Private sector use of facial recognition faces legal challenges
Innovation in the development of facial recognition software is among the most important technology trends to impact the physical security industry this past decade. Driven by advancements in machine learning, the solutions available on the market today can detect the faces of individuals with an incredible degree of accuracy.
Unsurprisingly, facial recognition has also been the subject of much controversy of late as privacy advocates and lawmakers have expressed concerns about how the technology could potentially be misused by law enforcement and other government agencies. Some cities, such as San Francisco and Oakland, have already taken the extraordinary step to ban government use of the technology within their jurisdictions.
But while news surrounding these governmental bans has garnered most of the recent headlines, the private sector has encountered its own set of legal challenges regarding use of the technology. Last month, class action lawsuits were filed against home improvement stores Lowe’s and Home Depot for allegedly scanning the faces of customers inside store locations in Illinois. Attorneys for the plaintiffs claim the use of facial recognition by these retailers violates the state’s Biometric Information Privacy Act (BIPA) and are seeking damages of $1,000 to $5,000 per violation.
BIPA, which places limitations on how private entities can collect and use a person’s biometric data, was passed by the Illinois legislature more than a decade ago, but relatively few lawsuits leveraging the law’s protections were brought forth until more recently. Earlier this year, the Illinois Supreme Court potentially paved the way for even more BIPA litigation after issuing a ruling in a landmark case, Rosenbach v. Six Flags Entertainment Corp., in which it found that someone doesn’t need to sustain actual injury beyond technical violations of the law in order to pursue a claim. The lawsuit was brought by the mother of a 14-year-old boy who alleged that the amusement park scanned and stored her son’s fingerprint without parental consent.
“Normally in civil litigation you have to show both the breach of a statute and that you were harmed in some way. The reason that BIPA is so impactful, and has been used the way it has, is due to how the law was written; it says you can have either actual or statutory damages,” explains Jeffrey N. Rosenthal, a Partner at the law firm Blank Rome LLP who specializes in privacy and consumer protection class action defense. “There are hundreds of these BIPA cases being filed more and more often now because the plaintiffs’ bar has figured out that there is the potential for serious damages here and serious exposure.”
In an interview with SecurityInfoWatch.com (SIW) earlier this year, Karla Grossenbacher, an attorney with the law firm of Seyfarth Shaw LLP who heads up the firm’s Biometrics Privacy Compliance & Litigation Group, said that laws governing how facial recognition and other biometric technologies can be used have changed very little over the past few years. However, rising public awareness about the existence of these technologies and their proliferation has resulted in an increased level of scrutiny.
“What’s changed is that, all of a sudden, people are aware of them and particularly (BIPA) because at some point in 2016 and 2017 someone woke up, realized this law was here and started filing lawsuits,” she says.
According to Rosenthal, companies that have found themselves involved in BIPA cases have typically fallen into two categories: those that offer photo-tagging services, such as Facebook and Shutterfly, and businesses that use fingerprints or other biometric identifiers for time and attendance tracking. However, Rosenthal says the class action lawsuits against Home Depot and Lowe’s mark the next iteration in the use of BIPA in the courts and potentially expose retailers and other organizations using facial recognition for security applications to a new wave of lawsuits.
“What makes these cases unique is that biometrics are being used for loss prevention surveillance; it shows another way to extend the statute. Normally it has been photo tagging, fingerprints, etc., but now however many stores like Lowe’s and Home Depot are using these loss prevention and facial recognition software for customers in the door, we think that plaintiffs are going to continue to seek ways to expand the reach of the law.”
More Laws on the Horizon?
Though several states have similar laws on the books, Illinois is currently the only one in the nation that gives citizens a private right of action to pursue statutory damages. For example, Texas, New York and Washington have all enacted legislation that protects facial scans and biometric information, but they do not provide for private right of action – the right to sue is typically reserved for the attorney general or other state officials – nor do they award statutory damages. “The plaintiffs’ bar isn’t as interested in that because there is no opportunity for civil damages,” Rosenthal adds.
However, Rosenthal says other states likely aren’t far behind in passing their own BIPA-type laws.
“In New York, for example, earlier this year the legislature introduced for the third time a bill that would implement the New York Biometric Privacy Act, which is identical, a carbon copy, of the Illinois BIPA,” he explains. “That would further expand where these cases could be filed and the number of potential claimants that could bring these cases as well.
“It’s a very aggressive approach that these states and municipalities are seeking to enact their own biometric privacy laws and the reasoning, at least according to the Illinois legislature, makes sense,” Rosenthal continues. “From their perspective, the reason they have written the law this way is when you think about identity theft and what can happen if someone gets your credit card number, passwords, or Social Security number, there are ways to correct that – you can get a new Social Security number, change your password or get a new credit card. But when we’re talking about biometrics… it’s very difficult if not impossible to change that.”
Mitigating Potential Lawsuits
For those organizations that are currently using or are thinking about deploying facial recognition or other biometric security solutions, Rosenthal recommends retaining legal counsel as early as possible to help establish policies and procedures that will reduce the likelihood of the businesses ending up in court.
“You only get one shot to set up the right disclosures and make sure you are as compliant as you can be,” he says. “Oftentimes what we find is these cases hit the desks of clients and they’ve never heard of BIPA before or they’re not familiar with the way the law is written. Even though it has been around for over ten years, it has only recently come into the foreground of the biometric and security space.”
At their core, BIPA and the laws that will likely follow it in other states are consent statutes, according to Rosenthal, meaning that if companies inform people that they are collecting their biometric information as well as tell them how they intend to use it and store it, then it will be harder to prove that they weren’t compliant. “The whole idea is to give the consumer, employee or whomever, safety and security in knowing that, ‘ok, my face is being scanned for this purpose but the chance that it is going to go outside the enterprise or that someone will have my face scan and do whatever they can try to do with it is low because these companies are complying and they’re telling me how they’re doing so,’” he says.
However, if a state, such as New York, moves forward with legislation that essentially creates a “BIPA 2,” Rosenthal says you can rest assured there will be a plethora of new cases making their way to civil dockets over the use of biometrics.
“It just takes a swipe of the legislature’s pen to expand the law and, all of a sudden, separate from just the government enforcing the law on private entities, it will be other private plaintiffs,” he says.
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist.