Washington State’s Facial Recognition Law: Attempt at Transparency Still Leaves Civil Liberties Questions
In March 2020, Washington state passed the first law expressly regulating the government’s use of facial recognition technology and the service providers who provide this technology to the government. The law, SB 6280, was signed by Governor Jay Inslee and goes into effect in July 2021.
The use of facial recognition technology has been on the rise, and its use, particularly by the state, creates a number of social concerns. While the technology has many benefits when used by the state, such as for locating missing persons, identifying deceased persons, and fighting crime, the technology can also be used for massive and intrusive surveillance. These concerns relate especially to rights guaranteed under the Fourth Amendment of the U.S. Constitution. For these reasons, SB 6280 seeks to balance the benefits of the technology with the risk to civil liberties.
SB 6280 applies to Washington state and local government agencies and their vendors that use “facial recognition services,” which are defined as technology that analyzes facial features and is used by a state or local government agency for the identification, verification, or persistent tracking of individuals in still or video images. This definition for facial recognition services does not apply to technology used to unlock smart devices such as phones or tablets. Although the law applies to state and local agencies in Washington, the law does not apply to collaborations between state and federal law enforcement, which, for example, occur at Washington’s airports and shipping ports. It also does not apply to the Washington State Department of Licensing, which handles drivers’ licenses and state IDs.
The main focus of the law is on transparency and accountability in the government’s use of facial recognition technology. A government agency in Washington that wishes to use facial recognition must first file a notice of intent to use such technology and state the reason why it will be used. The agency must also produce an accountability report that includes information about the service provider and the technology, the purpose of the technology and its intended benefits, the steps taken to minimize data collection to the information necessary for the stated purpose, data retention rules, data updates and correction, and data security practices and notifications. The accountability report also needs to include information on employee training procedures, testing of the technology, and the technology’s impact on civil rights and liberties.
In addition, the agency’s use of the technology needs to incorporate “meaningful human review” if the technology is used to make decisions that produce a legal effect, such as financial decisions, decisions on education, housing, insurance, criminal justice, employment, healthcare, or basic necessities, such as those related to public assistance. Consistent with the information in the accountability report, the agency must also test the technology before using it and provide periodic training to all employees and contractors who use it. Further, if facial recognition is used on a criminal defendant before trial, the government must disclose that to the defendant. Agencies must not conduct ongoing surveillance, real-time identification, or persistent tracking using facial recognition technology unless certain conditions are met, such as a court order, a warrant, or exigent circumstances, e.g., a hot pursuit of a fleeing suspect.
Service providers providing and selling facial recognition technology to government agencies are also subject to certain requirements. First, service providers must make available an application programming interface or other technical capability that will allow independent testing of the technology’s accuracy and of the technology’s tendency to discriminate against certain subpopulations based on immutable characteristics such as race, skin tone, ethnicity, gender, age, or disability status. If the results of the independent testing identify unfair performance differences, the service provider must develop and implement a mitigation plan within 90 days of the receipt of the testing results. The service provider bears the responsibility for the cybersecurity risks associated with the independent testing.
Critically, there were mixed reactions to the passage of SB 6280. The most negative criticism came from the Washington state chapter of the American Civil Liberties Union (“ACLU”). The ACLU noted that the law appears to be only about transparency, but has no teeth. There is no apparent enforcement mechanism or penalties, there is no private cause of action for enforcement, and there is no provision for oversight of the businesses that design and sell the technology. Moreover, the government may use the technology for racial profiling, and its use has been shown to be more inaccurate among racial minorities. Recent federal studies show that facial recognition misidentifies African Americans and Asian Americans up to 100 times more frequently than white males. In January 2020, for instance, an African American male in Michigan was arrested and held for 30 hours because of a computer misidentification.
The future of this law remains uncertain in light of recent events. For example, in the wake of reports that facial recognition software has been used to target protestors in the last few months, some tech companies have announced that they will not sell facial recognition technology services to police departments, and some tech executives have voiced support for a moratorium on the technology until accuracy and civil liberties questions are further addressed. For more information on Washington’s and other states’ upcoming privacy laws, listen to Knobbe Martens’ Privacy Webinar Series here.