Time to comply with the nation’s newest biometric privacy law: Portland’s private sector facial recognition ban
By David J. Oberly, attorney at Blank Rome, LLP.
In a landmark move, the city of Portland, Oregon recently enacted a sweeping ban prohibiting the use of facial recognition technology by private entities, which officially went into effect on January 1, 2021.
The Portland ordinance continues a growing trend across the nation of states and cities enacting biometric laws directly targeting the use of facial recognition technology. At the same time, however, the law is also unprecedented because it goes one step further than other laws currently on the books by barring the use of this technology by private businesses (as opposed to public entities).
To minimize risk in the face of this increasing scope of liability exposure, companies that incorporate facial recognition into their operations or intend to do so in the future should take proactive measures to develop and implement facial recognition biometrics compliance programs to ensure continued compliance with today’s increasingly complex web of biometric privacy laws.
Key elements of Portland’s private-sector facial recognition technology ban
Under the Portland ordinance, “private entities” are barred from using facial recognition technology in any “places of public accommodation” within the boundaries of the City of Portland.
The ban defines “private entities” in an extremely broad fashion as “any individual, sole proprietorship, partnership, corporation, limited liability company, association, or any other legal entity, however organized.”
Similarly, the scope of the ban itself is extensive as a result of the ordinance’s definition of “places of public accommodation, which under the law means any “place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”
Together, the ban encompasses essentially all types of businesses—including banks, hotels, convenience stores, just to name a few—that are now completely barred from using facial recognition for any purpose.
Penalties & Enforcement
Importantly, the ordinance contains a private right of action permitting any person “injured” by a “material violation” of the law to pursue litigation and recover liquidated damages in the amount of “$1,000 per day for each day of violation,” as well as attorney’s fees in some instances.
What this means for companies using facial recognition technology
While the most direct result of the ordinance is that the vast majority of Portland businesses are no longer able to use facial recognition technology in any fashion or for any purpose, the Portland facial recognition ban is poised to have a sizeable impact on the landscape of biometric privacy extending well beyond the borders of Portland.
Recently, states and cities from coast to coast—and even the federal government—have increased their efforts to enact legislation directly targeting the use of facial recognition technology. Until the Portland ordinance, however, other jurisdictions had limited the scope of their facial recognition bans to the public sector, and law enforcement in particular. Portland, on the other hand, has taken this type of biometric privacy regulation a significant step further by applying it to the private sector as well.
Importantly, Portland’s success in enacting a sweeping, across-the-board private-sector ban may influence lawmakers in other parts of the country to try their hand in enacting similar laws barring private entities from using facial recognition or other forms of biometrics.
At the same time, the Portland law may provide strong encouragement to lawmakers who may be contemplating the prospect of enacting robust requirements and limitations over the use of this technology—but who do not have an appetite for passing an outright ban—to push forward with strict regulation paralleling that of BIPA.
To further complicate matters, facial recognition has recently received a significant amount of negative media coverage over potential accuracy and bias problems. Of particular concern is the fact that today’s technology is much less accurate in identifying people of color and women, thereby creating an enhanced risk of misidentification of minorities. In addition, facial recognition was also the target of additional negative press stemming from undisclosed and questionable uses of this technology. Combined, this sustained negative news coverage will only add to the pressure that has been put on lawmakers to make stringent regulation over facial recognition software a reality sooner than later.
Taken together, it is clear that potential liability exposure stemming from the use of facial recognition biometrics will increase steadily—if not drastically—in the immediate future.
Due to the rapidly expanding liability risk associated with the use of facial recognition technology, it is imperative that companies utilizing facial recognition technology devote the necessary time, effort, and resources to minimize liability exposure to the greatest extent possible.
For companies operating in Portland, immediate action should be taken to ascertain whether any form of facial recognition software is being used and, if so, whether any of the limited exemptions offered by the ordinance can be satisfied to permit continued use of the technology in 2021. Those companies that are unable to utilize any of the limited exemptions should ensure they cease all use of facial recognition software immediately. In addition, these companies should also evaluate whether any alternative technologies can be implemented to accomplish the same objectives—such as identification, authentication, or security—for which facial recognition was used.
At the same time, companies operating outside of Portland should take proactive measures by building out their biometric privacy compliance programs to get a step ahead on anticipated facial recognition laws governing the use of this technology that will likely be enacted in other parts of the country in the near future. In particular, companies should consider the following:
– Accuracy and bias testing: Because facial recognition software can produce results that are biased in ways that harm particular ethnic and racial groups, pre-deployment testing of facial recognition technology should be completed to ensure its effectiveness and accuracy before it is used in real-time situations.
– Written notice: Provide written notice—prior to the time any facial template data is collected—which clearly informs individuals that facial template data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is destroyed.
– Written release: Obtain a signed written release from all individuals prior to the time any facial template data is collected that permits the company to collect/use the individual’s biometric data and disclose the data to third parties for business purposes.
– Opt-Out: Permit individuals to opt out of the collection of their facial template data.
– Data security: Maintain data security measures to safeguard facial template data that satisfies the reasonable standard of care applicable to the company’s given industry and which protects facial template data in a manner that is the same or more protective than the manner in which the company protects other forms of sensitive personal information.
– Explicit prohibitions on using technology for discriminatory purposes: Maintain an explicit policy strictly barring the use of facial recognition technology by employees, contractors, or vendors to unlawfully discriminate against individuals or groups of individuals.
The ability of companies to use facial recognition technologies in a safe and responsible manner has become a paramount concern for consumers and lawmakers alike. As a result, new laws specifically targeting facial recognition have steadily increased across the nation in recent years.
Looking ahead, the scope of liability exposure will only broaden further as additional cities, states, and Washington D.C. look to impose greater regulation over the use of facial recognition and other types of biometrics.
Consequently, companies that incorporate facial recognition technology into their operations or intend to do so in the future—even those located in jurisdictions where no applicable regulation currently exists—should take proactive measures to develop and implement facial recognition biometrics compliance programs that encompass the principles and practices described above.
About the author
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy Class Action Defense, and Cybersecurity & Data Privacy groups. David’s practice encompasses both defending clients in high-stakes, high-exposure biometric privacy, privacy, and data breach class action litigation, as well as counseling and advising clients on a wide range of biometric privacy, privacy, and data protection matters. He can be reached at [email protected].
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.