Facial-recognition technology has many potential benefits for event hosts, including security and real-time assessment of attendee engagement. However, there are privacy concerns around using facial recognition that event organizers must understand, or they risk civil action and financial penalty.
Case in point: In 2021, Barcelona-based Mobile World Congress required in-person attendees to upload their passport photos as a condition of registering. MWC did this to allow for facial recognition to be used at the show’s entrance to confirm attendees’ identities, although attendees did not have to submit to facial recognition for entry if they showed their passport and registration confirmation at the door. However, one person who refused to submit a photo and instead chose to attend the event virtually filed a complaint with the Spanish Agency for Data Protection (AEPD).
According to this TechCrunch article, AEPD ruled this spring that MWC’s photo requirement infringed Article 35 of the General Data Protection Regulation, which deals with requirements in the European Union for carrying out a data-protection impact assessment. Specifically, the use of biometric data such as photos is defined as “high risk” by GDPR and requires proof of necessity of such action along with the ability for attendees to opt out of the process.
“GDPR sets a clear bar for consent in order to have a valid legal basis—requiring that consent is informed, specific (i.e. not bundled with other elements requiring consent), and freely given; you cannot force consent,” the article explains. “Further, consent for processing sensitive data like facial biometrics has an even higher bar of explicit consent.” As a result, MWC was fined $224,000 for breach of privacy.
In the United States, the equivalent of GDPR is the California Consumer Privacy Act and a few other data-privacy laws soon going into effect in different states. California’s data-privacy regulation gives residents greater transparency and control over how businesses collect and use their personal information. In light of this, any events that have attendees from California—or from the E.U.— must understand the level at which personal data, especially biometric data, needs attendee consent as well as secure protection.