Biometric Privacy Legal Landscape Legislative Developments & Trends

Montana Passes Law Regulating Facial Recognition Use by Police

Jason C. Hirsch |

Montana recently passed the Facial Recognition for Government Use Act (“FRGUA”), which permits state and local agencies, including law enforcement, to use facial recognition to look for suspects, victims of, or witnesses to serious crimes. However, FRGUA prohibits the use of “continuous” facial recognition and establishes human review and audit procedures to ensure compliance with the technology. FRGUA requires police to obtain a warrant to use facial recognition absent exigent circumstances. It also restricts the state motor vehicle division to set up facial recognition only with prior approval of the legislature.

In terms of disclosure, third-party vendors of facial technology and public agencies must have use and privacy policies for individuals. Finally, FRGUA imposes monetary penalties for negligent violations of the statute and grants the attorney general the authority to initiate enforcement actions.

To read more articles from the August 2023 edition of Blank Rome’s BR Privacy & Security Download, please visit our website.

Biometric Privacy Compliance Tips Biometric Privacy Legal Landscape Legislative Developments & Trends

NYC Introduces Bills to Limit Facial Recognition in Private Sector

Tianmei Ann Huang |

New York City Council (“Council”) members are expected to formally introduce two Local Laws on April 27, 2023, during the next Council meeting, seeking to regulate private-sector use of facial recognition (or similar surveillance technology) for identification or verification purposes.

The first bill would amend New York City’s administrative code to prohibit businesses and venues from using “biometric identifier information” (e.g., face scans) to identify or verify customers without first obtaining their written consent. These businesses and venues must also develop and make publicly available a retention-and-destruction policy, and must further comply with certain data protection, privacy, and security obligations. The proposal also includes a private right of action for civil damages up to $500 per negligent violation and up to $5,000 per intentional or reckless violation, as well as attorneys’ fees.

The second bill would ban owners of “multiple dwelling” properties (e.g., residential buildings) from installing, activating, or using “biometric recognition technology” to identify tenants or their guests. The legislation, if enacted, would be one of the first laws to place city-wide restrictions on the use of biometric recognition technology in the private sector.

Based on the introduction of these dual bills, companies in NYC that currently collect biometric data, or are considering doing so, are encouraged to contact experienced counsel to provide protective compliance measures—lest they become the target of civil litigation.

Biometric Privacy Legal Landscape The Lighter Side of Biometrics

Delta Airlines Debuts “Parallel Reality” Biometric Flight Information Display

Rachel Evans* |

On June 29, 2022, travelers at the Detroit Metropolitan Airport were the first to interact with a new flight information display that uses facial recognition technology “to identify participating travelers and show them the appropriate information.”

How It Works

Customers can opt-in to the experience by either scanning their boarding pass or activating facial recognition at the Parallel Reality kiosk to check in to their flight and receive day-of-travel information at their fingertips—or, more appropriately, at their facial scan.

Once a customer has checked in and approached the flight information board, cameras embedded in the board will match an individual to their picture and engage multi-view pixels to display a unique message only the intended customer can see.

Nearly all travelers can simultaneously look at the display and receive completely different, personalized information relating to their travel plan.

Biometric Privacy Compliance Tips

Practical Compliance Tips: Baltimore Private-Sector Facial Recognition Ban

David J. Oberly |

In mid-2021, Baltimore, Maryland, passed Council Bill 21-0001 (the “FRT Ordinance”), becoming the second U.S. jurisdiction to enact sweeping facial recognition regulation that bans the use of facial biometrics by any private entity or individual within city limits.

While a number of cities have enacted laws prohibiting law enforcement and other governmental agencies from using facial recognition, Portland, Oregon, enacted the nation’s first blanket ban over the use of this technology by the private sector at the beginning of 2021. The Baltimore FRT Ordinance goes even further than Portland by imposing criminal penalties of up to a year in jail for companies and individuals that run afoul of the ban.

As federal lawmakers continue to drag their feet on enacting a nationwide, uniform biometric privacy regulatory regime, companies should anticipate that cities and states will continue to take the lead in implementing new biometrics regulation in 2022. In particular, the success seen by Baltimore and Portland in enacting outright bans over the commercial use of facial recognition software is likely to encourage lawmakers in other cities and states to follow suit by enacting tighter controls over the collection and use of facial geometry data in other parts of the country.

Taken together, all businesses that operate in Baltimore and use any type of facial recognition software should assess whether the Baltimore FTC Ordinance applies to them and, if so, take prompt measures to ensure compliance with the law. And from a broader perspective, as this strict type of biometric privacy regulation is likely expand to additional parts of the country moving forward, companies that use or intend to use facial recognition technology (“FRT”) need to familiarize themselves with this new type of biometrics regulation and consider taking proactive steps to minimize their anticipated liability exposure.


  • Scope/Applicability: The Baltimore ordinance bars “persons” from obtaining, retaining, accessing, or using any “face surveillance system” or any information obtained from face surveillance system within the City of Baltimore.
  • “Person”: The ordinance defines the term “person” as any individual, partnership, firm, association, corporation, other entity, receiver, trustee, guardian, personal representative, or fiduciary.
  • “Face Surveillance System”: “Face surveillance system” means “any computer software or application that performs face surveillance.”
  • “Face Surveillance”: “Face surveillance,” in turn, is defined as “an automated or semi-automated process that assists in identifying or verifying an individual based on the physical characteristics of the individual’s face.”


  • Access Control Systems: Excluded from the scope of the ordinance are “biometric security system[s] designed specifically to protect against unauthorized access to a particular location or an electronic device.”
  • Maryland Image Repository System: Also excluded from the scope of the ordinance is the Maryland Image Repository System (facial recognition software that allows law enforcement to compare images of unidentified individuals to images from motor vehicle records and criminal mugshots).

Core Compliance Requirement

  • Prohibition on FRT Use: Under the ordinance, a person may not obtain, retain, access, or use in Baltimore City: (1) any face surveillance system; or (2) any information obtained from a face surveillance system.

Enforcement and Remedies

  • Misdemeanor: Any person who violates the Baltimore FRT Ban is guilty of a misdemeanor and subject to a fine of not more than $1,000, imprisonment for not more than 12 months, or both fine and imprisonment.
  • Each Day a Separate Offense: Each day that a violation continues is a separate offense.

Practical Compliance Tips & Best Practices

All businesses that maintain operations in Baltimore should take immediate action (if they have not already done so) to ensure compliance with the city’s FRT ban. Companies should consider the following action steps to determine the applicability of the ban to their operations and to come into compliance with the Baltimore ordinance if the organization falls under the scope of the law:

  • Determine Whether Technology Falls under Scope of Law: First, companies should determine if their technology falls under the scope of the law. To do so, the system must assist in identifying or verifying individuals based on their facial characteristics.
  • Evaluate Applicability of Access Control Exemption: If the technology falls under the scope of the ban, evaluate whether the narrow exemption offered by the ordinance for facial recognition-powered access control systems applies to allow the company to continue its use of the technology.
  • Cease Use if Exemption Inapplicable: If the technology does not serve the purpose of protecting against unauthorized access to a particular location or electronic device, eliminate the use of facial recognition across the board immediately.
  • Identify Availability of Suitable Alternative Technologies: At the same time, companies that are no longer permitted to use their current facial biometrics technology should evaluate whether any alternative technologies can be implemented to accomplish the same objectives—such as identification, verification/authentication, or security—for which facial recognition was used.