44-15-109. Notice requirement — policy and retention requirements for third-party vendors. (1) On capturing an image of an individual when the individual interacts with a state or local government agency, the state or local government agency shall notify the individual that the individual’s image may be used in conjunction with a facial recognition service.

Ask a business law question, get an answer ASAP!
Thousands of highly rated, verified business lawyers.
Click here to chat with a lawyer about your rights.

(2)A third-party vendor contracted with a state or local government agency for the provision of a facial recognition service may not collect, capture, purchase, receive through trade, or otherwise obtain an individual’s facial biometric data in the implementation of the service unless it first:

(a)informs the individual or the individual’s legally authorized representative in writing that facial biometric data is being collected or stored;

(b)informs the individual or the individual’s legally authorized representative in writing of the specific purpose and length of term for which facial biometric data is being collected, stored, and used; and

(c)receives written consent from the individual or the individual’s legally authorized representative authorizing the collection, storage, and use of the individual’s facial biometric data.

(3)A third-party vendor contracted with a state or local government agency for the provision of a facial recognition service shall provide the state or local government agency with a written privacy policy. The privacy policy must be designed and presented in a way that is easy to read and is understandable to an average consumer and must include the date the policy was last updated. A third-party vendor shall give notice of a privacy policy change to the state or local government agency within a reasonable period.

(4)(a) Except as provided in subsection (4)(b), a third-party vendor in possession of facial biometric data because of a contract with a state or local government agency for the provision of a facial recognition service shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying facial biometric data when the initial purpose for collecting or obtaining the data has been satisfied. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a third-party vendor in possession of facial biometric data shall comply with its established retention schedule and destruction guidelines.

(b)A third-party vendor in possession of facial biometric data because of a contract with a state or local government agency for the provision of a facial recognition service may retain an individual’s facial biometric data after the initial purpose for collecting or obtaining the data has been satisfied on the affirmative authorization of the individual. Facial biometric data retained because of affirmative authorization must be permanently destroyed within 1 year of the individual’s last interaction with the third-party vendor.

(5)(a) A third-party vendor in possession of facial biometric data as a result of a contract with a state or local government agency for the provision of a facial recognition service shall develop a written information security policy establishing appropriate administrative, technical, and physical controls to establish and govern the acceptable use of the third-party vendor’s information technology, including networks, applications, and databases, to protect the confidentiality, integrity, and availability of any facial biometric data.

(b)The security policy under subsection (5)(a) must include a provision that the facial biometric data collected under this part is stored within the territorial boundaries of the United States.

(6)A third-party vendor in possession of facial biometric data because of a contract with a state or local government agency for the provision of a facial recognition service may not give, sell, lease, or trade an individual’s facial biometric data without affirmative authorization from the individual.

(7)A third-party vendor in possession of facial biometric data because of a contract with a state or local government agency for facial recognition services:

(a)shall store, transmit, and protect from unauthorized disclosure all facial biometric data collected and processed:

(i)using the reasonable standard of care within the third-party vendor’s industry; and

(ii)in a manner that is the same as or more protective than the way the third-party vendor stores, transmits, and protects other personal information; and

(b)may not release facial biometric data to a federal or state agency without a valid warrant or court order issued by a court of competent jurisdiction.

(8)A state or local government agency that uses facial recognition technology without a third-party vendor must develop the same written privacy and retention policies outlined in this section as required by a third-party vendor, and must adhere to the same provisions for retention, destruction, and privacy as provided in this section.