Washington State Facial Recognition Law: What SB 6280 Actually Requires
- 01 What does Washington SB 6280 actually cover?
- 02 What must agencies do before deploying facial recognition?
- 03 What does SB 6280 require from facial recognition vendors?
- 04 What does SB 6280 prohibit?
- 05 How does Washington's FRT law compare to Illinois BIPA?
- 06 Shufti's approach to biometric compliance
TL;DR
- Washington’s SB 6280, signed in March 2020, limits government use of facial recognition, not private businesses.
- State and local agencies must file a notice of intent and produce a public accountability report before deploying.
- Vendors must supply an API for independent accuracy and bias testing, with a 90-day fix window if disparate impact is found.
- SB 6280 bans warrantless real-time tracking and prohibits facial recognition as the sole basis for probable cause.
- SB 6280 sets no penalties or enforcement body; individuals cannot sue, and there’s no fine schedule either.
Every time a Washington resident applies for a driver’s license, the Washington State Department of Licensing runs their photo through a facial recognition system. The technology checks whether the same face has already been issued a license under a different name, a direct fraud-prevention measure under RCW 46.20.037. Most applicants never know it is happening. That is not an accident. It is a deliberate carve-out in the Washington state facial recognition law, which governs exactly how government agencies may use this technology and what they owe the public when they do.
Signed by Governor Jay Inslee on March 31, 2020, SB 6280 was the first state law in the United States to directly regulate government facial recognition technology. It took effect in July 2021. Understanding what it requires and what it does not cover matters for every agency deploying facial recognition in Washington, every vendor supplying those systems, and every compliance team advising either of them.
What does Washington SB 6280 actually cover?
SB 6280 applies to Washington state and local government agencies that develop, procure, or use a “facial recognition service” defined as any technology that analyses facial features and is used to identify, verify, or persistently track individuals in still or video images.
That scope covers a wide range of public-sector actors: law enforcement agencies, the Department of Licensing, public schools and universities, courts, correctional facilities, and state licensing boards.
Private businesses are not covered. SB 6280 contains no provisions requiring retailers, employers, landlords, or commercial platforms to obtain consent before scanning faces, and it creates no opt-out rights for residents against private-sector facial recognition use. Washington does have a separate biometric privacy statute, RCW 19.375, enacted in 2017, which imposes notice and consent obligations on private entities collecting biometric identifiers. However, its scope and enforcement mechanisms are narrower than the government framework SB 6280 established, and it does not carry SB 6280’s pre-deployment accountability process or vendor testing requirements.
What must agencies do before deploying facial recognition?
SB 6280 requires every government agency intending to use facial recognition to complete a structured, publicly visible pre-deployment process. Skipping any stage is not a minor procedural lapse; it means the agency is operating without legal authority to use the technology.
Filing a notice of intent
The first step is filing a notice of intent with the relevant legislative authority, naming the specific purpose for which the facial recognition system will be used. The legislative authority must review and approve the notice before the agency may proceed to the next stage. This approval gate prevents agencies from treating facial recognition as a standard IT procurement with no oversight.
Producing an Accountability Report
Once the notice is approved, the agency must produce a written accountability report documenting the intended use case, the data governance procedures in place, the civil liberties protections built into the deployment, and the vendor involved. That report must be published and made available for a 90-day public comment period before the technology can go live. The 90-day window begins when the report is publicly released, not when the agency decides it is ready to deploy.
Community Consultation Requirements
During the comment period, the agency must hold community consultation meetings, giving residents a direct opportunity to ask questions and raise concerns. Agencies are required to document the feedback received and address it in their final accountability record. This requirement makes the pre-deployment process a genuine public dialogue, not a compliance formality.
What does SB 6280 require from facial recognition vendors?
Vendors supplying facial recognition services to Washington government agencies carry their own direct obligations under the law. The central requirement is technical: vendors must make available an application programming interface, or an equivalent technical mechanism, that allows independent third parties to test the system’s performance. That access must be real and usable, not a contractual promise to cooperate if asked.
The independent testing must cover two dimensions. First, overall accuracy. Second, differential performance across subpopulations defined by race, skin tone, ethnicity, gender, age, and disability status. If the independent testing identifies unfair performance differences across any of those groups, the vendor has 90 days to develop and implement a documented mitigation plan.
This accuracy and bias testing requirement is one of SB 6280’s most consequential provisions. It moves vendor accountability away from contractual representations and into independently verifiable performance standards. A vendor that cannot demonstrate equitable accuracy across demographic groups faces a concrete remediation deadline, not a vague expectation of improvement.
