Tech companies like Facebook and Google have made rapid strides in facial recognition technology, building databases of millions of users who can be identified by the shape of their face.
Despite the obvious privacy implications—and recent alarming stories out of Russia—the technology is largely unregulated. Unless, that is, you count the final guidelines issued this week by a Commerce Department working group.
Intended to be a set of best practices for the commercial use of facial recognition tools, the guidelines received praise from tech industry trade groups like the Consumer Technology Association.
Get Data Sheet, Fortune’s technology newsletter.
“CTA is proud to be among the key industry stakeholders supporting best practices for facial recognition technologies that balance consumer protection with technological innovation,” said a CTA official in a statement. Facial recognition tech is a rapidly developing innovation we should welcome and embrace.
But the tech industry’s touting of the plan is not exactly a surprise since, well, the industry wrote them. The guidelines were supposed to be the product of industry and public interest groups—including the ACLU and the Electronic Frontier Foundation—but the latter bolted a year ago, objecting that companies refused to recognize even basic boundaries on how facial recognition is used.
Nonetheless, a Commerce Department message this week says the final guidelines came as a “consensus on a best practices document.”
Facebook’s Memories App: The End of Privacy?
Michelle De Mooy, who studies privacy issues at the Center for Democracy and Technology, disputes that assessment. In a phone call, she said working group never made an effort to bring the public interest groups back into the project, and described the final guidelines as “vague” and “toothless.”
De Mooy also explained why she views the need for guidelines as important. “Facial recognition is incredibly sensitive and it’s immutable—unless you want to go under plastic surgery every time you go outside,” she said. “Our ability to be private in public is at the core of our civil liberties.”
Other consumer groups have issued statements describing the guidelines process as “skewed to business.”
The upshot for now is that things will go on as before, though De Mooy says she hopes that the failure of the Commerce Department project to include public interest groups will lead Congress to take an interest in how companies are using consumers’ faces.
In the meantime, she says the most active oversight of facial recognition tools is occurring at the state level, pointing to examples like Illinois, which has a biometrics law that requires companies to ask consumers for permission before scanning their face. A quiet push by the tech industry to revoke the law failed late last month.