Airlines using facial recognition as part of the U.S. Customs and Border Protection Agency’s (CBP’s) Biometric Exit program are contractually bound to not use biometrics for any purpose other than verifying the identity of travelers, Law360 reports.
CBP Director of Policy and Planning Michael Hardin told an audience at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in early May that airlines and other partners are bound by “business requirements” not to use any data for applications such as personalized advertising. During the presentation, CBP officials described the steps taken by the government to protect the privacy of travellers during the program’s rollout, which has reached 17 airports, and which the agency plans to extend to 97 percent of travelers within four years.
U.S. citizens can opt out of face scans, and collected scans are stored on an encrypted server, and then deleted within 12 hours, according to the officials. Airlines are also subject to auditing to make sure biometrics are not used for other purposes, and have not found any in violation of the rules so far.
Federal officials were reported in August to be considering imposing data use rules on Biometric Exit partners. The Department of Homeland Security says Biometric Exit is mandated by USA Patriot Act and Illegal Immigration Reform and Immigrant Responsibility Act statutes, but Senators have called for the program’s roll out to be delayed while privacy and legal concerns are addressed, and CBP recently revealed it is not able to assess whether its biometric systems include any racial bias