Portland’s Ban on Facial-Recognition Technology Takes Effect
Portland, Oregon’s prohibition on the use of facial-recognition technology by private actors in places of public accommodation took effect on January 1, 2021. That ban, which was adopted by the City Council last September, is the first of its kind by a locality in the US (though Portland and a number of other municipalities have recently banned use of facial-recognition technologies by law enforcement or other governmental actors).
Portland’s ordinance applies to any “Private Entity” – defined broadly to reach any party other than a government agency – using facial-recognition technology in “any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise” within the City of Portland, except for private residences, bona fide clubs, or other non-public institutions. However, ambiguities in the law (and its draconian damage provision) may cause headaches for online operators that offer facial-recognition features, even where they have no on-the-ground presence in Portland.
Like Illinois’ heavily litigated Biometric Information Protection Act (BIPA), Portland’s ordinance provides for a private right of action. Also like BIPA, penalties for non-compliance can be severe. Portland’s ordinance provides for a litigant to receive the greater of actual damages or $1,000 per day for each day of a violation. (Even BIPA, plaintiffs’ darling that it is, does not provide for a per-day damages calculation.) Portland’s law also provides a prevailing plaintiff the ability to recover attorneys’ fees. Notably, though (and unlike BIPA and other state biometric-privacy laws), Portland’s law is expressly limited to facial recognition and does not reach other biometric identifiers, like fingerprint or voiceprint.
Exempted from Portland’s new law are uses of facial-recognition technology:
To the extent necessary for compliance with applicable law;
“For user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices”; or
“In automatic face detection services in social media applications.”
The law’s prefatory materials make clear that it is primarily concerned with the use of surveillance technology within physical spaces - particularly facial-recognition’s inherent risks of misuse or misidentification. However, the narrow wording of the exemptions makes the law a concern even for online-only operators.
For example, while automated face-detection services in social-media applications are expressly exempt, what about other types software/services that offer facial-recognition features? If an online photo-management service can organize photos by subject and is available to residents of Portland, is it a place of public accommodation subject to the ordinance? If a downloadable app with an online facial-recognition feature is utilized in a public place by a Portland resident, is the app operator also a party that is “using” facial-recognition technology for purposes of the ordinance?
These remain open questions. However, given the private right of action and the high damages available under Portland’s ordinance, we expect plaintiff’s attorneys will look for an opportunity to push arguments of this kind. If your business operates a service that includes a facial-recognition component and is available in Portland, you will want to carefully consider the potential application of this new ordinance.
The full ordinance text is available here.
Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news please subscribe to InfoLawGroup’s Insights here.