Using Facial Recognition for Residential Access Control: Preventing Short-Term Rentals

Chakrapan Pawangkarat

Head of Property and Asset Management, JLL Thailand

21 March 2025

Introduction

Short-term rentals pose significant challenges for residential property managers, including security risks, lease violations, and increased maintenance costs. Unauthorized guests entering the premises through key-sharing or access codes can disrupt community living.

Facial recognition access control offers a highly secure solution by ensuring that only authorized residents and pre-approved guests can enter the building. However, implementing this technology requires careful consideration of data privacy laws to protect residents' rights and comply with legal frameworks.

How Facial Recognition Access Control Works

Facial recognition systems use AI-driven cameras to scan and verify a person’s identity before granting access. The process typically involves:

1. Resident Registration: Tenants voluntarily enroll in the system by providing a facial scan.

2. Real-Time Verification: When a person approaches an entry point, the system matches their face against the stored database.

3. Access Decision: If there is a match, access is granted. Otherwise, entry is denied, and an alert may be sent to security personnel.

4. Guest Registration: Visitors can be granted temporary access, ensuring that only pre-approved guests enter the premises.

By eliminating physical keys or access codes, this system significantly reduces unauthorized access, making it a strong deterrent against short-term rentals.

Preventing Short-Term Rentals with Facial Recognition

1. Restricting Unauthorized Guests

• Unlike keycards or PIN codes, which can be shared, facial recognition requires physical presence for access.

• Residents cannot hand over access credentials to short-term rental guests.

2. Tracking Entry and Exit Logs

• The system logs every entry attempt, allowing property managers to detect unusual patterns.

• Frequent new faces at a specific unit could signal unauthorized short-term rental activity.

3. Enforcing Lease Compliance

• Facial recognition ensures that only registered tenants can access common areas.

• If unauthorized users frequently attempt entry, property managers can investigate further.

4. Enhancing Security for Residents

• Reduces risks associated with lost, stolen, or duplicated access credentials.

• Prevents unknown individuals from entering residential spaces.

Data Privacy and Legal Compliance

While facial recognition offers strong security benefits, its use is subject to strict data privacy laws and ethical considerations. Property managers must ensure compliance with local regulations, including:

1. Explicit Consent

• Residents must be informed about how their facial data will be used, stored, and processed.

• A clear opt-in mechanism should be implemented, meaning participation should be voluntary.

• Written consent agreements should outline:

  • Purpose of data collection

  • Duration of data retention

  • Third parties (if any) involved in processing data

  • Residents' rights to access or delete their data

2. Right to Opt Out

• Some residents may be uncomfortable with biometric data collection. Property managers must offer an alternative access method, such as:

  • Key fobs or access cards

  • PIN codes

  • Mobile-based digital keys

• Opt-out residents should not face discrimination in building access.

3. Secure Data Storage and Retention

• Encryption: All stored facial recognition data must be encrypted to prevent unauthorized access.

• Data Retention Policy: Limit data storage duration to the minimum necessary for security purposes.

• Access Control: Only authorized personnel should have access to the database.

4. Compliance with Thailand’s Personal Data Protection Act (PDPA)

Thailand’s Personal Data Protection Act (PDPA) governs the collection, use, and storage of personal data, including biometric data such as facial recognition. Property managers using facial recognition must comply with the following key PDPA requirements:

• Legal Basis for Data Collection: Biometric data is classified as sensitive personal data under the PDPA, requiring explicit consent before collection. Property managers must ensure that residents voluntarily agree to their facial data being stored and used for access control.

• Purpose Limitation: The use of facial recognition must be limited to building access control and security purposes. Data cannot be used for unrelated activities, such as marketing or profiling, without additional consent.

• Transparency and Resident Rights: Residents have the right to:

  • Know how their data will be used, stored, and shared.

  • Access their personal data and request corrections if needed.

  • Request deletion of their data if they no longer wish to use facial recognition for access.

• Alternative Access Options: Since consent must be freely given, residents who decline facial recognition must be provided with alternative access methods, such as keycards, PIN codes, or mobile app access.

• Data Security Measures: Property managers must implement strong security measures to prevent unauthorized access or leaks of biometric data. This includes encryption, access restrictions, and regular security audits.

• Third-Party Compliance: If a property manager works with an external vendor for facial recognition technology, they must ensure that the vendor complies with PDPA regulations and does not misuse or improperly store biometric data.

Non-compliance with PDPA can result in fines, legal penalties, and reputational damage. Therefore, property managers must work closely with legal advisors and data protection officers to ensure full compliance.

Balancing Security and Privacy: Best Practices

1. Transparent Resident Communication

   • Hold informational sessions to explain how the system works.

   • Provide written privacy policies and easy-to-understand consent forms.

2. Limited Data Retention

   • Store only necessary data and delete outdated records periodically.

   • Implement an auto-expiry system for unneeded biometric data.

3. Independent Security Audits

   • Conduct third-party audits to ensure compliance with privacy laws.

   • Test for potential vulnerabilities in the system.

4. Alternative Access Options

   • Ensure non-biometric alternatives are available for residents who opt out.

   • Maintain backup access methods in case of system failure.

Conclusion

Facial recognition access control is a powerful tool for preventing short-term rentals and enhancing security in residential buildings. However, successful implementation requires balancing security with privacy rights.

In Thailand, property managers must comply with the PDPA, ensuring explicit consent, purpose limitation, secure data storage, and opt-out options. By integrating privacy-focused policies with strong security measures, property managers can create a legally compliant and resident-friendly access control system.

Acknowledgement:

"This article was generated with the assistance of ChatGPT, an AI language model by OpenAI, and subsequently reviewed and edited by the author."