The rise of facial recognition technology: where we are and what to expect
This is a guest post by Jeffrey N. Rosenthal and David J. Oberly of Blank Rome LLP.
This is the first article in a two-part series examining the rapid rise of facial recognition technology. Part one discusses the use of facial recognition technology and the risks/challenges associated therewith, as well as an overview of the legal landscape related to biometrics generally. Part two provides tips and strategies for corporate entities incorporating facial recognition into their business activities to maximize effectiveness while ensuring compliance with the wave of facial recognition-related laws to minimize potential risk.
At the turn of the century, facial recognition technology was more science fiction than fact. In recent years, however, rapid technological advances have fueled a proliferation of this technology—which continues to expand into new areas of our public and private life. Yet several sizeable challenges and obstacles still exist in effectively incorporating this technology into commercial operations. At the same time, some consumers may be skeptical about allowing facial recognition into additional aspects of their daily lives.
To further complicate matters, various states and municipalities are enacting new, stringent laws regulating the use of facial recognition technology by commercial entities. It is thus imperative all companies using facial recognition technology take actionable steps to leverage this technology in a manner that complies with current (and anticipated) laws while building and maintaining consumer loyalty and trust in the process.
Overview of the use of facial recognition technology
Facial recognition technology involves the process of using “biometrics” (i.e., individual physical characteristics) to digitally map an individual’s facial “geometry”—such as the distance between an individual’s eyes, between his/her forehead and chin, and the width of his/her nose. These measurements are then used to create a mathematical formula known as a “facial template” or “facial signature.” This stored template or signature is then used to compare the physical structure of an individual’s face to confirm their identity or to uniquely identify that individual.
Facial recognition technology has significantly enhanced the operations of businesses across all industries in a myriad of ways—including with respect to security/identity fraud prevention; access and authentication; and accessibility to accounts and services. As a result, facial recognition software has become increasingly popular among companies, and is now heavily relied upon in a range of commercial contexts.
For example, biometric self-boarding gates—which use facial recognition technology to verify travelers by capturing passengers’ photos—have started popping-up at airports across the country. Facial recognition is also now commonly used as an authentication mechanism to unlock mobile devices, serving as a robust method for safeguarding personal data.
Facial recognition is also becoming increasingly common in the retail marketing and advertising context to identify the unique characteristics of shoppers (like age/gender) which allows retailers to target in-store offerings like how online advertisements use personal data to tailor ads to individualized interests. Moving forward, facial recognition technology will continue to advance at a rapid rate until it ultimately becomes a ubiquitous aspect of our daily lives.
Challenges and risks
While facial recognition technology provides a range of noteworthy benefits, its use is also accompanied by significant risks and challenges.
The first risk/challenge pertains to privacy. While society is generally accepting of being monitored by security cameras, facial recognition technology takes this concept one (significant) step further—identifying and tracking an individual’s public movements, evoking visions of a “Big Brother” surveillance state. At the same time, Amazon, Google, Microsoft, and other tech companies are in the process of developing facial recognition technology to “read” emotions and infer how people feel based on facial analysis—which raises its own set of privacy concerns.
Second, facial recognition technology also carries data security risks/challenges. Like other types of sensitive personal information, facial recognition technology stores much of the data it collects on individuals’ faces in databases, which are particularly susceptible to data breaches. Unlike usernames and passwords, however—which can easily be changed—once an individual’s facial template is compromised that data loses its ability to be used as a secure identifying feature.
Third, from a technical standpoint, facial recognition technology currently suffers from accuracy problems. Despite being characterized as one of today’s most promising new technologies, facial recognition is still in its infancy; it is far from perfected. Of particular concern is how the current technology is much less accurate in identifying people of color and women, thereby creating an enhanced risk of misidentification of minorities.
To further add to the challenge, and because of these shortcomings, some consumers have developed deep concerns and reservations about the use of this technology. Combined, companies that use (or intend to use) facial recognition technology must confront considerable obstacles and challenges to successfully integrate it into their day-to-day operations. This includes tackling the current flaws and limitations of the technology, as well as in addressing and alleviating consumers’ fears about the implications of its widespread use in more and more aspects of our lives.
The legal landscape
Due to concerns about companies using facial recognition technology in a safe and responsible manner, lawmakers across the country have sought ways to force companies to tighten their practices in several different respects.
One of the approaches legislators have taken is adding facial template data into the types of protected “personal information” which, if compromised, triggers breach notification obligations on the part of impacted entities.
In addition, new state consumer laws—most particularly the California Consumer Privacy Act (“CCPA”)—also include facial template data (and other forms of biometric data) within their definitions of “personal information.” Beyond that, the CCPA also requires covered entities provide notice to consumers as to how facial template data is used and provides a private right of action if facial template data is involved in certain data breach events.
To combat the risk facial template data and other biometric data poses, several states enacted new laws that focus directly on regulating the collection and use of facial template data by business entities. Illinois’ Biometric Information Privacy Act (“BIPA”) is generally considered the most stringent of all the state laws. Under BIPA, a private entity cannot collect or store biometric data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action provision that permits the recovery of statutory damages ranging between $1,000 and $5,000 by any “aggrieved” person under the law, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations. Beyond Illinois, Texas and Washington have also enacted biometric privacy laws that cover the use of facial recognition technology, which impose similar requirements relating to notice, consent, and mandatory security measures.
In addition, many states are poised to enact their own versions of biometric data privacy legislation in the near future—with several legislatures currently considering similar statutes focused on the regulation of facial template data and other biometric data. Given the increasing use of facial recognition technology, and the potential severe, permanent adverse consequences when this type of data is compromised, more regulation by states (and potentially the federal government) may be likely.
What this means for companies utilizing facial recognition technology
Ultimately, there are many risks/concerns pertaining to facial recognition technology that must be addressed by companies to successfully integrate this technology into their day-to-day business operations. Moving forward, both state and municipal legislatures will continue to look for new-and-improved ways to have companies strengthen their facial recognition practices, leading to greater regulation in the coming months and years.
With more and more jurisdictions seeking to enact facial recognition laws of their own, it is imperative that companies utilizing facial recognition technology devote the necessary time, effort, and resources to effectively comply with the facial recognition laws that are currently on the books. These companies should also be ready to respond to the rapidly evolving legal landscape governing the use of this technology, which is sure to see many significant changes in the immediate future.
About the authors
Jeffrey N. Rosenthal is a partner at Blank Rome LLP. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. David J. Oberly is an associate at Blank Rome LLP and is a member of the firm’s Cybersecurity & Data Privacy group.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.