Hawaii Businesses Using Facial Recognition Face Heightened Legal and Compliance Risks

A significant class-action lawsuit targeting Amazon's Ring facial recognition technology underscores the growing legal and ethical challenges surrounding biometric data collection. This development indicates a critical need for Hawaii businesses, regardless of size or sector, to proactively assess and fortify their data privacy policies, especially concerning technologies that capture individuals' images or other identifying information without explicit consent.

The Change

The core of the issue stems from a lawsuit filed against Amazon alleging that its Ring "Familiar Faces" feature collects and stores images of individuals, including passersby, without their explicit consent. While this specific case targets a large corporation's residential and security product, the underlying legal principle – the right to privacy and control over one's biometric data – has broad implications. The lawsuit places a spotlight on companies that deploy surveillance technologies, making them targets for litigation and potential regulatory action. The legal precedents set by such cases can quickly cascade, influencing how similar technologies are scrutinized and regulated globally and domestically. This means that even if Hawaii does not have specific legislation mirroring the strictest global privacy laws, common law principles and evolving consumer expectations around data privacy will likely lead to increased accountability for businesses.

Who's Affected?

• Small Business Operators: Owners of restaurants, retail shops, service businesses, and local franchises may face increased scrutiny if they employ surveillance cameras with facial recognition capabilities. This could involve analyzing customer traffic patterns, enhancing security, or personalizing customer experiences. The lawsuit raises questions about the adequacy of signage or implied consent in public-facing business areas.
• Real Estate Owners: Property owners, developers, and landlords who implement security systems with facial recognition in common areas of residential buildings, commercial properties, or mixed-use developments are directly implicated. This includes managing risks related to tenant and visitor privacy, potential lawsuits from individuals captured by the systems, and compliance with future data protection regulations.
• Tourism Operators: Hotels, tour companies, vacation rental managers, and hospitality businesses often utilize technology for security, guest identification, and personalized services. The implementation of facial recognition or similar biometric systems for check-in, access control, or monitoring public areas within their establishments now carries significant legal risk.
• Healthcare Providers: Clinics, private practices, and telehealth providers who may use facial recognition for patient identification, appointment verification, or security, must confront the heightened privacy concerns and potential for regulatory intervention. Protecting sensitive patient data, including biometric information, is paramount and subject to stringent regulations.

Second-Order Effects

• Increased Compliance Costs: Businesses adopting or continuing the use of facial recognition technology may face escalating costs associated with legal counsel, privacy audits, and updating consent mechanisms. This diverts resources from core operations and growth initiatives.
• Erosion of Consumer Trust: Negative publicity surrounding data privacy breaches or misuse of facial recognition can severely damage a business's reputation. In Hawaii's close-knit community and tourism-dependent economy, such a loss of trust can lead to significant declines in customer loyalty and patronage.
• Delayed Technology Adoption: The heightened legal risks and potential for costly litigation may cause some businesses, particularly small and medium-sized enterprises, to delay or abandon the adoption of advanced surveillance and data analytics technologies, potentially ceding competitive advantages to less risk-averse entities or those in jurisdictions with clearer regulations.
• Demand for Privacy-Focused Alternatives: Businesses may see increased demand for services and products that demonstrably prioritize data privacy, creating opportunities for innovative solutions that offer security or personalization without relying on invasive biometric data.

What to Do

Given the HIGH urgency and ACT-NOW action level, businesses must take immediate steps within the next 30 days.

For Small Business Operators:

1. Conduct an Immediate Inventory: Within 10 days, identify all surveillance cameras and any systems that capture images or other personally identifiable information (PII) of individuals who are not employees. This includes noting the location and stated purpose of each device.
2. Review Existing Consent Mechanisms: Within 20 days, evaluate current signage, privacy policies, and any explicit consent forms related to data collection. Determine if they adequately inform individuals about the types of data collected, how it is used, stored, and protected, and if consent is obtained in a manner that is likely to be considered legally sufficient.
3. Seek Legal Counsel: Within 30 days, consult with a Hawaii-based attorney specializing in data privacy and business law. Discuss your findings and seek advice on the legality of your current practices and necessary adjustments. They can advise on specific signage requirements, data retention policies, and potential liabilities.
4. Consider Alternatives: Explore security and operational enhancement solutions that do not rely on facial recognition or extensive biometric data collection.

For Real Estate Owners:

1. Audit Property Surveillance Systems: Within 10 days, inventory all facial recognition or biometric data collection systems installed on properties you own or manage, focusing on common areas accessible to the public or tenants.
2. Verify Tenant/Resident Agreements: Within 20 days, review property management agreements and leases to ensure they clearly outline data collection practices, tenant privacy rights, and the property owner's responsibilities regarding surveillance technology.
3. Consult Privacy Experts: Within 30 days, engage with legal counsel or a data privacy consultant to assess compliance with current and anticipated privacy laws. This should include a review of data storage, access controls, and deletion policies for any captured biometric data.
4. Update Disclosure Notices: Immediately implement clear, conspicuous signage in all areas where such technology is in use, informing individuals that surveillance is active and detailing the purpose and data handling practices. Ensure privacy policies are updated and readily accessible.

For Tourism Operators:

1. Map Data Collection Points: Within 10 days, identify all technology used for guest identification, security, or service personalization that involves capturing biometric data, such as facial images.
2. Review Guest Consent Processes: Within 20 days, meticulously examine how guest consent for data collection is obtained during booking, check-in, or service usage. Ensure opt-in mechanisms are clear, easily understood, and granular where appropriate.
3. Consult Industry-Specific Legal Advice: Within 30 days, consult with legal experts familiar with hospitality law and data privacy. Focus on ensuring compliance with consumer protection laws, industry best practices, and potential international privacy standards if serving international clientele.
4. Enhance Transparency: Publicly share detailed privacy policies outlining data usage, retention periods, and security measures. Train customer-facing staff on how to respond to guest inquiries about data privacy.

For Healthcare Providers:

1. Payer and Compliance Review: Within 10 days, conduct a thorough review of all systems that use facial recognition or biometric data for patient identification or access control. Cross-reference these with HIPAA (Health Insurance Portability and Accountability Act) requirements and any state-specific health privacy laws.
2. Patient Consent Reformation: Within 20 days, ensure that patient consent for the use of any biometric data is explicit, documented, and separate from general treatment consent. Patients must understand what data is being collected and why, and have the right to opt-out where feasible.
3. Engage HIPAA Counsel: Within 30 days, consult with legal counsel specializing in healthcare compliance and data privacy. Verify that all storage, transmission, and access to patient biometric data meets or exceeds federal and state regulatory standards.
4. Secure Data Infrastructure: Assess the security measures in place to protect any collected biometric data against breaches and unauthorized access, ensuring robust encryption and access control protocols are active.