As COVID-19 continues to shutter business across industries, both the public and private sectors are grappling with safe ways to reactivate workers and re-engage consumers. Facial recognition and other biometric technologies (for instance, fingerprinting, voiceprinting, and retina, facial, hand, or eye imaging) offer possible solutions. Evaluating health risks without the need for physical contact may be key in phased return to regular business in many parts of the country. However, these same technologies confront a complicated patchwork of state and municipal privacy laws that can prove inconsistent and onerous in their scope and application. So as we look to reopen the country, the COVID-19 crisis very well may cause us to rethink how we view privacy and regulate biometric technologies. For example, under what circumstances, can a landlord, a retail store, or other commercial tenants use such technologies to determine who has had the virus and who is safe to come to work?
To be sure, tension between privacy and biometric technologies began long before the COVID-19 pandemic. Concerns over government usage of forms of biometric surveillance, including facial recognition, surfaced as technology proliferated at airports, border checkpoints, and with police body cameras. The same technology now is causing similar concerns as other countries – China, for example – are using facial recognition to enforce compliance with quarantine orders and to detect pedestrians’ body temperatures in crowds. Indeed, advances in biometric technologies now allow the ability to recognize individuals even if they are wearing masks, and biometric identification systems can offer “non-refutable” proof of antibodies by linking test subjects to results, which could enable a more targeted approach to vaccines, once available. This could prove to be of tremendous value to U.S. companies.
Specifically, in the commercial property world, landlords and office building owners tasked with the health and security of tenants and employees may find facial recognition to be a particularly useful tool. If widespread testing is implemented to determine COVID-19 immunity, facial recognition technology could potentially be used by landlords to similarly permit (or deny) building entry. Retailers similarly could use the technology to determine who is permitted to work in or patronize a store or restaurant. However, before property owners, retailers, and other businesses consider the use of facial recognition and other biometric technologies for their employees or their customers, they should give careful consideration to the varying requirements and restrictions of their state and local laws.
Biometric laws may impose notice and consent requirements, and may regulate when and if, for example, facial recognition can be used. Currently, these laws offer little if any guidance to businesses like landlords considering what options would be available if some tenants provided consent to use the applicable technology and others did not. Various jurisdictions also place limitations on how the collected data can be used or shared, as well as establish requirements to secure or dispose of the collected data in specific ways. As biometric technology becomes more sophisticated and easily available to businesses, the location of the data collection becomes a threshold issue that should inform whether and how a business can successfully implement biometrics to benefit their (and potentially the public’s) interest while complying with privacy laws.
Presently, approximately 39 laws have been proposed or passed at the city, state, and federal level that implicate private sector usage of facial recognition or biometric data more broadly. These laws tend to fall into two (sometimes overlapping) categories of legislative trends on biometrics: (1) those that require proactive obligations prior to or as part of collective biometric data (like the notice and consent issues referenced above) or prohibit the technology outright; and (2) those that impose reactive responsibilities on businesses after they have collected biometric data (primarily by including biometrics in the definition of “personal information,” triggering a notice requirement if breached). Both of these trends can significantly impact commercial real estate and other private sector businesses considering the technologies even before COVID-19-related privacy issues are taken into account, as numerous examples in recent years have shown.
In 2018, the owner of an apartment complex in Brooklyn, New York, faced this dilemma when it sought to replace key fobs with a facial recognition tool to improve building security. After tenants protested potential privacy violations, the owner withdrew its application to install the system. Mixed signals to landlords quickly followed. In 2019, New York state lawmakers introduced Bill No. A07790 (still pending) to prohibit landlord use of facial recognition technology at any residential premises. At the same time, New York state legislators also successfully expanded data security and breach notification law requiring landlords – among others – to implement security safeguards for collected private information (including biometrics), and to disclose any breach of such information under the state’s data breach notification law (the Stop Hacks and Improve Electronic Data Security Act). Of course, New York is not alone in regulating a landlord’s possession of biometric data. For example, both Maryland and North Carolina similarly impose breach notification laws, with additional discrete requirements; Maryland’s Personal Information Protection Act requires procedures to secure its residents’ biometric data (the Personal Information Protection Act), while North Carolina’s Identity Theft Protection Act prevents disclosure of residents’ biometric data if they object.
