Vote Smart's Synopsis:

Vote to amend and pass a bill that increases consumer personal data protections and regulations on facial recognition technology.

Highlights:

• Defines the subsequent terms as follows, including, but not limited to (Sec. 3):

• “Controller” as the individual solely, or jointly, responsible for determining the means of personal data processing;

• “De-identified data” as data that cannot reasonably be linked to identify a natural person provided that the controller possessing the data:

• Ensures that this data cannot be linked to a natural person by taking reasonable measures;

• Affirms publicly a commitment to the sole use of data as de-identified without any attempt to re-identify the data; and 

• Contractually obligates all data recipients to abide by the above provisions;

• “Facial recognition service” as technology which tracks or identifies consumers by analyzing their facial features;

• Facial template” as the pattern of facial features identifiable by machines as extracted from the facial recognition service;

• “Identification” as the use of facial recognition by a controller to match an unknown consumer with a known consumer, enrolled within the controller’s gallery of known facial images;

• “Ongoing surveillance” as the tracking of a consumer’s physical movement through one or more public places over time, whether in facial recognition for historical records or in real time, and does not include a single use, or attempted use, of recognition data without a subsequent attempt to track physical consumer movements;

• “Persistent tracking” as the use of facial recognition services to track a consumer’s physical movements from one or more public places for more than 48 hours or in order to connect that consumer tracking data with other data pertaining to a specific identifiable consumer;

• “Personal data” as any data that is reasonably linked to a natural person and does not include de-identified data;

• “Profiling” as any automated processing of personal data in order to predict or analyze personal aspects of an individual’s behavior, location, movements, health, economic situation, personal preferences, interests, or reliability;

• “Pseudonymous data" as personal data that cannot be linked to a natural person without the use of additional information, so long as said information is stored separately from the personal data to ensure that a natural person cannot be identified in connection with said personal data;

• “Recognition” as the use of facial recognition services to identify any matches between an unknown consumer and any, or a specific, consumer(s) within the controller’s enrolled image gallery as extracted from facial recognition services;

• “Sale” as the exchange of personal data for monetary gain, or other valuable commodities, between the controller and a third party and does not include the disclosure of said data to:

• A processor, processing data on the controller’s behalf;

• An affiliate of the controller; or

• A third party with whom the consumer has a direct relationship by providing products and services to the consumer upon request;

• “Sensitive data” as:

• Personal data that reveals ethnic or racial origin, citizenship or immigration status, religious beliefs, sexual orientation, or health conditions or diagnoses; 

• Personal data of an identified child;

• Specific geolocation data; and

• The processing of biometric or genetic data in order to identify a natural person;

• “Specific geolocation data” as information extracted from technology, which includes but is not limited to, global positioning systems that identify the specific location of a natural person, provided said system operates with accuracy and precision below 1,750 ft; 

• “Targeted advertising” as selecting specific advertisements for consumers based on their own personal data as obtained from repeated tracking of a consumer’s activities across nonaffiliated websites in order to predict a consumer’s specific interests and does not include advertising: and

• Based on the activity within a controller’s own website;

• Based on a consumer’s current search request or visit to a website; or

• Based on a consumer’s informational or feedback request.

• “Verification” as the use of a facial recognition service by a controller to determine whether a consumer is a specific consumer whose identity is known to the controller and who has been enrolled by reference to that identity in a gallery used by a facial recognition service.

• Specifies that the provisions of this bill will apply to legal businesses providing goods and services to Washington State residents which meet the following criteria (Sec. 4):

• Possess or control the personal data of 100,000 consumers or more during one calendar year; or

• Over 50 percent of the gross revenue for this business originates from the sale or processing of the personal data of 25,000 consumers or more.

• Establishes the consumer’s following rights, including the (Sec. 3):

• Right of access to confirm whether or not a controller is processing the consumer’s own personal data;

• Right to correction of inaccurate data concerning the consumer specifically;

• Right to deletion of the consumer’s own personal data;

• Right to data portability in which the consumer may obtain their own personal data from the controller in a readily usable format so that they may transport this data to another controller;

• Right to opt out of the processing of their own personal data for advertising, sale, or profiling purposes; and

• Right to a response from the controller on a consumer’s request regarding any of the above provisions within 45 days of receipt of the request with the option of an additional 45 day extension provided the controller informs the consumer of this extended period and the reason for delay.

• Requires the controller to do the following, including (Sec. 3):

• Provide this information free of charge up to twice annually, and only when a controller reasonably finds a consumer’s request to be unfounded or excessive in character, particularly due to repetition, may they charge a reasonable fee for the services required for compliance with the request;

• Establish an internal appeals process that is conspicuous and easy to use for consumers who have had their requests denied by the controller; and

• Notify the consumer of any action taken or not taken regarding their request for appeal within 30 days of receipt of the request, with a 60 day option for extension, provided that the controller notifies the consumer of the extension itself and the reasons for it.

• Requires processors that provide facial recognition services make available an application programming interface or other technical capability to enable controllers or third parties the ability to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations (Sec. 17).

• Authorizes a controller to enroll an image of a consumer in a facial recognition service for a security or safety purpose without first obtaining consent from that consumer (Sec. 17).

• Requires the controller to annually review any database used by their facial recognition service to remove facial templates of consumers that the controller no longer suspects as having engaged in criminal activity (Sec. 17).

• Requires the controller establish an internal process by which a consumer may correct or challenge the decision to enroll their image in a facial recognition service for security or safety purposes (Sec. 17).

• Establishes that this bill shall take effect July 31, 2021 (Sec. 20).

Full Bill Text