Tale of Two Acts: Washington Facial Recognition Law Succeeds, Privacy Act Falters

April.03.2020

On Tuesday, Washington Governor Jay Inslee signed into law legal restrictions on the use of facial recognition by public agencies (SB 6280), while the Washington Legislature previously reached an impasse on the proposed Washington Privacy Act (SB 6281) due to a few big ticket items, particularly whether the Act would be enforceable via a private right of action for Washington residents.

While comprehensive privacy legislation will have to wait another year, Washington residents now have increased privacy rights under a law that places restrictions on the use of facial recognition by state and local government agencies. As signed, this law becomes one of the most comprehensive facial recognition laws in the country and is directly applicable to Washington-based government agencies with flow-down requirements to vendors providing facial recognition technology to those agencies.

Overview of the Washington Facial Recognition Bill (SB 6280)

Despite the Washington House and Senate being unable to agree on comprehensive privacy legislation, they did come together to pass SB 6280—a robust law governing the use of facial recognition by Washington state and local government agencies.

The law, which becomes effective July 1, 2021, requires Washington state and local government agencies using, or intending to develop, procure or use, facial recognition technology, to file a notice of intent and produce an accountability report, which would include, among other things:

The name of the facial recognition service, vendor and version, and a description of its general capabilities and limitations;
The type of data inputs the technology uses, how that data is generated, collected and processed, and the type of data the system is reasonably likely to generate;
A description of the purpose and proposed use of the facial recognition service;
A clear use and data management policy; and
The agency’s testing procedures and information on the facial recognition service’s rate of false matches, potential impacts on protected subpopulations, and how the agency will address error rates greater than one percent.

The initial accountability report would be subject to public comment and the final report would be clearly communicated to the public at least 90 days prior to the agency putting the facial recognition service into operational use. In addition, operational tests of systems and meaningful human review of automated decisions would be required where the government agency is using facial recognition services to make decisions that produce legal or similarly significant effects concerning individuals. The law also requires government agencies to generally obtain a warrant to engage in ongoing surveillance, real-time or near real-time identification, or persistent tracking, and to disclose the use of facial recognition to a criminal defendant in a timely manner prior to trial.

Although the law targets the use of facial recognition by government agencies, vendors serving this customer base are also likely to be impacted. The law specifically obligates government agencies to require vendors to disclose any complaints or reports of bias regarding their facial recognition technology. In addition, government agencies are obligated to require their facial recognition vendors to make available an application programming interface or other technical capability, chosen by the vendor, to enable legitimate, independent and reasonable tests of their facial recognition services for accuracy and unfair performance differences across distinct subpopulations, such as race, gender, age, or disability status. The law places the burden on the vendor to minimize security risks in developing the interface or other technical capability. If the results of independent testing identify material unfair performance differences across subpopulations, the vendor must develop and implement a plan to mitigate the identified performance differences within 90 days of receipt of the results. Lastly, government agencies may lean heavily on vendors to assist with their other reporting obligations.

Key Takeaway: Vendors and suppliers to Washington state and local agencies need to carefully consider how this new law will impact their business and begin to predict what demands their government customers will place on them. With limited resources, Washington state and local agencies are almost certain to push down many of the requirements to their vendors and also begin to renegotiate their agreements. And, to restate the obvious, facial recognition-related technology vendors will need to develop additional technical measures to continue to be able to supply these government customers. Finally, given the reasons why Washington State passed the law, vendors should begin anticipating seeing some of these same requirements arising in contracts and RFPs from non-Washington state and local agencies.

Highlights from the Failed Washington Privacy Act

Although the Washington Privacy Act failed to pass, it is almost certainly not the last time we will see some form of this bill. Recall that the Washington Legislature proposed a substantially similar bill in 2018, only to have it similarly fail at the very last minute. If the Washington Legislature can come to terms on the few outstanding big tickets items, including the enforceability of the Act via private right of action, it is very likely the remainder of the bill would remain in its current form. The following is a brief description of what the law would have looked like if passed.

