Title 52. Police (State)
Chapter 1. Department of State Police
§ 52-4.5. (Effective until July 1, 2026) Facial recognition technology; authorized uses; Department to establish a State Police Model Facial Recognition Technology Policy; penalty.
A. For purposes of this section:
"Authorized use" means the use of facial recognition technology to (i) help identify an individual when there is a reasonable suspicion the individual has committed a crime; (ii) help identify a crime victim, including a victim of online sexual abuse material; (iii) help identify a person who may be a missing person or witness to criminal activity; (iv) help identify a victim of human trafficking or an individual involved in the trafficking of humans, weapons, drugs, or wildlife; (v) help identify an online recruiter of criminal activity, including but not limited to human, weapon, drug, and wildlife trafficking; (vi) help a person who is suffering from a mental or physical disability impairing his ability to communicate and be understood; (vii) help identify a deceased person; (viii) help identify a person who is incapacitated or otherwise unable to identify himself; (ix) help identify a person who is reasonably believed to be a danger to himself or others; (x) help identify an individual lawfully detained; (xi) help mitigate an imminent threat to public safety, a significant threat to life, or a threat to national security, including acts of terrorism; (xii) ensure officer safety as part of the vetting of undercover law enforcement; (xiii) determine whether an individual may have unlawfully obtained one or more state driver's licenses, financial instruments, or other official forms of identification using information that is fictitious or associated with a victim of identity theft; or (xiv) help identify a person who an officer reasonably believes is concealing his true identity and about whom the officer has a reasonable suspicion has committed a crime other than concealing his identity.
"Facial recognition technology" means an electronic system or service for conducting an algorithmic comparison of images of a person's facial features for the purpose of identification. "Facial recognition technology" does not include the use of automated or semi-automated process to redact a recording in order to protect the privacy of a subject depicted in the recording prior to release or disclosure of the recording outside of the law-enforcement agency if the process does not generate or result in the retention of any biometric data or surveillance information.
"Publicly post" means to post on a website that is maintained by the entity or on any other website on which the entity generally posts information and that is available to the public or that clearly describes how the public may access such data.
B. Pursuant to § 2.2-1112, the Division of Purchases and Supply (the Division) shall determine the appropriate facial recognition technology for use in accordance with this section. The Division shall not approve any facial recognition technology unless it has been evaluated by the National Institute of Standards and Technology (NIST) as part of the Face Recognition Vendor Test. Any facial recognition technology utilized shall utilize algorithms that have demonstrated (i) an accuracy score of at least 98 percent true positives within one or more datasets relevant to the application in a NIST Face Recognition Vendor Test report and (ii) minimal performance variations across demographics associated with race, skin tone, ethnicity, or gender. The Division shall require all approved vendors to annually provide independent assessments and benchmarks offered by NIST to confirm continued compliance with this section.
C. The Department shall create a model policy regarding the use of facial recognition technology, which shall be known as the State Police Model Facial Recognition Technology Policy, and shall, as a part of such model policy, administer protocols for handling requests for assistance in the use of facial recognition technology made to the Department by local law-enforcement agencies and campus police departments. The Department shall publicly post such policy no later than January 1, 2023, and such policy shall be updated annually thereafter and shall include:
1. Requirements for training facilitated through the Department, including the nature and frequency of specialized training required for an individual to be authorized by a law-enforcement agency to utilize facial recognition technology as authorized by this section;
2. The extent to which a law-enforcement agency shall document (i) instances when facial recognition technology is used for authorized purposes and (ii) how long such information is retained;
3. Procedures for the confirmation of any initial findings generated by facial recognition technology by a secondary examiner; and
4. Promulgation of standing orders, policies, or public materials by law-enforcement agencies that use facial recognition technology.
D. The Department may use facial recognition technology for authorized uses. A match made through facial recognition technology shall not be included in an affidavit to establish probable cause for purposes of issuance of a search warrant or an arrest warrant but shall be admissible as exculpatory evidence. The Department shall not (i) use facial recognition technology for tracking the movements of an identified individual in a public space in real time; (ii) create a database of images using a live video feed for the purpose of using facial recognition technology; or (iii) enroll a comparison image in a commercial image repository of a facial recognition technology service provider except pursuant to an authorized use. Following such use as provided in clause (iii), no comparison image may be retained or used further by the service provider except as required for auditing that use or as may be otherwise required by law.
E. The Department shall maintain records regarding its use of facial recognition technology. Such records shall be sufficient to facilitate discovery in criminal proceedings, post-conviction proceedings, public reporting, and auditing of compliance with the Department's policy. The Department shall collect data pertaining to (i) a complete history of each user's queries; (ii) the total number of queries conducted; (iii) the number of queries that resulted in a list of possible candidates; (iv) how many times an examiner offered the Department an investigative lead based on his findings; (v) how many cases were closed due to an investigative lead from facial recognition technology; (vi) what types of criminal offenses are being investigated; (vii) the nature of the image repository being compared or queried; (viii) demographic information for the individuals whose images are queried; and (ix) if applicable, any other entities with which the Department shared facial recognition data.
F. The Superintendent shall publicly post and annually update a report by April 1 each year to provide information to the public regarding the Department's use of facial recognition technology. The report shall include all data required by clauses (ii) through (viii) of subsection E in addition to (i) all instances of unauthorized access of the facial recognition technology, including any unauthorized access by employees of the Department; (ii) vendor information, including the specific algorithms employed; and (iii) if applicable, data or links related to third-party testing of such algorithms, including any reference to variations in demographic performance. If any information or data (a) contains an articulable concern for any person's safety; (b) is otherwise prohibited from public disclosure by federal or state statute; or (c) if disclosed, may compromise sensitive criminal justice information, such information or data may be excluded from public disclosure. Nothing herein shall limit disclosure of data collected pursuant to subsection E when such disclosure is related to a writ of habeas corpus.
For purposes of this subsection, "sensitive criminal justice information" means information related to (1) a particular ongoing criminal investigation or proceeding, (2) the identity of a confidential source, or (3) law-enforcement investigative techniques and procedures.
G. Any facial recognition technology operator employed by the Department who (i) violates the Department's policy for the use of facial recognition technology or (ii) conducts a search for any reason other than an authorized use is guilty of a Class 3 misdemeanor and shall be required to complete training on the Department's policy on and authorized uses of facial recognition technology before being reinstated to operate such facial recognition technology. The Department shall terminate from employment any facial recognition technology operator who violates clause (i) or (ii) for a second time. A facial recognition technology operator who commits a second or subsequent violation of this subsection is guilty of a Class 1 misdemeanor.
2022, c. 737.