The Rise of Facial Recognition Technology: Best Practices to Maximize Effectiveness and Minimize Liability Risk
This is the second article in a two-part series examining the rapid rise of biometric facial recognition technology. Part one discussed the use of facial recognition technology and the risks/challenges associated therewith, as well as an overview of the legal landscape related to biometrics generally. Part two provides tips and strategies for corporate entities incorporating facial recognition into their business activities to maximize effectiveness while ensuring compliance with the wave of facial recognition-related laws to minimize potential liability risk.
Facial recognition technology provides a wide range of benefits to companies in all sectors—including enhancements to security/identity fraud prevention, access and authentication, and accessibility to accounts and services. But this technology also presents a unique set of risks/challenges, especially in the areas of privacy, data security, and accuracy. Due to these drawbacks and limitations, some consumers remain hesitant about the widespread adoption of facial recognition. As this technology has been applied in numerous new and creative ways in recent years, legislators have responded by enacting a range of laws governing facial recognition technology—even going so far as to ban it outright in some contexts.
Combined, companies utilizing facial recognition technology must find a way to address the risks posed and alleviate consumer fears, while also complying with the growing body of law governing its use in the commercial context. Fortunately, there are several actionable steps companies can take to effectively leverage facial recognition technology in a manner that complies with the law while building and maintaining consumer trust and confidence in the process.
Privacy policy
As a starting point, companies should ensure transparency as to how they collect, use, store, and dispose of “facial template data”—i.e., data measurements used to create a mathematical formula that is then compared to the physical structure of an individual’s face to confirm their identity—used during business operations by implementing a detailed facial recognition-specific privacy policy.
Privacy policies should encompass the following issues: (1) notice that facial template data is being collected and/or stored; (2) the current and reasonably foreseeable purposes for which the company utilizes facial template data; (3) how facial template data will be used; (4) a description of the protective measures used to safeguard facial template data; and (5) the company’s facial template data retention and destruction policies and practices. These policies should also strictly prohibit the disclosure of any individual’s facial template data without their consent and should ban the company and its employees from selling or otherwise profiting from any such data.
This facial recognition privacy policy should be made publicly-available, which, at a minimum, should entail inclusion in the entity’s broader online privacy policy. Companies should also update their policies whenever any material modifications are made to their facial template data management practices.
Notice
Second, to further support the principle of transparency, companies should provide conspicuous, advance notice of the use of facial recognition technology before any facial template data is captured, used, or stored. In so doing, companies should offer consumers meaningful notice regarding how facial templates are created, and how such data will be used, shared, and stored by the company. Where appropriate, or required by law, contextual and just-in-time notices may be necessary.
Companies that use facial recognition technology at a physical location owned or operated by the company should provide consumers with explicit, transparent notice of the use of such technology and, if feasible, direct consumers to where they can obtain additional information regarding the company’s facial recognition policies, practices, and protocols. Similarly, companies using facial recognition technology to identify—or “tag”—individuals depicted in photographs should provide consumers with clear advance notice about how the feature works, what data it collects, and how that data will be used.
Consent
Third, when feasible, companies should obtain express, affirmative consent from consumers before any data derived from facial recognition technology is collected, used, or stored.
The Federal Trade Commission (“FTC”) recommends companies obtain consumers’ affirmative consent before capturing or using facial template data in at least two specific scenarios. The first concerns situations where a company intends to use consumers’ facial template data in a way that diverges from what was represented when the company originally collected the consumer’s data. The second concerns situations where a company intends to use facial recognition to identify anonymous images of a consumer to someone who could not otherwise identify that individual without assistance.
From a broader perspective, with respect to the verification of individuals using facial recognition, any company engaging in one-to-one matching activities using facial template data should obtain express, affirmative consent at the time a consumer enrolls in the company’s facial recognition database. Similarly, with respect to the identification of individuals using facial recognition, any company engaging in one-to-many matching activities using facial template data should likewise obtain express, affirmative consent at the time the consumer’s facial data is collected, and before any matching activities are attempted.
Written release
Fourth, also where feasible, companies should obtain signed, written consent—in the form of a written release—from consumers authorizing the company to collect, use, and store their facial template data prior to the time any such data is captured or used for any purpose.
In signing the written consent, the consumer should acknowledge he/she has read the company’s facial recognition privacy policy, as well as the more specific, written notice provided regarding the company’s capture and use of facial template data. This consent should also make clear the consumer consents to those policies and guidelines, as well as to the capture and use of their facial template data, including the company’s ability to share such data with any service providers or third-party vendors.
Also, companies should ensure they maintain a detailed written record of how and when consent was acquired so it can affirmatively demonstrate its compliance with applicable laws in the event its facial recognition practices are tested in court. Importantly, obtaining a written release prior to the collection of any facial template data can serve as a robust defense to any claim an individual lacked adequate notice, or did not provide consent to, the use of facial recognition technology by the company.
Data security measures
Finally, companies must ensure they implement effective data security safeguards to protect all data captured, used, and stored through facial recognition technology from improper disclosure, access, or acquisition. Companies should ensure they safeguard facial template data: (1) using the reasonable standard of care applicable to their given industry; and (2) in a manner that is the same or more protective than that in which the company stores, transmits, and protects other forms of sensitive personal information. Companies should also periodically assess their facial template data security measures and complete any updates/modifications to their security programs to address and neutralize any new or evolving threats and vulnerabilities.
In terms of data security measures themselves, all facial templates should be stored separately from other personal information such as names, birthdates, and account numbers. All stored facial template data should also be encrypted, both in transit and while at rest. And companies should establish and implement appropriate retention and disposal practices. Finally, companies must ensure their facial template data is hosted and managed by a reputable, trusted third party with the requisite experience, expertise, and security controls to effectively store and safeguard facial template data.
The final word
While the power of facial recognition is immense and possesses the potential to alter almost every aspect of our daily lives, this technology is not without its limitations and drawbacks. In addition to addressing these challenges, companies using facial recognition technology must also comply with an increasingly complex maze of laws, which will only become more difficult to navigate moving forward.
Combined, companies that incorporate facial recognition technology into their business practices (even those operating in jurisdictions where no facial recognition or other biometric laws are currently on the books) should consider taking proactive measures to create/implement facial recognition compliance programs that encompass the principles and practices described above. By doing so, companies can address the significant challenges that exist in connection with the use of facial recognition technology and attempt to alleviate the notable concerns consumers possess in allowing this technology into more corners of their lives, while also maintaining legal compliance to mitigate potential risk.
"The Rise of Facial Recognition Technology: Best Practices to Maximize Effectiveness and Minimize Liability Risk," by Jeffrey N. Rosenthal and David J. Oberly was published in Biometric Update on February 4, 2020.