Facial Recognition Technology: How It Works & Your Rights

Facial recognition technology how it works is simple in concept: software turns a face in a photo or video into a “faceprint” (a biometric template) and compares it to other faceprints in a database. The problem is that wrongful arrests and privacy harms can happen when facial recognition software is inaccurate, used without consent, or treated as proof instead of a lead.

• What is facial recognition technology?
• Facial recognition technology how it works (step by step)
• Why facial recognition matters: wrongful arrests & biometric data privacy
• Wrongful arrests: real cases linked to facial recognition software
• Ban facial recognition laws and the legal landscape
• What you can do right now to protect biometric data privacy
• FAQ

What is facial recognition technology?

Facial recognition is a type of biometric identification. Instead of using something you know (like a password) or something you have (like a keycard), it uses something you are: your face.

In practice, it’s usually used in one of two ways:

• 1:1 verification (confirming identity): “Is this person the same person as the ID on file?” Example: unlocking a phone.
• 1:many identification (finding a match): “Who is this person?” Example: scanning a face from a surveillance video against a database.

The second use (identification) is where the highest stakes show up: police investigations, public-space surveillance, and searches across large databases. That’s also where accuracy gaps, consent issues, and civil-rights concerns collide.

Facial recognition isn’t a niche tool anymore. The global facial recognition market was worth $8 billion in 2025 and is projected to reach $13 billion by 2029, meaning more agencies and companies are likely to deploy it, not fewer.

Facial recognition technology how it works (step by step)

If you’ve ever wondered what the software is actually doing behind the scenes, here’s the plain-English flow. The exact math varies by vendor, but the pipeline is broadly similar.

Step 1: A camera captures an image (or many images)

The input can be a still photo, a frame from CCTV footage, a livestream from a street camera, or a body-worn camera clip. In some systems—often called live facial recognition—faces are scanned continuously as people move through a public space.

For example, London’s Metropolitan Police scanned approximately 1 million faces in 2025 using live facial recognition cameras, showing how quickly the volume can scale once it’s operational.

Step 2: The system detects a face in the image

The software first finds where the face is (even in a crowded scene), then isolates it. Poor lighting, camera angle, masks, hats, motion blur, and low-resolution footage can make this step harder—and can affect results downstream.

Step 3: The face is converted into a biometric “template”

This is the core privacy issue: the system creates a numerical representation of your face (often called a faceprint). It’s biometric data—and unlike a password, you can’t change your face if the data is copied, leaked, or reused later.

Step 4: Matching against a database (or a watchlist)

In identification mode (1:many), the faceprint is compared to many faceprints stored in a database. The output is typically a ranked list of potential matches with similarity scores.

This is where people can misunderstand what the tool is saying. A “match” is not the same as proof. It’s a probability output—often based on thresholds chosen by the operator—and it can be wrong.

Step 5: A human makes a decision (and the stakes kick in)

Even when policy requires a human review, the human is often influenced by the machine output. If the system suggests a match, the risk is that investigators start building a case around that person, especially if other evidence is thin.

Quick comparison: verification vs identification

• Verification (1:1): usually smaller scope, often user-initiated, typically less invasive.
• Identification (1:many): broad scope, often covert, higher risk of misidentification and mass surveillance.

Why facial recognition matters: wrongful arrests & biometric data privacy

People worry about facial recognition for two big reasons that show up again and again: wrongful arrests and biometric data privacy. The harms are different, but they reinforce each other.

1) Wrongful arrests aren’t hypothetical

At least 14 people in the US have been wrongfully arrested due to facial recognition false positives, and all publicly confirmed cases involve Black people. That’s not a small “error rate” story—those are real people detained, handcuffed, booked, and forced to prove they weren’t the person the software suggested.

A key reason this risk isn’t evenly distributed: a National Academies of Sciences report (2024) found facial recognition accuracy varies significantly across demographic groups and is least accurate on darker-skinned faces and women. That accuracy gap raises the risk of wrongful targeting for those groups.

2) Biometric data privacy is different from other privacy

Biometric data is persistent. If your email leaks, you can change your password. If a face template leaks—or is copied into another system—you can’t “reset” your face.

There are also consent and notice problems. In many deployments, people are scanned without being told, without opting in, and without a practical way to opt out—especially in public spaces.

