Washington’s New State Facial Recognition Law May Signal a New Norm for Technology Providers
On March 31, 2020, Washington Senate Bill No. 6280 (the “Act”) became law, codifying one of the most detailed facial recognition regulations in the country. The Act regulates state and local government agencies in Washington using or intending to develop, procure, or use a facial recognition service but also includes important considerations for companies designing this technology.
Notably, the Act provides relatively sharp definitions that are in stark contrast to the treatment of similar data under the Illinois Biometric Information Privacy Act (“BIPA”), which, through its exceptionally broad treatment as to what constitutes biometric identifiers and biometric information, has sparked a whirlwind of litigation in Illinois and elsewhere. The Act defines a “facial recognition service” as “technology that analyzes facial features and is used by a state or local government for the identification, verification, or persistent tracking of individuals in still or video images” and a “facial template” as “the machine-interpretable pattern of facial features that is extracted from one or more images of an individual by a facial recognition service.”
Before using a facial recognition service, state and local government entities in Washington must, among a host of other specific obligations, produce an “accountability report” which identifies the “name of the facial recognition service, vendor, and version;” describes the subject technology’s capabilities and limitations (including “reasonably foreseeable capabilities outside the scope of the proposed use of the agency”); outlines the types of data collected, generated, and stored by the technology and the information management plan pertaining to that data; and provides a cost-benefit analysis of the technology that considers, for example, its proposed use in light of civil rights considerations.
While the Act seeks to regulate the use of facial recognition technology by government entities, it imposes certain obligations on providers of facial recognition services. For example, under section 6 of the Act, facial recognition service providers must make available an “application programming interface or other technical capability, chosen by the provider, to enable legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations.” In other words, the Act puts the onus on facial recognition technology service providers to make available sufficient technical information and capabilities so that independent testing may be conducted on the accuracy and fairness of their respective technologies. Notably, the Act also shifts the burden to the provider to make its application programming interface available in a manner that minimizes the risk of cyberattacks or disclosures of proprietary data.
For facial recognition technology service providers that may find themselves subject to the Act—or potentially subject to similar legislation in other states that will follow Washington state’s lead—there are many sensitive legal issues at play. Data Security and Privacy counseling may be appropriate to assess the technology’s data management practices, the cybersecurity considerations associated with providing programming interfaces to government agencies, and to plan for other regulatory obligations that may be shifted to the provider under the Act. Intellectual Property counseling may also help eliminate or minimize the disclosure of proprietary information necessary to comply with sections 6 or 7 of the Act. Finally, Technology Transactions counseling may be relevant in analyzing licensing agreements, contractual liability shifting arrangements, and other commercial transactions involving facial recognition technology and services.
By leveraging a cross-functional team of attorneys from each relevant practice group, Honigman is well-positioned to advise facial recognition technology providers on these issues as well as best practices generally.