Jun 182015

Privacy advocates abandon Commerce Department multistakeholder process on facial recognition technology code of conduct

Colleen Theresa Brown
, , ,

The National Telecommunications and Information Administration (“NTIA”), housed within the U.S. Commerce Department, has been facilitating a multistakeholder process to develop privacy safeguards for the commercial use of facial recognition technology since December of 2013—with the first in person meeting held in February 2014.  NTIA seeks to create a voluntary, enforceable code of conduct applying the administration’s privacy framework, including its proposed Consumer Privacy Bill of Rights, to facial recognition technology in a commercial context.   After a little over a year in talks, and shortly after the NTIA’s 12th meeting, the process has broken down.  On Monday, June 15, a joint statement signed by representatives of multiple privacy advocacy groups, including the Center for Democracy and Technology, the Electronic Frontier Foundation, Consumer Watchdog and the ACLU, declared that they “have decided to withdraw from further negotiations” because the process has been unable to elicit agreement “on any concrete scenario where companies should employ facial recognition only with a consumer’s permission.”  The joint statement further argues that “[t]he position that companies never need to ask permission to use biometric identification is at odds with consumer expectations, current industry practices, as well as existing state law.”

There is currently no federal legislation restricting the use of facial recognition technology.  However, the FTC issued a staff report in 2012 entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” to provide guidance on privacy concerns related to facial recognition technology.  The report emphasized privacy by design, information security, and restraint for the deployment of facial recognition technologies in sensitive locations, such as where children may likely gather.  The report notably did not go so far as to insist on advance express consent for the use of such technologies, but did recommend clear notice to warn consumers prior to coming in contact with such technologies.  In contrast, some state laws already mandate consent for these evolving and increasingly prevalent technologies.  For example, Illinois and Texas both have laws requiring consent prior to the collection of biometric data that may apply to some forms of facial recognition technologies.  Illinois’ Biometric Information Privacy Act (2008) defines biometric identifiers as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  740 ILCS 14/10.  A biometrics law in Texas similarly defines biometric data to include “face geometry.”  V.T.C.A., Bus & C. §503.001(a).  In the wake of the breakdown of the multistakeholder process, and without clear federal legislation, rapid innovation in facial recognition technology will likely continue to be guided by company privacy commitments and industry standards.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

You might also like
Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.

NY DFS Proposes New Class of Entities and More Detailed Regulations in Second Amendment to Cybersecurity Regulations

On November 9, 2022, the New York Department of Financial Services (DFS) published its proposed second amendment to its cybersecurity regulations (23 NY CRR Part 500). This proposal follows a July 29 pre-proposal and comment period. The amendment is available for a sixty-day comment period – until January 9, 2023 – after which the agency may adopt final regulations or issue a further revised version.