Jurisdictional Reach: This legislation would have applied to legal entities conducting business in Washington or producing products or services targeted to Washington residents that met one of two thresholds: (1) they control or process personal data of at least 100,000 Washington consumers during the calendar year, or (2) a certain amount of their gross revenue (50% in the Senate version; 25% in the House version) is derived from the sale of personal data, and the entity processes or controls personal data of at least 25,000 Washington consumers.

Enhanced Consumer Rights: The introduction to the bill explicitly referenced the European Union’s General Data Protection Regulation (GDPR) as inspiration for the drafters, which is reflected in the broad consumer rights proposed in the bill. In particular, the Washington Privacy Act would have provided Washington consumers the right to access personal data being processed by a company, as well as the right to correct inaccurate data and obtain personal data in specific formats. Subject to certain exceptions, Washington consumers would have had the right to direct companies to delete their personal data, as well as to opt out of personal data processing for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

Under this proposed legislation, a company would have had 45 days to respond after receiving a request or could have extended this timeframe once for an additional 45 days. In the event a company declined a request, the consumer would have had the right to appeal.

Heightened Business Obligations: This legislation would have also increased disclosure and use limitation requirements for businesses falling under the scope of the Act. In particular, companies would have been required to provide meaningful privacy notices with clear instructions on how consumers could exercise their rights under the Act. It also would have limited the personal data that companies could have collected to only that data reasonably necessary and restricted their ability to use personal data for secondary purposes not previously disclosed to the consumer. In cases involving sensitive data (such as protected classifications, genetic/biometric data, children’s data and specific geolocation data), companies would have been required to affirmatively obtain consumer consent. Companies would also have been required to conduct assessments of how they use personal data, particularly when it is being sold or used for purposes such as targeted advertising or profiling, and to implement and maintain reasonable security practices to protect the confidentiality, integrity and accessibility of personal data.

Enforcement: The primary reason that this bill failed to pass was the inability of the House and Senate to reach an agreement on how the Washington Privacy Act would be enforced. While the House version provided a private right of action for consumers, the Senate bill gave the Washington Attorney General exclusive enforcement authority. If reintroduced, this issue is likely to remain the primary topic of debate within the Washington Legislature.

Key Takeaways: The Washington House and Senate failed to reach agreement on the Washington Privacy Act (SB 6281) again this year. However, the two sides seemed closer than in previous years and it is likely the Washington Privacy Act will be reintroduced next legislative session. If the Washington House and Senate can come to terms on the last big ticket items, particularly whether the Act can be enforced via private action, it is likely the bulk of the bill would remain the same in its final form.

Authors

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Nicholas Farnsworth Senior Associate, Cyber, Privacy & Data Innovation, Artificial Intelligence & Machine Learning

Boston

See my bio

M:+1 978 430 8003
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Artificial Intelligence & Machine Learning
Technology Transactions
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Nicholas Farnsworth Senior Associate

Boston

Nick provides compliance guidance on both proposed and effective laws on a federal and state level in the U.S., including:

Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Children’s Online Privacy Protection Act (COPPA)
Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws
Fair Credit Reporting Act (FCRA)
Gramm-Leach-Bliley Act (GLBA)
Section 5 of the Federal Trade Commission Act (FTC) Act
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

He also counsels clients on the impact of international laws from a U.S. perspective, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. In addition, Nick devotes a portion of his practice to innovative client solutions and community engagement. His pro bono practice has included representing clients in immigration and innocence matters and assisting small businesses with their legal needs. To make the CCPA more accessible, Nick was a member of the team that developed Orrick’s CCPA Readiness Assessment Tool, which provides companies an opportunity to test their preparedness for compliance with the CCPA as a first step to constructing their strategic compliance roadmap.

Nick has obtained the Certified Information Privacy Professional - United States (CIPP/US), Certified Information Privacy Technologist (CIPT) and Privacy Law Specialist (PLS) designations from the International Association of Privacy Professionals.