NTIA finalizes commercial facial recognition code of conduct
The National Telecommunications and Information Administration (NTIA) finalized its privacy guidelines for the commercial use of facial recognition last week.
Facial recognition potentially impacts a range of industry participants, including: developers of facial recognition software; retailers that employ recognition-enabled camera systems; providers of online services; and game console developers, among others.
Over the past two years, stakeholders involved in the guideline development process discussed how to ensure that consumers’ rights to control, transparency, security, access and accuracy are respected.
The process was part of the framework set forth in the White House’s “Privacy Blueprint” strategy. The Privacy Blueprint directed the NTIA to convene a series of multi-stakeholder processes that apply the Consumer Privacy Bill of Rights to particular business contexts, which included the creation of a code of conduct for the commercial use of facial recognition.
The stakeholders, according to the National Law Review, recommended in the final code of conduct that commercial entities do the following:
• Disclose their practices regarding collection, storage, and use of facial template data to consumers, including any sharing, retention, and de-identification policies;
• Provide notice to consumers where facial recognition is used on a physical premises;
• Consider privacy concerns when developing data management programs;
• Protect facial recognition data by implementing a program that contains administrative, technical, and physical safeguards appropriate to the entity’s size, complexity, the nature of its activities, and the sensitivity of the data;
• Take reasonable steps to maintain the integrity of the data collected; and,
• Provide a means for consumers to contact the entity regarding its use of the data.
Trade organizations involved in the process, including the Consumer Technology Association, the Interactive Advertising Bureau, NetChoice, the Software & Information Industry Association and the International Biometrics Industry Association (IBIA), were generally pleased with process. In statements issued at the conclusion of the process, they noted that the code of conduct would give businesses that employ facial recognition technology greater certainty about how the Privacy Blueprint’s principles apply to them.
“The clear benefits of facial recognition technology come with a responsibility to users and customers,” said Tovah LaDier, Managing Director of IBIA. “These privacy best practices will help to assure the public that facial recognition is being used responsibly and accountably. They also demonstrate the strong commitment of the industry to protecting the public’s privacy, even as new technologies and applications emerge.”
“The best practices will advance privacy, transparency and accountability among the entities that use facial recognition technology,” said Software & Information Industry Association SVP Mark MacCarthy. “As FRT applications and business models rapidly evolve, the best practices will help ensure that consumer privacy is respected and new technologies are responsibly adopted.”
“CTA is proud to be among the key industry stakeholders supporting best practices for facial recognition technologies that balance consumer protection with technological innovation,” said Alex Reynolds, director, regulatory affairs for the Consumer Technology Association. “Facial recognition tech is a rapidly developing innovation we should welcome and embrace, and we thank NTIA staff for their diligent and expert support throughout the meetings.”
“IAB thanks the NTIA for convening a privacy multistakeholder process on facial recognition technology,” said David Grimaldi, EVP of public policy for the Interactive Advertising Bureau (IAB). “Over the past 28 months we have had the opportunity to learn from a broad set of stakeholders and experts in the field of facial recognition technology. As a result of this dialogue, we are better informed about how this still-nascent technology will need to coexist with consumer expectations. We look forward to future evolutions of this conversation.”
While the process was embraced by many businesses, BiometricUpdate.com previously reported that several stakeholders withdrew from the process, including: the Center for Digital Democracy, the Center on Privacy and Technology, the American Civil Liberties Union (ACLU), Common Sense Media, the Center for Democracy & Technology (CDT), Consumer Federation of America, the Electronic Frontier Foundation (EFF), and Consumer Action. These privacy advocates withdrew from the process because they lacked confidence that the meetings would lead to establishing guidelines that enforced proper data protections.
A statement issued by CDT concerning the code of conduct contends that the privacy guidelines lacks real guidance for businesses and protection for individuals.
“Facial recognition technology raises serious privacy concerns, whether it is used for retail tracking, photo tagging, or public targeting,” said Michelle De Mooy, CDT Deputy Director of Privacy & Data. “At a minimum, businesses should notify consumers and seek permission when facial technology is used, especially if it’s being deployed to track them in public or inform decisions on issues such as employment, health care, credit, or housing. The best practices don’t even do that. Industry can and must do better.”
The best practices do not apply to the government’s use of facial recognition technology or to security applications, law enforcement, national security, intelligence, or military uses.