Regulation of the collection and use of biometric data is on the rise, a trend which is likely to continue through 2021 and beyond. Currently, three states have laws that regulate what private businesses can do with biometric data, and nearly a dozen other states and cities have proposed bills that would continue this trend. While what constitutes biometric data can involve a number of physical characteristics, one use — facial recognition technology (“FRT”) — stands out. FRT has become a clear focus of federal, state, and city governments. FRT is also particularly treacherous for companies because it is perhaps the only biometric element that can transform ordinary non-biometric data, such as photographs, simply through application of software. For this reason, companies should take special care when collecting and using pictures (which by themselves are typically not biometric data), and pay extra attention to the evolving legal and regulatory landscape.
Texas, Illinois, and Washington already have laws on the books that regulate the collection and use of biometric information, primarily through prior notice and informed consent requirements imposed on businesses. Other states have also proposed legislation: a proposed bill in New York would require private entities that collect biometric identifiers, or information derived from that data, to provide notice and obtain individuals’ informed consent before collecting the information. Many other states including Oklahoma and Kentucky have proposed legislation that would mandate the provision of clear notice and require businesses to obtain informed consent. In contrast, Florida and Utah have proposed privacy laws that focus on data subject rights and notice requirements.
Cities are now getting into the game as well, particularly where the technology moves into the physical world. Portland, Oregon enacted an ordinance flatly prohibiting the use of FRT in businesses open to the public within the city boundaries. Portland’s ordinance has a few exemptions, notably for FRT that runs automatically in social media apps. Like Portland’s ordinance, which applies to places of entertainment, retail stores, and food and drink establishments within the city’s boundaries, a bill recently proposed in New York City would apply to businesses in the city. New York would not prohibit businesses from using FRT on their consumers, but would require posting clear and conspicuous signs near all customer entrances that inform those entering of the use of FRT.
Federal Law and Enforcement on Biometric Privacy
Even where biometric data is collected from consumers not located in states with biometric data laws, businesses must be extremely careful to accurately disclose their practices around collection, use, and disclosure of biometric data. This increasing scrutiny is highlighted by the U.S. Federal Trade Commission’s January 2021 settlement with Everalbum, Inc. The Everalbum enforcement action signals to businesses the importance of not only complying with stringent state data privacy laws such as those of Illinois, Texas, and Washington, but also honoring the privacy commitments made to all consumers everywhere.
The Consent Order resolved the FTC’s allegations that Everalbum misled customers about its facial recognition technology and its data deletion procedures.
The FTC alleged that: (1) Everalbum misled users into believing that the company would only enable facial recognition technology features after receiving permission, even though the company allegedly used facial recognition by default for all users of Everalbum’s mobile app, Ever, who were located anywhere other than Texas, Illinois, Washington, and the European Union, and did not provide those users with a setting to turn off facial recognition; (2) Everalbum misled users into believing that the company would delete their photos and videos when they deactivated their accounts, even though the company stored the data indefinitely; and (3) the company used consumer photos uploaded to Ever to develop facial recognition technology that was subsequently used by both Ever and Everalbum’s enterprise brand.
In addition to other relief, the Order required Everalbum to comply with two requirements before creating a facial embedding from a photograph, or using the collected data to “train, develop, or alter any face recognition model or algorithm.”
- Second, the company would need to obtain affirmative express consent from consumers before proceeding with data collection.
The FTC also required the company to delete (a) photos and videos from deactivated Ever user accounts, (b) all facial embeddings collected from Ever users who had not provided express affirmative consent, and (c) “any models or algorithms developed in whole or in part” from user-uploaded photos and videos.
Lessons for Businesses
The Everalbum settlement and the existing and proposed laws carry a number of lessons for businesses, but perhaps none more important than the reminder to take great care when collecting biometric information and when communicating with users about it. There is a clear trend: biometric data collection is top of mind for regulators at all levels of government. Regulators will use all laws at their disposal to aggressively pursue enforcement against biometric information processing that they view as unfair, deceptive, or not sufficiently transparent, even where specific laws governing biometric data collection do not yet exist. Because there is no federal biometric privacy law, companies must choose whether to apply national (or global) standards to their biometric data collection and processing, or to take a state-by-state approach. For companies that operate nationally and globally, the compliance burden of maintaining different tiers of protection may not be feasible. Whatever approach companies take, defaulting to utmost transparency and empowering consumer choice will be the least risky option and likely the best approach for businesses in the long term.
Goodwin’s Chambers and Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs.