When considering privacy risks, thoughts typically turn to personally identifiable information such as account numbers, demographic data, credit card information, usernames and passwords. These types of information are certainly of considerable concern. Historically these were the types of personally identifi able information companies collected and used – and were the most valuable targets for bad actors. However, there is another type of personally identifi able information that can’t be hidden, can’t be changed, is extremely sensitive to customers, and is increasingly collected and used – facial and biometric recognition.

Facial recognition uses sophisticated software, typically artifi - cial intelligence algorithms, to analyze captured images and quickly determine a person’s identity. Imagine a hotel that immediately greets guests by name, provides a guest’s preferred beverage without request, controls room and elevator access without a keycard, and can gather data on the behavior of every guest in the hotel to improve services. This technology is already in use in hotels and casinos. In China, Marriott is piloting facial recognition for check-in. In Europe, some high-end properties have reportedly begun using facial recognition to identity VIP guests for special treatment. Otherpossible uses of facial recognition include customer recognition and personalization, access and security, and marketing research. In the diverse and rapidly evolving hospitality industry, the competitive advantage of facial recognition is indisputable.

Just as indisputable are the privacy concerns such technology creates. Laws already exist to limit the use of facial recognition, and regulation will certainly grow.

Probably the most well-known privacy law is the European Union General Data Protection Regulation (GDPR). In the GDPR, biometric data, including facial features, falls within the defi nition of “sensitive personal data,” subjecting it to a higher level of protection. Under the GDPR, limitations apply when “specifi c technical means” are used to identify a person from biometric data, not simply when images of the face are captured. In commercial use, a facial recognition program will comply with GDPR only when the subject provides explicit consent. 

It is not enough to simply inform subjects that it is happening, even if they are given the option of opting out. The GDPR also requires a formal “Data Protection Impact Assessment” before a company can collect or use biometric data. This entails a formal review of the privacy issues related to the collection and use biometric data. Due to these strict regulations, companies that service EU countries and citizens need to exercise caution.

It is not just the EU. Similar limitations already exist in some parts of the United States and are spreading. One U.S. privacy law closely watched by both industry and privacy proponents is the California Consumer Privacy Act (CCPA), currently scheduled to go into effect in January 2020. The CCPA, while still subject to revision before implementation, will be the most comprehensive privacy law in the U.S. In its current iteration, the CCPA specifically applies to biometric data, including facial recognition, and while it currently does not require affirmative opt-in, it does require notification and the right to opt-out of collection and use of biometric data.

Several other U.S. states, most notably Illinois, have their own laws prohibiting the use of biometric data, and some even allow aggrieved individuals to sue for violations. In one example, a Six Flags theme park was sued for collecting thumbprints of park patrons. In other examples, social media sites have been sued for using facial recognition algorithms without explicit consent. It is critical to review whether any such state laws may apply before implementing a facial recognition program. For example, the Illinois law requires written consent of the subject and sets strict time retention limits. Three states, Illinois, Texas, and Washington have laws addressing these issues, and at least three others have proposed legislation.

What does a company need to do if they wish to be on the leading edge of this technology? Under most of the current privacy models that address facial recognition, affirmative consent is the key factor. The most obvious solution is to limit facial recognition to brand loyalty members who will have given express consent to the use of their biometric data. Another way to ensure that the customer is giving knowing consent is to require the customer to provide an image of their face in concert with consent. This way images captured on-site can be compared only to stored images of customers who have given consent. Any images captured on-site that do not match to a consenting customer need to be destroyed immediately.

Facial recognition has clear benefits and will be used in the hospitality industry in new and exciting ways. However, prior to implementation it is critical to understand the legal regime that applies to a particular company or property and understand what limitations may apply.