Today's Law As Amended

Bill PDF |Add To My Favorites | Version:

AB-2261 Facial recognition technology.(2019-2020)

Text

Votes

History

Bill Analysis

Today's Law As Amended

Compare Versions

Status

Comments To Author

Add To My Favorites

As Amends the Law Today

SECTION 1.
Title 1.81.7 (commencing with Section 1798.300) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.7. Facial Recognition Technology

1798.300.
The Legislature finds and declares all of the following:
(a) The use of facial recognition services by the private sector and by state and local government agencies can present risks to privacy, democratic freedoms, and civil liberties that should be considered and addressed.
(b) Facial recognition technology also has many applications with potential benefits to society, including improving security, providing individuals with efficient identification experiences, locating missing or incapacitated persons, identifying victims of crime, and keeping the public safe.
(c) Accordingly, legislation is required to establish safeguards that will allow industry and government to use facial recognition services in ways that benefit society while prohibiting uses that threaten our privacy, our democratic freedoms, and our civil liberties.

1798.305.
As used in this title:
(a) “Accountability report” means a report developed by an agency in accordance with Section 1798.335.
(b) “Agency” means any state or local public entity.
(c) “Consent” means a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of an individual’s agreement to the processing of personal data relating to the individual, including by a written or electronic statement or other clear affirmative action.
(d) “Controller” means an agency or natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of personal data.
(e) “Enroll” means the process by which a facial recognition service creates a facial template from one or more images of an individual and adds the facial template to a gallery used by the facial recognition service for recognition or persistent tracking of individuals, including the act of adding an existing facial template directly into a gallery used by a facial recognition service.
(f) (1) “Facial recognition service” means technology that analyzes facial features, or data representing facial features, and is used for recognition or persistent tracking of individuals in still or video images.
(2) “Facial recognition service” does not include the use of an automated or semiautomated process for the purpose of redacting a recording for release or disclosure outside of a law enforcement agency to protect the privacy of a subject depicted in the recording, if the process does not generate or result in the retention of any biometric data or surveillance information.
(g) “Facial template” means the machine-interpretable pattern of facial features, or data representing facial features, that is extracted from one or more images of an individual by a facial recognition service.
(h) “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly, in particular by reference to an identifier, including a name, an identification number, specific geolocation data, or an online identifier.
(i) “Meaningful human review” means review or oversight by one or more individuals who are trained in accordance with Section 1798.310 and who are ultimately responsible for making decisions based, in whole or in part, on the output of a facial recognition service.
(j) (1) “Ongoing surveillance” means tracking the physical movements of an individual through one or more public places over time, whether in real time or through application of a facial recognition service to historical records.
(2) “Ongoing surveillance” does not include a single recognition or attempted recognition of an individual if no attempt is made to subsequently track that individual’s movement over time.
(k) (1) “Persistent tracking” means the use of a facial recognition service by a controller or an agency to track the movements of an individual on a persistent basis, subject to the requirements of paragraph (2).
(2) Tracking described in paragraph (1) becomes persistent as soon as either of the following is true:
(A) A controller or agency maintains the facial template or unique identifier that permits the tracking for more than 48 hours after that template or identifier is first created.
(B) The controller or agency links the data created by the facial recognition service to other data, including, but not limited to, purchase or payment data, so that the individual who has been tracked is an identified or identifiable natural person.
(l) (1) “Personal data” means information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information.
(2) As used in this subdivision, “publicly available information” means information that is lawfully made available from federal, state, or local government records.
(m) “Process” means collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(n) “Processor” means an agency or natural or legal person that processes personal data on behalf of a controller.
(o) “Recognition” means the use of a facial recognition service by a controller or an agency to predict any of the following:
(1) If an unknown individual matches any individual who has been enrolled in a gallery used by the facial recognition service.
(2) If an unknown individual matches a specific individual who has been enrolled in a gallery used by the facial recognition service.
(p) “Security or safety purpose” means an immediate purpose related to physical security, safety, fraud prevention, or asset protection.
(q) “Serious criminal offense” means a felony under Part 1 (commencing with Section 187) of the Penal Code or an offense described in Section 2516 of Title 18 of the United States Code.

