(1) A state or local government agency using or intending to develop, procure, or use a facial recognition service must file with a legislative authority a notice of intent to develop, procure, or use a facial recognition service and specify a purpose for which the technology is to be used. A state or local government agency may commence the accountability report once it files the notice of intent by the legislative authority.
(2) Prior to developing, procuring, or using a facial recognition service, a state or local government agency must produce an accountability report for that service. Each accountability report must include, at minimum, clear and understandable statements of the following:
(a)(i) The name of the facial recognition service, vendor, and version; and (ii) a description of its general capabilities and limitations, including reasonably foreseeable capabilities outside the scope of the proposed use of the agency;
(b)(i) The type or types of data inputs that the technology uses; (ii) how that data is generated, collected, and processed; and (iii) the type or types of data the system is reasonably likely to generate;
(c)(i) A description of the purpose and proposed use of the facial recognition service, including what decision or decisions will be used to make or support it; (ii) whether it is a final or support decision system; and (iii) its intended benefits, including any data or research demonstrating those benefits;
(d) A clear use and data management policy, including protocols for the following:
(i) How and when the facial recognition service will be deployed or used and by whom including, but not limited to, the factors that will be used to determine where, when, and how the technology is deployed, and other relevant information, such as whether the technology will be operated continuously or used only under specific circumstances. If the facial recognition service will be operated or used by another entity on the agency's behalf, the facial recognition service accountability report must explicitly include a description of the other entity's access and any applicable protocols;
(ii) Any measures taken to minimize inadvertent collection of additional data beyond the amount necessary for the specific purpose or purposes for which the facial recognition service will be used;
(iii) Data integrity and retention policies applicable to the data collected using the facial recognition service, including how the agency will maintain and update records used in connection with the service, how long the agency will keep the data, and the processes by which data will be deleted;
(iv) Any additional rules that will govern use of the facial recognition service and what processes will be required prior to each use of the facial recognition service;
(v) Data security measures applicable to the facial recognition service including how data collected using the facial recognition service will be securely stored and accessed, if and why an agency intends to share access to the facial recognition service or the data from that facial recognition service with any other entity, and the rules and procedures by which an agency sharing data with any other entity will ensure that such entities comply with the sharing agency's use and data management policy as part of the data-sharing agreement;
(vi) How the facial recognition service provider intends to fulfill security breach notification requirements pursuant to chapter
19.255 RCW and how the agency intends to fulfill security breach notification requirements pursuant to RCW
42.56.590; and
(vii) The agency's training procedures, including those implemented in accordance with RCW
43.386.060, and how the agency will ensure that all personnel who operate the facial recognition service or access its data are knowledgeable about and able to ensure compliance with the use and data management policy prior to use of the facial recognition service;
(e) The agency's testing procedures, including its processes for periodically undertaking operational tests of the facial recognition service in accordance with RCW
43.386.040;
(f) Information on the facial recognition service's rate of false matches, potential impacts on protected subpopulations, and how the agency will address error rates, determined independently, greater than one percent;
(g) A description of any potential impacts of the facial recognition service on civil rights and liberties, including potential impacts to privacy and potential disparate impacts on marginalized communities, and the specific steps the agency will take to mitigate the potential impacts and prevent unauthorized use of the facial recognition service; and
(h) The agency's procedures for receiving feedback, including the channels for receiving feedback from individuals affected by the use of the facial recognition service and from the community at large, as well as the procedures for responding to feedback.
(3) Prior to finalizing the accountability report, the agency must:
(a) Allow for a public review and comment period;
(b) Hold at least three community consultation meetings; and
(c) Consider the issues raised by the public through the public review and comment period and the community consultation meetings.
(4) The final accountability report must be updated every two years and submitted to a legislative authority.
(5) The final adopted accountability report must be clearly communicated to the public at least ninety days prior to the agency putting the facial recognition service into operational use, posted on the agency's public website, and submitted to a legislative authority. The legislative authority must post each submitted accountability report on its public website.
(6) A state or local government agency seeking to procure a facial recognition service must require vendors to disclose any complaints or reports of bias regarding the service.
(7) An agency seeking to use a facial recognition service for a purpose not disclosed in the agency's existing accountability report must first seek public comment and community consultation on the proposed new use and adopt an updated accountability report pursuant to the requirements contained in this section.
(8) This section does not apply to a facial recognition service under contract as of July 1, 2021. An agency must fulfill the requirements of this section upon renewal or extension of the contract.