Background:

Facial Recognition.

Facial recognition is one of several biometric technologies which identify or verify individuals by measuring and analyzing their physiological or behavioral characteristics. Facial recognition generally works by detecting a human face, extracting it from the rest of the scene, and measuring the numerous distinguishable landmarks that make up facial features, such as the distance between the eyes or the shape of the cheekbones. A numerical code called a faceprint or a facial template is then created to represent the measured face in a database.

In a process known as "one-to-one" matching, facial recognition can confirm that a photo matches a different photo of the same person in a database. "One-to-one" matching is commonly used for verification purposes, such as unlocking a smartphone or checking a passport. A "one-to-many" matching process compares a photo of an unknown person to a database of known people and may be used to identify a person of interest.

Facial recognition systems can generate two types of errors: false positives (generating an incorrect match) or false negatives (not generating a match where one exists). The more similar the environments in which the images are compared, the better a facial recognition system will perform, particularly in a "one-to-many" matching process.

Facial recognition is used in a variety of consumer and business applications, including safety and security, secure access, marketing, and customer service. In the public sphere it is more commonly used for law enforcement and security purposes. Additionally, many states, including Washington, use facial recognition matching systems to verify the identity of an applicant for a driver's license or identification card to determine whether the person has been issued a driver's license or identification card under a different name.

State Law Regarding Biometric Identifiers.

A state agency is prohibited from obtaining a biometric identifier without providing notice that clearly specifies the purpose and use of the identifier and obtaining consent specific to the terms of the notice. A state agency that obtains biometric identifiers must minimize the review and retention of biometric identifiers and establish security policies to ensure the integrity and confidentiality of biometric identifiers. A state agency may only use a biometric identifier consistent with the terms of the notice and consent and is prohibited from selling a biometric identifier. Biometric identifiers collected by a state agency may not be disclosed under the Public Records Act.

"Biometric identifier" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's retina or iris scan, fingerprint, voiceprint, DNA, or scan of hand or face geometry. "Biometric identifier" excludes information derived from certain sources, such as demographic data, physical descriptions, or photographs.

Consolidated Technology Services.

The Consolidated Technology Services (CTS) agency, also known as WaTech, supports state agencies as a centralized provider and procurer of certain information technology (IT) services. Within the CTS, the Office of the Chief Information Officer (OCIO) has certain primary duties related to state government IT, which include establishing statewide enterprise architecture and standards for consistent and efficient operation.

Office of Privacy and Data Protection.

Within the OCIO, the Office of Privacy and Data Protection (OPDP) was created in 2016 to serve as a central point of contact for state agencies on policy matters involving data privacy and data protection. The primary duties of the OPDP with respect to state agencies include conducting privacy reviews and trainings, coordinating data protection, and articulating privacy principles and best policies.

The William D. Ruckelhaus Center.

The William D. Ruckelhaus Center is a joint effort of Washington State University and the University of Washington, created to assist public, private, tribal, nonprofit, and other entities in building consensus, resolving conflict, and developing collaborative public policy.

Summary of Amended Bill:

Government Use of Facial Recognition Services.

Specific requirements and limitations are set forth for the use of facial recognition services by state and local government agencies.

"Facial recognition service" means technology that analyzes facial features and is used by a state or local government agency for the identification, verification, or persistent tracking of individuals in still or video images.

"Facial recognition service" does not include:

the analysis of facial features to grant or deny access to an electronic device; or
the use of an automated or semiautomated process for the purpose of redacting a recording for release or disclosure outside the law enforcement agency to protect the privacy of a subject depicted in the recording, if the process does not generate or result in the retention of any biometric data or surveillance information.

Notice of Intent.

A state or local government agency using or intending to develop, procure, or use a facial recognition service must file with a legislative authority a notice of intent and specify a purpose for which the technology is to be used. The legislative authority must approve the notice of intent before the agency may commence an accountability report.

Accountability Reports.