1798.310.
(a) (1) A processor that provides facial recognition services shall make available an application programming interface or other technical capability, chosen by the processor, to enable controllers or third parties to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations.
(2) If the results of an independent test described in paragraph (1) identify material unfair performance differences across subpopulations, and those results are disclosed directly to the processor, who, acting reasonably, determines that the methodology and results of that testing are valid, then the processor shall develop and implement a plan to mitigate the identified performance differences.
(3) (A) This subdivision shall not prevent a processor from prohibiting the use of its facial recognition service by a competitor for competitive purposes.
(B) A processor may satisfy the requirements of this subdivision by submitting deployed algorithms to each relevant Face Recognition Vendor Test that the National Institute of Standards and Technology (NIST) performs, including, but not limited to, overall accuracy and demographic-specific tests.
(C) This subdivision does not require a processor to disclose trade secrets or other intellectual property.
(4) As used in this subdivision, “subpopulations” mean groups defined by any of the following traits:
(A) Race.
(B) Skin tone.
(C) Ethnicity.
(D) Gender.
(E) Age.
(F) Disability status.
(G) Any other protected characteristic that is objectively determinable or self-identified by the individuals portrayed in the testing dataset.
(b) A processor that provides facial recognition services shall provide documentation that includes information that accomplishes both of the following:
(1) Explains the capabilities and limitations of the services in plain language.
(2) Enables testing of the services in accordance with this section.
(c) A processor that provides facial recognition services shall prohibit, in the contract by which the controller is permitted to use the facial recognition service, the use of the facial recognition services by a controller to unlawfully discriminate under federal or state law against an individual or groups of individuals.
(d) A controller shall provide a conspicuous and contextually appropriate notice whenever a facial recognition service is deployed in a physical premise open to the public that includes, but is not limited to, the following:
(1) Any purpose for which the facial recognition service is deployed.
(2) Information about where individuals can obtain additional information about the facial recognition service, including, but not limited to, a link to an applicable online notice, terms, or policy that provides information about where and how individuals can exercise any rights that they have with respect to the facial recognition service.
(e) (1) Except as provided in paragraph (4), a controller shall obtain consent from an individual before enrolling an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public.
(2) Except as provided in paragraph (3), a controller shall not deny access or service to an individual at a physical premise open to the public because that individual has exercised the right to withhold consent for enrolling an image or facial template of that individual in a facial recognition service pursuant to paragraph (1).
(3) A controller may deny service to an individual at a physical premise open to the public because that individual has exercised the individual’s right to withhold consent for enrolling an image or facial template of that individual in a facial recognition service pursuant to paragraph (1) if enrollment of that image or facial template is directly necessary for the provision of that service.
(4) A controller may enroll an image or a facial template of an individual in a facial recognition service for a security or safety purpose without first obtaining consent from that individual only if all of the following requirements are met:
(A) The controller has probable cause to believe that the individual has committed, or attempted to commit, a serious criminal offense.
(B) A database used by a facial recognition service for recognition, verification, or persistent tracking of individuals for a security or safety purpose is used only for that purpose and maintained separately from any other databases maintained by the controller.
(C) The controller removes the image or facial template as soon as the controller no longer has probable cause to believe that the individual has committed, or has attempted to commit, a serious criminal offense.
(D) The controller reviews a database described in subparagraph (B) at least twice per year to remove facial templates that meet either of the following criteria:
(i) The controller no longer has probable cause to believe that the individual depicted by the facial template has committed, or attempted to commit, a serious criminal offense.
(ii) The facial template is more than three years old.
(D) The controller establishes an internal process whereby individuals may correct or challenge the decision to enroll the image of an individual in a facial recognition service for a security or safety purpose.
(f) (1) A controller using a facial recognition service to make decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals shall ensure that those decisions are subject to meaningful human review.
(2) As used in paragraph (1), “legal effects” and “similarly significant effects” shall include, but not be limited to, all of the following:
(A) Denial of consequential services or support, including financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services.
(B) Denial of access to basic necessities.
(C) Negative impact on the civil rights of individuals.
(g) Before deploying a facial recognition service, a controller shall test the facial recognition service in operational conditions and take commercially reasonable steps to ensure best quality results in operational conditions by following all reasonable guidance provided by the developer of the facial recognition service.
(h) A controller using a facial recognition service shall conduct, at least, annual training of all individuals that operate a facial recognition service or that process personal data obtained from the use of facial recognition services, which shall include, but not be limited to, the following:
(1) The capabilities and limitations of the facial recognition service.
(2) Procedures to interpret and act on the output of the facial recognition service.
(3) To the extent applicable to the deployment context, the meaningful human review requirement, described in subdivision (f), for decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals.
(i) A controller shall not knowingly disclose personal data obtained from a facial recognition service to a person or agency unless any of the following is true:
(1) (A) The disclosure is pursuant to the consent of the individual to whom the personal data relates, and, except as provided in subparagraph (B), consent to share the data was not a requirement for the provision of a service.
(B) A controller may disclose personal data obtained from a facial recognition service to a person or agency if the disclosure is directly necessary for the provision of a service.
(2) The disclosure is required by federal, state, or local law in response to a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, or grand jury subpoena.
(3) The controller has a good faith belief that the disclosure is necessary to prevent or respond to an emergency involving danger of death or serious physical injury to a person.
(4) The disclosure is made to the National Center for Missing and Exploited Children, in connection with a report submitted thereto pursuant to Section 2258A of Title 18 of the United States Code.
(5) The disclosure is made between a controller and a processor to provide a facial recognition service, including the processing of personal data pursuant to that service, so long as the engagement is governed by a contract between the controller and the processor that is binding on the processor and that sets out the mandatory processing instructions to which the processor is bound, including the obligations imposed by this paragraph.

