A new set of industry best practices for protecting consumer privacy in facial recognition technology, resulting from a multistakeholder process overseen by a federal government agency, will advance privacy safeguards while also carving out most research and analytics uses of the technology.
Background
Launched on February 6, 2014, the National Telecommunications and Information Administration (NTIA) convened a varied stakeholder group of technology, policy, legal and other experts from companies, trade associations, activist groups, academic institutions and other organizations to develop and agree upon a voluntary code of conduct for the commercial use of facial recognition technology.
It was the second multistakeholder privacy process moderated by NTIA. The first, on mobile apps privacy, wrapped up somewhat ambiguously in 2013 and produced a code of conduct that hardly anyone adopted. The successful conclusion of the facial recognition privacy process on June 15, 2016, demonstrates that the mobile apps effort, while flawed, was a solid first step and an important foundation.
The Marketing Research Association (MRA) has been mostly supportive of the NTIA multistakeholder approach to privacy progress. This approach is a key element of the Obama Administration’s Consumer Privacy Bill of Rights initiative.
MRA’s white paper on the research uses of facial reconition technology
At the kickoff meeting of the NTIA process, MRA presented a white paper on the various research uses of facial recognition technology. Our overview found that researchers are already using facial recognition technology for (1) facial coding and eye tracking and (2) measuring and tracking demographics and consumer traffic flow. We also found some potential marketing research uses, such as increasing the accuracy of audience ratings measurement, or fraud and error prevention.
The NTIA multistakeholder process for facial recognition privacy was tasked only with looking at commercial applications, and survey, opinion and marketing research is recognized as inherently non-commercial. However, since the research profession is often inevitably drawn into discussions about marketing, advertising and sales, MRA offered our white paper to help inform our fellow stakeholders and improve the chances of a sensible code of conduct being produced by the multistakeholder process. Our efforts appear to have born fruit, particularly since this emerging technology is still relatively early on the privacy panic cycle.
Protections for research and analytics uses of facial recognition technology
Despite some contentious debate at the first meeting, the final NTIA facial recognition privacy best practices focus only on applications that are for identifying/authenticating an individual, and exclude most research and analytics uses of the technology:
“These principles do not apply to the use of a facial recognition for the purpose of aggregate or non-identifying analysis. For example, when facial recognition technology is used only to count the number of unique visitors to a retail establishment or to measure the genders or approximate ages of people who view a store display (for marketing research purposes), those practices are outside the scope of these principles.”
Even in the best practices’ definitions, the focus on identifying an individual is clear. For example, facial template data is defined as:
“A unique facial attribute or measurement generated by automatic measurements of an individual’s facial characteristics, which are used by a covered entity to uniquely identify an individual’s identity or authenticate an individual when the individual accesses a system or account. Data that has been reasonably de-identified and the underlying document from which the data came is not facial template data and therefore is not covered by these best practices.”
And, to further clarify, facial recognition technology is defined as:
"A computer program used to compare the visible physical structure of an individual’s face with a stored facial template to confirm an individual’s claimed identity or to uniquely identify an individual.”
NTIA’s best practices for facial recognition privacy
The final “Privacy Best Practice Recommendations For Commercial Facial Recognition Use,” as agreed upon by the NTIA multistakeholder group on June 15, 2016, are meant to serve as “general guidelines” to provide “a flexible and evolving approach to the use of facial recognition technology” that can “keep pace with the dynamic marketplace.” It is ultimately left to the companies implementing the best practices “to determine the most appropriate way to implement each of these privacy guidelines.” The technology’s current and potential uses vary widely, so “specific/detailed practices are not feasible or practical across this wide spectrum.”
The NTIA best practices apply to “Any person, including corporate affiliates, that collects, stores, or processes facial template data,” and doesn’t apply to “security applications, law enforcement, national security, intelligence or military uses.”
MRA encourages survey, opinion and marketing researchers to adopt these best practices when utilizing facial recognition technology for purposes of identifying or authenticating a specific individual.