Prior to developing, procuring, or using a facial recognition service, a state or local government agency must produce an accountability report for that service. The accountability report must include, at a minimum:

the name of a facial recognition service and a description of its general capabilities and limitations;
the type or types of data inputs that the facial recognition service uses;
a description of the purpose and proposed use of the facial recognition service;
a clear use and data management policy;
the agency's testing procedures;
information on the facial recognition service's rate of false matches, potential impacts on protected subpopulations, and how the agency will address certain error rates;
a description of any potential impacts of the facial recognition service on privacy, civil rights and liberties, and the specific steps the agency will take to mitigate the potential impacts and prevent unauthorized use of the facial recognition service; and
the agency's procedures for receiving and responding to feedback from individuals affected by the use of the facial recognition service and from the community at large.

Prior to finalizing and implementing the accountability report, the agency must:

allow for a public review and comment period;
hold at least three community consultation meetings; and
consider issues raised by the public through a public review and comment period and community consultation meetings.

The final accountability report must be adopted by a legislative authority in a public meeting before the agency may develop, procure, or use a facial recognition service. An agency seeking to use a facial recognition service for a purpose not disclosed in the agency's existing accountability report must first seek public comment and community consultation on the proposed new use and adopt an updated accountability report.

Annual Reports.

A state or local government agency using a facial recognition service must prepare and publish an annual report that discloses:

the extent and effectiveness of the agency's use of such services, including nonidentifying demographic data about individuals subjected to a facial recognition service;
an assessment of compliance with the terms of the agency's accountability report;
any known or reasonably suspected violations of the agency's accountability report; and
any recommended revisions to the accountability report.

The annual report must be submitted to the Office of Privacy and Data Protection. The agency must hold community meetings to review and discuss the report within 60 days of its adoption by a legislative authority and public release.

Meaningful Human Review.

A state or local government agency using a facial recognition service to make decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals must ensure that those decisions are subject to meaningful human review.

Decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals means decisions that result in the provision or denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, access to basic necessities such as food and water, or that impact civil rights of individuals.

Operational Testing.

Prior to deploying a facial recognition service, a state or local government agency using the service to make decisions that produce legal effects on individuals or similarly significant effect on individuals must test the service in operational conditions. An agency must take reasonable steps to ensure best quality results by following all guidance provided by the developer of the facial recognition service.

Independent Testing.

A facial recognition service provider that provides or intends to provide facial recognition services to a state or local government agency must make available an Application Programming Interface (API) or other technical capability to enable legitimate, independent, and reasonable tests of the facial recognition service for accuracy and unfair performance differences across distinct subpopulations.

If the results of the independent testing identify material unfair performance differences across subpopulations, the provider must develop and implement a plan to mitigate the identified performance differences.

An agency is not required to collect or provide data to a facial recognition service provider to satisfy the independent testing requirements.

Training.

A state or local government agency using a facial recognition service must conduct periodic training of all individuals who operate a facial recognition service or who process personal data obtained from the use of a facial recognition service. The minimum training requirements include the coverage of the capabilities and limitations of the facial recognition service and the meaningful human review requirement.

Limitations on the Use of Facial Recognition Services.

State or local government agency that is using a facial recognition service as of the effective date of this section must suspend its use of the service until it complies with the requirements of the bill.

A state or local government agency may not use a facial recognition service to engage in any surveillance without a warrant, unless exigent circumstances exist. A warrant is not required if a facial recognition service is used solely for purposes of locating a missing child or identifying a deceased person.

An agency may not apply a facial recognition service to any individuals based on certain characteristics, such as religious or political views and activities, participation in a particular noncriminal organization or lawful event, race, age, citizenship or immigration status, or other characteristic protected by law.

An agency may not use a facial recognition service to create a record describing any individual's exercise of the rights guaranteed by the First Amendment of the United States Constitution and by Article I, section 5 of the state Constitution.

A law enforcement agency may not use the results of a facial recognition service as the sole basis to establish probable cause in a criminal investigation.

Disclosures and Reports.

A state or local government agency must disclose its use of a facial recognition service on a criminal defendant to that defendant in a timely manner prior to trial.

