Biometrics is transforming the face of flying: Facial recognition compliance tips for airports and airlines
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
In recent years, facial recognition technology has evolved and advanced at an astonishing rate, fueling wholesale changes in a wide range of industries, including travel, hospitality, and retail, just to name a few. This next-generation technology has had an especially outsized impact on the commercial aviation industry, where facial biometrics is being adopted at a hurried pace by airlines and airports across the world.
As airlines and airports continue to expand their use of facial biometrics, states and cities across the country—as well as the federal government—are attempting to enact strict laws regulating the use of this technology by commercial entities. Facial recognition has also recently emerged as an increasingly-popular target for bet-the-company privacy class action litigation.
As the commercial aviation industry continues its efforts to make facial recognition technology a ubiquitous part of the travel experience, companies operating in this sector should implement robust, adaptable biometric privacy programs to ensure compliance with today’s growing body of law to reap the benefits of this cutting-edge technology while mitigating potential liability risk.
Current and Future Uses of Facial Recognition Technology by Airports and Airlines
The enhancements brought about to air travel through facial recognition are significant—offering passengers a seamless, frictionless gate-to-curb experience, and providing both a significant boost in overall customer satisfaction, as well as to airlines’ and airports’ bottom lines in the process.
For example, starting with the check-in counter, a simple face scan can provide travelers with a streamlined check-in process with less waiting time. At security checkpoints, travelers’ identities can be verified swiftly and accurately, significantly reducing travel stress and allowing more time to dine, shop, and relax before boarding. Similarly, customers can be identified and permitted access to airport lounges, while also receiving a more personalized experience, as a result of airlines’ ability to monitor customer preferences. Finally, at boarding, passengers are able to experience a simple and expedited boarding process that gets them to their seats quicker and, in turn, allows for a higher percentage of on-time departures.
Ultimately, facial recognition brings a myriad of different benefits for travelers, airports, and airlines alike. Three of the most significant benefits are in seen in the areas of enhanced security, speed, and ease of travel. For example, British Airways is now able to board 240 customers in only 10 minutes, and without causing any massive queuing on the aircraft—a major pain point of the flying experience. And without being required to spend their time checking travelers’ identification, airline staff are better able to give more of their attention to passengers who need it, such as the elderly or those with disabilities and other special needs.
Moreover, as travelers return to the skies in more regular numbers as the COVID-19 pandemic subsides, facial recognition will become a critical tool that can deployed to minimize person-to-person contact and the health risks associated with the virus, which will likely accelerate the rate at which airports and airlines adopt facial recognition and other forms of touchless biometric technologies, such as iris scans.
As a result of these benefits, the commercial aviation industry has rapidly moved toward widespread adoption of biometric technologies, and has reaped significant benefits as a result. According to recent Sita Air Transport IT Insights Report, following major investments in airport biometric technologies in 2018, 60 percent of airline CIOs reported a marked uptick in passenger satisfaction, with some seeing up to 20 percent increase.
Moving forward, airlines will continue to increase the amount of their investment in this next-generation technology in order to fast-track the current digital transformation which, in turn, will allow the commercial aviation industry to further increase the level of service they are able to offer to passengers.
In response to concerns about companies’ use of facial recognition biometrics in a safe and responsible manner, lawmakers across the country have sought to closely regulate this technology.
First, lawmakers have enacted targeted biometric privacy laws that address the collection and use of facial template data by business entities. Currently, three states—Illinois, Texas, and Washington—have such laws on the books.
Overall, Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most stringent. Under BIPA, a private entity cannot collect or store facial template data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action provision that permits recovery of statutory damages between $1,000 and $5,000 by any “aggrieved” person, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations.
Second, new state consumer privacy laws include facial template data (and other forms of biometric data) within their definition of covered “personal information.” State legislators have also amended their data breach notification laws to add facial template data to the types of “personal information” which, if compromised, triggers breach notification obligations by impacted entities.
Just recently, a new type of biometric regulation has emerged: outright private-sector bans on the use of facial recognition software. In September 2020, the City of Portland, Oregon enacted a sweeping prohibition on the use of this technology by private entities, which went into effect at the start of the year. While several other cities have enacted public-sector bans, the Portland law is noteworthy because it goes one step further by applying a blanket ban to the private sector. The scope of the ban itself is extensive, encompassing essentially all types of businesses—including banks, hotels, convenience stores, and even airports—that are no longer able to use facial recognition for any purpose within the borders of Portland.
