With all the attention these days on NSA activities, it’s easy to forget that much surveillance in the United States takes place at the state and local level, and it is also regulated by state and local law. Much of the really high tech stuff is centralized in the federal government’s hands, but debate about at least one new technology—facial recognition—is going on in some places at the state level, and that’s a good thing.

Most facial recognition technology works by identifying various distinguishing features and measurements of an individual human face in an image and comparing them to images stored in a large database of pictures matched with other data (say, for instance, all passport or driver’s license photos or all pictures stored in a social network application). Especially if linked up with proliferating camera systems and postings of pictures online, this is a powerful identification tool, and not just for detecting or recognizing suspects but for ID-ing those with whom they associate. Those who worry about the government looking through your call records should probably worry about it looking through your pictures, too.

In the private sector, Google has put a hold on integrating facial recognition technology in its Glass pending development of privacy protections. A 2012 Federal Trade Commission report on this technology begins, though, by reminding readers of a scene from Steven Spielberg’s Minority Report, in which ubiquitous electronic advertisement systems scan moving crowds and deliver targeted ads: “John Anderton... You could use a Guinness right about now.”

In the public sector, many agencies see this and related technologies as powerful new tools. The law enforcement and intelligence value is obvious. The military has been using a variety of biometric data tracking systems in combat zones, and Department of Homeland Security and the FBI have both initiated programs that use facial recognition systems for various purposes.

Unlike many NSA data analysis programs, however, facial recognition systems are not so expensive or technically complex, which is why they are starting to proliferate at the state and local level.  This means that states and municipalities will need to develop their own sets of rules for balancing law enforcement or security interests with privacy and their own oversight systems for preventing abuses.

The case of Ohio illustrates the potential benefits of state-level experimentation and adaptation, especially as lessons are learned and best practices shared, but it also shows how processes can go awry. Ohio Attorney General Mike DeWine recently came under fire amid reports that his state was using facial recognition technology to identify crime suspects with, among other things, driver’s license photos—but without having informed the public, with poor oversight, and without any review by his office of rules for using the system.

DeWine originally defended Ohio’s system as similar to that of many other states, but a review by the Cincinnati Enquirer found that Ohio’s protocols for accessing the database were much looser than other states’. Whereas in neighboring Kentucky, for example, only about three-dozen officials are authorized to run facial recognition searches, Ohio allows all 30,000 police and court employees to do so.  Since the controversy broke publicly, DeWine’s office has been scrambling to put more checks in place.

The Ohio example shows that resolution of appropriate limits and oversight of this and other new surveillance technologies will play out at multiple levels of government: federal, state, and local.  At this point, according to a recent Washington Post story, more than two dozen states have facial recognition systems that allow for law enforcement searches (with differing rules), about a dozen others have such systems but don’t allow law enforcement searches, and the rest lack such statewide systems. That means additional legal and policy complexity, but also opportunity to work through it.

Different locales have their own policy problems, public preferences, and mixes of technical capabilities. This is an area where states can productively serve as laboratories of democracy, provided that they—as well as watchdog organizations that press them for reform—can engage in ongoing review and reassessment and can cultivate exchange of best practices across jurisdictions as powerful analytic technologies continue to advance and as public video surveillance expands.  And while the federal government might someday set some standards and will be growing its own capabilities in this area, it will have much to learn from the state-level experience.