In recent years, advances in facial recognition technology have resulted in a rapid expansion in the prevalence of private sector biometric technologies. Facial recognition, while providing new potentials for safety and security and personalized marketing by retailers implicates complicated questions about the nature of consumer privacy and surveillance where a “collection imperative” incentivize corporate actors to accumulate increasingly massive reservoirs of consumer data. However, the law has not yet fully developed to address the unique risks to consumers through the use of this technology. This Note examines existing regulatory mechanisms, finding that consumer sensitivities and the opaque nature of the technology have resulted in over- and underinclusive regulatory regimes.

This Note proposes that the broad implications of biometric privacy harms justify more extensive privacy regulation than a narrow focus on data security and self-regulation. It suggests that regulation predicated on consumer data self-management is inefficient in controlling the flow of information generated by facial recognition.

This Note finds that a regulatory approach based in collaborative governance may be better suited for regulating complex systems that create hard-to-calculate risks, change too quickly for traditional regulatory approaches, and involve technical and industry expertise that regulators and legislators are unlikely to have.