Casinos could increasingly become part of a national debate on how to regulate and use biometric surveillance and related high-tech methods of data collection on gaming patrons.
On one hand, privacy advocates are concerned what gaming venues and other organizations are doing with facial recognition and biometric data collection and whether patrons’ rights are being violated. In defense of casinos and other private businesses, the data can help provide a personalized experience for visitors.
Gaming venues have used facial recognition tools since the 1990s to detect and identify banned or problem gamblers. Its use has evolved and continues to help improve security.
“The use of biometrics in casinos has only become more sophisticated and widespread… [and] every day every person walking through a casino is having their facial geometry captured and processed,” Peter Hanna, a privacy attorney who is also the president of the ACLU of Illinois’ Next Generation Society, told Casino.org.
On a national level, US Sen. Catherine Cortez Masto, D-Nevada, proposed a federal privacy bill earlier this year. It was never approved, but included protections for biometric data, such as opt-in consent, Hanna said.
On state levels, Illinois, Texas and Washington state already have biometric data laws in place governing individual states. Also, the California Consumer Privacy Act (CCPA) takes effect in 2020.
Some gaming venues in California may be impacted by the CCPA, according to Hanna. The act will let residents access some information and includes an anti-discrimination provision, Hanna explained, and it could lead to a change in behavior by gaming venues.
Certain casinos may need to reevaluate and change the manner in which they collect and share certain personal information for California residents,” Hanna said about the legislation.
Illinois Privacy Act Model for Other States
For states considering enacting their own law, the Illinois Biometric Information Privacy Act (BIPA) is a “great model,” Hanna said.
“BIPA … was the first law of its kind — enacted in 2008 — and has been revised, refined and litigated at length,” he added. “It is a balanced statute and framework we have worked with for more than a decade with good results.”
Earlier this year, the Illinois Supreme Court ruled BIPA does not require actual injury or harm to bring a claim — making it easier to file a lawsuit if there was inappropriate consent. The court’s ruling was on Rosenbach v. Six Flags, where a 14-year-old’s thumbprint was taken without his informed consent at the amusement park.
Stacy Norris, an editor of the UNLV Gaming Law Journal, also recently wrote a journal article which describes BIPA as “a great example of legislation that allows for the use of biometric technology if people are given notice that their information is being collected, notice of what that information will be used for and how long, and the ability to consent or refuse consent to the collection and use of their data.
“The growing number of class-action lawsuits in Illinois should indicate to other states that this is an area that requires attention moving forward, as it is a growing concern that information is being collected without consent or notice,” Norris added. “The best recommendation would be for states to model their own acts based on the Illinois BIPA Act.”
When it comes to lawsuits, Hanna explained that litigation can be brought by individuals or state attorneys general, only under limited circumstances regarding state privacy or biometric laws.
Hanna says it is “unlikely” that a Constitutional claim could arise from private use of biometric data “strictly for security purposes.” But one possible path to litigation may include instances where corporations use biometric data in a way involving discrimination, Hanna said.
Another approach may include litigation related to the Fourth Amendment of the Constitution that prohibits unlawful searches and seizures. “We … know casinos work with law enforcement occasionally, and it is possible that there would be a legal, potentially Fourth Amendment claim, if casinos were sharing biometric data … with law enforcement that was used in connection with a criminal prosecution,” Hanna said.
With all the data collected, there is also a risk personal information could be hacked. Hackers or even disgruntled employees “could use and monetize troves of biometric data,” Hanna said.
“Biometric information collected on casino-goers should not be retained indefinitely, but to the extent it is retained, it should be used only for the very limited purpose for which it is collected,” Hanna added.
Facial Recognition Tools Improve Casino Security
Anthony Cabot, a professor of gaming law at UNLV Boyd School of Law, also told Casino.org that facial recognition collection can be “an excellent tool for identifying terrorist and criminal activity in the casino environment.”
One new initiative from Athena Security involves technology designed to help casinos detect guns and other weapons that patrons may be hiding. Facial recognition could also be useful for self-exclusion and self-imposed spending limits to ensure responsible gaming at casinos, Cabot said.
The challenges lie in balancing the customer’s privacy concerns with otherwise beneficial utilization,” Cabot explained. “What policymakers need to focus on is the use and confidentiality of the information in other contexts.
“For example, can you capture an otherwise anonymous person playing in the casino, derive his or her identification from public records and then sell that information to a third-party timeshare company so they can market to the person?” he asked.
The issue goes beyond US borders. Macau casinos have been rolling out artificial intelligence (AI) technologies in order to monitor habits of patrons and quickly identify those individuals who are likely to spend and lose.