On June 14, Baltimore passed Council Bill 21-0001 and will become the second U.S. jurisdiction to enact sweeping facial recognition regulation that bans the use of facial biometrics by any private entity or individual within city limits.

While a number of cities have enacted laws prohibiting law enforcement and other governmental agencies from using facial recognition, Portland, Oregon, became the first jurisdiction to extend a blanket ban over the use of this technology to the private sector in September 2020.

The Baltimore ordinance goes even further than its Portland counterpart by imposing criminal penalties of up to a year in jail on companies and individuals that run afoul of the ban.

The ordinance is currently awaiting signature from Baltimore Mayor Brandon Scott and will go into effect 30 days after it is enacted.

Council Bill 21-0001: Baltimore's Private-Sector Face Surveillance System Ban

Under the ordinance, individuals and businesses are prohibited from obtaining, retaining, accessing or using within the city limits of Baltimore any facial surveillance system or any information obtained from it. A facial surveillance system is defined as any software or application that performs an automated or semiautomated process to assist in identifying or verifying an individual based on the physical characteristics of the individual's face.

The ordinance is essentially boundless in its scope, applying to both individuals and all types of entities alike and offering only a single, narrow carveout for biometric security systems designed to protect against unauthorized access to a particular location or electronic device. With that said, the law does provide one additional noteworthy carveout — for law enforcement, which is completely exempted from the ordinance.

The ordinance also contains a sunset provision, which will trigger the automatic expiration of the law at the end of 2022 in the event that Baltimore lawmakers do not vote to approve a five-year extension of the ban before that time.

Enforcement and Penalties

One of the most noteworthy aspects of the ordinance is its enforcement and penalty scheme. The law not only subjects violators to civil penalties of up to $1,000 but also makes any violation a criminal misdemeanor offense punishable by up to 12 months in jail.

This element of the Baltimore ordinance goes far further than the private-sector facial biometrics ban instituted by Portland — which only subjects violators to liquidated damages and attorney fees — and is the first piece of biometric privacy legislation to criminalize the use of facial recognition. In addition, under the law each day that a violation continues is a separate offense.

Analysis and Takeaways

Recently, states and cities from coast to coast — and even the federal government — have increased their efforts to enact legislation directly targeting the use of facial recognition technology. Until the Portland ordinance, however, other jurisdictions had limited the scope of their facial biometrics bans to the public sector and law enforcement in particular.

Baltimore has now taken this new, draconian form of biometrics regulation a significant step further by applying criminal penalties to private entities and individuals that violate the ban.

The new Baltimore ordinance continues the recent trend of municipal lawmakers taking matters into their own hands and enacting biometric privacy regulation while state and federal legislators continue to drag their feet on implementing new requirements and restrictions over the collection and use of biometric data.

Moreover, the recent success seen by both Portland and now Baltimore in enacting sweeping, across-the-board private-sector bans may provide lawmakers in other jurisdictions with significant motivation to try their hand at enacting similar laws banning private entities from using facial recognition or other types of biometrics altogether.

Similarly, the Baltimore ordinance may provide strong encouragement to lawmakers who are contemplating the prospect of enacting robust requirements and limitations over the use of this technology — but who do not have an appetite for passing an outright ban — to push forward with strict regulation paralleling that of the well-known Illinois Biometric Information Privacy Act.

Taken together, it is clear that potential liability exposure stemming from the use of facial biometrics will increase steadily — if not drastically — in the immediate future.

What To Do Now

Due to the rapidly expanding liability risk associated with the use of facial biometrics, it is imperative that companies utilizing facial recognition software devote the necessary time, effort and resources to minimize their liability exposure to the greatest extent possible.

Companies located in Baltimore should take immediate action to ascertain whether any form of facial recognition software is being used. If so — and the technology does not serve the purpose of protecting against unauthorized access to a particular location or electronic device — the use of facial recognition should be eliminated across the board immediately.

And although the ordinance has yet to go into effect, companies should act now in order to give themselves sufficient time to ensure all facial recognition tech has been fully disabled and to evaluate whether an alternative, suitable technology can be implemented in its place to accomplish the objectives for which facial recognition was used.

From a broader perspective, all companies — regardless of where they are located — should take proactive measures to build out their biometric privacy compliance programs to ensure the ability to adeptly respond to the additional new facial recognition laws that will likely be put in place in other parts of the country in the coming months and years. In particular, companies should consider the following:

Accuracy and Bias Testing

Because facial recognition software can produce results that are biased in ways that harm particular ethnic and racial groups, predeployment testing of facial recognition technology should be completed to ensure its effectiveness and accuracy before it is used in real-time situations.

Privacy Policy

Develop a publicly available, detailed facial recognition-specific privacy policy that includes, at a minimum, clear notice that facial template data is being collected, as well as additional information regarding the purposes for which facial template data is used and the company's schedule and guidelines for the retention and destruction of this data.

Written Notice

Provide written notice — prior to the time any facial template data is collected — that clearly informs individuals that facial template data is being collected, used and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is destroyed.

Written Consent (Release)

Obtain written consent by ensuring that, prior to the time any scans of facial geometry are collected, all individuals execute a written release relating to the collection and use of their facial template data. The release should permit the company to collect/use the individual's facial template data and disclose that data to third parties for business purposes.

Opt-Out Choice

Permit individuals to opt out of the collection of their facial template data.

Data Security

Safeguard facial template data by maintaining data security measures that satisfy the reasonable standard of care applicable to the company's given industry. The measures should also protect facial template data in the same or a more protective manner as that by which the company protects other forms of sensitive personal information.

Explicit Prohibitions on Using Technology for Discriminatory Purposes

Maintain an explicit policy strictly barring the use of facial recognition technology by employees, contractors or vendors to discriminate unlawfully against individuals or groups of individuals.

Conclusion

The responsible use of facial recognition technology by commercial entities continues to be a popular topic of national conversation.

To further complicate matters, facial biometrics continues to receive a significant amount of negative media coverage stemming from allegedly improper or controversial uses of this technology. All of this has put significant pressure on lawmakers to implement greater regulation over the collection and use of facial template data.

As such, companies that operate in Baltimore must take action immediately — if they have not already done so — to ensure compliance with the city's new private-sector facial recognition ban.

At the same time, all companies that use facial biometrics, even those that are not currently subject to any biometric privacy laws, should ensure they have in place flexible, adaptable biometric privacy compliance frameworks that integrate the common elements required across today's growing body of biometric privacy regulation.

Doing so now will put companies in a position where only small adjustments will be required to come into compliance with any new requirements or restrictions placed on the collection and use of facial template or other types of biometric data. This will allow entities to maintain ongoing compliance even if many new wrinkles are added to the legal landscape over a condensed period of time.