Last week, the multistakeholder group convened by the National Telecommunications and Information Administration (“NTIA”) to create set of voluntary best practices for the commercial use of facial recognition technology finalized its guidelines. While the three-page code of conduct was praised by industry groups, including the Software & Information Industry Association and Consumer Technology Association, many consumer groups, who withdrew from the process before the guidelines were finalized, criticized the final product as weak and flawed.
The guidelines are the result of a more than two-year process, first announced by the NTIA in December 2013. They recommend commercial entities do the following:
- Disclose their practices regarding collection, storage, and use of facial template data to consumers, including any sharing, retention, and de-identification policies;
- Provide notice to consumers where facial recognition is used on a physical premises;
- Consider privacy concerns when developing data management programs;
- Protect facial recognition data by implementing a program that contains administrative, technical, and physical safeguards appropriate to the entity’s size, complexity, the nature of its activities, and the sensitivity of the data;
- Take reasonable steps to maintain the integrity of the data collected; and,
- Provide a means for consumers to contact the entity regarding its use of the data.
The guidelines do not apply to the government’s use of facial recognition technology — the document specifically references “security applications, law enforcement, national security, intelligence, or military uses” — or to situations where the technology is used for the purposes of aggregate or non-identifying analysis.
These guidelines are the latest in a series of best practices documents drafted by NTIA multistakeholder groups. In 2013, a group released a voluntary code of conduct to promote transparency in mobile app practices, although few members actually agreed to adopt the code. Last month, another stakeholder group released a voluntary best practices document for drone privacy. It remains to be seen whether that document, or this most recent facial recognition document, will be followed by industry.