Facial recognition technology was used to identify the man charged with carrying out the Capitol Gazette shooting in Baltimore, Maryland on June 28, 2018. It is the highest-profile case where the facial recognition technology has been used. A Maryland county police department used a photograph of the suspect to identify him from a database of driver’s license images and mug shots.

Thirty-one states now allow police to run facial-recognition searches against driver’s license photos. Maryland's database is particularly aggressive, as it permits police to search about 7 million driver's license photos, 3 million state mug shots, and 25 million mug shots in the FBI's database. The database is not scrubbed to eliminate suspects who were found innocent or never charged. In 2013, Maryland added images from driver's licenses, including those of individuals who have never been arrested.

It remains to be seen whether privacy concerns will curtail the use of the new technology. One proposed bill, which passed the Maryland House but thus far has failed in committee, would mandate auditing in the state to “ensure that face recognition is used only for legitimate law enforcement purposes” and would prohibit the use of Maryland’s face recognition system without a court order. Last month, after fielding criticism from several civil rights groups, Orlando’s police department announced that it would no longer be using facial-recognition software.

The push for biometric privacy has extended into the private sector as well. Earlier this year, a California district court allowed a novel biometric-privacy lawsuit against Facebook to proceed, certifying a class. In re Facebook Biometric Privacy Litigation, No. 15-cv-03747 (N.D. Cal. Apr. 16, 2018). Putative class plaintiffs allege that Facebook, by scanning facial geometry in photographs in order to suggest individuals to tag, is violating Illinois' Biometric Information Act (“BIPA”). Colorado recently became the latest state to include biometric information in the definition of personal information for the purposes of its breach notification statute. Beginning September 1, 2018, under Colo. Rev. Stat. § 6-1-713 et seq., companies must notify Colorado residents of a data breach that includes their biometric information.