SENATE BILL REPORT
This analysis was prepared by non-partisan legislative staff for the use of legislative members in their deliberations. This analysis is not a part of the legislation nor does it constitute a statement of legislative intent.
As Amended by House, March 6, 2020
Title: An act relating to the use of facial recognition services.
Brief Description: Concerning the use of facial recognition services.
Sponsors: Senate Committee on Environment, Energy & Technology (originally sponsored by Senators Nguyen, Carlyle, Wellman, Salomon, Lovelett, Das, Randall, Pedersen, Wilson, C. and Hunt).
Committee Activity: Environment, Energy & Technology: 1/15/20, 1/23/20 [DPS, DNP, w/oRec].
Passed Senate: 2/19/20, 30-18.Passed House: 3/06/20, 63-33.
SENATE COMMITTEE ON ENVIRONMENT, ENERGY & TECHNOLOGY
Majority Report: That Substitute Senate Bill No. 6280 be substituted therefor, and the substitute bill do pass.
Signed by Senators Carlyle, Chair; Lovelett, Vice Chair; Das, Hobbs, Liias, McCoy, Nguyen, Stanford and Wellman.
Minority Report: Do not pass.
Signed by Senators Brown, Rivers and Short.
Minority Report: That it be referred without recommendation.
Signed by Senators Ericksen, Ranking Member; Fortunato, Assistant Ranking Member, Environment.
Staff: Angela Kleis (786-7469)
Background: Facial Recognition in General. Facial recognition is a type of biometric technology that provides a way to establish or verify the identify of natural person based on one or more physical or behavioral characteristics and is used in various applications such as security, law enforcement, banking, and retail. Examples of physical characteristics are face, fingerprint, and iris images. An example of a behavioral characteristic is an individual's signature.
Facial recognition technology compares an individual’s facial features to available images for identification or authentication. Facial detection technology determines whether the image contains a face. Facial analysis technology aims to identify attributes such as gender, age, or emotion from detected faces.
Current State Laws. Unless authorized by law, state agencies may not collect, capture, purchase or otherwise obtain a biometric identifier without first providing notice and obtaining the individual's consent. Agencies that obtain any biometric identifier must establish certain security policies and meet certain requirements regarding the use, storage, sale, and sharing of such information.
Biometric identifier means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Exceptions are identified such as when information is derived from photographs, demographic data, or physical descriptions such as height, weight, hair color, or eye color.
State Agencies. The Consolidated Technology Services (CTS) agency supports state agencies as a centralized provider and procurer of information technology services. Within CTS, the Office of the Chief Information Officer (OCIO) has primary duties related to information technology for state government, which include establishing statewide enterprise architecture and standards for consistent and efficient operation. Within the OCIO, the Office of Privacy and Data Protection (OPDP) serves as a central point of contact for state agencies on policy matters involving data privacy and data protection.
Summary of Engrossed First Substitute Bill: Accountability Report. Agencies using or intending to develop, procure, or use a service must produce an accountability report for that service. Each accountability report must include certain statements such as a description of the proposed use of the service, information on the service's rate of false matches, data security measures, and procedures regarding testing and channels for receiving feedback.
Each accountability report must be subject to a public review period and be updated every two years. The report must be posted on the agency's website and submitted to CTS for posting to its public website.
Annual Report. Agencies using a service must publish an annual report disclosing:
the extent of their use of such services;
an assessment of compliance with the terms of their accountability report;
any known or reasonably suspected violations of their accountability report; and
any recommended revisions to the accountability report.
The annual report must be submitted to the OPDP. All agencies must hold community meetings to review their annual report within 60 days of its public release.
Meaningful Human Review. Agencies using a service to make decisions that produce legal effects or similarly significant effects concerning individuals must ensure those decisions are subject to meaningful human review. Decisions that produce legal effects or similarly significant effects concerning individuals means decisions resulting in the provision or denial of financial and lending services, housing, insurance, education enrollment, employment opportunities, health care services, or access to basic necessities.
Independent Testing. Agencies must require a service provider to make available an application programming interface to enable independent testing for accuracy and unfair performance differences across distinct subpopulations. However, making available an application programming interface for tests does not require disclosure of certain information such as proprietary data, or if doing so would increase the risk of cyberattacks. If results of the independent testing identify material unfair performance difference across subpopulations and those results are validated, then the provider must develop and implement a plan to mitigate the identified performance differences.
Operational Testing. Prior to deploying a service, agencies using a service to make decisions that produce legal effects or similarly significant effects on individuals must test a service in operational conditions. Agencies must take steps to ensure best quality results by following guidance provided by the service developer.
Training. Agencies using a service must conduct periodic training of all individuals who operate a service or who process personal data obtained from the use of a service. Minimum training requirements are specified.
