By Kelly Wong
Individuals are uninformed as to what happens with their biometric information or their facial measurement information when they upload a photo into a photo-sharing application or open up their phones using their face. Finally, the Senate has acknowledged that individuals should be informed and have control over their facial biometric information by proposing the Commercial Facial Recognition Privacy Act (“FRA”). The FRA would mandate that companies obtain an individual’s consent prior to the collection of facial recognition data and require that companies disclose that they are using facial recognition technology. Notably, the Act aims to address issues around the technology’s bias and accuracy. Amidst other state laws that currently regulate biometric information, this bill goes further in that it has the enforcement of the Federal Trade Commission and in some respects it has more comprehensive protections than the Illinois Biometric Information Privacy Act (“BIPA”).
The FRA places an emphasis on obtaining an individual’s affirmative consent. The bill states that a company cannot knowingly collect an individual’s facial recognition data without their affirmative consent coupled with notice that the company has facial recognition technology present. Furthermore, a company must disclose information that would allow an individual to obtain more information about a company using facial recognition technology, along with documentation that states the capabilities and limitations of facial recognition technology. The FRA’s language mirrors BIPA, which states that a company must provide to an individual its purpose for the collection and storage of biometric information. BIPA is the nation’s strongest biometric privacy act, which encompasses facial recognition data. The FRA goes further than BIPA in that it mandates that companies state where an individual can obtain more information concerning facial recognition technology, whereas, BIPA only requires that a company state the purpose for its use. Providing individuals with information as to facial recognition technology allows the public to be more cognizant of the capabilities of this technology and to make a more informed decision prior to disclosing their facial recognition data to a company.
The FRA applies further restrictions on companies with regard to consent. Not only does the FRA require affirmative consent from individuals prior to collection, it also requires further consent if the company uses the data for a different purpose than the one originally stated prior to the initial collection of facial recognition data. Under the FRA, like BIPA, companies must obtain affirmative consent from individuals prior to sharing data with unaffiliated third-parties. Furthermore, the FRA obliges companies to disclose to individuals their practices concerning collection, storage, deletion and use of facial recognition data. BIPA has stronger provisions regarding deletion in that it requires a deletion schedule of biometric information, while the FRA only requires a deletion schedule if the company has the ability to delete the information. Overall, the FRA and BIPA have similar provisions regarding consent and retention schedules of biometric information which will be important for the protection of individual privacy. The fact that individuals will have the right to know how their facial recognition data is being stored will incentivize companies to implement secure storage systems and place more accountability on companies.
The FRA also aims to prevent bias and improve accuracy in these technologies to prevent the misidentification of individuals. To do so, the FRA states that companies must use meaningful human review before making a final decision based on the output of facial recognition technology. Accordingly, human review is needed if the final decision results in foreseeable material, physical, or financial harm to an individual or would be highly offensive to an individual. In other words, companies must review facial recognition technologies to ensure that there aren’t any issues with bias or identification accuracy prior to placing them in the market. Neither BIPA nor any other biometric state law has this provision in their statutes making the FRA the first to regulate technologies in this manner. This provision is especially important to an individual’s privacy because if technologies are flawed, consumers are at risk of being harmed through gender or race bias.
Overall, the FRA is a big step into the protection of biometric information, albeit only be through facial recognition data. The FRA’s provisions are exceptionally similar to BIPA, which is promising since BIPA has the strongest biometric data protection in the nation. Even more, the FRA goes further in including a provision for the prevention of bias in these technologies, and it has the enforcement of the FTC, which will be tougher on companies. It is with hope that the Senate will begin to explore protections for other types of biometric information, or that this Act is amended in the future to include all biometric information.
Student Bio: Kelly Wong is a second-year student at Suffolk University Law School. She is currently a staff member of the Journal of High Technology Law. She graduated from the College of the Holy Cross in 2017 with a Bachelor of Arts in Economics.
Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.
