Adv Mehul Bansal, Jadetimes Staff

In 2021, a school district in New York quietly installed facial recognition cameras at entrances and hallways across its facilities. Parents were not informed. Students were not consulted. The system, designed to flag individuals who had been barred from the premises, scanned the faces of thousands of children every single day, converting their unique biological features into mathematical templates stored on third-party servers. When civil liberties groups exposed the programme, the reaction was one of public outrage. The school district argued it was acting in the interest of safety. The state ultimately ordered the system shut down, finding it violated New York's student privacy laws. But the legal questions it raised have never been more relevant.

Biometric data fingerprints, iris scans, gait patterns, facial geometry is unlike any other form of personal information. A password can be changed. A credit card number can be reissued. A biometric identifier is permanent. Once compromised, it is compromised forever. Yet the regulatory framework governing the collection and use of this data across most of the world remains deeply fragmented and, in many jurisdictions, entirely absent.

In the United States, only a handful of states have enacted meaningful biometric privacy legislation. Illinois leads the way with its Biometric Information Privacy Act, enacted in 2008, which requires companies to obtain written consent before collecting biometric identifiers, mandates disclosure of how long data will be retained and how it will be destroyed, and crucially, gives individuals a private right of action. This last feature has triggered an avalanche of litigation. Companies including Google, Facebook, TikTok, and scores of smaller businesses have faced class action suits under BIPA, resulting in settlements worth hundreds of millions of dollars. In 2023, Meta agreed to pay $725 million to resolve claims that it had harvested facial recognition data without proper consent.

The European Union's General Data Protection Regulation classifies biometric data as a "special category" requiring explicit consent and stringent safeguards. Yet enforcement has been uneven. Clearview AI, an American company that scraped billions of images from public websites to build a facial recognition database, was fined by regulators in France, Italy, Greece, and the United Kingdom, and yet continues to operate and sell its services to law enforcement agencies globally. The legal principle is clear. The practical enforcement across borders is not.

The emergence of generative AI has further complicated matters. Large language models and image-generation systems are trained on datasets that frequently include photographs of real people scraped without consent. Class action lawsuits filed by artists, actors, and private individuals are working their way through courts in California and New York. The core legal theory that training an AI model on someone's likeness constitutes an actionable use of their biometric data has not yet been tested at the appellate level in most jurisdictions, but it represents one of the most consequential legal frontiers of this decade.

What the law must eventually answer is a question that sounds simple but is deeply complex: in a world where cameras are everywhere and algorithms can identify anyone in milliseconds, does a person retain any legal right to their own face in public space? The answer will define the balance between security and liberty for generations to come.