In early March, the Washington state legislature passed a public sector facial recognition privacy bill that has been little noticed due to the failure of the Washington Privacy Act (WPA) as well as the subsequent coronavirus disease 2019 (COVID-19) pandemic, which emerged quickly in the state. In reaching agreement on SB 6280, the Washington Senate and House avoided the roadblocks that prevented WPA’s passage and succeeded in placing significant controls on public sector use of facial recognition technology in the state.
The law includes significant provisions, described below, requiring extensive accountability reports, three public hearings and a cooling off period before deploying a facial recognition service, as well as human review of consequential decisions made using the technology, significant testing to prevent discriminatory effects, a warrant requirement and other restrictions on surveillance conducted using facial recognition technology.
The law also includes a first-in-the-nation definition of “decisions that produce legal effects concerning individuals or other similarly significant effects concerning individuals.” These are defined as “decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities such as food and water, or that impact civil rights of individuals.” This concept may well be used in other state and federal statutes addressing other privacy issues. Already, the 2020 session has seen many privacy bills (including the WPA) that include non-discrimination provisions prohibiting the use of consumer data to engage in invidious discrimination. With this precedent ensconced in the Washington Revised Code, it would not be surprising to see it in , and in future state privacy laws governing the public sector (including the Washington Privacy Act’s eventual passage). The concept is in the current draft of a Uniform Law Commission model privacy bill.
Washington’s new law treats government use of facial recognition technology as a very significant privacy issue and imposes extensive requirements and limitations on government use that will very likely slow deployment of the technology in the state.
The key provisions of the law are as follows:
I. Effective date, scope of application, key definitions
The law takes effect July 1, 2021.
It applies to all state and local government agencies except for the department of licensing. The law also exempts the use of facial recognition services when done either to comply with a federal mandate or in partnership with federal authorities, including the use of facial recognition at airports. However, the use of facial recognition services under these conditions still requires disclosure to the state.
The key definitions are as follows:
- “Facial recognition service” means technology that analyzes facial features and is used by a state or local government agency for the identification, verification, or persistent tracking of individuals in still or video images.
- The term excludes functionality that enables access to electronic devices, and the redaction of recordings to protect the subject depicted in the recording, if the process does not generate or result in the retention of biometric or surveillance information.
- “Facial template” means the machine-interpretable pattern of facial features that is extracted from one or more images of an individual by a facial recognition service.
- “Enroll” means the process by which a facial recognition service creates a facial template from one or more images of an individual and adds the facial template to a gallery used by the facial recognition service for recognition or persistent tracking of individuals. It also includes the act of adding an existing facial template directly into a gallery used by a facial recognition service.
II. Notice of intent
Prior to developing, procuring, or using a facial recognition service, a state or local agency is required to file with a legislative authority a notice of intent to obtain and implement a facial recognition service. The agency is also required to specify a purpose for which the technology is to be used.
The statute makes this notice a prerequisite for undertaking any additional actions with respect to facial recognition services.
III. Accountability reports
After filing the notice of intent, the agency may then proceed to develop the accountability report. There are very specific requirements for the content, including:
- The name of the service and vendor, with a description of its general capabilities and limitations, as well as “reasonably foreseeable capabilities outside the scope of the proposed use of the agency.”
- The types of data inputs that the technology uses, how that data is processed, and the types of data the system is reasonably likely to generate.
- A description of the purpose and proposed uses of the facial recognition service, including what decision or decisions it will be used to make or support; whether it is a “final or support” decision system; and its intended benefits, “including any data or research demonstrating those benefits.”
- A data management policy that includes very detailed requirements, including the factors that determine when the technology will be deployed, data minimization measures, data integrity measures, data security measures (including how the provider will fulfill data breach notification requirements), testing procedures, information on the facial recognition service’s rate of false positives and potential impacts on protected subpopulations, and descriptions of potential impacts on civil liberties.
- The agency must also require a vendor to disclose any complaints of bias regarding the service.
Prior to finalizing the accountability report, the state or public agency must provide for public comment, and hold 3 community hearings. The report must be submitted and updated every two years to the legislative authority. The final report must then be communicated to the public at least ninety days prior to deploying the technology.
IV. Meaningful human review for disparate impact activities
The statute requires the state or government agency to implement “meaningful human review” (defined in the statute) when the facial recognition service produces “legal effects concerning individuals or similarly significant effects concerning individuals.” As stated above, this is a first-in-the-nation state requirement. It may be drawn upon in future regulation of other contexts, such as for similarly consequential automated data processing using AI.
Additionally, when an agency intends to deploy facial recognition services in the field under the above conditions, it must test the service in operational conditions prior to deployment.
The statute also includes open API language similar to the WPA’s section on facial recognition. The law will require state or local government agencies to make available their application programming interface (API) or other technology chosen by the provider, to enable testing of its service for bias across minority subpopulations.
If such testing does identify “material unfair performance” (e.g., biased outcomes), the provider is required to develop a plan to mitigate the performance within 90 days of the results.
There is an important cybersecurity exception to this open API requirement that excuses the provider from making the API or other technical capability available if doing so would increase the risk of cyberattacks or disclose proprietary data.
Government agencies deploying facial recognition services must additionally provide periodic training to operators of the service, or individuals who process personal data obtained from facial recognition services. The training must include coverage of not only the limitations of the service, but also procedures to interpret and act on the output of the facial recognition service, and, where applicable, the human review requirement.
VII. Warrant requirement and disclosure of use to defendants
Significantly, the statute extends its reach beyond government deployment of facial recognition services, into procedural protections for criminal defendants with regard to use of the technology in prosecutorial cases.
Government agencies are prohibited from using the technology to “engage in ongoing surveillance, conduct real-time or near real-time identification, or start persistent tracking” without a warrant or exigent circumstances. This restriction applies to the use of body cameras. What is more, evidence obtained through facial recognition may not constitute probable cause on its own. Other evidence is required to meet this threshold.
The law specifically prohibits using the technology to gather information based on protected classes or identities, or to “create a record describing any individual’s exercise of rights guaranteed by the First Amendment.”
It also prohibits the use of the technology to match suspects based on sketches or other manually produced images.
In court proceedings, government agencies must disclose the use of facial recognition services to criminal defendants “in a timely manner prior to trial.” This puts the defendant on notice to be able to challenge adherence to the law’s requirements.
There are obligations placed on the judicial branch as well. Judges who have issued warrants for the use of the technology are required to make annual reports to the administrator for the courts as to the application process for the warrants, the identity of the law enforcement officer, the nature of the public spaces where the technology was used, and demographic information regarding the targets of warrants.
Although the California legislature in 2019 placed a moratorium on use of facial recognition technology by law enforcement in the context of body cameras, in passing this landmark bill, Washington State establishes itself as a leader in placing regulatory controls and restrictions on use of this technology by government entities. Viewed in conjunction with the state’s biometrics statute, Washington can lay claim to the most forward-thinking regulatory regime in the nation.
This legislation is likely to serve as a model in other states in the 2021 session, and both legislators and private sector entities that employ such technology should be prepared to understand the significant operational implications of the law and the privacy values it embodies, which may appear in other privacy laws over the next few years.
Please contact your usual DLA Piper contact if you would like further assistance.