U.S. Senators Roy Blunt (Mo.) and Brian Schatz (Hawaii) introduced the Commercial Facial Recognition Privacy Act of 2019 to strengthen consumer protections by prohibiting commercial users of facial recognition technology (FR) from collecting and re-sharing data for identifying or tracking consumers without their consent.

“Consumers are increasingly concerned about how their data is being collected and used, including data collected through facial recognition technology,” said Senator Blunt. “That’s why we need guardrails to ensure that, as this technology continues to develop, it is implemented responsibly. This bill increases transparency and consumer choice by requiring individuals to give informed consent before commercial entities can collect and share data gathered through FR. This legislation is an important step toward protecting privacy and empowering consumers, and I encourage all of my colleagues to support it.”
“Our faces are our identities. They’re personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces,” said Senator Schatz, Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet. “Our bill makes sure that people are given the information and – more importantly – the control over how their data is shared with companies using facial recognition technology.”

Under the bill, companies would be required to notify consumers when FR is being used. It also requires third-party testing and human review of technologies prior to their implementation, to address accuracy and bias issues in the technology and avoid use cases that may result in harm to consumers. The bill restricts redistributing or disseminating data to third-party entities without express consent from the end user. It also clearly defines data controllers and data processors in order to make requirements apparent for entities that either develop or vend FR products or services, store facial recognition data, or implement these technologies on physical premises. It would require FR providers to meet data security, minimization, and retention standards as determined by the Federal Trade Commission and the National Institute of Standards and Technology.