Before you implement a biometric system, make sure you’ve addressed a potentially thorny issue – how you will protect collected data. Occupants should feel confident that their personal information will be safe and should know in what instances, if any, that data is released to a third party. Look to these federal and state precedents for guidance.
Facial Recognition Raises Federal Privacy Concerns
Have you ever been automatically tagged in a Facebook photo, or does your smartphone unlock when it sees your face? In these situations, you’ve voluntarily consented to allow software to authenticate you. But what happens in situations where facial recognition is used without your knowledge?
The U.S. Government Accountability Office (GAO) released a report in July 2015 that details the confidentiality issues that facial recognition technology raises. Building owners may be surprised to learn that “federal law does not expressly address the circumstances under which commercial entities can use facial recognition technology to identify or track individuals, or when consumer knowledge or consent should be required for the technology’s use. Further, in most contexts federal law does not address how personal data derived from the technology may be used or shared.”
While various statutes already exist to protect personal information collected by private sector entities, it’s not clear if facial recognition can be used to identify an individual (as opposed to simply authenticating them) or if their movements can be tracked.
This lack of legal clarity “also raise[s] concerns that information collected or associated with facial recognition technology could be used, shared or sold in ways that consumers do not understand, anticipate or consent to,” notes the report.
This leaves businesses without guidance on how to properly employ facial recognition and what protections are required for the biometric data gathered. For example, while it’s necessary for a business to prominently post that the premises is under surveillance, management is not under any obligation to notify occupants that facial recognition technology is in use. This eliminates the ability of individuals to “opt in” or consent to being identified.
When facial recognition analytics are embedded in surveillance cameras rather than deployed as a standalone system, it could be even more difficult for individuals to know their faces are being scanned. Until federal guidelines have been clarified, companies may want to err on the side of caution and ensure occupants electively participate in facial recognition.
Texas and Illinois Mandate Consent with Biometrics
In the U.S., only Texas and Illinois have adopted privacy laws that directly address commercial uses of biometric identifiers, notes the GAO. Both states’ laws:
- Require private entities to obtain a person’s consent before collecting a biometric identifier of an individual.
- Prohibit sharing that person’s biometric identifier with a third party, unless the disclosure meets an exception, such as for law enforcement or to complete a financial transaction that the individual requested or authorized.
- Govern the retention of biometric records, including requirements for protecting biometric information and destroying such information after a certain period of time.
According to the National Conference of State Legislatures, most states have general privacy laws applicable to personal data, which may also potentially apply to information from facial recognition technology. As of January 2015, 47 states, Washington, D.C., and several territories had enacted legislation requiring companies to notify residents if their personal information in the companies’ custody was compromised. Over 30 states and Puerto Rico also require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable after it is no longer being used or after a specified amount of time.