Facial Recognition Regulation: Bans, Limits, and the Patchwork of US and EU Laws
A thorough examination of facial recognition regulation worldwide—covering city-level bans, the EU AI Act's prohibitions, US state laws, law enforcement use, and the ongoing debate over accuracy disparities and civil liberties.
At Least 30 Cities Have Banned It—and Still It Spreads
By 2024, more than 30 US cities and counties had enacted bans or moratoriums on government use of facial recognition technology, including San Francisco, Boston, New Orleans, and Minneapolis. Yet during the same period, the technology was deployed at over 1,400 US airports by TSA, used by Immigration and Customs Enforcement for visa fraud investigations, and licensed to police departments in at least 38 states through vendors including Clearview AI. The regulatory landscape is not a coherent framework—it is a collision between rapid technological deployment and fragmented, jurisdiction-by-jurisdiction legal responses.
How Facial Recognition Works and Why It Matters for Regulation
Modern facial recognition converts an image of a face into a numerical vector representing geometric relationships between facial landmarks—eye spacing, nose bridge width, jaw curvature. This vector is compared against a database to produce a confidence-score match. The system never says "this is definitely that person"; it says "this image is X% similar to this record." That probabilistic output, when used to make consequential decisions about liberty or access, is the core regulatory concern.
Documented accuracy disparities have become a central legislative argument. The NIST Face Recognition Vendor Testing program found that many commercial algorithms produced false positive rates 10–100 times higher for Black women than for white men. At least three documented wrongful arrests in the US—Robert Williams (Detroit, 2020), Michael Oliver (Detroit, 2019), and Nijeer Parks (New Jersey, 2019)—involved facial recognition misidentification as the initial basis for prosecution.
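The matching step described above, as an added example that is not part of the original article: a toy Python sketch of threshold-based matching that contrasts one-to-one verification with one-to-many identification. The random 16-dimensional vectors, the 0.5 threshold, the record names and all function names are constructed for illustration; production embeddings are larger and real impostor scores are not uniformly random.

```python
import math
import random

DIM = 16          # toy size (constructed); production embeddings are much larger
THRESHOLD = 0.5   # constructed decision threshold on cosine similarity


def unit_vector(rng, dim=DIM):
    """Constructed stand-in for a face embedding: a random unit vector."""
    v = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    norm = math.sqrt(sum(x * x for x in v))
    return [x / norm for x in v]


def cosine(a, b):
    """Similarity score between two unit-length embeddings."""
    return sum(x * y for x, y in zip(a, b))


def verify(probe, enrolled, threshold=THRESHOLD):
    """One-to-one: does the probe match this single enrolled template?"""
    return cosine(probe, enrolled) >= threshold


def identify(probe, gallery, threshold=THRESHOLD):
    """One-to-many: every record scoring at or above the threshold, best first."""
    hits = [(cosine(probe, emb), rid) for rid, emb in gallery.items()]
    return sorted((h for h in hits if h[0] >= threshold), reverse=True)


def any_false_match_probability(fmr, gallery_size):
    """Chance of at least one false candidate, assuming independent comparisons."""
    return 1.0 - (1.0 - fmr) ** gallery_size


def demo(seed=7):
    """Search for a person who is NOT enrolled, in a small and a large gallery."""
    rng = random.Random(seed)
    gallery = {f"record-{i}": unit_vector(rng) for i in range(10_000)}
    small = dict(list(gallery.items())[:100])  # subset of the large gallery
    stranger = unit_vector(rng)
    return len(identify(stranger, small)), len(identify(stranger, gallery))


if __name__ == "__main__":
    few, many = demo()
    print(f"false candidates: {few} of 100 records, {many} of 10,000 records")
```

Because the 100-record gallery is a subset of the 10,000-record one, the same unenrolled probe can only gain candidates as the database grows, while the threshold and the per-comparison error rate stay fixed.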
The US Regulatory Patchwork
| Jurisdiction | Rule Type | Coverage | Effective |
|---|---|---|---|
| San Francisco, CA | Ban (government use) | City agencies including police | 2019 |
| Boston, MA | Ban (government use) | All city agencies | 2020 |
| Portland, OR | Dual ban | Government + private use in public | 2020 |
| New Orleans, LA | Moratorium | Police use; lifted 2023 | 2020–2023 |
| Illinois (BIPA) | Consent requirement | Private sector; no government exemption | 2008 |
| Texas (CUBI) | Consent + no sale | Private sector; AG enforcement | 2009 |
| Washington State | Restrictions | Government and commercial use; HB 1493 | 2017 |
Federal Landscape: No Comprehensive Law—Yet
The United States has no federal statute specifically governing facial recognition. Multiple bills—the Facial Recognition and Biometric Technology Moratorium Act, the Commercial Facial Recognition Privacy Act—have been introduced repeatedly without passing. Federal agency use is governed only by the Privacy Act of 1974 (requiring system of records notices) and agency-specific regulations. The FTC has used Section 5 authority to challenge deceptive claims about facial recognition accuracy and consent, and issued guidance in 2012 warning against use of the technology in ways that consumers wouldn't expect.
Law Enforcement Use
Federal courts have not established clear Fourth Amendment rules for facial recognition. Lower courts have divided on whether using facial recognition on images gathered without a warrant constitutes a search under Carpenter v. United States (2018). The Department of Justice issued internal guidelines in 2023 limiting but not prohibiting FBI use of facial recognition, requiring human review of all matches before any investigative step.
The EU AI Act: The World's Strictest Framework
The EU Artificial Intelligence Act, entering into force in 2024 with phased application through 2026, places real-time remote biometric identification systems in public spaces in the "unacceptable risk" category, which makes them essentially prohibited. Narrow law enforcement exceptions apply: searching for missing children, preventing specific imminent terrorist threats, and locating perpetrators of serious crimes listed in the Act. Even within those exceptions, prior judicial or independent administrative authorisation is required for each deployment, and post-hoc notification obligations apply.
- Post-remote biometric identification (matching against existing databases after the fact) is classified as "high risk" rather than prohibited, requiring conformity assessment, human oversight, and registration in the EU AI database.
- Emotion recognition systems in workplaces and educational institutions are prohibited entirely.
- All high-risk AI systems must maintain logs sufficient for post-hoc auditing for at least six months.
- Fines under the EU AI Act reach €30 million or 6% of global turnover for prohibited practice violations, higher than under GDPR.
Private Sector Restrictions
Clearview AI, which built a facial recognition database by scraping billions of images from social media without consent, has been fined by data protection authorities in the UK (£7.5 million), France (€20 million), Italy (€20 million), Greece (€20 million), and Australia. All of these actions found that scraping publicly available images to build a biometric identification system violated privacy law even though the original images were publicly visible.
- Microsoft, IBM, and Amazon voluntarily suspended sales of facial recognition to law enforcement pending federal regulation (2020), though Amazon later resumed limited sales.
- Apple's Face ID is explicitly designed as a one-to-one verification system (is this the device owner?) rather than one-to-many identification (who is this person?), placing it outside most regulatory frameworks.
- Retailers using facial recognition for loss prevention face BIPA liability in Illinois regardless of whether they share data with law enforcement.
The Accuracy-Equity Problem
Regulatory debates frequently cite the NIST findings on differential accuracy. When a system used to identify potential shoplifting suspects, screen job applicants, or determine visa eligibility produces materially different error rates by race and gender, uniform deployment constitutes disparate impact under civil rights frameworks even if unintentional. The EU AI Act's high-risk classification of biometric systems implicitly acknowledges this by requiring bias testing and human oversight as mandatory requirements, not best practices.
The global regulatory trend is toward treating facial recognition as presumptively high-risk until proven otherwise—requiring consent, accuracy transparency, bias audits, and human review of consequential decisions. The patchwork will persist until a federal US law or international standard provides a coherent baseline.
Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Facial recognition regulation is a rapidly changing area of law. Organizations deploying such technology should consult qualified legal counsel regarding applicable requirements in their jurisdiction.