Facial recognition technology has rapidly transformed—and enhanced—the consumer experience across numerous industries. This includes travel, hospitality, retail, and healthcare, to name a few. Notably, facial recognition is also making its way into the stadiums, arenas, and ballparks of professional sports franchises nationwide.
As sports venues embark on a widespread facial recognition rollout, states and cities from coast to coast—as well as federal lawmakers in Washington D.C.—are attempting to enact strict laws regulating the use of this next-generation technology. Further complicating matters, facial recognition is also emerging as the next major target of bet-the-company biometric privacy class action litigation.
To limit the potential for expansive liability, while encouraging fan participation and consumer confidence, professional sports teams (and the venues they call home) should implement robust, flexible biometric privacy compliance programs. These programs need to maintain ongoing compliance with today’s rapidly expanding body of law to avoid being on the receiving end of a potentially devastating biometric privacy class action lawsuit.
Facial Recognition Technology Explained
Facial recognition technology involves the use of facial “biometrics”—i.e., the individual physical characteristics of a person’s face—to digitally map one’s facial “geometry.” These measurements are then used to create a mathematical formula known as a “facial template” or “facial signature.” This stored template/signature is then used to compare the physical structure of an individual’s face to identify that individual.
Current & Future Uses Facial Recognition Technology at Pro Sports Venues
Biometrics is nothing new to professional sports teams and their home stadiums, arenas, and ballparks. Currently, the most common form of biometrics used at sports venues is fingerprint biometrics. This is driven in large part by the recent partnership between Major League Baseball (“MLB”) and biometrics technology vendor CLEAR—whose biometric screening technologies are also commonly seen in airports around the world. This partnership has brought dedicated biometric security lanes—which use fingerprints to verify ticketed fans for a frictionless fan entry process—to most MLB ballparks.
At the same time, other professional sports franchises have started to integrate facial recognition systems into the operations of their home venues as well.
Significantly, while fingerprint scanners currently dominate the market, facial recognition is poised to become the most popular form of biometrics at sports venues due to the rapidly increasing demand in contactless biometric solutions.
The Role of Facial Recognition in Combatting COVID-19 on Gameday
As the country prepares to shift back to its “old normal” after the current pandemic subsides, many organizations are looking to implement risk mitigation measures designed to combat the spread of COVID-19. This is especially important for professional sports teams, as stadiums, arenas, and ballparks may present a problematic environment for the spread of COVID-19 due to the close proximity of spectators.
Enter facial recognition. At this time, many teams and venues are considering integrating facial recognition into their operations in direct response to the current pandemic—as this technology possesses the ability to be deployed in several ways to prevent COVID-19 transmission on gameday.
Most importantly, facial recognition can play a significant role in getting fans into the stadium in a way that minimizes the risk of contracting the virus. With facial recognition, fans are offered a completely contactless way of having their ticket validated. Facial recognition can also be combined with other technologies—like contactless infrared thermal temperature scanners—at venue entrances to detect potentially infected fans before they enter the venue and can spread the virus to others.
But the benefits of facial recognition in the fight against COVID-19 do not stop at the ticket gate.
Once inside the stadium, facial recognition can facilitate a contactless method of purchasing food and drinks, as well as when purchasing merchandise at the pro shop. Similarly, this technology can eliminate many commonly-encountered touch points for venue employees as well, such as by swapping out traditional employee swipe cards or numeric key locks with systems controlled by facial recognition software—which not only offers a contactless method of access control, but also offers significant security enhancements.
Ultimately, facial recognition will play a supporting—if not significant—role in the safe return of fans to in-person professional sporting events by minimizing the health risks associated with COVID-19.
Legal Landscape
In response to concerns regarding the ability of companies to use facial recognition biometrics in a safe and responsible manner, lawmakers around the nation have sought to closely regulate this technology.
First, lawmakers have enacted targeted biometric privacy laws that address the collection and use of facial template data by business entities. Currently, three states—Illinois, Texas, and Washington—have such laws on the books.
Overall, Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most stringent. Under BIPA, a private entity cannot collect or store facial template data without first providing notice, obtaining written consent, and making certain disclosures. BIPA also contains a private right of action provision that permits recovery of statutory damages between $1,000 and $5,000 by any “aggrieved” person, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations.
Second, new state consumer laws include facial template data (and other forms of biometric data) within their definition of covered “personal information.” State legislators have also amended their data breach notification laws to add facial template data to the types of “personal information” which, if compromised, triggers breach notification obligations by impacted entities.
