Companies would be required to obtain people's explicit consent before sharing their faceprints, under a bill proposed this week by Sens. Brian Schatz (D-Hawaii) and Roy Blunt (R-Missouri).
The Commercial Facial Recognition Privacy Act would also require companies to notify people about the use of facial recognition technology, and impose testing requirements aimed at addressing inaccuracies in the technology.
“Our faces are our identities. They’re personal. So the responsibility is on companies to ask people for their permission before they track and analyze their faces,” Schatz stated Thursday.
The proposed bill would task the Federal Trade Commission with enforcement, and would also allow states to impose their own, tougher laws.
Microsoft, which has been calling for new limits on the use of facial recognition technology, has already expressed support for the proposed federal legislation.
A few other states -- including Illinois and Texas -- already regulate biometric privacy. The Illinois law, which provides for damages of up to $5,000 per violation, requires companies to obtain users' consent before collecting scans of facial geometry.
Companies including Facebook, Google and Shutterfly are currently facing lawsuits alleging violations of the Illinois law.
Washington state lawmakers are also considering new restrictions on the use of facial recognition technology. A proposed law that already passed in the state Senate would require private companies to notify consumers about the use of facial recognition and “exercise choice.” That law would also prohibit government agencies from using the technology in public spaces without a court order, unless there's an emergency.