Beyond laws that prohibit or impose reactive responsibilities on biometric technologies like facial recognition, a handful of states require proactive limitations on the collection, use, and disclosure of biometric data in the private sector, primarily by requiring that a business provide clear, transparent notice and (for some states) obtain written consent from the data subject prior to collection. Despite certain unresolved questions about their specific requirements, a paragon of these laws has been in effect for over a decade. In 2008, Illinois lawmakers enacted the Biometrics Information Privacy Act (740 Ill. Comp. Stat. 14/1 et seq.), which – subject to certain exceptions – restricts a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining biometric data without first providing statutory notice and receiving a signed, written release (id. at 14/15(b)). Texas and Washington have similar biometric privacy laws, but with a few notable differences. Unlike Illinois’ law, neither the Texas nor Washington laws provide for a private right of action. In addition, Texas’ and Washington’s biometric privacy laws do not specifically require written consent for biometric collection, but documenting such consent is a best practice nonetheless. Washington’s statute also includes a number of exceptions with respect to unauthorized disclosure – one exception being to “protect against or prevent actual or potential fraud, criminal activity, claims, security threats, or liability.” This security exception might allow a private entity to disclose an individual’s information without obtaining prior consent. Unlike Illinois, Texas, and Washington, California’s Consumer Privacy Act (Cal. Civ. Code section 1798.100) does not require prior consent – with some exceptions depending on how the collected information is used – but does require proactive notice obligations and deletion rights for biometric data. These states are unlikely to be the last to implement such laws, and landlords or other businesses considering the implementation of facial recognition or other biometric technology will have to consider the implications depending on where they intend to operate and the intersection with a likely staggered timeline of states reopening amid COVID-19 concerns.
It is unlikely that these issues will be uniformly resolved at either the state or federal level before states begin to reopen. In March 2019, U.S. Senator Roy Blunt (D-MO) introduced the Commercial Facial Recognition Privacy Act (Senate Bill 847) to require that affirmative consent be obtained prior to the collection or sharing of facial recognition data. With no legislative action taken since its introduction and congressional focus squarely on COVID-19 recovery, it is likely that businesses recognizing the relationship between that recovery and biometric applications will need to navigate the patchwork of state (and other federal) laws without a balanced or consistent legal framework in-place.
Conclusion
Legislation in the area of facial recognition and other biometric technologies will continue to evolve as states determine whether it is safe to reopen their communities, and what role (if any) such technologies should play. Without a comprehensive federal consensus to regulate these technologies, real estate owners, operators, and managers interested in their use face an uncertain path going forward, and will need to have policies and procedures in place to address the complicated legislation in those states across the nation that have addressed this technology as it applies to them. Questions abound as to how, when, and what the requirements addressing the use of facial recognition technology are or will be:
- Is a landlord or retail operator required to post written statutory notice and obtain a written release before using facial recognition as customers enter, pass through security, and check out?
- What are the rules controlling the storage and disposal of biometric identifiers and biometric information?
- Can the property owner or operator sell collected biometric identifiers and biometric information?
- From the customer’s perspective, can an individual file a lawsuit to protect their privacy and personal biometric identifiers and biometric information?
- Can such biometric identifiers and biometric information be shared with other interested parties?
Reed Smith’s real estate and data privacy attorneys can assist you in evaluating your state’s legislation as it relates to the use of biometric data and facial recognition in the real estate industry. Please contact us to request an evaluation of the law in your state.
Our Reed Smith Coronavirus team includes multidisciplinary lawyers from Asia, EME and the United States who stand ready to advise you on the issues above or others you may face related to COVID-19.
For more information on the legal and business implications of COVID-19, visit the Reed Smith Coronavirus (COVID-19) Resource Center or contact us at COVID-19@reedsmith.com
Client Alert 2020-276