Portland’s New Facial Recognition Ban Increases Litigation Risk, Creates Uncertainty

Stoel Rives - Global Privacy & Security Blog®

Is your business using or thinking of using facial recognition technology for activities in Portland, Oregon? Think again.

That’s the message to businesses operating in Portland in a new ordinance that broadly bans the use of facial recognition technology in the city, subject to certain exceptions. The ordinance, which took effect January 1, 2021, restricts private businesses from using automated or semi-automated processes to identify an individual by comparing an image of a person captured through a camera with images of multiple individuals in a database. Due to the expansive language contained in the final version of the ordinance, routine business practices used to support or improve operations are no longer permitted. For example, retailers may have previously used software that compares surveillance video images of individuals as they enter a store with a cloud-based photo database to identify suspected shoplifters. The ordinance now prohibits use of this software.

The law also has teeth. It creates a private right of action, statutory damages of $1,000 per day for each violation, and allows for recovery of attorneys’ fees. Similar to other biometric privacy laws, this ordinance has the potential to trigger a wave of costly class action litigation and upend business operations. This ordinance creates significant risk with use of facial recognition technology, and organizations should proceed with this awareness. The law also raises numerous unanswered questions, as noted below.

Portland City Code, Title 34 Digital Justice:

. . . a Private Entity shall not use Face Recognition Technologies in Places of Public Accommodation within the boundaries of the City of Portland.

. . .

Any person injured by a material violation of this Chapter by a Private Entity has a cause of action against the Private Entity . . . for damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater and such other remedies as may be appropriate . . . [and] a court may award to the plaintiff who prevails . . . a reasonable amount . . . [of] attorney fees . . . .”

Facial recognition technologies—like other emerging biometric technologies—can be useful business tools. These programs match a human face from a digital image against a database of facial images to identify or verify the identity of an individual. Organizations may use facial recognition technology in a wide variety of circumstances: to prevent retail crime, to find missing persons, to target advertising, to validate identities of employees or customers, or to perform health screenings at large events. Personal devices and applications may also use facial recognition technology to maintain security and facilitate authorized user access, for example smartphone or online banking face identification.

But in Portland, use of such facial recognition technology now entails serious legal risk. Under the new ordinance in the “Digital Justice” Title of the City Code, the City of Portland has largely prohibited the use of facial recognition technologies in public spaces. Subject to certain exceptions, the ordinance provides that “a Private Entity shall not use Face Recognition Technologies in Places of Public Accommodation within the boundaries of the City of Portland.” Portland City Code 34.10.030 (emphases added).

This prohibition has three key operating parts.

  1. It covers “Private Entities,” which include “any individual, sole proprietorship, partnership, corporation, limited liability company, association, or any other legal entity, however organized. A Private Entity does not include a Government Agency.” Individuals and (non-governmental) organizations of all types – whether for-profit business or non-profit foundations – and all sizes – from small professional firms to local outlets of national chains – are subject to this ordinance.
  2. In regulating the use of “Face Recognition Technologies,” the ordinance restricts the use of “automated or semi-automated processes using Face Recognition that assist in identifying, verifying, detecting, or characterizing facial features of an individual or capturing information about an individual based on an individual’s face.” “Face Recognition” refers to “the automated searching for a reference image in an image repository by comparing the facial features of a probe image [g., a frame of a surveillance video] with the features of images contained in an image repository [e.g., a photograph database].” With its focus on automated or semi-automated processes, the ordinance seeks to prevent false identification produced by technological deficiencies, bounded reference inputs, and even subconscious or latent bias manifested in software, and guard against disproportionate and negative impacts on women and persons of color.
  3. It broadly applies to Private Entities’ activities in “Places of Public Accommodation,” which include “[a]ny place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.” Places of Public Accommodation do not include “[a]n institution, bona fide club, private residence, or place of accommodation that is in its nature distinctly private.”