1798.315.
(a) An individual has the right to confirm if a controller has enrolled an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public.
(b) An individual has the right to correct or challenge a decision to enroll an image or a facial template of the individual in a facial recognition service used for a security or safety purpose in a physical premise open to the public.
(c) (1) An individual has the right to have an image or a facial template of the individual deleted that has been enrolled in a facial recognition service used in a physical premise open to the public.
(2) Paragraph (1) shall not apply in the case of an image or facial template used for a security and safety purpose, if the controller has met each of the requirements described in paragraph (2) of subdivision (e) of Section 1798.310.
(d) An individual has the right to withdraw, at any time, consent to enroll an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public.

1798.320.
(a) An individual may exercise the rights set forth in Section 1798.315 by submitting a request, at any time, to a controller specifying the rights the individual wishes to exercise.
(b) Except as provided in this title, the controller shall comply, free of charge to the requester, with a request to exercise a right described in Section 1798.315.
(c) The processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligation to respond to individuals’ requests made pursuant to this section.
(d) (1) Except as provided in paragraph (2), a controller shall notify an individual of an action taken on a request made pursuant to this section within 30 days of receipt of the request.
(2) The time period described in paragraph (1) may be extended by 60 additional days where reasonably necessary based on the complexity and number of the requests being processed by the controller.
(3) A controller shall notify the requester of an extension conforming with paragraph (2) within 30 days of receipt of the request and shall include in that notice any reason for the delay.
(4) Paragraphs (1) to (3), inclusive, shall apply to a controller’s decision not to comply with a request.
(e) A controller may refuse to comply with a request if either of the following is true:
(1) (A) A request is manifestly unfounded or excessive.
(B) A controller refusing to comply with a request pursuant to subparagraph (A) shall bear the burden of demonstrating that a request is manifestly unfounded or excessive.
(C) If the controller fails to demonstrate that a refused request is manifestly unfounded or excessive pursuant to subparagraph (B), the individual making the request shall be entitled to recovery of court costs and reasonable attorney fees from the controller.
(2) (A) The controller is unable to determine, using reasonable efforts, that the request is being made by the individual to whom the request pertains.
(B) If subparagraph (A) applies, the controller may request the provision of additional information reasonably necessary to determine that the request is being made by the individual to whom the request pertains.

