Increasingly, companies use facial recognition technology to run their operations. This technology can be used to authenticate employees and customers, to enhance physical security, to reduce fraud and theft, or to customize online services. However, any company using facial recognition technology, or any other biometric tool, should keep on top of federal, state and local developments in the law. Companies need to tailor the deployment of biometrics to avoid expensive class action liability.

As the most recent example, on Sept. 9, 2020, the city of Portland, Oregon, banned the use of facial recognition technology in any place of public accommodation, including wherever goods and services are sold. The ban defines "face recognition" broadly, to include any "automated searching for a reference image in an image repository by comparing the facial features of a probe image with the features of images contained in an image repository (one-to-many search)."

The Portland measure provides a private right of action. "Any person injured by a material violation of this Chapter by a Private Entity has a cause of action against the Private Entity in any court of competent jurisdiction for damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater and such other remedies as may be appropriate." The measure does not define materiality. There are exceptions to the ban: the ordinance does not apply where the use of facial recognition technology is: 1) necessary for a private entity to comply with federal, state or local laws; 2) used for user verification purposes by an individual to access the individual's own personal or employer-issued communication and electronic devices; or 3) used in automatic face detection services in social media apps.

Illinois Precedent

The Portland measure is poised to set off a firestorm of biometric privacy class actions, much like that which has sprung up in Illinois state and federal courts. In 2008, Illinois passed the Biometric Information Privacy Act (BIPA), which imposed both disclosure and program requirements on any company collecting biometric information. BIPA, like the Portland ordinance, included a private right of action and allowed for statutory damages – liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation.

In Illinois, the state Supreme Court held that plaintiffs may pursue claims for mere technical violations of BIPA, even where the plaintiffs are unable to demonstrate actual harm or damage. Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. 2019). Since the decision eliminated plaintiffs' need to demonstrate actual injury or harm to pursue actions for BIPA violations, there has been a spike in the number of class actions filed relating to claims of this nature. Targets of these lawsuits include tech giants such as Facebook and Google as well as smaller business entities.

Other Cities Follow

The Portland ordinance, like the Illinois law, addresses significant concerns around such technology. A federal study released by the National Institute of Standards and Technology (NIST) in December 2019 concluded that facial recognition algorithms are likely to misidentify people of color and women. More recently, in July 2020, NIST studied pre-COVID-19 algorithms with masked faces, finding that they performed less accurately. Thus, more cities are following Portland's lead. For example, Pittsburgh is currently considering legislation to require the police department to obtain City Council approval before using facial recognition software. Other cities – such as San Francisco, Oakland and Boston – have implemented bans on facial recognition technology for government entities.

Efforts for a Federal Standard

Congress has also taken steps to regulate facial recognition technology. In addition to the oversight hearings Congress has held, in June 2020, Sens. Ed Markey (D-Mass.) and Jeff Merkley (D-Ore.) as well as Reps. Ayanna Pressley (D-Mass.) and Pramila Jayapal (D-Wash.) introduced the Facial Recognition and Biometric Technology Moratorium Act of 2020, which would prohibit the use of facial recognition technology by federal entities, a prohibition that could only be lifted with an act of Congress. However, the legislation is unlikely to become law this Congress, since it has little to no Republican support, which is needed for passage in the Senate. Given the growing patchwork of state and local laws regarding biometric data, including facial recognition, a standard created by federal legislation could become more attractive.
