The same standard for taking and storing fingerprints should apply to face recognition, DNA or any other biometric data.
For fingerprints and DNA, a proper sample can be taken only with the knowledge (not necessarily willing consent) of the subject. For face recognition and some other biometric data this can be done remotely without the knowledge and consent of the subject.
Under GDPR legislation this should be considered to be personal data with all the protection this is designed to entail and prevent intrusive face recognition being applied.
100% false positives means it is pretty worthless (at the moment) anyway!