Colorado passes legislation restricting the use of facial recognition technology by government agencies

June 16, 2022 |

Colorado’s governor has just signed into law legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions.  This highlights that facial recognition is capable of proper regulation, that privacy issues can be regulated and there is a public good in properly regulating this form of technology. 

It has been well summarised in The National Law Review as:

Ramping up the state’s continued focus on data privacy, on June 8, 2022, Colorado Governor Jared Polis signed legislation aimed at limiting the use of facial recognition technology by government agencies and state institutions of higher education.

The new law, SB 113, requires an agency, defined as “an agency of the state government or of a local government; or a state institution of higher education,” that intends to “develop, procure, use or continue to use facial recognition service” to provide notice of intent to use those services with its “reporting authority” prior to using the technology.

The notice must provide details of the vendor to be used, the capabilities and limitations on the use of the facial recognition technology, the type of data collected by the technology, how data will be collected and processed, the purpose of the use, and the benefits of the proposed use of the technology. In addition, the notice must provide information on how the data will be stored and secured, what policies will govern the information collected, and details regarding testing and reporting of “false matches, potential impacts on protected subpopulations, and how the agency will address error rates that are determined independently to be greater than one percent.”


The law requires agencies and state institutions of higher education to provide an accountability report on how the use of facial recognition impacts civil rights and liberties, “including potential impacts to privacy and potential disparate impacts on marginalized communities, including the specific steps the agency will take to mitigate the potential impacts” and how it will receive feedback on the use of the technology. Agencies are required to submit an accountability report prior to deploying the technology and must allow public review and comment, including three public meetings. The accountability report is required to be published publicly at least 90 days prior to deploying the technology.

The law requires users of facial recognition technology in an agency to be trained on its use and includes certain limitations and prohibitions on the use of the technology by law enforcement. It also prohibits the use of facial recognition services by any public school, charter school, or institute charter school until January 1, 2025.

The law is dense in its requirements and goes into effect on August 10, 2022.

The summary of the Bill provides:

Section 1 of the bill creates a task force for the consideration of artificial intelligence (task force) and requires the task force to:

    • Study issues relating to the use of artificial intelligence; and
    • Submit a report on or before October 1, 2023, and on or before each October 1 thereafter, to the joint technology committee.

Section 2 repeals the task force, effective September 1, 2032, subject to a sunset review by the department of regulatory agencies.Section 3 adds new definitions of terms and renumbers existing definitions.Section 4 requires a state or local government agency (agency), including an institution of higher education , that uses or intends to develop, procure, or use a facial recognition service (FRS) to file with a reporting authority a notice of intent to develop, procure, or use the FRS and specify a purpose for which the technology is to be used. After filing the notice of intent, the agency must produce an accountability report that includes certain information and policies regarding the proposed use of the FRS. The bill establishes requirements for the adoption, implementation, and updating of accountability reports. Section 4 also requires an agency using an FRS to subject to meaningful human review any decisions that result from such use and produce legal effects concerning individuals or similarly significant effects concerning individuals. An agency must test the FRS in operational conditions before deploying the FRS in a context in which it will be used to make such decisions.

An agency using an FRS must conduct periodic training of all individuals who operate the FRS or who process personal data obtained from the FRS. An agency must maintain records that are sufficient to facilitate public reporting and auditing of compliance with the agency’s facial recognition policies.

Section 4 also prohibits a law enforcement agency (LEA) from:

    • Using an FRS to engage in ongoing surveillance, conduct real-time or near real-time identification, or start persistent tracking unless the LEA obtains a warrant authorizing such use, exigent circumstances exist, the LEA has established probable cause for such use , or the LEA obtains a court order authorizing the use of the service for the sole purpose of locating or identifying a missing person or identifying a deceased person;
    • Applying an FRS to any individual based on the individual’s religious, political, or social views or activities or any other characteristic protected by law;
    • Using an FRS to create a record depicting any individual’s exercise of rights guaranteed by the first amendment of the United States constitution and by section 10 of article II of the Colorado constitution;
    • Using the results of an FRS as the sole basis to establish probable cause in a criminal investigation; or
    • Substantively manipulating an image for use in an FRS in a manner not consistent with the FRS provider’s intended use and training.

An agency must disclose its use of an FRS on a criminal defendant to that defendant in a timely manner prior to trial. In January of each year:

    • Any judge who has issued or extended a warrant for the use of an FRS during the preceding year, or who has denied approval of such a warrant during that year, must report certain information to the state court administrator; and
    • Any agency that has applied for a warrant or an extension of a warrant for the use of an FRS to engage in any surveillance must provide to the agency’s reporting authority a report summarizing nonidentifying demographic data of individuals named in warrant applications as subjects of surveillance.

Sections 5 and 6 prohibit the use of facial recognition services by any public school, charter school, or institute charter school until January 1, 2025.Section 7 states that an individual may authorize an agent to access and process the individual’s personal data or other information held by a controller and that is otherwise accessible to the individual, and such an authorization does not constitute cybercrime.Sections 8 and 9 make conforming amendments.Section 10 makes an appropriation.

The Bill Colorado SB113 Artificial Intelligence Facial Recognition      





Leave a Reply

Verified by MonsterInsights