An agency using a facial recognition service shall maintain records of its use of the service to facilitate public reporting and auditing of compliance with the agency's facial recognition policies.

In January of each year, any judge who has issued a warrant for the use of a facial recognition service to engage in any surveillance must report to the state Supreme Court certain information regarding the warrants, including whether the warrant was granted, modified, or denied, the period of surveillance authorized by the warrant, and the nature of the public spaces where the surveillance was conducted.

In January of each year, any agency that has applied for a warrant for the use of a facial recognition service to engage in any surveillance must provide to a legislative authority a report summarizing nonidentifying demographic data of individuals named in the warrant applications as subject of surveillance with the use of a facial recognition service.

Exemptions.

The bill does not apply to a state or local government agency that is mandated to use a specific facial recognition service pursuant to a federal regulation or order, or that are undertaken to fulfill a congressional mandate. An agency must report the mandated use of a facial recognition service to a legislative authority.

The bill does not apply to the statutorily authorized use of a facial recognition matching system by the Department of Licensing.

Enforcement.

A person injured by the violations of the provisions related to the use of facial recognition services by state and local government agencies may institute proceedings for injunctive relief, declaratory relief, or a writ of mandate. A court must award costs and reasonable attorneys' fees to a prevailing plaintiff.

Facial Recognition Task Force.

The William D. Ruckelhaus Center must establish a facial recognition task force to:

provide recommendations addressing the potential abuses and threats posed by the use of facial recognition, while also addressing how to facilitate and encourage the continued development of the technology so that the society continues to utilize its benefits;
provide recommendations regarding the adequacy and effectiveness of applicable Washington state laws; and
conduct a study on the quality, accuracy, and efficacy of facial recognition.

The task force is composed of:

four legislative members;
eight representatives from advocacy organizations that represent consumers or communities historically impacted by surveillance technologies;
two members from law enforcement or other government agencies;
one representative from a company that deploys facial recognition in physical premises open to public;
two representatives from consumer protection organizations;
two representatives from companies that develop and provide facial recognition services; and
two representatives from universities or research institutions who are experts in facial recognition or its sociotechnical implications, or both.

By September 30, 2021, the task force must submit a report of its findings and recommendations to the Governor and the appropriate committees of the Legislature.

Private Sector Use of Facial Recognition Services.

Specific requirements and limitations are set forth for the use of facial recognition services by controllers and processors of personal data.

"Facial recognition service" means technology that analyzes facial features and is used for identification, verification, or persistent tracking of consumers in still or video images.

Independent Testing.

Processors that provide facial recognition services must make available an API to enable controllers or third parties to conduct independent testing of facial recognition services for accuracy and unfair performance differences across distinct subpopulations. If independent testing identifies material unfair performance differences across distinct subpopulations, the processor must develop and implement a plan to mitigate the identified performance differences.

Processors that provide facial recognition services must provide documentation that plainly explains the capabilities and limitations of the services and enables their testing.

Notice of Use and Consent.

Controllers deploying a facial recognition service in physical premises open to the public must provide a conspicuous and contextually appropriate notice that meets certain requirements and obtain a consumer's consent prior to enrolling the consumer's image in the facial recognition service.

Meaningful Human Review.

Controllers that use a facial recognition service to make decisions that produce legal effects or similarly significant effects on consumers must test the service in operational conditions prior to deployment and ensure that the decisions are subject to meaningful human review.

Training.

Controllers must conduct periodic training of all individuals who operate a facial recognition service or process personal data obtained from the use of a facial recognition service.

Limitations on the Use of Facial Recognition Services.

Controllers may not knowingly disclose personal data obtained from a facial recognition service to law enforcement except when the disclosure is:

pursuant to consumer consent;
required by law in response to a warrant;
necessary to prevent or respond to an emergency; or
to the National Center for Missing and Exploited Children.

Exemptions.

Voluntary facial recognition services used to verify an aviation passenger's identity in connection services regulated by certain federal laws are exempt from these requirements.

Airlines are required to disclose and obtain customer consent prior to capturing an image. Airlines are prohibited from retaining any images captured with the exempt facial recognition service for more than 24 hours.