1798.325.
The obligations imposed on a controller or a processor under this title do not restrict a controller’s or processor’s ability to do any of the following:
(a) Comply with federal, state, or local laws.
(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authority.
(c) Investigate, establish, exercise, prepare for, or defend legal claims.

1798.335.
(a) An agency using or intending to develop, procure, or use a facial recognition service shall produce an accountability report for that system.
(b) An accountability report shall be clearly communicated to the public at least 90 days before the agency puts the service into operational use and posted on the internet website of the agency.
(c) An accountability report shall be submitted to the ____ agency. The ____ agency shall post each submitted accountability report on its internet website.
(d) An accountability report shall include, but not be limited to, clear and understandable statements of all of the following:
(1) The name of the facial recognition service, vendor, and version and a description of its general capabilities and limitations, including reasonably foreseeable capabilities outside the scope of the proposed use of the agency.
(2) Any type of data inputs that the facial recognition service uses when it is deployed, how that data is generated, collected, and processed, and the types of data the system is reasonably likely to generate.
(3) A description of any purpose and proposed use of the facial recognition service, including any decision it will be used to make or support, whether it is a final or support decision system, and its intended benefits, including any data or research demonstrating those benefits.
(4) A clear use and data management policy, including protocols for all of the following:
(A) How, when, why, and by whom the facial recognition service will be deployed or used.
(B) Any measures taken to minimize inadvertent collection of additional data beyond the amount necessary for any specific purpose for which the facial recognition service will be used.
(C) Data integrity and retention policies applicable to the data collected using the facial recognition service, including all of the following:
(i) How the agency will maintain and update records used in connection with the service.
(ii) How long the agency will keep the data.
(iii) The processes by which data will be deleted.
(D) Any additional rules that will govern use of the facial recognition service and what processes will be required before each use of the facial recognition service.
(E) Data security measures applicable to the facial recognition service, including all of the following:
(i) How data collected using the facial recognition service will be securely stored and accessed.
(ii) If and why an agency intends to share access to the facial recognition service or the data from that facial recognition service with any other entity.
(iii) The rules and procedures by which an agency sharing data with other entities will ensure that those entities comply with the sharing agency’s use and data management policy as part of the data-sharing agreement.
(F) The agency’s training procedures and how the agency will ensure that all personnel who operate the facial recognition service or access its data are knowledgeable about and able to ensure compliance with the use and data management policy before use of the facial recognition service.
(5) The agency’s testing procedures.
(6) A description of any potential impacts of the facial recognition service on civil rights and liberties, including both of the following:
(A) Potential impacts to privacy and potential disparate impacts on marginalized communities.
(B) The specific steps the agency will take to mitigate the potential impacts and prevent unauthorized use of the facial recognition service.
(7) The agency’s procedures for receiving and responding to feedback.
(e) Before finalizing and implementing the accountability report, the agency shall consider issues raised by the public through both of the following:
(1) A public review and comment period.
(2) Community consultation meetings during the public review period.
(f) The accountability report shall be updated every two years, and each update shall be subject to the public comment and community consultation processes described in subdivision (e).
(g) An agency seeking to use a facial recognition service for a purpose not disclosed in the agency’s existing accountability report shall first seek public comment and community consultation on the proposed new use and adopt an updated accountability report pursuant to the requirements contained in this section.

1798.340.
(a) An agency that uses a facial recognition service shall prepare and publish an annual report that discloses all of the following:
(1) The extent of the agency’s use of facial recognition services.
(2) An assessment of compliance with the terms of the accountability report.
(3) Any known or reasonably suspected violations of the accountability report, including complaints alleging violations.
(4) Any revisions to the accountability report recommended by the agency during the next update of the policy.
(b) The annual report required by this section shall be submitted to the Legislature in compliance with Section 9795 of the Government Code.
(c) An agency shall hold a community meeting to review and discuss its annual report within 60 days of its public release.