The ordinance’s expansive scope is limited by three exceptions. First, the ordinance allows the use of facial recognition technology to comply with federal, state, or local laws. Second, it permits use of facial recognition technology for user verification purposes by an individual to access the individual’s own personal or employer issued communications and electronic devices. Third, it allows facial recognition technology in automatic detection services in social media applications.

Despite these limiting exceptions, the broad scope of the ordinance bars outright many increasingly common practices and creates substantial uncertainty about others. In addition to banning automated detection of suspected shoplifters, which was a motivating concern for the ordinance, the ordinance would appear to preclude retailers from using surveillance footage to identify in-store shoppers for behavioral tracking or identification for rewards programs.

Potentially even more problematic, it is unclear whether the ordinance permits employers to use facial recognition technology for the purpose of identifying employees or visitors, who may or may not receive temporary photo IDs, for facility access. A city government press release announcing the City’s passage of the ordinance states that the term “Places of Public Accommodation” does not include “[c]ommercial facilities operated by private entities,” but this exception does not appear within the ordinance itself. Many business facilities are both open to the public and have employee-only or other restricted spaces that might be secured through use of facial recognition access controls. Mixed-used buildings providing residential, temporary lodging, office space, and consumer retail spaces are increasingly common. Whether and where facial recognition technology may be permissibly utilized in such environments is unclear. The ordinance also does not specify whether an individual may waive her rights under the ordinance or otherwise contract around the prohibitions. Businesses might be able to find legal solutions which would allow them to use facial recognition technology, but they should first strongly consider the significant potential penalties of a violation before attempting to test the limits of the ordinance.

Notably, the ordinance allows for private lawsuits and establishes statutory damages. The ordinance provides that “any person injured by a material violation” can bring a cause of action. A plaintiff can then recover the greater of actual damages sustained as a result of a violation or $1,000 per day.  Attorneys’ fees are also available to a prevailing plaintiff.

Although courts have yet to interpret what constitutes a “material violation” and no lawsuits have yet been filed in Oregon state courts, similar causes of action under comparable statutes in other jurisdictions have unleashed waves of class action litigation. The Illinois Biometric Information Privacy Act (“BIPA”) is among the most heavily litigated. Like the Portland ordinance, BIPA regulates the use of facial recognition technology, allows for a private right of action, and establishes statutory penalties. Since 2017, hundreds of class action claims have been filed under BIPA. Litigation has been widespread, in part, because Illinois courts have held that a plaintiff need not allege actual damages to bring a claim. But, because of BIPA’s statutory penalties, damages and settlements have been significant. Court have approved class action settlements as high as $650 million.

How BIPA has been applied and interpreted could signal serious risks for businesses that use or attempt to use facial recognition technology and do business in Portland. Class action claims may be filed against any use of facial recognition technology “within the boundaries” of Portland, even if a business may have its headquarters or operations elsewhere. Damages of $1,000 per day, per individual, may add up quickly and provide strong incentives for lawyers to bring cases under the ordinance against large and small businesses.

Regulation of facial recognition technology in Oregon is still evolving. The text of the Portland ordinance suggests that more specific and targeted legislation will be enacted. A rationale for the ordinance is that “the City needs to take precautionary actions until these [facial recognition] technologies are certified and safe to use and civil liberties issues are resolved” and that “existing methodologies assessing bias in Face Recognition Technologies show progress on their performance.” But the Ordinance makes clear that its broad prohibitions remain in effect “until the City adopts or revises an appropriate model for regulation of Face Recognition Technologies.”

What You Should Do

Any business that operates in Portland, Oregon and is considering using facial recognition technology should carefully consider the risks before proceeding. Businesses in Portland that already use this technology should reevaluate their systems and discuss their options with an attorney.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives - Global Privacy & Security Blog® | Attorney Advertising

Written by:

Stoel Rives - Global Privacy & Security Blog®
Contact
more
less

Stoel Rives - Global Privacy & Security Blog® on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.