Privacy advocates abandon Commerce Department multistakeholder process on facial recognition technology code of conduct

The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014.  NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context.   After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down.  On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.”  The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”

There is currently no federal legislation restricting the use of facial recognition technology.  However, the FTC issued a staff report in 2012 entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” to provide guidance on privacy concerns related to facial recognition technology.  The report emphasized privacy by design, information security, and restraint for the deployment of facial recognition technologies in sensitive locations, such as where children may likely gather.  The report notably did not go so far as to insist on advance express consent for the use of such technologies, but did recommend clear notice to warn consumers prior to coming in contact with such technologies.  In contrast, some state laws already mandate consent for these evolving and increasingly prevalent technologies.  For example, Illinois and Texas both have laws requiring consent prior to the collection of biometric data that may apply to some forms of facial recognition technologies.  Illinois’ Biometric Information Privacy Act (2008) defines biometric identifiers as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  740 ILCS 14/10.  A biometrics law in Texas similarly defines biometric data to include “face geometry.”  V.T.C.A., Bus & C. §503.001(a).  In the wake of the breakdown of the multistakeholder process, and without clear federal legislation, rapid innovation in facial recognition technology will likely continue to be guided by company privacy commitments and industry standards.