Is Facial Recognition Legal?

The Technology and the Concerns

Over the past decade, computer technology has advanced at an amazingly fast rate. Problems that were once unthinkably complex, such as self-driving cars, are becoming reality.

Though technology moves quickly and benefits many people, both developers and those who seek to profit from technology – especially those who seek to profit from it – often fail to adequately address the potential downsides of a new and highly profitable technology.

Most people had never heard of facial recognition technology before Facebook implemented it about seven years ago. The first reaction many people had was, “Wow! This is pretty amazing!” And, if you were like me, the second reaction was, “I don’t think I signed up for this.” Indeed, many people find facial recognition to be creepy or even a downright invasion of privacy. Though the internet (and the massive amounts of data people upload about themselves) has eliminated much of the privacy Americans used to enjoy, facial recognition has taken that to a whole new level. Once a person’s facial geometry has been entered into a database, every online image of the person can be scanned, identified, and linked to him or her even if the image was uploaded without the subject’s consent.

Why, you may ask, would companies want this data? Why is it so lucrative? Well, the most obvious application is advertising. Facial and object recognition have become amazingly accurate, with extremely quick processing times. This TED Talk shows that even a standard mobile phone can run a program that instantly recognizes objects. If consumers’ identities can be linked to their facial geometry, and if every image of that consumer can be scanned for nearby objects (or people), the data can be added to the advertising broker’s profile for that consumer. The more data the broker receives and the higher the quality of that data, the more valuable the data is to advertisers who may want to purchase it. For instance, if John Smith has posted 100 photos of himself hugging his iPhone with a big smile on his face (the programs are starting to decipher emotions too), you can bet that sellers of iPhone accessories will be interested in advertising to him.

Let’s take this a step further. Using real-time facial recognition, a business could place cameras around its store and use them to recognize people, run them through a database (perhaps even its own customer database—no more loyalty cards!), and send a promotion to their mobile devices as they walk by. (Apple Watches do have a use!) This is a whole new level of ad targeting that would be very valuable.

Though customized advertising is annoying and a little creepy, the list of nefarious uses for this technology is endless. Have you ever wondered how anyone born in the ’90s or later will be able to run for political office? I have. It used to be hard to dig up dirt on political opponents. Now, technology makes it easy to find every picture of a candidate that exists online (including the one of the candidate smoking weed in college). Not only can people be quickly identified, but so can the other individuals in the photograph. If candidates hung out with the wrong people, this information could easily be found and used against them.

Given the prevalence of cameras in our society (a large percentage of public urban space is photographed by one camera or another at all times) and the existence of quick facial and object recognition, one has to wonder if it will only be a matter of time before a company or governmental agency comes up with a scheme to either link all cameras or place their own through some sort of camera leasing scheme. Once such a system is in place, and as computing power continues to exponentially increase, it is only a matter of time before someone will be able to know what you are doing at all times and who you are doing it with.

Is Face Recognition Legal?

Face recognition, also known as “facial geometry recognition,” has slipped by most of the agencies that would be inclined to regulate it. Whether this is because laws move very slowly or because of the tech industry lobbyists is debatable. However, a few states, including Illinois, have chosen to regulate facial recognition technology (and other biometric data).

In October of 2008, Illinois enacted the Biometric Information Privacy Act. The act was aimed at protecting an individual’s biometric identifiers, including facial geometry, from unauthorized collection, use, and sale. The Act applies to both private individuals and entities – basically everyone but federal, state and local government – and sets forth requirements for those who possess face recognition data. The legal requirements are discussed below.

For the sake of convenience, I will refer to an entity that deals in facial recognition data as the “Company” even though the law applies equally to individuals and non-profits.

Written Consent Is Required

In order for a Company to collect, capture, purchase, receive through trade, or otherwise obtain face recognition data or facial geometry data, the subject of that data must sign a written release. If any such data is collected or used without a written release, the Company is in violation of the law.

In addition to obtaining a written release, the Company must also advise the subject, in writing, that his or her facial recognition data is being collected or stored, the purpose for which it is being collected or stored, and the length of time for which the face recognition data will be collected, stored, and used. If these requirements are not met, the Biometric Information Privacy Act has been violated.

A Written Policy Is Necessary

Companies in possession of facial geometry data must have a written policy regarding the length of time the facial recognition data will be held. The policy must be available to the public, and the policy must provide that the data will be permanently destroyed when the purpose for collecting the data has been satisfied or within three years after the individual’s most recent interaction with the Company, whichever comes first.

