Report warns retailers to consider consumer privacy laws when deploying facial recognition tools
Many vendors of biometrics-based solutions have not anticipated legal and compliance challenges posed by their products, or expressly deny responsibility for those challenges, leading to increased legal action, according to the National Law Review. The article “Buyer Beware: Facial Recognition and the Current Legal Landscape” urges U.S. retailers to be prepared for consumer privacy laws to evolve as they consider implementing such technologies.
The article was authored by partners of law firm Morgan, Lewis & Bockius LLP, and compares the current context for biometrics with that of the earliest text messaging marketing programs. The programs were bought by retailers from mobile marketing vendors, “which led to a flurry of class action activity that challenged compliance and the sufficiency of consent under the Telephone Consumer Protection Act (TCPA),” according to the authors.
Illinois, Texas, and Washington are the only states with comprehensive biometric information laws, and no such federal law exists, however litigation involving biometrics has been filed against United Airlines, Intercontinental Hotels, Facebook, Hyatt, Bob Evans Restaurants, and dozens of other companies, all under Illinois’ Biometric Information Privacy Act (BIPA). Many other states have considered such regulation, according to the Review, and a coalition which lobbied against the Montana Biometric Information Privacy Act noted “a huge risk of costly class action[s].”
The article deals extensively with BIPA, but also notes the introduction of the Consumer Privacy Protection Act in November 2017 by Senator Patrick Leahy (D-VT) with six co-sponsors. The proposed legislation explicitly includes biometric data, and would empower the FTC, federal Attorney General, and state Attorneys General to bring enforcement actions. It is currently before several committees and subcommittees.
While the article recommends that retailers consider how they will obtain consent to use biometrics, how they will treat the data from collection through disposal, and how they will prevent data breach damage it also urges them when necessary to obtain written agreements with vendors covering indemnification provisions and insurance requirements.