NTIA Multistakeholder Process Finalizes General Privacy Guidelines for Commercial Facial Recognition Use: National Telecommunications and Information Administration
Thursday, June 23, 2016
Technology, Biometric, NTIA Multistakeholder Process Finalizes General Privacy Guidelines for Commercial Facial Recognition Use

Related Practices & Jurisdictions
Print Mail Download i

We’ve previously written about the National Telecommunications and Information Administration (NTIA) privacy multistakeholder process to address concerns associated with the emerging commercial use of facial recognition technology. Notably, last year, the self-regulatory initiative hit a stumbling block when nine consumer advocacy groups withdrew from the process due to a lack of consensus on a minimum standard of consent.  Regardless, the remaining participants continued on and last week, the stakeholders concluded the process and came to a consensus on final privacy guidelines, “Privacy Best Practice Recommendations For Commercial Facial Recognition Use.”

The guidelines generally apply to “covered entities,” or any person, including corporate affiliates, that collects, stores, or processes facial template data. The guidelines do not apply to the use of facial recognition for the purpose of aggregate or non-identifying analysis (e.g., the counting of unique visitors to a particular location), and is not applicable to certain governmental uses of the technology, such as for law enforcement or national security. Moreover, under the guidelines, data that has been “reasonably de-identified” is not facial template data and therefore not covered by the best practices.

The guidelines are generally broken down into several categories:

  • Transparency: Covered entities are encouraged to reasonably disclose to consumers their practices regarding the collection, storage and use of faceprints and update such policies in the event of material changes. Policies should generally describe the foreseeable purposes of data collection, the entity’s data retention and de-identification practices, and whether the entity offers the consumer the ability to review or delete any facial template data.  Where facial recognition technology is used at a physical location, the entity is encouraged to provide “concise notice” to consumers of such use.

  • Recommended Practices: Before implementing facial recognition technology, the guidelines suggest that entities consider certain important issues, including:

    • Voluntary or involuntary enrollment

    • Types of other sensitive data being captured and any other risks to the consumer

    • Whether faceprints will be used to determine certain eligibility for or access to certain activities covered under law (e.g., employment, healthcare)

    • Reasonable consumer expectations regarding the use of the data

  • Data Sharing: Covered entities that use facial recognition to determine an individual’s identity are encouraged to offer the individual the opportunity to control the sharing of such data with unaffiliated third parties (note: an unaffiliated third party does not include a covered entity’s vendor or supplier that provides a product or service related to the facial template data).

  • Data Security: Reasonable security measures should be used to safeguard collected data, consistent with the operator’s size, the nature and scope of the activities, and the sensitive nature of the data.

  • Redress: Covered entities are encouraged to offer consumers a process to submit concerns over the entity’s use of faceprints.

In the end, the recommendations are merely best practices for the emerging use of facial recognition technology, and they will certainly spark more debate on the issue.  Following the release, privacy advocates generally criticized the guidelines and had hoped that stronger notice and consent principles and additional guidance on how to handle certain privacy risks had been part of the final document.  It remains to be seen how many of the suggested guidelines will be implemented in practice, and whether consumers themselves will nudge the industry to erect additional privacy controls.

In the meantime, entities must still consider compliance issues surrounding the noteworthy Illinois biometric privacy law (the Biometric Information Privacy Act, or BIPA) enacted in 2008 and now the subject of much recent litigation, including:

We will continue to monitor the latest legal and important industry developments relating to biometric privacy.

© 2024 Proskauer Rose LLP.

Current Legal Analysis

More from Proskauer Rose LLP

One Month to Go Until the FCA’s Anti‑Greenwashing Rule Comes into Force
by: John Verwey , Rachel E. Lowe
Viking River Who? Another Cautionary Tale About Arbitration Agreement Drafting
by: Jonathan P. Slowik , Michelle L. Lappen
Enacted New York State Budget Includes First-in-Nation Statewide Paid Prenatal Leave (But Other Proposals are Left on the Table)
by: Allan S Bloom , Evandro C Gigante
The Honeymoon is Over: Strikes on the Rise…Even Before A First Contract
by: Joshua S. Fox , Yonatan Grossman-Boder
ELTIF 2.0 – ESMA Responds to the EU Commission’s Proposed Amendments to the Draft RTS
by: John Verwey , Rachel E. Lowe
Public Portal to Promote Healthy Competition
by: Whitney Phelps , John R Ingrassia
Conflict Between Delaware LLC Act and Bankruptcy Code Affects Creditor Toolbox
by: David M. Hillman , Vincent Indelicato
Goodbye “Five-Part Test”—DOL Finalizes New Investment Advice Fiduciary Rules
by: Adam W Scoll , Jennifer Rigterink
Private Credit Deep Dives – Going Exclusive (Europe)
by: Privacy and Data Security
Is Artificial Intelligence Inflating a Valuation Bubble?
by: Margaret A Dale , Michael R. Hackett

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins