How Cos. Can Comply with Portland Facial Recognition Ban

Law360

As the use of facial recognition technology increases, so too have the associated legal and privacy risks. This has prompted lawmakers to impose stricter limits over this especially sensitive type of biometric data.

Recently, the city of Portland, Oregon, introduced a new type of biometric regulation — an outright ban of facial recognition technology.

The Portland law — which went into effect at the start of 2021 — goes further than similar laws by barring not just the public use of this technology by the government, but by barring any use whatsoever. As such, this new law is expected to affect the larger biometric privacy landscape for years to come.

Facial Recognition Technology Explained

Facial recognition technology involves the use of biometrics, i.e., individual physical characteristics, to digitally map an individual's facial geometry. These measurements are then used to create a mathematical formula known as a facial template or facial signature. This stored template or signature is then used to compare the physical structure of an individual's face to confirm their identity or uniquely identify that individual.

The Portland Law

The new Portland law bans essentially all types of private businesses — including hotels, retailers and convenience stores, just to name a few — from using facial recognition for any purpose within the borders of Portland.

The law also contains a private right of action that gives the ban teeth by permitting any person injured by a violation thereof to pursue class action litigation and recover damages in the amount of $1,000 per day for each day of violation, as well as attorney fees under some circumstances.

What This Means for Companies Using Facial Recognition Technology

While the law only applies to businesses operating within the city limits, Portland's private sector facial recognition ban is likely to have a substantial impact on the national landscape of biometric privacy.

In recent years, cities, states and the federal government have increased their efforts to impose strict requirements and limitations over facial recognition technology.

In 2020 alone, multiple states introduced bills that directly targeted facial biometrics — including Idaho's Facial Recognition Technology Act, H.B. 492; Maryland's Facial Recognition Privacy Protection Act, H.B. 1578; and Louisiana's Act Relative to Facial Recognition Software, H.B. 662. Although none of these bills were enacted in 2020, lawmakers' awareness of the need for regulation over facial biometrics is clear.

For example, the Idaho bill's declaration of policy notes that Idaho lawmakers have found that the use of facial recognition services by the private sector can present risks to privacy, democratic freedoms and civil liberties that should be considered and addressed.

At the same time, the state's legislators also acknowledge this technology can be used in a variety of beneficial ways. As such, Idaho has taken the position that legislation is required to establish safeguards to allow industries to use facial recognition services in ways that benefit society — while prohibiting uses that threaten privacy, democratic freedoms and civil liberties.

Enter Portland's private sector facial recognition ban. Beginning with San Francisco in 2019, many jurisdictions have enacted bans over the use of facial recognition technology. Until now, these bans have been limited to the public sector generally, and law enforcement, in particular. The Portland ordinance is thus unprecedented in its all-encompassing scope.

This private sector facial recognition ban will likely have a widespread impact. First, Portland's success in enacting a sweeping ban may influence lawmakers in other parts of the country to try their hand at enacting similar laws barring private entities from using facial recognition or other forms of biometrics.

In addition, the Portland law may provide strong encouragement to lawmakers contemplating the prospect of enacting robust regulation over the use of this technology — but who do not have an appetite for passing an outright ban — to push forward with strict regulation paralleling that of Illinois' Biometric Information Privacy Act.

At the same time, facial recognition has also garnered a significant amount of negative publicity stemming from controversial and undisclosed uses. Recently, the world learned about the alleged practices of facial recognition startup Clearview AI, which built a massive database of facial templates of millions of individuals and then sold access to its database to both law enforcement and private entities.

In addition, other companies have also made headlines — for the wrong reasons — regarding purported practices involving the deployment of facial recognition technology for security/surveillance purposes without disclosing their use to patrons/customers.

This sustained negative news coverage will only add to the pressure on lawmakers to make stringent regulation over facial recognition software a reality sooner rather than later.

Further, while states and cities look to enact new facial recognition laws of their own, the Federal Trade Commission has set its sights on policing improper facial recognition practices at the federal level.

