C.R.S.
Section 24-18-302
Notice of intent to use facial recognition service
- accountability reports
- public review and comment
- notice
- exemption
(1)
On and after August 10, 2022, an agency that uses or intends to develop, procure, or use a facial recognition service shall file with its reporting authority a notice of intent to develop, procure, use, or continue to use the facial recognition service and specify a purpose for which the technology is to be used.(2)
Except as described in subsection (8) of this section, after filing the notice of intent described in subsection (1) of this section, and prior to developing, procuring, using, or continuing to use a facial recognition service, an agency shall produce an accountability report for the facial recognition service. An accountability report must include:(a)
Intentionally left blank —Ed.(I)
The name, vendor, and version of the facial recognition service; and(II)
A description of its general capabilities and limitations, including reasonably foreseeable capabilities outside the scope of the agency’s proposed use;(b)
Intentionally left blank —Ed.(I)
The type of data inputs that the facial recognition service uses;(II)
How data is generated, collected, and processed; and(III)
The type of data the facial recognition service is reasonably likely to generate;(c)
A description of the purpose and proposed use of the facial recognition service, including:(I)
What decision will be used to make or support the facial recognition service; and(II)
The intended benefits of the proposed use, including any data or research demonstrating those benefits;(d)
A clear use and data management policy, including protocols for the following:(I)
How, when, and by whom the facial recognition service will be deployed or used; to whom data will be available; the factors that will be used to determine where, when, and how the technology is deployed; and other relevant information, such as whether the technology will be operated continuously or used only under specific circumstances;(II)
If the facial recognition service will be operated or used by an entity on the agency’s behalf, a description of the entity’s access and any applicable protocols;(III)
Any measures taken to minimize inadvertent collection of additional data beyond the amount necessary for the specific purpose for which the facial recognition service will be used;(IV)
Data integrity and retention policies applicable to the data collected using the facial recognition service, including how the agency will maintain and update records used in connection with the service, how long the agency will keep the data, and the processes by which data will be deleted;(V)
What processes will be required prior to each use of the facial recognition service;(VI)
Data security measures applicable to the facial recognition service, including:(A)
How data collected using the facial recognition service will be securely stored and accessed; and(B)
If an agency intends to share access to the facial recognition service or the data from that facial recognition service with any third party that is not a law enforcement agency, the rules and procedures by which the agency will ensure that the third party complies with the agency’s use and data management policy;(VII)
The agency’s training procedures, including those implemented in accordance with section 24-18-305, and how the agency will ensure that all personnel who operate the facial recognition service or access its data are knowledgeable about and able to ensure compliance with the use and data management policy before using the facial recognition service; and(VIII)
Any other policies that will govern use of the facial recognition service;(e)
The agency’s testing procedures, including its processes for periodically undertaking operational tests of the facial recognition service in accordance with section 24-18-304;(f)
Information concerning the facial recognition service’s rate of false matches, potential impacts on protected subpopulations, and how the agency will address error rates that are determined independently to be greater than one percent;(g)
A description of any potential impacts of the facial recognition service on civil rights and liberties, including potential impacts to privacy and potential disparate impacts on marginalized communities, including the specific steps the agency will take to mitigate the potential impacts; and(h)
The agency’s procedures for receiving feedback, including the channels for receiving feedback, from individuals affected by the use of the facial recognition service and from the community at large, as well as the procedures for responding to feedback.(3)
Prior to finalizing an accountability report, an agency shall:(a)
Allow for a public review and comment period;(b)
Hold at least three public meetings to obtain feedback from communities; and(c)
Consider the issues raised by the public through the public meetings.(4)
At least ninety days before an agency puts a facial recognition service into operational use, the agency shall post the final adopted accountability report on the agency’s public website and submit it to the agency’s reporting authority. The reporting authority shall post the most recent version of each submitted accountability report on its public website.(5)
An agency shall update its final accountability report and submit the updated accountability report to the agency’s reporting authority at least every two years.(6)
An agency seeking to procure a facial recognition service must require each vendor to disclose any complaints or reports of bias regarding the vendor’s facial recognition service.(7)
An agency seeking to use a facial recognition service for a purpose not disclosed in the agency’s existing accountability report must:(a)
Seek and consider public comments and community input concerning the proposed new use; and(b)
In response to such comments and input, adopt an updated accountability report as described in this section.(8)
The requirements of subsections (2), (3), (4), (5), and (7) of this section concerning accountability reports do not apply to an agency’s procurement or use of a facial recognition service if:(a)
The facial recognition service is part of a generally available consumer product;(b)
The facial recognition service is included in the consumer product only for personal or household use; and(c)
The agency certifies publicly that the facial recognition service is not the reason for the agency’s procurement or use of the consumer product and will not be used for governmental purposes.
Source:
Section 24-18-302 — Notice of intent to use facial recognition service - accountability reports - public review and comment - notice - exemption, https://leg.colorado.gov/sites/default/files/images/olls/crs2023-title-24.pdf
(accessed Oct. 20, 2023).