Tale of Two Acts: Washington Facial Recognition Law Succeeds, Privacy Act Falters

On Tuesday, Washington Governor Jay Inslee signed into law legal restrictions on the use of facial recognition by public agencies (SB 6280), while the Washington Legislature previously reached an impasse on the proposed Washington Privacy Act (SB 6281) due to a few big ticket items, particularly whether the Act would be enforceable via a private right of action for Washington residents.

While comprehensive privacy legislation will have to wait another year, Washington residents now have increased privacy rights under a law that places restrictions on the use of facial recognition by state and local government agencies. As signed, this law becomes one of the most comprehensive facial recognition laws in the country and is directly applicable to Washington-based government agencies with flow-down requirements to vendors providing facial recognition technology to those agencies.

Overview of the Washington Facial Recognition Bill (SB 6280)

Despite the Washington House and Senate being unable to agree on comprehensive privacy legislation, they did come together to pass SB 6280—a robust law governing the use of facial recognition by Washington state and local government agencies.

The law, which becomes effective July 1, 2021, requires Washington state and local government agencies using, or intending to develop, procure or use, facial recognition technology, to file a notice of intent and produce an accountability report, which would include, among other things:

  • The name of the facial recognition service, vendor and version, and a description of its general capabilities and limitations;
  • The type of data inputs the technology uses, how that data is generated, collected and processed, and the type of data the system is reasonably likely to generate;
  • A description of the purpose and proposed use of the facial recognition service;
  • A clear use and data management policy; and
  • The agency’s testing procedures and information on the facial recognition service’s rate of false matches, potential impacts on protected subpopulations, and how the agency will address error rates greater than one percent.

The initial accountability report would be subject to public comment and the final report would be clearly communicated to the public at least 90 days prior to the agency putting the facial recognition service into operational use. In addition, operational tests of systems and meaningful human review of automated decisions would be required where the government agency is using facial recognition services to make decisions that produce legal or similarly significant effects concerning individuals. The law also requires government agencies to generally obtain a warrant to engage in ongoing surveillance, real-time or near real-time identification, or persistent tracking, and to disclose the use of facial recognition to a criminal defendant in a timely manner prior to trial.

Although the law targets the use of facial recognition by government agencies, vendors serving this customer base are also likely to be impacted. The law specifically obligates government agencies to require vendors to disclose any complaints or reports of bias regarding their facial recognition technology. In addition, government agencies are obligated to require their facial recognition vendors to make available an application programming interface or other technical capability, chosen by the vendor, to enable legitimate, independent and reasonable tests of their facial recognition services for accuracy and unfair performance differences across distinct subpopulations, such as race, gender, age, or disability status. The law places the burden on the vendor to minimize security risks in developing the interface or other technical capability. If the results of independent testing identify material unfair performance differences across subpopulations, the vendor must develop and implement a plan to mitigate the identified performance differences within 90 days of receipt of the results. Lastly, government agencies may lean heavily on vendors to assist with their other reporting obligations.

Key Takeaway: Vendors and suppliers to Washington state and local agencies need to carefully consider how this new law will impact their business and begin to predict what demands their government customers will place on them. With limited resources, Washington state and local agencies are almost certain to push down many of the requirements to their vendors and also begin to renegotiate their agreements. And, to restate the obvious, facial recognition-related technology vendors will need to develop additional technical measures to continue to be able to supply these government customers. Finally, given the reasons why Washington State passed the law, vendors should begin anticipating seeing some of these same requirements arising in contracts and RFPs from non-Washington state and local agencies.

Highlights from the Failed Washington Privacy Act

Although the Washington Privacy Act failed to pass, it is almost certainly not the last time we will see some form of this bill. Recall that the Washington Legislature proposed a substantially similar bill in 2018, only to have it similarly fail at the very last minute. If the Washington Legislature can come to terms on the few outstanding big tickets items, including the enforceability of the Act via private right of action, it is very likely the remainder of the bill would remain in its current form. The following is a brief description of what the law would have looked like if passed.

Jurisdictional Reach: This legislation would have applied to legal entities conducting business in Washington or producing products or services targeted to Washington residents that met one of two thresholds: (1) they control or process personal data of at least 100,000 Washington consumers during the calendar year, or (2) a certain amount of their gross revenue (50% in the Senate version; 25% in the House version) is derived from the sale of personal data, and the entity processes or controls personal data of at least 25,000 Washington consumers.

Enhanced Consumer Rights: The introduction to the bill explicitly referenced the European Union’s General Data Protection Regulation (GDPR) as inspiration for the drafters, which is reflected in the broad consumer rights proposed in the bill. In particular, the Washington Privacy Act would have provided Washington consumers the right to access personal data being processed by a company, as well as the right to correct inaccurate data and obtain personal data in specific formats. Subject to certain exceptions, Washington consumers would have had the right to direct companies to delete their personal data, as well as to opt out of personal data processing for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

Under this proposed legislation, a company would have had 45 days to respond after receiving a request or could have extended this timeframe once for an additional 45 days. In the event a company declined a request, the consumer would have had the right to appeal.

Heightened Business Obligations: This legislation would have also increased disclosure and use limitation requirements for businesses falling under the scope of the Act. In particular, companies would have been required to provide meaningful privacy notices with clear instructions on how consumers could exercise their rights under the Act. It also would have limited the personal data that companies could have collected to only that data reasonably necessary and restricted their ability to use personal data for secondary purposes not previously disclosed to the consumer. In cases involving sensitive data (such as protected classifications, genetic/biometric data, children’s data and specific geolocation data), companies would have been required to affirmatively obtain consumer consent. Companies would also have been required to conduct assessments of how they use personal data, particularly when it is being sold or used for purposes such as targeted advertising or profiling, and to implement and maintain reasonable security practices to protect the confidentiality, integrity and accessibility of personal data.

Enforcement: The primary reason that this bill failed to pass was the inability of the House and Senate to reach an agreement on how the Washington Privacy Act would be enforced. While the House version provided a private right of action for consumers, the Senate bill gave the Washington Attorney General exclusive enforcement authority. If reintroduced, this issue is likely to remain the primary topic of debate within the Washington Legislature.

Key Takeaways: The Washington House and Senate failed to reach agreement on the Washington Privacy Act (SB 6281) again this year. However, the two sides seemed closer than in previous years and it is likely the Washington Privacy Act will be reintroduced next legislative session. If the Washington House and Senate can come to terms on the last big ticket items, particularly whether the Act can be enforced via private action, it is likely the bulk of the bill would remain the same in its final form.