Just recently, the FTC announced it reached a proposed settlement with photo app developer Everalbum Inc. stemming from the company's alleged deceptive practices. Notably, the Everalbum settlement represents the first FTC case specifically targeting facial recognition technology. In announcing the settlement, the FTC also cautioned that ensuring companies adhere to their practices, promises and representations about facial template data and other forms of biometric data will continue to be a high priority for the agency.

And while all five FTC commissioners approved the proposed settlement, FTC Commissioner Rohit Chopra penned a separate statement of his own to express his support for a moratorium or restrictions on the use of facial recognition technology.

Taken together, potential exposure stemming from the use of facial biometrics will increase steadily — if not drastically — in the immediate future.

Compliance Tips

Fortunately, there are several key, actionable steps companies can take to leverage facial recognition technology in a manner that satisfies their legal obligations.

For Portland companies, immediate action should be taken to ascertain whether any form of facial recognition software is currently being used. If so, companies should evaluate whether any alternative technologies — such as biometric fingerprint scanning, which falls outside the ban — can be implemented to accomplish the same objectives.

Companies operating outside Portland should consider implementing the following action steps where feasible.

Transparency Regarding the Use of Facial Biometrics

Companies that use facial recognition technology must make a concerted effort to be as transparent as possible. Companies can significantly limit their exposure by placing an emphasis on ensuring relevant information regarding recognition practices is offered to users/consumers at each stage of the biometric data lifecycle.

Adherence to Representations Made Regarding the Use of Facial Template Data

Companies should ensure that organizational practices relating to facial template data are consistent with their representations regarding how and why they collect, use, store, retain and delete facial template data.

Accuracy and Bias Testing

Because facial recognition software can produce results that are biased in ways that harm certain ethnic and racial groups, predeployment testing of facial recognition technology should be completed to ensure its effectiveness and accuracy before it is used in real-time situations.

Privacy Policy

Companies should develop a publicly available facial recognition-specific privacy policy that provides clear notice that facial template data is being collected, as well as additional information regarding the purposes for which the data is used and the companies' schedule and guidelines for the retention and destruction of this data.

Written Notice

Companies should provide advance written notice — separate and apart from any privacy policy, terms-of-use page or similar document — that clearly informs individuals that facial template data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is destroyed.

Written Consent

Companies should obtain advance, written consent — such as through a signed written release, digital signature or an affirmative opt-in pop-up used for the express purpose of obtaining consent — from all individuals prior to any facial template data collection and disclose whether this data is transmitted to third parties for business purposes.

Opt-Out Provision

Companies should permit individuals to opt out of the collection of their facial template data.

Data Security

Companies should maintain data security measures to safeguard facial template data that satisfy the reasonable standard of care applicable to the company's given industry and that protect facial template data in a manner that is the same or more protective than the manner in which the company protects other forms of sensitive personal information.

Explicit Prohibitions on Using Technology for Discriminatory Purposes

Finally, companies should maintain an explicit policy strictly barring the use of facial recognition technology by employees, contractors or vendors to unlawfully discriminate against individuals or groups of individuals.

Conclusion

Facial recognition technology has brought wholesale changes to the operations of businesses from coast to coast, fundamentally transforming a myriad of industries.

At the same time, liability stemming from the use of this technology is also rapidly expanding as cities, states and Congress look to impose strict requirements and limitations over — and even outright bans of — the use of facial biometrics. The FTC's recent interest in policing improper facial recognition practices will further expand the scope of potential liability.

As such, companies that are currently leveraging the benefits of facial recognition software or intend to do so in the immediate future — even those whose operations are in jurisdictions where no biometric privacy regulation currently exists — are advised to take proactive measures to develop and implement facial recognition biometrics compliance programs.

“How Cos. Can Comply with Portland Facial Recognition Ban,” by Jeffrey N. Rosenthal and David J. Oberly was published in Law360 on January 22, 2021.