeki Obi | Associate
Hughes Hubbard & Reed LLP
One Battery Park Plaza | New York, NY 10004-1482
Office +1 (212) 837-6106 | Cell +1 (347) 446-7428
shigeki.obi@hugheshubbard.com