(1) Except as described in subsection (4) of this section, before deploying a facial recognition service in a context in which it will be used to make decisions that produce legal effects concerning individuals or similarly significant effects concerning individuals, an agency must test the facial recognition service in operational conditions. An agency must take reasonable steps to ensure best quality results by following all guidance provided by the developer of the facial recognition service. (2) (a) Except as described in subsection (4) of this section, an agency that deploys a facial recognition service shall require the facial recognition service provider to make available an application programming interface or other technical capability, chosen by the provider, to enable legitimate, independent, and reasonable tests of the facial recognition service for accuracy and to identify unfair performance differences across distinct subpopulations, including subpopulations that are defined by visually detectable characteristics such as: (I) Race, skin tone, ethnicity, gender, age, or disability status; or (II) Other protected characteristics that are objectively determinable or self-identified by the individuals portrayed in the testing dataset. (b) If the results of independent testing identify material unfair performance differences across subpopulations, the provider must develop and implement a plan to mitigate the identified performance differences within ninety days after receipt of the results. (c) Subsection (2)(a) of this section does not require a provider to disclose proprietary material or make available an application programming interface or other technical capability in a manner that would increase the risk of cyber attacks. Providers bear the burden of minimizing these risks when making an application programming interface or other technical capability available for testing purposes. (3) Nothing in this section requires an agency to collect or provide data to a facial recognition service provider to satisfy the requirements in subsection (1) of this section. (4) The requirements of subsections (1) and (2) of this section do not apply if the facial recognition service provider is a participant in the face recognition vendor test ongoing project of the national institute of standards and technology.
‹ Prev All Colorado sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.