1798.360.
(a) An agency shall not use a facial recognition service to engage in ongoing surveillance, unless that use is in support of law enforcement activities, may provide evidence of a serious criminal offense, and either of the following is true:
(1) A search warrant has been obtained to permit the use of the facial recognition service for ongoing surveillance.
(2) The agency reasonably determines that ongoing surveillance is necessary to prevent or respond to an emergency involving imminent danger or risk of death or serious physical injury to a person, and both of the following are true:
(A) Written approval is obtained from the agency’s director or the director’s designee before using the service.
(B) A search warrant is obtained within 48 hours after the ongoing surveillance begins.
(b) (1) An agency shall not apply a facial recognition service to an individual based on any of the following:
(A) The individual’s religious, political, or social views or activities.
(B) The individual’s participation in a particular noncriminal organization or lawful event.
(C) The individual’s actual or perceived race, ethnicity, citizenship, place of origin, age, disability, gender, gender identity, sexual orientation, or other characteristic protected by law.
(2) Paragraph (1) shall not prohibit an agency from applying a facial recognition service to an individual who happens to possess one or more of the characteristics described in paragraph (1), if an officer of that agency has probable cause to believe the individual has committed, is committing, or is about to commit a serious criminal offense.
(c) An agency shall not use a facial recognition service to create a record describing an individual’s exercise of rights guaranteed by the First Amendment of the United States Constitution or by Section 2 of Article I of the California Constitution unless both of the following are true:
(1) That use is specifically authorized by applicable law and is pertinent to and within the scope of an authorized law enforcement activity.
(2) There is probable cause to believe the individual has committed, is committing, or is about to commit a serious criminal offense.

1798.365.
(a) An agency using a facial recognition service shall maintain records of its use of the service that are sufficient to facilitate public reporting and auditing of compliance with the applicable accountability report.
(b) (1) Within 10 calendar days after the period of ongoing surveillance authorized by a warrant has ended, the officer who executed the warrant shall submit to the Department of Justice all information required by subdivision (a) of Section 1546.2 of the Penal Code.
(2) If an order delaying notice is obtained pursuant to subdisivion (b) of Section 1546.2 of the Penal Code, the government entity shall submit to the department upon the expiration of the period of delay of the notification all of the information required in paragraph (3) of subdivision (b) of Section 1546.2 of the Penal Code.
(3) The department shall publish all those reports on its internet website within 90 days of receipt and may redact names or other personal identifying information from the reports.
(c) (1) Within 10 calendar days after the period of ongoing surveillance authorized by a warrant has ended, the officer who executed the warrant shall notify the person who was tracked pursuant to subdivision (a) of Section 1546.2 of the Penal Code.
(2) Notice pursuant to this subdivision may be delayed pursuant to subdivision (b) of Section 1546.2 of the Penal Code.

1798.370.
(a) On or before January 1, 2023, and at least biennially thereafter, the nonpartisan California State Auditor shall conduct an independent audit of agencies deploying facial recognition services to evaluate compliance with the provisions of this title.
(b) Based on the independent audit performed pursuant to subdivision (a), the nonpartisan California State Auditor shall prepare a report detailing its review and shall include in that report any violations of the provisions of this title, as well as any recommendations for improvements to state and local policies on the use of facial recognition services by agencies.
(c) (1) The report prepared pursuant to subdivision (b) shall be made available to the public and shall be posted on the internet websites of the State Auditor and of the Attorney General.
(2) A copy of the report prepared pursuant to subdivision (b) shall be distributed to the Assembly Committees on the Judiciary, the Assembly Committee on Public Safety, the Assembly Committee on Privacy and Consumer Protection, the Senate Committee on Judiciary, and the Senate Committee on Public Safety.

1798.375.
(a) The Attorney General has exclusive authority to enforce this title by bringing an action in the name of the people of the State of California.
(b) A controller or processor that violates this title is subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.
(c) If more than one controller or processor, or both a controller and a processor, contribute to the same violation of this title, the liability for the violation shall be allocated among the parties according to principles of comparative fault.

SEC. 2.
If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.