3) The chilling effect is real, even when nobody is arrested

Mass surveillance can change how people behave. If you believe cameras can identify you at a protest, a religious service, a union meeting, or a sensitive health clinic, you may decide not to go. That’s the “chilling effect” on free assembly and expression that civil-liberties groups warn about.

Facial recognition software risks at a glance

• Bias and uneven accuracy: higher error rates for darker-skinned faces and women (National Academies, 2024).
• No consent / no notice: you may never know you were scanned.
• Database scale: identification searches grow more invasive as databases grow.
• Data breaches: stolen biometric templates can’t be changed like passwords.

Wrongful arrests: real cases linked to facial recognition software

It’s easier to understand the stakes when you see what “false positive” means in the real world: police acting on a computer-generated match that turns out to be wrong.

Robert Williams (Detroit, 2020)

Robert Williams was wrongfully arrested in Detroit in 2020 after facial recognition matched his expired driver’s license photo to surveillance footage of a shoplifter. He was not near the store. The result was an arrest that should never have happened.

Williams’s case became a turning point because it didn’t just end quietly. It settled in June 2024 with landmark policy changes at the Detroit Police Department—reported as the first settlement in the US requiring police facial recognition policy reform. That’s a big deal: it recognizes that policy and oversight matter, not just the technology.

Porcha Woodruff (Detroit, 2023)

In 2023, Porcha Woodruff was wrongfully arrested while eight months pregnant after facial recognition matched her to a carjacking suspect. The actual perpetrator was not visibly pregnant. The mismatch is obvious in hindsight, but the arrest still happened—showing how a machine-generated lead can override common sense when systems are treated as reliable.

What these cases show (pattern, not “one-off mistakes”)

1. Low-quality source images (grainy footage, poor angles) can lead to bad matches.
2. Investigators can anchor on the match and treat it as evidence instead of a lead.
3. The person who gets flagged bears the burden—often while detained—to prove the system is wrong.
4. Errors hit unevenly, aligning with documented demographic accuracy gaps (National Academies, 2024).

If you want to see more documented examples of AI systems causing harm (not just facial recognition), keep an eye on /ai-incidents/.

Ban facial recognition laws and the legal landscape

The legal situation is confusing on purpose: rules vary by country, state, and even city. Here’s what the verified landscape looks like based on the facts we have.

United States: no federal law, but growing local bans and biometric statutes

As of 2026, the US has no federal facial recognition law. That means your protections can depend heavily on where you live.

Two trends matter:

• Biometric privacy laws: nearly two dozen states have passed biometric privacy laws. These laws can shape consent, retention, and legal remedies, but the details vary widely.
• City bans on police use: at least 16 cities have banned police use of facial recognition, including San Francisco, Boston, and Portland. Milwaukee became the latest city to ban police facial recognition in February 2026 after public outcry.

Practical takeaway: in a city with a ban, the “right” you can exercise may be as simple as insisting your local police follow their own rules—and documenting when they don’t.

European Union: the EU AI Act draws bright lines for law enforcement

The EU AI Act (fully applicable from August 2, 2026) takes a stricter approach to certain kinds of facial recognition. It prohibits real-time facial recognition in public spaces by law enforcement, with narrow exceptions, and it classifies mass facial recognition databases as “unacceptable risk” AI.

If you’re in the EU—or your city buys tech from EU-based vendors—those rules matter because they shape what companies can sell and what public agencies can justify.

For a broader overview of how the EU is regulating AI systems, see /explainers/eu-ai-act and /explainers/ai-regulation.

United Kingdom: heavy use, unclear governance

The UK has seen major operational use. As noted above, London’s Metropolitan Police scanned approximately 1 million faces in 2025 using live facial recognition.

But the governance is still unsettled. In July 2025, the UK Home Secretary acknowledged the UK needs “a proper, clear governance framework” for facial recognition—and that such a framework does not yet exist. In plain terms: the tools are being used at scale faster than the rules are being written.

Comparison table: US vs EU vs UK (high-level)

• United States: No federal facial recognition law (as of 2026); nearly two dozen state biometric laws; at least 16 city bans on police use (e.g., San Francisco, Boston, Portland); Milwaukee ban (Feb 2026).
• European Union: EU AI Act fully applicable Aug 2, 2026; bans real-time public-space facial recognition by law enforcement with narrow exceptions; mass facial recognition databases labeled “unacceptable risk.”
• United Kingdom: Live facial recognition used at scale (Met scanned ~1 million faces in 2025); Home Secretary said July 2025 UK needs a clear governance framework—one does not yet exist.

