GAO, Facial Recognition Technology: Privacy and Accuracy Issues Related to Commercial Uses, (GAO-20-522) (July 13, 2020) (full-text).


Facial recognition technology can verify or identify an individual from a facial image. Advocacy groups and others have raised privacy concerns related to private companies' use of the technology, as well as concerns that higher error rates among some demographic groups could lead to disparate treatment.


The GAO was asked to review the commercial use of facial recognition technology and related accuracy and privacy issues. Among other issues, this report examines how companies use the technology, its accuracy and how accuracy differs across demographic groups, and how privacy issues are addressed in laws and industry practices.

This report examines (1) current and potential uses of facial recognition technology in the commercial sector, (2) the characteristics of facial image data sets assembled for commercial purposes and any related privacy and data security risks, (3) differences in how accurately the technology performs across demographic groups, and (4) privacy protections under federal and state law applicable to commercial use of facial recognition technology and privacy frameworks developed by private entities. The scope of this report does not include government use of facial recognition technology. Further, this report discusses but does not focus on facial analysis, which interprets facial features to determine characteristics such as gender, race, age, and emotions. Instead, this report primarily focuses on the use of facial recognition technology in private and commercial sectors and how the technology is used to detect, identify, and verify individuals.


Although the accuracy of facial recognition technology has increased dramatically in recent years, differences in performance exist for certain demographic groups. National Institute of Standards and Technology tests found that facial recognition technology generally performs better on lighter-skin men and worse on darker-skin women, and does not perform as well on children and elderly adults. These differences could result in more frequent misidentification for certain demographics, such as misidentifying a shopper as a shoplifter when comparing the individual's image against a data set of known shoplifters. There is no consensus on what causes performance differences, including physical factors (such as lighting) or factors related to the creation or operation of the technology. However, stakeholders and literature identified various methods that could help mitigate differences in performance among demographic groups.


Stakeholders and literature identified concerns related to privacy, such as the inability of individuals to remain anonymous in public or the use of the technology without individuals' consent. Facial recognition technology may collect or store facial images, posing varying levels of risk. Some federal and state laws and the European Union's General Data Protection Regulation impose requirements on U.S. companies related to facial recognition technology. However, as the GAO reported in 2015, there is no comprehensive federal privacy law governing the collection, use, and sale of personal information by private-sector companies. Some stakeholders, including privacy and industry groups, have developed voluntary frameworks that seek to address privacy concerns. Most of these frameworks were consistent with internationally recognized principles for protecting the privacy and security of personal information. However, U.S. companies are not required to follow these voluntary frameworks.


The GAO reiterates its previous suggestion from a 2013 report (Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace) that Congress consider strengthening the consumer privacy framework to reflect changes in technology and the marketplace.

Community content is available under CC-BY-SA unless otherwise noted.