What does SB 6280 prohibit?
SB 6280 draws firm lines around government uses of facial recognition that the legislature treated as categorically off-limits, regardless of agency intent or purpose.
Agencies may not use facial recognition for ongoing surveillance of individuals in public spaces or for real-time identification or persistent tracking without a warrant, exigent circumstances, or a court order. The prohibition on warrantless persistent tracking is categorical. It is not a balancing test.
Facial recognition results may not be used as the sole basis to establish probable cause in a criminal investigation. A system match must be corroborated by independent evidence before an agency can rely on it to make a consequential decision. The law also prohibits targeting individuals based on religious beliefs, political views, race, ethnicity, or citizenship status.
Where facial recognition informs decisions that carry legal consequences, such as credit, housing, employment, healthcare, education, or criminal justice, the agency must ensure those decisions are subject to meaningful human review. A fully automated adverse determination based on a face match is not permissible under SB 6280.
How does Washington’s FRT law compare to Illinois BIPA?
Washington SB 6280 and the Illinois Biometric Information Privacy Act (BIPA), enacted in 2008, are the two most substantive state-level frameworks for biometric data in the United States. They are frequently discussed together, but they regulate entirely different actors, impose different obligations, and carry very different enforcement consequences.
| Attribute | Washington SB 6280 | Illinois BIPA |
| Sector covered | Government agencies only | Private entities only |
| Consent requirement | No consent rule accountability process instead | Informed written consent is required before collection |
| Private right of action | No | Yes, individuals can sue per violation |
| Enforcement body | No dedicated enforcement body specified | Private plaintiffs and attorney general |
| Accuracy and bias testing | Yes, the vendor must provide independent testing API | No explicit accuracy testing requirement |
| Prohibition scope | Warrantless surveillance, sole-basis probable cause, discriminatory targeting | Unlawful collection, transfer, or disclosure without consent |
| Covered data types | Facial recognition specifically | Broad biometric identifiers and information |
The practical consequence of these differences is significant. An Illinois employer that scans workers’ faces without written consent can be sued individually for each violation. A Washington agency that deploys facial recognition without completing the accountability process faces no specified statutory penalty; the practical consequence is reputational and political exposure through public accountability reports, not a fine or injunction. The litigation risk profile on the BIPA side has produced thousands of class-action lawsuits in Illinois since 2019. Washington has seen no equivalent wave of enforcement actions under SB 6280.
Frequently Asked Questions
Can Washington police use facial recognition for criminal investigations?
Yes, but with limits. Law enforcement may use facial recognition to investigate crimes and identify suspects, including locating missing or deceased persons. What SB 6280 prohibits is using a facial recognition match as the sole basis for probable cause. Any match must be independently corroborated before an agency can act on it.
Can individuals sue for facial recognition violations in Washington state?
No. SB 6280 does not include a private right of action. Individuals cannot file lawsuits directly under the statute for agency violations. Enforcement runs exclusively through the Washington State Attorney General, who may pursue violations under the Washington Consumer Protection Act.
Can Washington residents opt out of facial recognition in retail stores?
Not under SB 6280 the law applies to government agencies only and creates no opt-out rights against private-sector facial recognition. Washington's 2017 biometric privacy statute covers private entities but does not establish a comparable opt-out mechanism. Residents seeking recourse against commercial facial recognition use in Washington currently have limited options under state law alone.
Who enforces Washington's facial recognition law, and what can the AG do?
No one, in the traditional sense. SB 6280 sets no penalties, no enforcement body, and no private right of action. Compliance runs through legislative approval and public accountability reports instead, a gap the ACLU of Washington flagged when the bill passed. SB 6280 remains the primary legal framework for government facial recognition use in the state.

Shufti’s approach to biometric compliance
For government agencies completing SB 6280’s accountability process and the vendors they procure from, the compliance question is not whether the technology works. It is whether you can prove it works equitably and document that proof in a format a regulator or a community consultation audience will accept.
The accountability bottleneck is the evidence chain: accuracy data segmented by demographic subgroup, an accessible testing interface for independent reviewers, and a complete audit trail for every match that fed a decision with legal consequences. Most vendors treat these as separate deliverables assembled after the fact. Shufti’s face verification layer is built around that audit architecture from the start, with iBeta Level 3 conformance under ISO/IEC 30107-3 providing the independent performance validation that agencies need to anchor their accountability reports.
See how Shufti’s face verification handles accuracy documentation and audit-ready compliance on real data. Book a 20-minute demo.