Federal lawmakers have also targeted facial recognition. In August 2020, Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT) introduced the National Biometric Information Privacy Act of 2020 (S.4400) (the “Act”), which would impose requirements similar to BIPA from coast to coast. And also like BIPA, the Act would provide a private right of action allowing for class action litigation, which would significantly expand the scope of potential liability exposure for all U.S. companies that use biometric data in their day-to-day operations and, in turn, would likely lead to a flood of bet-the-company litigation across the nation.
Compliance Tips for Airports & Airlines
Reliance on facial recognition technology will continue to expand for both airlines and airports until it is a ubiquitous part of the travel experience—a point that may come sooner than many realize. As such, due to the rapidly expanding liability associated with facial biometrics, it is imperative that airlines and airports currently utilizing this technology—or that intend to do so in the future—devote the necessary time, effort, and resources to put in place flexible, adaptable compliance programs to help ensure compliance with current and anticipated biometric privacy requirements.
Airports and airlines that take proactive measures now to build out their biometric privacy compliance programs—especially those that may not currently be subject to a state-specific biometric privacy law at this time —can get a step ahead on the anticipated facial recognition laws that will likely be enacted in more parts of the country.
In particular, airport and airline operators should consider the following:
– Early Involvement of Biometric Privacy Counsel: Consult with experienced biometric privacy counsel well before any type of facial recognition technology is implemented to ensure compliance with today’s constantly-evolving biometric privacy legal landscape.
– Ensure Transparency Regarding the Use of Facial Recognition: For facial recognition to be widely accepted and adopted by travelers, airlines and airports must make a concerted effort to be as transparent as possible regarding their use of facial biometrics. Travelers will be much more willing to voluntarily opt-in to air travel facial recognition programs if they are provided with sufficient information to make an informed decision as to the data they are giving up to enroll in a facial biometrics program.
– Written Notice: Provide written notice—prior to the time any facial template data is collected—which clearly informs individuals that facial template data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is destroyed.
– Written Release: Obtain a signed written release from all individuals prior to the time any facial template data is collected that permits the company to collect/use the individual’s biometric data and disclose this data to third parties for business purposes.
– Necessity & Proportionality: Airports and airlines should be able to justify the necessity and proportionality of their use of facial biometric technologies.
– Opt-Out: Permit travelers to opt out of the collection of their facial template data.
– Data Security: Maintain data security measures to safeguard facial template data that satisfies the reasonable standard of care applicable to the commercial aviation industry and which protects facial template data in a manner that is the same or more protective than the manner in which the company protects other forms of sensitive personal information.
– Arbitration Provisions in Ticket Contracts: Include mandatory arbitration provisions and class action waivers in all ticket contracts requiring traveler disputes or claims that may arise under biometric privacy or similar laws must be resolved through binding, individual arbitration, and not in court, to limit biometric privacy class action litigation risk.
Facial recognition technology has brought about wholesale changes to the operations of businesses across several industries, and has played an especially outsized role in fundamentally transforming the face of flying.
At the same time, liability stemming from the use of this technology is also rapidly expanding as cities, states, and Congress look to impose strict requirements and limitations on the use of facial biometrics.
Airlines, airports, and other players in the commercial aviation industry that are currently leveraging the benefits of facial recognition software, as well as those that are considering the implementation of this technology in the future—even those whose operations are located in jurisdictions where no biometric privacy regulation currently exists—are advised to take proactive measures to develop and implement facial recognition biometrics compliance programs that encompass the practices/principles described above.
About the author
David J. Oberly is an attorney in the Cincinnati office of Squire Patton Boggs LLP and is a member of the firm’s global Data Privacy, Cybersecurity, and Digital Assets Practice. David serves as the go-to legal advisor for companies that utilize biometrics in their operations—counseling clients on the full range of legal and regulatory compliance obligations applicable today and helping companies navigate the ever-evolving biometric privacy legal landscape to ensure compliance and mitigate risk. David also has extensive experience and expertise in defending companies across all industries in high-stakes, high-exposure biometric privacy class action litigation—and BIPA class actions in particular. In addition, David also advises companies on a broad range of other privacy, security, and data protection issues that arise while operating in today’s highly-digital world. He can be reached at firstname.lastname@example.org.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.