Cruise Industry Compliance Tips: Facial Recognition Technology
In the past few years, the commercial use of facial recognition technology has advanced at an explosive rate, expanding into numerous industries and trades. For instance, facial biometrics is increasingly relied on by airlines and airports across the globe; a similar trend is starting to take hold in the maritime industry, particularly the cruise sector.
While this expansion is occurring, states and cities across the country—as well as the federal government—are attempting to enact strict laws regulating the use of facial recognition technology by commercial entities. Facial recognition has also recently emerged as an increasingly-popular target for bet-the-company privacy class action litigation.
As the cruise industry moves toward the widespread adoption of facial recognition technology, companies should implement robust, adaptable biometric privacy programs to ensure compliance with today’s growing body of law to reap the benefits of this exciting technology while mitigating liability exposure.
Overview of facial recognition technology
Facial recognition technology involves the use of facial “biometrics”—i.e., the individual physical characteristics of a person’s face—to digitally map one’s facial “geometry.” These measurements are then used to create a mathematical formula known as a “facial template” or “facial signature.” This stored template/signature is then used to compare the physical structure of an individual’s face to identify that individual.
Current and future uses of facial recognition technology by the cruise industry
To understand facial recognition’s potential to fundamentally transform the cruise experience, one need only look to similar enhancements made in air travel.
According to The Washington Post, 14 airports were using the technology as of August 2018. American Airlines has been trialing the technology at the Dallas/Forth Worth International Airport and Los Angeles’ LAX airport on a voluntary, opt-in basis since August 2019.
Today, facial recognition offers air passengers a seamless, frictionless curb-to-gate experience— reportedly providing a significant boost in overall customer satisfaction, as well as to the airlines’ and airports’ bottom line.
The airlines see a lot of benefits to facial recognition technology. For example, starting with the check-in counter, a simple face scan can provide travelers with a streamlined check-in process with less waiting time. At security checkpoints, travelers’ identities can be verified swiftly and accurately, significantly reducing travel stress and allowing more time to dine, shop and relax before boarding. Similarly, customers can be identified and permitted access to airport lounges, while also receiving a more personalized experience as a result of airlines’ ability to monitor customer preferences. Finally, at boarding, travelers can experience a simple, expedited boarding process that gets them to their seats quicker and, in turn, allows for a higher percentage of on-time departures.
Facial recognition has also started to have an equally noteworthy impact on the cruise industry.
In 2019, one of the major cruise lines deployed facial recognition boarding technology to offer passengers a frictionless boarding process; boarding times were cut in half. The company also deployed this technology to assist in debarkation, enhancing both the security and efficiency of one of the traditional pain points of the cruise experience.
As facial recognition becomes more widespread, cruise lines will be able to further improve the overall traveler experience. This includes providing passengers with faster and more personalized experiences in onboard shops and restaurants as this technology can also be integrated with payment systems.
And as travelers return to cruising as the COVID-19 pandemic subsides, facial recognition can be deployed to minimize person-to-person contact, and thus, the health risks associated with the virus. As a result, facial recognition will likely play an important role for cruise lines in the areas of access control and COVID-19 temperature/health screening programs.
Legal landscape
In response to concerns about companies’ use of facial recognition biometrics in a safe and responsible manner, lawmakers across the country have sought to closely regulate this technology.
First, lawmakers have enacted targeted biometric privacy laws that address the collection and use of facial template data by business entities. Currently, three states—Illinois, Texas and Washington—have such laws on the books.
Overall, Illinois’ Biometric Information Privacy Act (BIPA) is considered the most stringent. Under BIPA, a private entity cannot collect or store facial template data without first providing notice, obtaining written consent and making certain disclosures. BIPA also contains a private right of action provision that permits recovery of statutory damages between $1,000 and $5,000 by any “aggrieved” person, which has generated a tremendous amount of class litigation from consumers alleging mere technical violations.
Texas’ Capture or Use of Biometric Identifier Act (CUBI), while somewhat different than BIPA, also imposes similar requirements relating to notice, consent, prohibitions on disclosures and mandatory data security measures. And while CUBI lacks a private right of action, it poses substantial potential civil exposure for noncompliance—including penalties of up to $25,000 per violation, with no maximum cap.
Second, new state consumer laws include facial template data (and other forms of biometric data) within their definition of covered “personal information.” State legislators have also amended their data breach notification laws to add facial template data to the types of “personal information” which, if compromised, triggers breach notification obligations by impacted entities. Other states are currently attempting to enact new legislation of their own directly targeting facial recognition technology.
