(1)(a) A state or local government agency that deploys a facial recognition service must require a facial recognition service provider to make available an application programming interface or other technical capability, chosen by the provider, to enable legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations. Such subpopulations are defined by visually detectable characteristics such as: (i) Race, skin tone, ethnicity, gender, age, or disability status; or (ii) other protected characteristics that are objectively determinable or self-identified by the individuals portrayed in the testing data set. If the results of the independent testing identify material unfair performance differences across subpopulations, the provider must develop and implement a plan to mitigate the identified performance differences within ninety days of receipt of such results. For purposes of mitigating the identified performance differences, the methodology and data used in the independent testing must be disclosed to the provider in a manner that allows full reproduction.
(b) Making an application programming interface or other technical capability does not require providers to do so in a manner that would increase the risk of cyberattacks or to disclose proprietary data. Providers bear the burden of minimizing these risks when making an application programming interface or other technical capability available for testing.
(2) Nothing in this section requires a state or local government agency to collect or provide data to a facial recognition service provider to satisfy the requirements in subsection (1) of this section.
[ 2020 c 257 § 6.]