Facial-recognition technology used to be the stuff of dystopian nightmares, but now your face may be used as a phone passcode or a concert ticket.

Live Nation, Ticketmaster’s parent company, announced last week that it will allow concertgoers to scan their faces for entry into shows, instead of showing up with a mobile or paper ticket. The pilot program will take place at select Live Nation venues, Ashley Dos Santos, Ticketmaster’s communications director, told The Daily Beast.

Ticketmaster partnered with Blink Identity, a biometrics company that claims its products can “identify people walking by in a ‘half a second,’ even if they aren’t looking straight at a camera,” The Verge reported. Blink’s founders have worked for government agencies and developed biometric security programs in Afghanistan and Iraq, according to the company’s website.

The partnership has faced criticism and raised privacy questions about how consumers’ data will be stored and used in the future. Dos Santos insisted that the technology will help the company provide a better “level of safety and security” during events and build “deeper customer relationships” between fans, artists, and venues. But it’s not clear if concertgoers will know exactly how their faces could be used.

Civil liberties advocates and national security experts believe that’s cause for concern, especially because consumers often agree to a company’s catch-all privacy policy, usually written in fine print, after skimming it over, if they bother reading it at all.

“Facial recognition technology has the huge potential to be used as a routine mass surveillance tool,” according to Jay Stanley, senior policy analyst of the American Civil Liberties Union’s Privacy and Technology Project. “It’s a little bit like using dynamite to dig into your garden. It can be used on people without their knowledge, let alone their permission.”

And the government isn’t doing much about it. Currently, biometric technology has no federal regulations and only three states have laws that protect users against facial recognition technology.

Illinois lawmakers passed the Biometric Privacy Act in 2008, which requires companies to ask for explicit permission from users to collect biometric data—not just facial scans, but identifiers like irises and fingerprints. Texas passed a similar law in 2009, and Washington followed suit with a looser measure last year.

The lack of regulation is a problem, Jeramie Scott, the director of the Electronic Privacy Information Center’s Domestic Surveillance Project, told the Beast. “You’re handing over a biometric without any regulation or knowledge of how that biometric will be used in the future.”

Biometrics have been commonplace among Silicon Valley’s giants including Apple, Google and Facebook. In 2010, powered by its “DeepFace” algorithm, Facebook launched Tag Suggestions, a tool that recommends photos users may be in using facial recognition. Facebook gave users the chance to opt-out only after the feature launched—and the company was hit with a class-action lawsuit over the technology.

Carlos Licata, an Illinois resident, sued the social network in 2015 for storing his biometric data. According to court documents, Licata alleged, “Facebook actively conceals from its user that its Tag Suggestion feature actually uses proprietary facial recognition software to scan their uploaded photographs, locate their faces, extract unique biometric identifiers associated with their faces, and determine who they are.”

His grievance was classified as a class-action lawsuit, allowing other users from the state to join the litigation if their faceprints were stored on the site after June 7, 2011. Facebook claimed the case holds “no merit” and unsuccessfully tried to move the lawsuit to California, home of the company’s headquarters.

The outcome of the still-pending case could be a big win for consumer rights. “It’s the first meaningful attempt to regulate the use of facial recognition, and it’s being attacked by Facebook,” Scott said.

This year, the social-media giant came under fire over user privacy once more after it was discovered that Cambridge Analytica harvested the personal data of 87 million Facebook users without their knowledge. During the same week that Zuckerberg testified before two Senate committees about his company’s role in the data breach, Illinois lawmakers backed by Facebook were considering an amendment that would weaken the state’s biometric privacy law.

While facial-recognition technology provides convenience for users, experts warn about its disturbing implications.

“There’s a real danger, facial recognition technology is like license plate recognition for people. Everywhere we go, someone may know who you are,” the ACLU’s Stanley added.