Washington Enacts First-in-the-Nation State Law Regulating Governmental Use of Facial Recognition Technology
Governor Jay Inslee signed (with a partial veto) S.B. 6280 on March 31, 2020, establishing new statutory regulations on the use of facial recognition technology by state and local government agencies. The new law, which takes effect on July 1, 2021, imposes an array of requirements designed to ensure that the technology is used in an open, accountable manner that protects civil liberties while permitting legitimate governmental uses. (The veto only applied to an unfunded legislative task force and does not affect the substance of the bill.)
Accountability Reports
Once the new law takes effect, no state or local agency will be permitted to “develop[ ], procure[ ] or use[ ]” facial recognition technology without first preparing a detailed “accountability report” that provides at least the following:
- The name of the vendor providing the service, along with a description of its general capabilities and limitations.
- The types and sources of data the service uses.
- A description of the service’s purpose and proposed use.
- A “clear use and data management policy” addressing how the service will be used, how to avoid inadvertent data collection, data integrity, data security, and training systems.
- Information on the service’s “rate of false matches, potential impacts on protected subpopulations” and how the agency will deal with significant error rates (1 percent or greater).
- A description of the impact of the service on civil rights and civil liberties, including impacts on privacy, steps to prevent unauthorized use, and potentially disparate impacts on marginalized communities.
The accountability report must be subject to public review and comment, including at least three community meetings, before being finalized; the final report must be communicated to the public and included on the agency’s website; and it must be updated every two years.
However, an “accountability report” is not required for facial recognition services that are “under contract as of the effective date of this section,” although it does apply to contract renewals or extensions. This language could lead to a spate of state and local agencies entering into new contracts with facial recognition services prior to the law’s effective date—more than a year away—which would seem to effectively exempt those contracts from the “accountability report” requirements until some future point when they are renewed or extended. This was likely one of the factors that led civil liberties groups to urge the legislature to impose a ban—at least temporarily—on the deployment of facial recognition services.
Meaningful Human Review
The law requires agencies using facial recognition technology “to make decisions that produce legal … or similarly significant effects” to provide “meaningful human review,” which means “review or oversight” by appropriately trained individuals “who have the authority to alter the decision under review.” So, “review” of decisions driven by facial recognition cannot be delegated to low-level employees.
The “meaningful human review” requirement applies to decisions affecting “provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, healthcare services, or access to basic necessities… or that impact civil rights of individuals.”
Testing and Validation
An agency’s facial recognition service must have an application programming interface (API) or similar capability to allow independent third parties to test the service to ensure it does not produce inaccurate or unfair results for “distinct subpopulations,” defined as groups as having “visually detectable characteristics” such as age, skin tone, gender, race, or disability status.
If the tests show problems in this regard, within 90 days, the vendor must “develop and implement a plan to mitigate” them. At the same time, the vendor must be given the “methodology and data used” in the independent testing so that it can reproduce the results and fix the problems.
Training
Any agency deploying a facial recognition system has to ensure that anyone who operates the system is adequately trained, including coverage of the capabilities and limitations of the system; how to interpret and act on the system’s output; and how the “meaningful human review” requirement will be met.
Criminal Justice Issues
If a criminal case relies on facial recognition, the prosecution must disclose that “in a timely manner prior to trial.” Also, an agency may not use “the results of a facial recognition service as the sole basis to establish probable cause in a criminal investigation,” although they may be used in combination “with other information and evidence lawfully obtained.” Moreover, agencies may not use facial recognition to identify someone based on a sketch or “other manually produced image.”
An agency must obtain a warrant before using facial recognition for ongoing surveillance (tracking someone’s movements, either in real time or based on stored data); for “identification” (matching someone with a known individual); and before initiating “persistent tracking” (tracking someone’s movements for more than 48 hours, or linking someone being tracked to other information, making them identifiable).
Both state judges who issue warrants, and agencies that apply for them, must provide reports including the number of those applications and denials.
Warrants are not required in “exigent circumstances,” which is undefined but would cover commonly imagined extreme scenarios, such as kidnapping. A court order is required to use facial recognition to locate or identify missing persons or to identify deceased persons.
Civil Liberties Protections
Agencies may not use facial recognition “based on” a range of factors, including someone’s religious, political, or social views or activities, participating in noncriminal organizations or lawful events, or race, ethnicity, immigration status, gender identity, or sexual orientation. The law states that it does not “condone profiling, including … predictive law enforcement tools.”
It is not clear what “based on” means in this context, what this will mean in practice, or what particular practices are not “condoned” as “profiling” or “predictive law enforcement tools.” An agency also “may not use a facial recognition service to create a record describing” someone’s exercise of their First Amendment rights. Only time (and, likely, litigation) will clarify what these provisions mean in practice.
Exclusions
The law does not apply to:
- Using facial recognition pursuant to a federal regulation or order, or in partnership with a federal agency to fulfill a Congressional mandate; or
- Using facial recognition to verify the identities of people at airports or seaports.
However, when an agency uses a facial recognition service for those purposes, it must still report that use to the relevant “legislative authority.”
Some Observations on the New Law
The new law compromises between those opposing new restrictions on governmental use of facial recognition and opposing any use of the technology at all. It will be interesting to see how agencies respond to the forthcoming July 1, 2021 effective date, and whether there is a rush to get facial recognition services up and running before then.
Interestingly, Washington already bans commercial entities from identifying people using “biometric identifiers” without notice and consent through Revised Code of Washington § 19.375.010 - .900. That law is written broadly enough to cover facial recognition by private entities (with some exceptions, including “a security or law enforcement purpose”), although there are no reported cases holding that it specifically covers facial recognition technology.
Washington thus appears to be the first state to address the use of facial recognition technology by both the public and private sectors. It remains to be seen what effect taking this leading role may have, either on how Washington’s citizens are affected by facial recognition technology or on what other states may decide to do in this area.
Firms offering facial recognition technology should carefully review the new law as part of developing and improving their services, with a focus on at least three areas:
- First, vendors should consider how to provide the API the law requires to facilitate independent non-discrimination (and other) testing. (Of course, vendors should also do their best to develop products that perform in a non-discriminatory manner, irrespective of the new law.)
- Second—while the law does not specify that training for state and local agency users of a facial recognition service would be provided by the vendor—vendors are the logical place for agencies to look, so they should develop training programs to permit the agencies to meet their training obligations.
- Third, and relatedly, the law requires agencies to “ensure best quality results by following all guidance provided by” the technology’s “developer.” This gives vendors an opportunity to craft and provide such “guidance” to state and local agencies.