Computers, Privacy & the Constitution

U.S. Privacy Laws and Facial Recognition Technology

-- By ChristopheWassaf - 16 Mar 2016

The use of biometric software for facial recognition has grown in recent years, as the technology has become less costly and more accurate. Applications of the technology range from automatic tagging of photographs on social media, to secure access to computers and other devices, to consumer service and other uses. Such applications can be beneficial in some situations. For instance, New York State is planning on using facial recognition technology to catch identity thieves trying to obtain fraudulent drivers’ licenses. However, despite the potential benefits of facial recognition, its use raises serious privacy concerns.

Privacy Concerns

One of the main privacy concerns arising from facial recognition is its potential use to track people’s movements in public. Individuals, companies, and governments may be able to identify individuals and collect information on their activities and whereabouts. While individuals should not have expectations of complete anonymity when in public, that level of anonymity may be greatly reduced as the use of facial recognition becomes increasingly widespread. Furthermore, given the amount of information shared online, an individual’s face may automatically be associated with their Internet behavior, public activities and other information. Privacy advocates have stated that such privacy concerns may deter people from visiting certain places, assembling in public to support different causes, or conducting other activities in public.

Another privacy concern related to collection of information through facial recognition is that it often occurs without the individual’s knowledge or consent. For instance, Facebook uses facial recognition technology for its “tag suggestion” feature without notifying users and obtaining their consent in advance. The company faces several lawsuits that allege that such use violates privacy laws. Similarly, Shutterfly, a photo-sharing website, faces a class action by individuals who do not use the company’s services, and who allege that the company used pictures uploaded by other users to create a “faceprint” of them without their knowledge or consent.

Overall, the potential of facial recognition to be used to collect information about individuals’ activities both online and offline, coupled with people’s lack of control over their own information, makes privacy a major concern in the use of this technology.

U.S. Privacy Laws

Several privacy laws may potentially apply to facial recognition technology. Federal laws that govern the collection, use and storage of personal information limit the disclosure of individuals’ personal information without their consent. For instance, the Gramm-Leach-Bliley Act requires financial institutions to provide consumers notice and an opportunity to opt out before sharing nonpublic personal information with non-affiliated third parties. The Act defines personal information to include any information obtained by financial institutions in connection with providing a financial product or service to a customer. Therefore, it potentially includes facial images and associated information. The Children’s Online Privacy Protection Act requires parental consent before covered websites can collect information from children under 13 years of age. Implementing regulations define personal information to include photographs or videos containing a child’s image. Other federal privacy laws that may apply to facial recognition include the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and others. However, the applicable federal privacy laws tend to be narrow in scope and do not provide protection in all situations.

Most states have general privacy laws that govern the use of personal data, and many are similar to the federal laws discussed above. However, outside of data breach laws, only two states – Illinois and Texas – have privacy laws that specifically address facial recognition technology. TEX. BUS. & COM. CODE ANN. 503.001; 740 ILL. COMP. STAT. 14/1-99. The Illinois law, on which most recent facial recognition lawsuits rely, requires private entities in possession of biometric identifiers or information – including that obtained through facial recognition – to develop written policies establishing a retention schedule and guidelines for permanently destroying such biometric identifiers and information. Destruction is required when the initial purpose for obtaining the biometric information has been satisfied, or within 3 years of the individual’s last interaction with the private entity. In addition, no private entity may obtain or disclose a person’s biometric identifier or information unless it informs the individual that such information is being collected, as well as the purpose and length of time for which the information is collected and used, and receives the individual’s consent. Private entities may not sell such information or profit from it. The Texas law also requires consent and destruction of the biometric identifier within a period of time. However, it does not expressly prohibit the sale of biometric information for profit, nor does it require a publicly available written policy on the retention and destruction of biometric information. Other states, such as California, have proposed laws to include biometric information as personal information and require certain security measures to protect such information.


The laws passed by Illinois and Texas are a good first step toward regulating the use and disclosure of information obtained through facial recognition. Companies should be required to provide clear policies regarding their collection and use of such information, and to obtain users’ consent prior to the use of the technology. Such consent is particularly important in the case of facial recognition because, unlike most other biometric information, it can be collected without the individual’s knowledge. Sale of facial recognition information should be prohibited, and laws should limit retention of the information as much as possible to address privacy concerns and limit injury to individuals from potential breaches. In addition, given the grave potential misuses of the technology, punitive damages must be implemented to deter violations. As the use of facial recognition technology continues to spread, companies will undoubtedly continue to collect such information and associate it with other information about customers that is available to them. Lawmakers and regulators must try to incentivize transparency and limit the extent to which information collected can be used and disclosed to other parties.

From an editorial point of view, this draft has an under-reported feel, like a comment piece based on a Google search. There's no linking or sourcing of any kind, so the reader isn't given any starting points for additional learning, or even a way to confirm what you report. The facts, and the interpretive sentences concerning what they mean, are not put in context by anyone whose capacity to do so we can comprehend (one or more "storytellers," likely to be persons with indicia of broad knowledge). No literature interpreting the broad context is mentioned, let alone cited or linked. So we have more of a small, empty box than we should after the effort you have put into learning.

Substantively, the draft doesn't really come to grips with the problems that its point of view might have: it's as though the only duty were to find a way to say "privacy," leaving the rest to someone else. But, here in this learning context in particular, it's surprising that the basic constitutional problem isn't discussed: don't I have a First Amendment right to look at the faces of people, remember what I see there, and tell others about it? How can there be a meaningful regime of freedom of thought that doesn't include protection for those activities? Surely the conceptual difficulty underlying the whole of our analysis in the course is relevant enough to mention?

