US City Ends Public Use of Facial Recognition by Private Sector

Since the beginning of 2021 private businesses have been prohibited from using facial recognition technology in public places throughout the US city of Portland, Oregon. Though several cities had already banned the use of the surveillance technology by branches of government, Portland’s laws go significantly further by allowing members of the public to claim damages of USD1,000 for every day a business violates their new rights. Portland’s anti-surveillance rules were imposed following a unanimous decision by the city council in September.

David J. Oberly, attorney at Blank Rome LLP, writes in BiometricUpdate.com about how extensive the law is:

The ban defines “private entities” in an extremely broad fashion as “any individual, sole proprietorship, partnership, corporation, limited liability company, association, or any other legal entity, however organized.”

Similarly, the scope of the ban itself is extensive as a result of the ordinance’s definition of “places of public accommodation, which under the law means any “place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise.”

The law will not just affect businesses directly serving the 650,000 inhabitants of Portland. It also effectively mandates new compliance procedures for any business involved in processing the associated data. Rather than trying to monitor and track every different place that introduces new rules, it is likely that firms involved in matching images of people to biometric databases will need to accommodate the selective prevention of the capture of information relating to individuals whose new rights would otherwise be violated. This will be especially relevant to those working in the field of security and identity verification, as they are likely to be amongst the most aggressive adopters of facial recognition technology. As Oberly noted:

To minimize risk in the face of this increasing scope of liability exposure, companies that incorporate facial recognition into their operations or intend to do so in the future should take proactive measures to develop and implement facial recognition biometrics compliance programs to ensure continued compliance with today’s increasingly complex web of biometric privacy laws.

The use of biometrics can be controversial, and it is unsurprising that a city of Portland would adopt such a strong stance given it is a hotbed for anti-racist activism and there are legitimate concerns about the use of facial recognition technology accentuating racial bias. There are other countries where the use of the same technology is already being normalized, and these disparities will soon become apparent to technology and communications businesses who serve customers across borders. Managing different expectations will likely prove challenging and any business planning to rely upon biometrics for identifying customers will need expert guidance as they navigate a legal and cultural minefield.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.