IN THE SENATE OF THE UNITED STATES
March 14, 2019
Mr. Blunt (for himself and Mr. Schatz) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To prohibit certain entities from using facial recognition technology to identify or track an end user without obtaining the affirmative consent of the end user, and for other purposes.
This Act may be cited as the "Commercial Facial Recognition Privacy Act of 2019".
In this Act:
The term "affirmative consent" means the consent of an end user that involves an individual, voluntary, and explicit agreement to the collection and data use policies of a controller.
The term "controller" means a covered entity that, alone or jointly with others, determines the purposes and means of the processing of facial recognition data.
The term "covered entity"—
means any person, including corporate affiliates, that collects, stores, or processes facial recognition data; and
does not include—
the Federal Government or any State or local government;
a law enforcement agency;
a national security agency; or
an intelligence agency.
The term "end user" means an individual.
Facial recognition technology
The term "facial recognition technology" means technology that—
analyzes facial features in still or video images; and
is used to assign a unique, persistent identifier; or
is used for the unique personal identification of a specific individual.
Facial recognition data
The term "facial recognition data" means any unique attribute or feature of the face of an end user that is used by facial recognition technology to assign a unique, persistent identifier or for the unique personal identification of a specific individual.
The term "process" means any operation that is performed on facial recognition data, including collection, creation, generation, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transfer, dissemination or otherwise making available, combination, erasure, or destruction.
The term "processor" means a covered entity that processes facial recognition data on behalf of a controller.
The term "security application" means loss prevention and any other application intended to detect or prevent criminal activity, including shoplifting and fraud.
Unaffiliated third party
The term "unaffiliated third party" means any person other than—
a user of a product or service of a covered entity;
an employee of a covered entity;
a person under common control or ownership with a covered entity; or
a person to whom—
an end user directed a covered entity to disclose information derived from facial recognition technology; or
information derived from facial recognition technology was disclosed with the affirmative consent of an end user.
Except as provided in subsection (e), it shall be unlawful for a controller to knowingly—
use facial recognition technology to collect facial recognition data, unless the controller—
obtains from an end user affirmative consent in accordance with subsection (b); and
to the extent possible, if facial recognition technology is present, provides to the end user—
a concise notice that facial recognition technology is present, and, if contextually appropriate, where the end user can find more information about the use of facial recognition technology by the controller; and
documentation that includes general information that explains the capabilities and limitations of the facial recognition technology in terms that end users are able to understand;
use the facial recognition technology to discriminate against an end user in violation of applicable Federal or State law;
repurpose facial recognition data for a purpose that is different from those presented to the end user under paragraph (1)(A); or
share the facial recognition data with an unaffiliated third party without affirmative consent that is separate from the affirmative consent required under paragraph (1)(A).
When obtaining affirmative consent, a controller shall make available to an end user a notice that describes the specific practices of the processor in terms that end users are able to understand regarding the collection, storage, and use of facial recognition data, including—
the reasonably foreseeable purposes, or examples, for which the processor collects and shares information derived from facial recognition technology or uses facial recognition technology;
the data retention and deidentification practices of the processor; and
if the controller offers the ability to review, correct, or delete information derived from facial recognition technology, the process to accomplish such actions.
If the processor and controller are not the same entity, the processor shall make easily accessible to controllers the information required under paragraph (1).
Conditioning service on consent prohibited
If the use of facial recognition technology is not necessary for a service, no controller may—
condition the service on consent by an end user to waive privacy rights; or
terminate or refuse the service as a direct consequence of refusal by the end user to provide affirmative consent to the covered entity.
A controller, and the processor if applicable, shall employ meaningful human review prior to making any final decision based on the output of facial recognition technology if the final decision—
may result in a reasonably foreseeable and material physical or financial harm to an end user; or
may be unexpected or highly offensive to a reasonable end user.
Application programming interface
A covered entity that makes a facial recognition technology available as an online service shall make available an application programming interface to enable at least 1 third party that is legitimately engaged in independent testing to conduct reasonable tests of the facial recognition technology for accuracy and bias.