Several other states are attempting to enact new legislation of their own directly targeting facial recognition technology. For example, currently pending in the Pennsylvania state legislature is the proposed Consumer Data Privacy Act (“CDPA”), which, if enacted, would impose a wide range of requirements and limitations over the use of facial template data. The CDPA would also mandate immediate compliance as soon as the bill is enacted. Similarly, pending is the proposed New York Biometric Privacy Act which, if passed, would impose obligations identical to those found in Illinois’ BIPA.
Federal lawmakers have also targeted facial recognition. In August 2020, Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT) introduced the National Biometric Information Privacy Act of 2020 (S.4400), which would impose requirements similar to, but stricter than, BIPA from coast to coast.
Compliance Tips: How Pro Sports Teams/Venues Can Stay a Step Ahead of Biometric Privacy Compliance
Pro sports teams have already been the target of class action litigation under today’s biometric privacy laws. As just one example, in early 2020, the Chicago Blackhawks were hit with a BIPA class action lawsuit stemming from the team’s use of facial scanning technology at home games.
From a broader perspective, while relatively few biometric privacy laws are in existence today, the nation is likely to see a flood of new regulation governing the collection/use of biometric data in the future. This is especially so as lawmakers resume their normal activities after spending much of their time in 2020 on pandemic-related matters, and as companies rely more heavily on biometrics to leverage the health benefits these contactless technologies provide.
Pro sports franchises and venues that take proactive steps to build out their biometric privacy compliance programs—especially those that may not yet be subject to state-specific biometric privacy laws—can get a step ahead on the anticipated facial recognition laws that will likely be put in place.
Professional teams and their venues should consider the following:
- Early Involvement of Biometric Privacy Counsel: Consult with experienced biometric privacy counsel well before any type of facial recognition technology is implemented to ensure compliance with today’s constantly-evolving biometric privacy legal landscape.
- Privacy Policy: Develop a publicly-available, detailed facial recognition-specific privacy policy that includes, at a minimum, clear notice that facial template data is being collected, as well as additional information regarding the purposes for which facial template data is used and the team’s/venue’s schedule and guidelines for the retention and destruction of this data.
- Written Notice: Provide written notice—before any facial template data is collected—which clearly informs individuals that facial template data is being collected, used, and/or stored by the company; how that data will be used and/or shared; and the length of time over which the team/venue will retain the data until it is destroyed.
- Written Release: Obtain a signed written release from all individuals prior to the time any facial template data is collected that permits the team/venue to collect/use the individual’s biometric data and disclose this data to third parties for business purposes.
- Opt-Out: Permit fans to opt out of the collection of their facial template data.
- Data Security: Maintain data security measures to safeguard facial template data from unauthorized access, disclosure, or acquisition.
- Arbitration Provisions in Ticket Contracts: Include mandatory arbitration provisions and class action waivers in all ticket contracts requiring fan disputes or claims that may arise under biometric privacy or similar laws must be resolved through binding, individual arbitration, and not in court, to limit biometric privacy class action litigation risk.
The Final Word
Biometrics has already transformed the fan experience on gameday. Moving forward, continued advancements in facial recognition technology, combined with the growing need for contactless biometric solutions, will drive rapid, widespread implementation of facial recognition software at stadiums, arenas, and ballparks around the country.
As biometrics becomes more popular, the scope of liability stemming from its use is also rapidly expanding as cities, states, and Congress seek to impose rigorous mandates and limitations on the use of facial biometrics.
Professional sports teams currently using, or contemplating the use of, this game-changing technology—even those whose home venues are located in parts of the nation where no biometric privacy regulation currently exists—are strongly encouraged to take a proactive stance and develop/implement biometric compliance programs that encompass the practices and principles described above.
Jeffrey N. Rosenthal is a partner at Blank Rome LLP where he leads the Firm’s Biometric Privacy team. He concentrates his complex corporate litigation practice on consumer and privacy class action defense and regularly publishes and presents on class action trends, attorney ethics and marketing/advertising law. He can be reached at rosenthal-j@blankrome.com.
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy Class Action Defense, and Cybersecurity & Data Privacy groups. David’s practice encompasses both defending clients in high-stakes, high-exposure biometric privacy, privacy, and data breach class action litigation, as well as counseling and advising clients on a wide range of biometric privacy, privacy, and data protection/cybersecurity matters. He can be reached at doberly@blankrome.com.
This article originally in Hackney Publications.