Enforcement.

A person injured by the violations of the provisions related to the use of facial recognition services by controllers or processors may institute proceedings for injunctive relief, declaratory relief, a writ of mandate, or to recover actual damages, but not less than statutory damages of $7,500 per violation, whichever is greater.

A court must award costs and reasonable attorneys' fees to a prevailing plaintiff.

Staff Summary of Public Testimony (Innovation, Technology & Economic Development):

(In support) Strong moral guardrails are required for facial recognition technology. Last year, the Legislature considered but did not pass a moratorium on facial recognition, so a lot of time and effort went into this bill because it is important to get this right.

This bill is informed by numerous stakeholder conversations and other policy proposals in this area. The potential benefits of facial recognition should not be discounted, and the potential harms should not be ignored. This bill allows beneficial uses to continue while putting appropriate safeguards in place to protect against potential harms. There are many examples where thoughtful regulation has improved markets for both customers and producers.

(Opposed) Facial recognition is like plutonium—limited beneficial uses, but toxic and extremely dangerous otherwise. A moratorium on the use of this technology should be in place until the legislative task force comes back with its report.

Some aspects of the bill are really good, but overall the protections are nowhere near strong enough. The bill relies on transparency and reporting requirements, but does not provide any oversight or consequences for failure to report problems or to report at all, which creates opportunities for law enforcement to expand unlawful surveillance. The bill focuses heavily on the process and ignores the rights. Nothing in the bill discusses secondary uses of data or prohibits matching camera footage to personally identifiable information. Additional language is needed to protect our rights in public spaces and in our interactions with governmental agencies.

The independent testing requirement ignores intersectional biases and does not specify who approves the bias mitigation plan or what happens if mitigation is insufficient. Huge loopholes would allow companies to prevent effective testing, as they have already done with other algorithmic issues.

Wrongful convictions based on bad identification disproportionately affect communities of color. Facial recognition technology exacerbates this issue because its rates of error in identifying people of color is 100 times higher than when identifying white people. Facial recognition also creates a huge confirmation bias.

The bill puts weak restrictions on just one narrow surveillance use of facial recognition and allows broad use of the technology in support of law enforcement activities. Even if facial recognition operates perfectly, the widespread surveillance it creates poses great threats to constitutionally protected rights and civil liberties. Numerous community groups—Japanese Americans, Muslims, trans and gender nonconforming individuals, and immigrant communities—have testified to long having been subject to surveillance and asked for the opportunity to truly decide if, not just how, facial recognition should be used. By pushing for weak regulations that do not threaten the bottom line, the industry hopes to create a façade of responsibility and avoid the real debate about whether this technology should be allowed at all.

The bill empowers corporations and not communities to set the terms of how facial recognition is used. Independent testing requirements intend to address issues of bias, but requiring this testing while using, rather than prior to using, this technology will allow for ongoing experimentation, and marginalized communities will be the ones most impacted.

This bill restricts law enforcement's ability to enforce public safety laws. Law enforcement should not be able to use facial recognition absent reasonable suspicion that a crime has occurred or is about to occur. Law enforcement should not use facial recognition information by itself as the basis for probable cause.

It is a mistake to cast all facial recognition technology as surveillance technology. When used safely and responsibly, facial recognition technology makes everyone safer. The industry has a moral obligation that no technology is used for unethical or discriminatory purposes. Some provisions of the bill could actually curtail a range of beneficial uses. The bill provides an exemption for use related to unlocking electronic devices; a similar exemption should be added in for one-to-one verifications for people who opt into this use of facial recognition. This would not have any privacy or civil liberties impact, but would allow users to securely access government buildings or authenticate their identity for other purposes.

The independent testing requirement unfairly disadvantages small developers because most of them work with programs designed for government use and do not make their technology publicly available. They should have the option to satisfy the testing requirement by participating in the testing conducted by the National Institute of Standards and Technology.

(Other) Government agencies should not be required to collect or provide data to third parties, so additional clarification regarding the independent testing requirement is needed.