Tech & Sourcing @ Morgan Lewis


As businesses across America begin to reopen in the wake of the coronavirus (COVID-19) pandemic, many will likely implement new social distancing and sanitization procedures. That got us thinking about how companies may choose to use touchless authorization technologies like facial recognition as the main form of entry into their facilities, rather than continuing to use tools such as keypads or fingerprint scanners that require many people to repeatedly touch the same surfaces daily.

To date, there is limited federal regulation on the use of facial recognition technology. However, lawmakers have begun to propose legislation to establish clearer legal requirements concerning the use of such biometric tools. The Commercial Facial Recognition Act of 2019 would prohibit commercial entities from using facial recognition technology to identify an end user without obtaining “affirmative consent” of the end user. More recently, the Ethical Use of Facial Recognition Act, introduced in February, would pause the government’s use and funding of facial recognition technology until “appropriate guidelines and limitations” are passed.

Into this vacuum of federal direction, states and localities have begun to step up and provide guidance. For example, certain municipalities in Massachusetts have established local ordinances to specifically ban the use of facial recognition technology by government entities. Additionally, states such as Illinois, California, Washington, and Texas have adopted laws concerning the collection and use of biometric identifiers, including fingerprints, handprints, retinal scans, voiceprints, and facial scans. Such laws may impact facial recognition technology. These laws have led to multiple class action lawsuits regarding the use of biometric technology, particularly in Illinois.

If companies plan to use facial recognition technology when they reopen, they will need to consider what options individuals will have who want to enter a facility but do not want to submit to facial scans. The Illinois Biometric Information Privacy Act requires companies to, among other things, provide prior notice and obtain a written release or consent from an individual prior to collecting any type of biometric data, including a facial scan. The US Customs and Border Protection rules concerning US citizens reentering the country at domestic airports provides an opt-out option for travelers who do not want to submit to facial recognition technology.

Certain commercial entities that are already using facial recognition technology for touchless entry offer individuals an opt-out option in their online privacy policies. The issue with online opt-out options, however, is that unless individuals search an entity’s website ahead of time, they may not realize they have the opportunity to opt out of these facial scans or other collection of their biometrics.

As noted, the Illinois Biometric Information Privacy Act requires written consent, and the intent of the proposed Commercial Facial Recognition Act of 2019 is to require commercial entities to obtain “affirmative consent” from end users prior to using facial recognition technology. Affirmative consent would potentially require companies to do more than just post their opt-out options online, and instead provide clear notice so individuals can make a conscious decision (and potentially document) whether they agree to the use of facial scanning technology.

As companies consider the use of facial scanning technology for touchless entry to reopen during or after the COVID-19 pandemic, it is important to remain vigilant on any legal requirements that emerge regarding facial recognition, including current state and local requirements and pending federal legislation. We will provide further updates on this developing area of the law in future posts in Tech & Sourcing @ Morgan Lewis.