Facial recognition technology uses algorithms that map facial features – such as the distance between a person’s eyes, or the width of a person’s nose – and compares those features to a database of known individuals. Organizations may use the technology for security (e.g., cameras that “ID” employees or criminals), marketing to consumers (e.g., cameras that “ID” particular customers), or designing products that quickly categorize digital media (e.g., photograph sorting).

There is currently no federal statute that expressly regulates private-sector use of facial recognition technology. Nonetheless, the FTC, which has authority to prevent unfair and deceptive practices, has expressed interest in the privacy implications of facial recognition technology, has issued a set of best practices concerning its use, and has investigated organizations that it believes violated those recommendations.

At least two states have also enacted statutes that govern the technology. Those statutes require that a company (1) notify state residents that the technology is in use, and (2) obtain the consent of those subject to the technology.

Practices recommended by the FTC when deploying facial recognition technology:

1. Companies should maintain reasonable data security for consumers’ images and facial geometry.
2. Retention and Disposal. Companies should establish and maintain appropriate retention and disposal practices for consumers’ images and facial geometry.
3. Sensitivity of Video-Feed. Companies should consider the sensitivity of the data that they capture including, specifically, not placing cameras in areas in which consumers would not expect them (g., locker rooms, bathrooms, health care facilities, etc.).
4. Notice. Companies should provide “clear notice” when facial recognition technology is being utilized.
5. Opt-in Consent For Materially Different Use. Companies should obtain consumers’ affirmative express consent if they use an image in a “materially different manner” than was represented when the facial geometry was collected.
6. Opt-in Consent For Sharing. Companies should obtain consumers’ affirmative express consent if they identify anonymous images of a consumer to someone who could not otherwise identify the consumer.

1. Tex. Bus. & Com. Code § 503.001(b)(3).

2. National Institute of Standards and Technology, NIST: Performance of Facial Recognition Software Continues to Improve, (June 3, 2014), http://www.nist.gov/itl/iad/face-060314.cfm.

3. See, Public Comments, FTC Matter No. P115406.

4. Bryan Cave LLP, Data Breach Notification Survey (2015).

5. See, 740 ILCS 14/20 (1)-(4); Tex. Bus. & Com. Code § 503.001(d).

[View source.]