If you’re tracking where public concern is rising—and why—browse /ai-backlash/ for examples of pushback and policy fights around AI systems.

What you can do right now to protect biometric data privacy

It’s easy to feel powerless with surveillance tech. But there are practical steps that help, especially if you focus on your local rules and what creates a paper trail.

1) Check whether your city has a ban (and use it)

Because at least 16 US cities have banned police use of facial recognition, the first question is simply: Does my city have a ban or restrictions? If it does, you can:

• Ask your local representatives how the ban is enforced and what reporting exists.
• Request policy documents (public agencies often have written policies even when the public hasn’t seen them).
• Document and report concerns to local oversight bodies if you believe prohibited use occurred.

2) Treat a “match” like a lead, not proof (and insist others do too)

If facial recognition software ever enters a situation involving you or someone you know—at work, at school, or in a law enforcement context—remember: a match is not an ID. A healthy standard is: no enforcement action should be based on facial recognition alone.

That principle is consistent with what the Detroit cases illustrate: the harm comes when people treat software output as certainty.

3) If someone is wrongfully arrested, contact the ACLU

This is specific and practical: if you or someone you know is wrongfully arrested due to a facial recognition false positive, the guidance is to contact the ACLU. Early legal support can help preserve records and challenge flawed procedures.

4) Support clearer facial recognition legislation

Rules don’t appear on their own. If you want stronger guardrails—limits on real-time public surveillance, rules on consent, retention limits, auditing, and transparency—support facial recognition legislation efforts where you live. A starting point is /fighting-back/, which tracks ways to push for change.

5) Keep a record of AI-related harms and patterns

Individual stories matter, but patterns change policy. If you see a harmful deployment (in policing, school settings, housing, retail, or elsewhere), track it and share it through channels that document incidents. One place to start is /ai-incidents/.

6) Understand the bigger ecosystem (optional, but useful)

Facial recognition doesn’t exist in a vacuum. It’s tied to broader AI deployment, data infrastructure, and public trust. If you’re trying to connect the dots:

• Learn more about facial surveillance and related tools in /explainers/facial-recognition.
• If you’re seeing AI reshape jobs and workplace monitoring, compare with /ai-layoffs/ and /will-ai-replace-my-job/.
• To understand the physical footprint behind AI systems, see /data-center-map/ and /explainers/data-center-impact.

FAQ

Is facial recognition technology accurate?

Accuracy depends on the system, the image quality, and the person being scanned. A National Academies of Sciences (2024) report found accuracy varies significantly across demographic groups and is least accurate on darker-skinned faces and women, which increases the risk of wrongful targeting.

How do wrongful arrests happen with facial recognition software?

Wrongful arrests can happen when police treat a facial recognition “match” as evidence rather than a lead. At least 14 people in the US have been wrongfully arrested due to facial recognition false positives, and all publicly confirmed cases involve Black people.

Can cities ban police facial recognition?

Yes. In the US, at least 16 cities have banned police use of facial recognition, including San Francisco, Boston, and Portland. Milwaukee banned police facial recognition in February 2026 after public outcry.

What does the EU AI Act do about facial recognition?

The EU AI Act, fully applicable from August 2, 2026, prohibits real-time facial recognition in public spaces by law enforcement, with narrow exceptions. It also classifies mass facial recognition databases as “unacceptable risk” AI.

What should I do if I think facial recognition was used on me without consent?

Start local: find out whether your city or state has restrictions or biometric privacy laws. If you’re in a city with a ban on police use, you can ask elected officials how it’s enforced and request policy documents. You can also document the situation and share verified details via /ai-incidents/.

Conclusion

Facial recognition technology how it works is straightforward—scan a face, create a biometric template, compare it to a database—but the consequences can be severe when the system is biased, deployed as mass surveillance, or treated as proof. The documented record of wrongful arrests, plus the unique risks of biometric data privacy, is why ban facial recognition laws and strong governance frameworks matter.

If you want to help push for clear limits and accountability, start at /fighting-back/. If you’re tracking harms and patterns, use /ai-incidents/. And if you want context for how public pressure is changing AI policy, see /ai-backlash/—plus related accountability fights at /ai-lawsuits/. To understand AI’s broader impact on work and infrastructure, explore /ai-layoffs/ and /data-center-map/.