This article originally appeared in the June 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag on Twitter and Security Business magazine on LinkedIn.
As COVID-19 continues to make its mark on the world, how do employers and landlords resume daily operations in their office environments? How do retailers welcome back customers? How do sports venues bring back fans? How do restaurants regain the confidence of their patrons?
Biometric technologies may help – enabling the landlord, the store owner, the restauranteur or the team owner to screen who enters a building, to limit where they can travel within the building, and perhaps even trace the people with whom they come in contact.
For these businesses, facial recognition could be a useful tool – particularly if it can recognize facial characteristics despite protective facemasks. If widespread testing is adopted, facial recognition technology, tied to test results, could be used to manage access to buildings.
We already use some form of these technologies for border access. Long before COVID-19, governments around the world deployed these technologies at airports, border checkpoints and other official settings. In the United States, there is resistance to these initiatives by privacy advocates and some private citizens.
Some of my prior columns have addressed the legal use of biometrics, analyzing such issues as the Illinois Biometric Information Privacy Act, facial recognition use by large retailers, the New York’s SHIELD Act, and a trial facial recognition program to protect the White House.
The challenge under the law is to put these technologies to work without being overly intrusive or without violating the patchwork of state privacy and data security laws, which tend to fall into three categories: Those that prohibit the technology outright; those that mandate advance notice and/or consent before collection of biometric data; and those that impose statutory duties to protect the data gathered and to give notice if the data is breached or compromised.
The predominance of regulation in this area is at the state level; however, in March 2019, legislation was introduced in the U.S Senate known as the Commercial Facial Recognition Privacy Act (Senate Bill 847), which sought to require affirmative consent prior to the collection or sharing of facial recognition data. Although the bill is stalled, you can be sure that this issue will be raised again in the U.S. Congress – particularly if businesses adopt facial recognition technology as a way to manage access to facilities.
Organizational Biometric Policies
Meanwhile, it is incumbent on business owners and employers to devise policies and procedures that are compliant with the state law(s) where they do business. First, they need to consider how they will manage access to their buildings and offices.
When it comes to biometric data, clear policies are needed regarding how organizations will use it, collect it and store it, as well as the level of advance notice required to collect the biometric data in the first place. Will they be required to obtain affirmative consent? If affirmative consent is required, but not all entrants of a building give it, can the solution be effective?
Once they have the data and permission to use it, what happens if data is breached or compromised? Is the data transferrable? Will the occupants or customers who enter a particular building have a private right of action if their data is improperly gathered, improperly managed or improperly shared?
These are all difficult questions – and the answers depend on the intricacies of state law. Business leaders around the world must consider these and other questions as they return to work. To navigate these challenges, let’s hope they keep their security provider and their lawyer close…well, six feet apart…but still close.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].
