U.S. Senators Roy Blunt and Brian Schatz, members of the Senate Committee on Commerce, Science, & Transportation, introduced the Commercial Facial Recognition Privacy Act of 2019.

The bipartisan legislation would strengthen consumer protections by prohibiting commercial users of facial recognition technology (FR) from collecting and re-sharing data for identifying or tracking consumers without their consent. “Consumers are increasingly concerned about how their data is being collected and used, including data collected through facial recognition technology,” said Senator Blunt. “That’s why we need guardrails to ensure that, as this technology continues to develop, it is implemented responsibly. This bill increases transparency and consumer choice by requiring individuals to give informed consent before commercial entities can collect and share data gathered through FR. This legislation is an important step toward protecting privacy and empowering consumers and I encourage all of my colleagues to support it.”
“Our faces are our identities. They’re personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces,” said Senator Schatz, Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet. “Our bill makes sure that people are given the information and – more importantly  – the control over how their data is shared with companies using facial recognition technology.”
While FR has been used for security and surveillance applications for decades, it is now being developed at increasing rates for commercial applications. Many consumers are unaware that FR technology exists in public places and can be used to collect personally identifiable data, which can be shared with undisclosed third parties. By regulating the use of FR in public places, consumers will have transparency and choice in the collection of their physical likeness and know that the data collected is not redistributed or repurposed.
Under the bill, companies would be required to notify consumers when FR is being used. It also requires third-party testing and human review of technologies prior to their implementation, to address accuracy and bias issues in the technology and avoid use cases that may result in harm to consumers. The bill restricts redistributing or disseminating data to third-party entities without express consent from the end user. It also clearly defines data controllers and data processors in order to make requirements apparent for entities that either develop or vend FR products or services, store facial recognition data, or implement these technologies on a physical premise. It would require FR providers to meet data security, minimization and retention standards as determined by the Federal Trade Commission and the National Institute of Standards and Technology.