‘Our faces are our identities’ – U.S. senators draft bill to combat irresponsible face ID collection in public places

Two members of the Senate Committee on Commerce, Science, & Transportation this week introduced the Commercial Facial Recognition Privacy Act of 2019, a proposal to prohibit commercial entities from collecting facial data without the customer’s express consent.

Acknowledging that facial recognition has been used for security and surveillance applications for decades, U.S. Senators Roy Blunt (Missouri) and Brian Schatz (Hawaii) believe the technology is evolving at break-neck speeds, leaving room for security and privacy issues.

Civil rights right organizations and privacy advocates like the Electronic Frontier Foundation and the ACLU have long expressed concern that privacy is being compromised by the use of face recognition and surveillance technologies in general. Facial recognition technology is even being used for emotion recognition in some parts of the world.

Indeed not everyone is aware that facial recognition technology is growing rapidly, especially in urban areas where it is even used to collect personally identifiable data which can then be shared with undisclosed third parties. Senators Blunt and Schatz want to regulate the use of facial recognition tech in public places to give consumers the transparency they deserve, as well as the choice to deny the collection of their physical likeness.

“Consumers are increasingly concerned about how their data is being collected and used, including data collected through facial recognition technology,” said Senator Blunt. “That’s why we need guardrails to ensure that, as this technology continues to develop, it is implemented responsibly. This bill increases transparency and consumer choice by requiring individuals to give informed consent before commercial entities can collect and share data gathered through FR. This legislation is an important step toward protecting privacy and empowering consumers, and I encourage all of my colleagues to support it.”

“Our faces are our identities. They’re personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces,” said Senator Schatz, Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet. “Our bill makes sure that people are given the information and – more importantly  – the control over how their data is shared with companies using facial recognition technology.”

Blant and Schatz are not alone in their crusade against the free collection of face recognition data by commercial entities. Brad Smith, President of Microsoft, supports the duo’s cause. Smith believes FR tech “needs to be regulated to protect against acts of bias and discrimination, preserve consumer privacy, and uphold our basic democratic freedoms.”

Chris Calabrese, Vice President for Policy at the Center for Democracy & Technology, agrees.

“The Commercial Facial Recognition Privacy Act recognizes that face recognition is a powerful and invasive new technology,” Calabrese said. “We deserve clear rules and limits on how our faces can be analyzed, identified, and tracked over time.”

The U.S. government is beginning to take security and privacy very seriously in recent years. For example, taking a leaf from the European Union’s rulebook, the state of California instated the Consumer Privacy Act of 2018 which enhanced privacy rights and consumer protections for residents of the US state of California. And a new U.S. Congress bill is now targeting the minimum security guidelines for IoT devices.

Under the Commercial Facial Recognition Privacy Act, companies would be required to notify consumers when facial recognition technology is being used, while the technologies themselves would have to go through a lot of testing and review before implementation. The bill would further restrict redistributing or disseminating data to third-party entities without express consent from end users. Commercial users would be given clear definitions of data controllers and processors to help them become compliant. Finally, it would require FR vendors to meet a number of privacy and security standards as determined by regulatory bodies in the U.S.