<https://www.lexology.com/library/detail.aspx?g=b5d0d5f9-f275-4eab-871d-c09e2...> On March 14th, U.S. Senators Roy Blunt of Missouri and Brian Schatz of Hawaii introduced a bill to regulate the commercial applications of facial recognition technology. The bill, “The Commercial Facial Recognition Privacy Act of 2019” (“the Act”), would prohibit certain entities from using facial recognition technology and data without first obtaining user consent. While there have been many privacy-focused bills introduced at the federal level, the Act stands out, as it appears to have both bipartisan legislative backing and support from the tech industry. OVERVIEW Scope The Act applies to private entities that collect, store, or process facial recognition data, and regulates how and when they may use “facial recognition technology.” “Facial recognition data” is defined under the Act as any unique attribute or feature of the face of a consumer that is used by facial recognition technology to uniquely identify a specific individual, while “facial recognition technology” is defined as technology that analyzes facial features and is used for the purposes of unique personal identification. Federal, state, and local governments are exempt, along with law enforcement, national security, and intelligence agencies. Also of note, the Act differentiates between processors and controllers, mirroring the language and meaning used in the EU’s General Data Protection Regulation. Requirements The Act prohibits controllers (i.e., the entities making decisions regarding how data is processed) from knowingly using facial recognition technology to collect facial recognition data unless the controller obtains affirmative consent from the consumer and provides the consumer with proper notice. Such notice must: Inform consumers that facial recognition technology is present; Provide information about where the consumer can learn more about the facial recognition technology being used; and Provide documentation that includes information explaining the capabilities of the technology in terms that consumers can understand. The Act further prohibits covered entities from: Using facial recognition technology to discriminate against consumers; Repurposing facial recognition data for a purpose that is different from those disclosed to the consumer; Sharing the data with an unaffiliated third party without affirmative consent that is separate from the affirmative consent required for initial collection of facial recognition data; and Conditioning service on consent by a consumer, when the use of facial recognition technology is not necessary for that service. The Act also seeks to reduce possible bias in facial recognition technology, requiring covered entities to engage in meaningful human review before making any final decision based on the output of facial recognition technology that may result in foreseeable, material “harm” to a consumer, or may be unexpected or “highly offensive” to a consumer. Relatedly, if an entity makes a facial recognition technology available as an online service, that entity must allow an independent third party to conduct tests of the technology for accuracy and bias. [...]