Except as provided in paragraph (2), subsections (a)(1) and (b) shall not apply to controllers that use—
an application that—
is a product or service designed for personal file management or photo or video sorting or storage if the facial recognition technology is not used for unique personal identification of a specific individual;
involves identification of public figures for journalistic media created for public interest;
involves identification of public figures in copyrighted material for theatrical release; or
is used if there is an emergency involving imminent danger or risk of death or serious physical injury to an individual; or
facial recognition data to determine whether an end user has given affirmative consent if the controller immediately and permanently destroys the facial recognition data after determining that the end user has not given affirmative consent.
Subsections (a)(1)(A) and (b) shall not apply to controllers that use an application that is a security application.
Rule of construction
Nothing in paragraph (1)(B) may be construed to authorize the mass scanning of faces in spaces where end users do not have a reasonable expectation that facial recognition technology is being used on them.
Unfair or deceptive act or practice
A violation of section 3 shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).
Powers of Commission
The Federal Trade Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.
Privileges and immunities
Any person who violates section 3 shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act (15 U.S.C. 41 et seq.).
Enforcement by States
If the attorney general of a State has reason to believe that an interest of the residents of the State has been or is being threatened or adversely affected by a practice that violates section 3, the attorney general of the State may, as parens patriae, bring a civil action on behalf of the residents of the State in an appropriate district court of the United States to obtain appropriate relief.
Rights of Commission
Notice to Commission
Except as provided in clause (iii), the attorney general of a State, before initiating a civil action under paragraph (1), shall provide written notification to the Commission that the attorney general intends to bring such civil action.
The notification required under clause (i) shall include a copy of the complaint to be filed to initiate the civil action.
If it is not feasible for the attorney general of a State to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Commission immediately upon instituting the civil action.
Intervention by Commission
The Commission may—
intervene in any civil action brought by the attorney general of a State under paragraph (1); and
be heard on all matters arising in the civil action; and
file petitions for appeal of a decision in the civil action.
Nothing in this subsection may be construed to prevent the attorney general of a State from exercising the powers conferred on the attorney general by the laws of the State to conduct investigations, to administer oaths or affirmations, or to compel the attendance of witnesses or the production of documentary or other evidence.
Venue; service of process
Any action brought under paragraph (1) may be brought in—
the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code; or
another court of competent jurisdiction.
Service of process
In an action brought under paragraph (1), process may be served in any district in which—
the defendant is an inhabitant, may be found, or transacts business; or
venue is proper under section 1391 of title 28, United States Code.
Actions by other State officials
In addition to a civil action brought by an attorney general under paragraph (1), any other officer of a State who is authorized by the State to do so may bring a civil action under paragraph (1), subject to the same requirements and limitations that apply under this subsection to civil actions brought by attorneys general.
Nothing in this subsection may be construed to prohibit an authorized official of a State from initiating or continuing any proceeding in a court of the State for a violation of any civil or criminal law of the State.
Not later than 180 days after the date of enactment of this Act, the Federal Trade Commission, in consultation with the National Institute of Standards and Technology, shall promulgate regulations, in accordance with section 553 of title 5, United States Code—
describing data security, minimization, and retention standards to be met at a minimum by processors;
defining what is harmful and highly offensive under paragraphs (1) and (2) of section 3(c); and
expanding the list of exceptions described in section 3(e) in cases where it is impossible for a controller to obtain affirmative consent from, or provide notice to, end users.
In promulgating regulations under subsection (a), the Commission shall consider, among other factors—
the size of the processor;
the complexity of the offerings of the processor; and
the nature and scope of the activities of the processor.
Relation to State laws
This Act shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this Act, and then only to the extent of the inconsistency.
Greater protection under State law
For purposes of this Act, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this Act, as determined by the Federal Trade Commission.
Relation to other privacy and security laws
Nothing in this Act may be construed to—
modify, limit, or supersede the operation of any privacy or security provision in any other Federal or State law (including regulations); or
limit the authority of the Commission under any other provision of law.
This Act shall take effect on the date that is 180 days after the date of enactment of this Act.