I wrote recently about the Artificial Intelligence Video Interview Act in Illinois, the first law of its kind regulating the use of A.I. in evaluating job candidates' interviews. You can read all about it here.
 |
| (c) Freepik |
Maryland will have a similar law on October 1, 2020. There are important differences, however. Unlike the Illinois AIVIA, the Maryland law is not targeted precisely at the use of A.I. to evaluate interviews. Instead, it addresses the use of facial recognition (as a biometric identifier for recognition or tracking).
The new requirements:
The law simply states that job applicants must sign a simple waiver that includes (i) their name, (ii) the date, (iii) their consent to the use of "facial recognition during the interview," and (iv) a recital that the applicant has read the waiver.
You can read the statute here.
My opinion:
In my view, the policy decision here is correct, but the statute is under-inclusive.
- The statute is consistent with the general privacy principle of notice and consent at or before the time personal information is collected. Beyond that, it is clearly the right thing for employers to notify applicants before using facial recognition, as a matter of personal data rights.
- While the brevity of the statute is appreciated, it leaves a number of questions unanswered, however, such as the effect of an applicant's refusal to consent. It is unclear whether a verbal, recorded waiver would suffice. Is the consent revocable? The statute also fails to address the use of facial biometric data for purposes other than recognition and tracking (such as to evaluate interviewees' performance). One presumes these issues will be litigated in the years to come, unless the Maryland legislature enacts a more comprehensive privacy law or at least a biometric data privacy law. (The Maryland Personal Information Privacy Act covers biometric data but only in the context of a data security breach.)
- A more complete law would have a broader scope (e.g., all biometric data or all personal data) and would address other core rights such as use limitations, retention limitations, and the sale or sharing of a person's biometric data (compare to Texas' biometric data law).
How to implement:
The waiver form prescribed by the new Maryland law should be very simple to draft (in a matter of minutes).
Some organizations might consider whether to create or amend a policy statement governing the use of facial recognition data, and if so, whether to incorporate into an existing biometric data policy (perhaps adopted pursuant to Illinois' BIPA) or an existing A.I. policy.