Federal lawmakers have also targeted facial recognition. In August 2020, Senators Jeff Merkley (D-Ore.) and Bernie Sanders (I-Vt.) introduced the National Biometric Information Privacy Act of 2020 (S.4400), which would impose requirements similar to BIPA from coast to coast.
Compliance tips: what cruise lines can do to get a step ahead of impending biometric privacy laws
Cruise lines have already been the target of class actions under other consumer protection laws, such as the Telephone Consumer Protection Act. These cases have resulted in settlements in the tens of millions of dollars.
Due to the rapidly expanding liability associated with facial biometrics, it is imperative cruise lines utilizing this technology—or that intend to do so—devote the necessary time, effort and resources to put in place flexible, adaptable compliance programs to help ensure compliance with state and federal requirements.
Cruise lines that take proactive measures now to build out their biometric privacy compliance programs—especially those that may not currently be subject to a state-specific biometric privacy law—can get a step ahead on the anticipated facial recognition laws that will likely be enacted in more parts of the country.
Cruise lines should consider the following:
- Early involvement of biometric privacy counsel: Consult with experienced biometric privacy counsel well before any type of facial recognition technology is implemented to ensure compliance with today’s constantly-evolving biometric privacy legal landscape.
- Privacy policy: Develop a publicly-available, detailed facial recognition-specific privacy policy that includes, at a minimum, clear notice that facial template data is being collected, as well as additional information regarding the purposes for which facial template data is used and the cruise line’s schedule and guidelines for the retention and destruction of this data.
- Written notice: Provide written notice—prior to the time any facial template data is collected—which clearly informs individuals that facial template data is being collected, used and/or stored by the company; how that data will be used and/or shared; and the length of time over which the cruise line will retain the data until it is destroyed.
- Written release: Obtain a signed written release from all individuals prior to the time any facial template data is collected that permits the cruise line to collect/use the individual’s biometric data and disclose this data to third parties for business purposes.
- Opt-out: Permit travelers to opt out of the collection of their facial template data.
- Data security: Maintain data security measures to safeguard facial template data that satisfies the reasonable standard of care applicable to the cruise industry and which protects facial template data in a manner that is the same or more protective than the manner in which the cruise line protects other forms of sensitive personal information.
- Arbitration provisions in ticket contracts: Include mandatory arbitration provisions and class action waivers in all ticket contracts requiring traveler disputes or claims that may arise under biometric privacy or similar laws must be resolved through binding, individual arbitration and not in court, to limit biometric privacy class action litigation risk.
Conclusion
Facial recognition technology has fundamentally transformed the operations of businesses across several industries; it is poised to do the same for the cruise industry in the immediate future.
At the same time, liability stemming from the use of this technology is also rapidly expanding as cities, states and Congress look to impose strict requirements and limitations on the use of facial biometrics.
Companies operating in the cruise industry contemplating the use of this next-generation technology—even those whose operations are located in jurisdictions where no biometric privacy regulation currently exists—are encouraged to take proactive measures to develop and implement facial recognition biometrics compliance programs that encompass the practices/principles described above.
The authors
Jeffrey N. Rosenthal is a partner at Blank Rome LLP where he leads the Firm’s Biometric Privacy team. He concentrates his complex corporate litigation practice on consumer and privacy class action defense and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at rosenthal-j@blankrome.com.
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy Class Action Defense and Cybersecurity & Data Privacy groups. David’s practice encompasses both defending clients in high-stakes, high-exposure biometric privacy, privacy and data breach class action litigation, as well as counseling and advising clients on a wide range of biometric privacy, privacy and data protection/cybersecurity matters. He can be reached at doberly@blankrome.com.
Jeanne M. Grasso is a partner in the Washington, D.C. office and Co-Practice Group Leader of the Maritime and International Trade Practice Group. Jeanne focuses her practice on maritime and environmental law for domestic and international clients. She regularly counsels owners and operators of vessels, charterers, cargo owners and facilities on maritime and environmental issues, including ballast water, air emissions and coastwise trade. Her practice involves counseling on all aspects of maritime and environmental regulatory compliance; internal and grand jury investigations; defense of administrative, civiland criminal enforcement actions; and pollution incident response. She can be reached at grasso@blankrome.com.
Douglas J. Shoemaker is a partner in the Houston office of Blank Rome LLP. Douglas focuses his practice on complex maritime transactions and litigation. He has over 25 years' experience advising clients on a wide range maritime law topics, including charterparty negotiation and drafting, arbitration, vessel construction and flagging, purchase and sale and mergers and acquisitions, personal injury, property damage, pollution, onboard investigations, navigational error, Jones Act, stevedoring accidents, cargo damage defense and general average. His email contact is dshoemaker@blankrome.com.