Members of Congress put forward a bill today named the National Biometric Information Privacy Act, which would make it illegal for businesses to collect, purchase, or trade biometric information obtained from customers without permission. This includes face prints used in facial recognition, voice prints used for AI assistant personalization, eye scans, and other forms of unique information about a person’s body used to identify people.
The law was proposed today by Sen. Jeff Merkley (D-OR) and Sen. Bernie Sanders (I-VT). During his run for president, Sanders made a ban on facial recognition use by police part of his criminal justice reform plan. Merkley cosponsored a bill in June that would ban facial recognition use by the federal government, and in February he cosponsored the Ethical Use of Artificial Intelligence Act, a bill that would establish a commission whose job would be to ensure fair applications of facial recognition.
The move comes just days after Reuters reported that Rite Aid used facial recognition in hundreds of stores in cities like New York and Los Angeles, often in low-income communities. If passed, the bill would require companies deploying facial recognition, as well as AI assistants like Amazon’s Alexa and Google Assistant, to get approval from users.
The law would require businesses to enact biometric policy within 60 days “establishing a retention schedule and guidelines for permanently destroying such biometric identifiers.” The law can require that biometric data be deleted within one year of collection by a private entity. That data can be altered if the data is considered part of a valid warrant or subpoena.
“We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent,” Merkley said in a statement. “We have to fight against a ‘big brother’ surveillance state that eradicates our privacy and our control of our own information, be it a threat from the government or from private companies.”
Under the law, businesses could collect or trade biometric data if it involves providing a service to a customer and some other limited purposes, but the customer must first be informed in writing and give consent. These sorts of written releases cannot be involved in employment contracts. Individuals who feel their rights were violated would be able to sue the company. Whether or not a business receives liability protection is an issue that comes up in Congress when it relates to algorithmic bias as well as overarching privacy legislation and even COVID-19 relief bills.
The National Biometric Information Privacy Act resembles an Illinois law that protects against collection of biometric data without consent. As a result of the law, last month, Facebook paid $650 million in a class-action lawsuit settlement for its collection of data for facial recognition. Multiple lawsuits have also been filed against tech companies under the Illinois law, including an ACLU lawsuit against Clearview AI and Amazon and Google, whose respective AI assistants Alexa and Google Assistant record exchanges after hearing the “Alexa” or “Hey, Google” wake words.
Legislation introduced today follows a flurry of activity earlier this year to push back against the use of facial recognition following continued calls for police reform and the dismantlement of institutional racism during Black Lives Matter protests across the country. Alongside commitments from Amazon, IBM, and Microsoft to pause or discontinue facial recognition sales to police, in June the first known case of a person falsely arrested due to misidentification by a facial recognition system emerged in Detroit. Also in June: Citing potential discrimination, Boston became one of the biggest cities in the country to ban use of facial recognition. State lawmakers are currently considering a bill that would ban facial recognition use, which would make Massachusetts the first state to ban use of the technology.