Prohibitions. Agencies may not use a service for ongoing surveillance unless the use is in support of law enforcement activities and there is probable cause to believe that an individual has committed, is engaged in, or is about to commit a felony or there is a need by law enforcement to invoke their community care-taking function, and either:
a search warrant has been obtained; or
where the agency reasonably determines that an exigent circumstance exists, and an appropriate court order is obtained as soon as reasonably practicable.
Agencies must not apply a service to any individual based on certain characteristics protected by law. This prohibition does not prohibit agencies from applying a service to an individual who happens to possess one or more characteristics where an officer of that agency holds a reasonable suspicion that the individual has committed, is engaged in, or is about to commit a felony or there is need to invoke their community care-taking function.
Agencies may not use a service to create a record describing any individual's exercise of rights guaranteed by the First Amendment of the U.S. Constitution and by Article I, section 5 of the state Constitution, unless:
such use is specifically authorized by applicable law and is pertinent to and within scope of an authorized law enforcement activity; and
there is reasonable suspicion to believe the individual has committed, is engaged in, or is about to commit a felony or there is need to invoke their community care-taking function.
Exemption. This act does apply to a state or local government agency mandated to use a specific facial recognition service pursuant to a federal regulation or order.
Disclosure and Records. Agencies must disclose their use of a service on a criminal defendant to that defendant in a timely manner prior to trial. Agencies using a service shall maintain records of their use of a service to facilitate public reporting and auditing of compliance with the agency's service policies.
Any judge who has issued a warrant for ongoing surveillance shall report to the state supreme court information regarding the warrants, such as the fact that a warrant or extension was applied for, the period of ongoing surveillance, and the nature of the public spaces where the surveillance was conducted.
Task Force. A legislative task force on facial recognition services is established with the purpose of:
providing recommendations addressing the potential abuses and threats posed by the use of a service while also addressing how to facilitate and encourage the continued development of a service so society continues to utilize its benefits;
providing recommendations regarding the adequacy and effectiveness of applicable Washington state laws; and
conducting a study on the quality, accuracy, and efficacy of a service.
Task force membership is composed of legislative members and representatives from advocacy organizations, government agencies, retailers that deploy services in public spaces, companies that develop and provide services, consumer protection organizations, and research institutions with expertise on services. The task force shall submit a report of its findings and recommendations to the Governor and the Legislature by September 30, 2021.
Fiscal Note: Available.
Creates Committee/Commission/Task Force that includes Legislative members: Yes.
Effective Date: Ninety days after adjournment of session in which bill is passed.
Staff Summary of Public Testimony on Original Bill: The committee recommended a different version of the bill than what was heard. PRO: We need accountability measures in place to serve our communities. This is thoughtful regulation of the government's use of facial recognition technology by requiring transparency, judicial oversight, and community engagement.
CON: We suggest a moratorium on the government use of the technology until certain requirements are met. This seeks to regulate technology before allowing communities to decide if they want the technology used in the first place. The reporting requirements are a deterrent to the use of certain technology. There are concerns with provisions regarding a search warrant.
OTHER: We want to make sure that the testing requirements do not release any proprietary information and that this is not in conflict with the body camera statute.
Persons Testifying: PRO: Senator Joe Nguyen, Prime Sponsor; Ryan Harkins, Microsoft. CON: Cameron Cantrell, University of Washington School of Law; Jevan Hutson, University of Washington School of Law; Jennifer Lee, ACLU of Washington; James McMahan, Washington Association Sheriffs and Police Chiefs; Mark Streuli, Motorola Solutions. OTHER: Russell Brown, Executive Director, WAPA; Michael Transue, AXON.
Persons Signed In To Testify But Not Testifying: No one.
EFFECT OF HOUSE AMENDMENT(S):
Requires an agency to file a notice of intent with a legislative authority, obtain approval of the notice before commencing the accountability report, and hold at least three community consultation meetings prior to finalizing the accountability report.
Requires a legislative authority to adopt the final accountability report in a public meeting before the agency may develop, procure, or use a facial recognition service.
Removes the requirement to update the accountability report every two years.
Modifies the definition of decisions that produce legal effects to include decisions that impact civil rights of individuals.
Expands the judicial report requirement to include applications for warrants for the use of a service to engage in any surveillance, rather than applications for warrants for ongoing surveillance.
Requires each agency that has applied for a warrant for the use of a service to engage in surveillance to provide to a legislative authority a report summarizing nonidentifying demographic data of individuals named in warrant applications as subjects of the surveillance.
Prohibits agencies from using facial recognition for any surveillance without a warrant, unless exigent circumstances exist.
Removes the exemption to this prohibition which permitted the application of a service under certain circumstances.
Prohibits the use of the results of a service as the sole basis to establish probable cause.
Permits agencies to use the results of a service in conjunction with other lawfully obtained evidence to establish probable cause.
Adds enforcement provisions.
Exempts the facial recognition matching system by the Department of Licensing.
Provides a regulatory framework for the use of a service in the private sector including testing, disclosure, consent, meaningful human review, and training requirements.
Directs the William D. Ruckelshaus Center to convene the facial recognition task force.