The impact of this first-of-its-kind legislation will extend far beyond the borders of Portland, writes David Oberly
ANALYSIS The ability of organizations to use facial recognition technology in a safe and responsible manner has become a paramount concern for lawmakers and consumers alike.
Recent events that have come to light concerning controversial uses of this technology, such as that of facial recognition startup Clearview AI, have further amplified calls for strict regulation over facial biometrics.
In a landmark move, policymakers in Portland, Oregon, have enacted a sweeping ban prohibiting the use of facial recognition technology by private entities. The law will go into effect on January 1, 2021.
The Portland ordinance continues a growing trend across the US of cities and states enacting biometric laws directly targeting the use of facial recognition.
At the same time, however, the law is also unprecedented because while other American jurisdictions have banned the use of this technology in the public sector, Portland is the first to bar its use by private entities.
Portland’s facial recognition ban: What you need to know
Under the Portland ordinance, “private entities” are barred from using “facial recognition technology” in any “places of public accommodation” within the boundaries of the City of Portland.
“Facial recognition technology” is defined under the ordinance to mean “automated or semi-automated processes using face recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual or capturing information about an individual based on an individual’s face”.
“Face recognition”, in turn, is defined as:
The automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search).
A Face Recognition search will typically result in one or more most likely candidates – or candidate images – ranked by computer-evaluated similarity or will return a negative result.
Importantly, the ban defines “private entities” in an extremely broad fashion as “any individual, sole proprietorship, partnership, corporation, limited liability company, association, or any other legal entity, however organized”.
The scope of the ban is similarly extensive, owing to the ordinance’s definition of “places of public accommodation” as “[a]ny place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”
Thus, the ban encompasses essentially all types of businesses – including banks, hotels, convenience stores, and even airports – that will no longer be able to use facial recognition for any purpose.
The ordinance provides three limited exemptions from the ban: (1) to the extent necessary for a private entity to comply with federal, state, or local laws; (2) for user verification purposes by an individual to access the individual’s own personal or employer-issued communication and electronic devices; and (3) in automatic face detection services in social media applications.
Importantly, the ordinance contains a private right of action permitting any person “injured” by a “material violation” of the law to pursue litigation and recover liquidated damages in the amount of “$1,000 per day for each day of violation,” as well as attorney’s fees in some instances.
While the ordinance will have direct consequences on companies located in Portland, the ultimate impact of this private sector ban will extend far beyond the city’s borders.
Portland’s success in enacting a sweeping, across-the-board private sector ban may influence lawmakers in other parts of the country to try their hand in enacting similar laws barring private entities outright from using facial recognition or other forms of biometrics.
At the same time, the success experienced by Portland will provide strong encouragement for other lawmakers to push forward with enacting robust requirements and limitations over the use of this technology, similar to the well-known Illinois Biometric Information Privacy Act (BIPA) – which has spawned a tidal wave of bet-the-company biometric privacy class action litigation for mere technical violations of the law.
Taken together, it is clear that potential liability exposure stemming from the use of facial recognition biometrics will increase steadily – if not drastically – in the immediate future.
What to do now
Looking ahead, the scope of liability exposure will only broaden further as additional cities, states, and Washington DC look to impose greater regulation over the use of facial recognition and other types of biometrics.
Consequently, companies that incorporate facial recognition technology into their operations or intend to do so in the future – even those located in jurisdictions where no applicable regulation currently exists – should take proactive measures to develop and implement facial recognition biometrics programs that will ensure compliance with current and future facial recognition regulation.
Significantly, an early start toward compliance can make all the difference between being able to fully comply with the increasingly complex web of laws targeting facial recognition technology and being on the receiving end of a potentially catastrophic class action lawsuit.