Facial Recognition Is Deployed Everywhere Now. Most People Don't Know When It's Scanning Them.

When you walk through a major US airport, your face is being scanned. CBP's Simplified Arrival program has deployed facial recognition at hundreds of US airport gates — your boarding pass check is increasingly a face match against your passport photo in a government database. Over 40 airlines participate. Opt-out is technically possible but practically obscure; the signs are small, the alternative line is unmarked, and most passengers never realize the scan happened.

The airport case is relatively transparent by the standards of where biometric surveillance has spread. Retail chains are scanning faces at entrances to detect previously banned shoplifters. Sports stadiums use facial recognition for entry and to flag people on watch lists. Schools have deployed face-scanning attendance systems. Police in several countries run live facial recognition cameras on public streets that compare faces in real time against criminal databases. Clearview AI has scraped tens of billions of photos from the public web and sold access to its facial recognition database to over 3,000 law enforcement agencies globally.

The deployment has outrun regulation in most jurisdictions, and the combination of dramatically improved accuracy and dramatically lower costs has created conditions for rapid, quiet expansion.

How Accurate It's Become

The 2015 generation of facial recognition systems had meaningful false positive rates — misidentifying a face in a crowd was common enough to make the technology operationally problematic for law enforcement. The 2025 generation is a different tool. NIST's Face Recognition Vendor Testing (FRVT) program, which benchmarks commercial facial recognition algorithms against standardized datasets, shows top-tier 2024-2025 systems achieving false positive rates below 0.01% on high-quality frontal images — one in ten thousand false matches. Performance degrades with lower image quality, non-frontal angles, masks, and demographic factors, but for controlled environments like airport gates with cooperative subjects looking directly at a camera, modern systems are highly accurate.

False negatives — failing to match a known person — are more common than false positives in operational deployments, which has the opposite risk profile from what civil liberties advocates focus on. But in law enforcement contexts, a 0.1% false positive rate applied to a city of one million people means 1,000 people per pass incorrectly flagged as matches for a single suspect.

The technology also works at a distance in public spaces. NEC's NeoFace system, used by several metropolitan police forces, can extract facial measurements from surveillance footage of people walking, with enough resolution to run matches against a database. The subject doesn't need to pause, look at a camera, or be aware the scan is happening.

Where It's Being Used

Airports and border crossing: The most institutionalized deployment globally. CBP's Simplified Arrival program is the US example; similar systems operate at most major European airports under EU border control programs. The data model is enrollment-based — your photo is in a passport/visa database, and the airport scanner matches against that enrollment photo rather than a street surveillance feed.

Retail: Walmart, Kroger, Sephora, and dozens of other retailers have trialed or deployed systems that flag people previously caught shoplifting. The vendor most commonly cited is Facewatch (UK-based) and RealPage's retail products. Unlike airport systems, retail facial recognition operates against databases built from loss-prevention incidents — meaning your face can be enrolled without your knowledge after a disputed shoplifting accusation. Several retailers have abandoned the technology after public backlash; others have continued quietly.

Sports and entertainment: Over 200 NFL, NBA, NHL, and MLB venues have deployed facial recognition for entry. The Madison Square Garden Company (MSG) attracted significant attention in 2022-2024 when it used facial recognition to ban lawyers involved in litigation against it from entering its venues, including the Radio City Music Hall. New York's attorney general investigated; MSG settled but maintained it had acted legally. The incident illustrated a use case — private venue operators banning people from large public-facing spaces — that is not addressed by existing law.

Law enforcement live surveillance: London's Metropolitan Police has deployed live facial recognition cameras that scan faces in public crowds in real time against a watchlist. Trials have been conducted in multiple US cities. South Wales Police in the UK ran the world's first operational live facial recognition deployment. China's deployment is the most extensive, with hundreds of millions of cameras linked to a national identification database.

The Legal Landscape

The US has no federal biometric privacy law. The patchwork of state laws is dominated by Illinois' Biometric Information Privacy Act (BIPA), which requires informed consent before collecting biometric identifiers (including face geometry), prohibits selling biometric data, and provides a private right of action — meaning individuals can sue. BIPA has generated hundreds of millions of dollars in class action settlements against companies including Facebook ($550 million), Google ($100 million), Snapchat ($35 million), and numerous smaller companies. Texas and Washington have weaker biometric laws without private rights of action; a handful of other states have passed or are considering similar legislation.

The EU's AI Act, which began applying to specific AI systems in 2024-2025, categorizes real-time remote biometric identification in public spaces as a prohibited AI practice, with narrow exceptions for law enforcement in specific high-risk situations. The exceptions are contested and the enforcement framework is still developing, but the regulatory direction is clear: the EU is treating live public facial recognition as presumptively illegal absent specific authorization.

Clearview AI has been fined by data protection authorities in the UK, France, Italy, Greece, and Australia for unlawfully scraping and processing biometric data. It has paid some fines, appealed others, and continued operating in the US market where it has no comparable restriction.

What Protection Exists in Practice

If you live in Illinois, BIPA gives you meaningful rights and a legal remedy. If you live anywhere else in the US, your practical protection is limited to whatever voluntary policies your airport, retailer, or sports venue has adopted — which are not consistently disclosed, are subject to change, and are often not enforced.

Technical countermeasures exist but are impractical for daily life: adversarial patterns printed on clothing that confuse neural network-based face detectors, IR-reflective makeup that blinds near-infrared cameras, anti-recognition eyewear like the CV Dazzle patterns documented by artist Adam Harvey. None of these are viable for routine use by ordinary people.

The most actionable protection for most people is awareness: understanding that opt-out options exist at airports, that retail facial recognition deployments are legally required to be disclosed in some jurisdictions, and that BIPA's private right of action is real and has been successfully exercised. The technology is deployed and will remain deployed; the question of whether its deployment is subject to meaningful public accountability is still being decided in state legislatures, courts, and regulators that are working faster in Europe than in the US.