The policy must include guidelines for destroying the face recognition data, and the Company must follow its policy except in cases of a valid warrant.

No Profiting, Trading, or Disclosure Is Permitted

Even if a Company has written consent from the subject to collect, store, or use face recognition data, the Company is not allowed to sell the data or profit from someone’s facial geometry under any circumstances. This is hugely important because many of the companies that collect biometric data do so in the hopes that they can sell the (hugely valuable) data in the future. There is nothing in the Biometric Information Privacy Act that allows a waiver of this provision.

The law also specifically prohibits the trading and leasing of facial recognition data. Once again, there is no provision allowing this prohibition to be waived. Companies cannot sell or make money off of the subject’s data in Illinois.

Conversely, a Company is allowed to disseminate or disclose the subject’s facial recognition data if one of the following conditions is met:

  1. The subject consents to the disclosure;
  2. The disclosure completes a financial transaction that was authorized or requested by the subject;
  3. The disclosure is required by state, federal, or local law; or
  4. The disclosure is pursuant to a valid warrant.

The Holder of Face Recognition Data Must Keep It Safe

If a Company has written consent from the subject and has a written policy with respect to the destruction of facial geometry data, the Company is allowed to collect and hold the facial recognition data, but the Company is still required to keep the data safe. As we are all aware, hackers have targeted all valuable data that is stored in computers. The massive 2017 hack of the Equifax data aggregator demonstrated what many of us already know: even the most sensitive information held by the biggest of companies can be exposed to hackers and those that may abuse it. Over 100 million people were potentially impacted by the Equifax breach. The data held by credit reporting agencies like Equifax is of the most personal type – the type often used to confirm the identity of people completing remote transactions. The breach will likely impact those affected for the rest of their lives.

Though the damage done by the Equifax breach (and the many others that have occurred in recent years) is massive, most of the data collected (such as social security numbers and account numbers) can theoretically be changed. However, biometric markers such as facial geometry, fingerprints, retina characteristics, voice prints, and hand geometry are almost completely unchangeable. If biometric data is compromised, the subject must either cease using the biometric for identification or transactions or be at risk for identity theft for the rest of his or her life.

Illinois considered the sensitive and immutable character of face recognition data when drafting the Biometric Information Privacy Act. Accordingly, the state imposed the following requirements on Companies that possess face recognition data:

  1. The Company must protect facial geometry data in accordance with the reasonable standard of care in the Company’s industry when storing or transmitting the data; and
  2. The Company must protect face recognition data in a manner that is equal to or more protective than the manner in which it protects other confidential and sensitive information (for example social security numbers and account numbers).

Victim’s Rights When the Law Is Violated

If a Company violates the Biometric Information Privacy Act when collecting, handling, storing, or transmitting face recognition data, the subject of that data has substantial rights under Illinois law.

Illinois provides the victim with a monetary award when a Company captures, uses, stores, or transmits facial recognition data without complying with every part of the law. The amount of the monetary award depends on whether the violation was negligent, reckless, or intentional.

If the Company negligently fails to comply with the Biometric Information Privacy Act, the victim whose facial geometry was mishandled is entitled to a $1,000.00 award or the value of the actual harm caused, whichever is greater.

If the Company recklessly or intentionally violates the Act, the victim is entitled to a $5,000.00 award or the value of the actual harm suffered, whichever is greater.

Because Companies are not in the habit of admitting they violated a law or paying out monetary awards to victims, the victim will usually have to take the Company to court. Fortunately, the Biometric Information Privacy Act also provides that if the victim’s suit is successful, the Company will have to pay attorney fees, expert witness fees, and litigation expenses.


Illinois has recognized that the collection, storage, and transmission of facial recognition data raises important privacy concerns and carries the risk of irreparable harm if exposed to hackers and other criminals. Because of this, Illinois enacted the Biometric Information Privacy Act to ensure that companies do not collect facial geometry or other biometric identifiers without the subject’s consent. In cases where consent is given, Illinois regulates the manner in which the data can be stored, the purposes for which it can be used, and the length of time a company may keep the data.

If a company fails to follow the law, the Act provides substantial rights to victims including an award of money, litigation costs, expert fees, and attorney fees. This gives consumers the ability to exercise their rights even if they are not able to afford a lawyer.

If you are an Illinois resident and believe your face recognition data was improperly stored, collected, or used, you can click this link to fill out a short form so we can try to connect you with an appropriate lawyer.