ASSEMBLY BILL 2261 as introduced, Chau. Facial recognition technology.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require a business to delete personal information about the consumer, as specified.
This bill would require a processor, as defined, that provides facial recognition services to, among other things, make available an application programming interface or other technical capability, chosen by the processor, to enable controllers or third parties to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations, as specified. The bill would also require a controller, as defined, to, among other things, provide a conspicuous and contextually appropriate notice whenever a facial recognition service is deployed in a physical premise open to the public that includes specified elements, including any purpose for which the facial recognition service is deployed. The bill would require a controller to obtain consent from an individual before enrolling an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public, unless the controller enrolls an image or a facial template of an individual in a facial recognition service for a security or safety purpose, as specified.
The bill would grant to an individual the right to confirm if a controller has enrolled an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public, the right to correct or challenge a decision to enroll an image or a facial template of the individual in a facial recognition service used for a security or safety purpose in a physical premise open to the public, the right to have an image or a facial template of the individual deleted that has been enrolled in a facial recognition service used in a physical premise open to the public, subject to the security and safety purpose exception described above, and the right to withdraw consent to enroll an image or a facial template of that individual in a facial recognition service used in a physical premise open to the public.
Existing law, the Information Practices Act of 1977, requires an agency to maintain in its records only personal information that is relevant and necessary for a required or authorized purpose.
This bill would require an agency, defined as a state or local public entity, using or intending to develop, procure, or use a facial recognition service to produce reports regarding the use of that service, including an accountability report for that system. The bill would require an agency to clearly communicate that accountability report to the public at least 90 days before the agency puts the service into operational use, post the report on the internet website of the agency, and submit the report to an unspecified agency that is required to post each report on its internet website. The bill would require the report to include specified elements, including the name of the facial recognition service, vendor, and version and a description of its general capabilities and limitations.
The bill would require, among other things, an agency using a facial recognition service to make decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals, as specified, to ensure that those decisions are subject to meaningful human review and to conduct specified periodic training of all individuals who operate a facial recognition service or who process personal data obtained from the use of a facial recognition service. The bill would prohibit an agency from using a facial recognition service to engage in ongoing surveillance, unless specified conditions are met relating to a law enforcement investigation of a serious criminal offense, as defined.
The bill would subject a violation of its provisions to injunction and a civil penalty of not more than $2,500 for each violation or not more than $7,500 for each intentional violation, recovered only in an action brought by the Attorney General, as specified.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.