The National Telecommunications and Information Administration finalized its privacy guidelines for the commercial use of facial recognition (“the Guidelines”), which introduce a set of voluntary best practices for the commercial use of facial recognition technology.

The Guidelines generally apply to any person, including corporate affiliates (collectively, “Covered Entities”), that collects, stores or processes facial template data, namely, a unique facial measurement generated by automatic measurements of an individual’s facial characteristics, which is used by a Covered Entity to uniquely identify or authenticate an individual. The Guidelines do not apply to the use of facial recognition for the purpose of aggregate or non-identifying analysis.

The Guidelines cover transparency, privacy, security and other essential topics relating to the use of facial recognition. In particular, the Guidelines include the following requirements:

  • Transparency: Covered Entities should disclose to users their data practices regarding the collection, storage and use of facial template data (e.g. by referring them to a suitable privacy policy). Such disclosure should elaborate on the purposes of the data collection, the data retention periods, the use of any de-identification practices, and more.
  • Privacy by design: The Guidelines suggest that, when developing their facial template data management practices, Covered Entities should consider certain issues, such as: how facial template data will be stored and used; the collection and processing of any non-facial recognition sensitive data; the risks and harms this process may impose on users; and the reasonable expectations of users with respect to the use of their facial template data.
  • Data sharing: Covered Entities should offer their users the opportunity to control the sharing of facial template data with third parties.
  • Security: Covered Entities should implement reasonable security measures to safeguard users’ data, consistent with the nature and scope of the activities of the Covered Entities and the sensitive nature of the data.
  • Users’ privacy rights: Covered Entities should take reasonable steps to maintain the integrity of the facial template data collected by them and to offer users a procedure to contact the Covered Entity with regard to its use of facial template data.

These Guidelines reflect the privacy and security risks surrounding the use of facial recognition technology and demonstrate the focus of the industry, as well as other regulators, on addressing the various privacy and security concerns stemming from these technologies.