U.S. Senators Roy Blunt (Mo.) and Brian Schatz (Hawaii) introduced the Commercial Facial Recognition Privacy Act of 2019 to strengthen consumer protections by prohibiting commercial users of facial recognition technology (FR) from collecting and re-sharing data for identifying or tracking consumers without their consent.

Under the bill, companies would be required to notify consumers when FR is being used. It also requires third-party testing and human review of technologies prior to their implementation, to address accuracy and bias issues in the technology and avoid use cases that may result in harm to consumers. The bill restricts redistributing or disseminating data to third-party entities without express consent from the end user. It also clearly defines data controllers and data processors in order to make requirements apparent for entities that either develop or vend FR products or services, store facial recognition data, or implement these technologies on a physical premise. It would require FR providers to meet data security, minimization, and retention standards as determined by the Federal Trade Commission and the National Institute of Standards and Technology.