New York Biometric Privacy Update: Scanning Your Face as You Walk the City?

Locke Lord LLP
Contact

New York’s recent steps to protect biometric privacy are well worth your attention. The “Biometric Identifier Information” Law (BIIL) was passed by the New York City Council and will be effective July 9, 2021 in New York City. The “Biometric Privacy Act” (BPA) has been sponsored by a bipartisan group of lawmakers and is moving through the New York State Legislature. BIIL and BPA (if passed) means that companies collecting the biometric information of New York residents can expect similar types compliance risk and requirements seen in Illinois after that state passed its Biometric Information Privacy Act. Notably, both BIIL and BPA contain private rights of action.

Starting with BIIL, New York City’s law is a brief one page and applies to “commercial establishments,” which capture individuals’ “biometric identifier information.” BIIL, unlike BPA, is very limited in scope. “Commercial establishments” means a place of entertainment, retail store, or food and drink establishment. As such, BIIL is targeted towards physical locations in the city and is focused on preventing individuals from being tracked without their knowledge, by requiring commercial establishments to disclose their collection in plain language via a conspicuous sign. BIIL also restricts commercial establishments from selling, trading, sharing, or otherwise exchanging biometric identifier information for anything of value. While BIIL does contain a private right of action for individuals with statutory damages, it requires potential claimants to provide commercial establishments with 30 days’ notice and the opportunity to cure before initiating an action. In practice, this 30-day notice and opportunity to cure provision will dramatically reduce the litigation risk for commercial establishments in New York City.

The proposed BPA takes a decidedly different approach. New York’s BPA is a comprehensive approach to biometric information protection and privacy in New York and applies to private entities who collect and use “biometric identifiers” (facial geometry, voiceprints, etc.) and “biometric information” (information based on biometric identifiers used to identify an individual). Financial Institutions and their affiliates regulated by the Gramm-Leach-Bliley Act are exempt, and so are state agencies or local governments and their contractors and agents. In summary, BPA requires private entities that collect biometric identifiers and information to:

(1) develop a publicly available written policy outlining the private entity’s retention schedule and guidelines for the destruction of biometric identifiers and information;

(2) not collect, capture, purchase, or otherwise obtain a person’s biometric identifiers or information without first providing notice and obtaining their written informed consent, which requires providing disclosures about the purpose and length of use of the information;

(3) not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information;

(4) not disclose or re-disclose a person’s biometric identifier or information without written consent or otherwise meeting a permitted exception; and

(5) follow reasonable security requirements (no less protective than other confidential and sensitive information protected by the private entity) relating to the storage, transmittal, and protection of persons’ biometric identifiers and information.

Individuals are provided a private right of action in BPA, which includes statutory damages of $1,000 per violation for negligent violations and $5,000 per violation for intention or reckless violations. Individuals may also recover reasonable fees and costs and seek injunctive relief. This private right of action will likely motivate class actions, as seen with Illinois’ BIPA.

In concert, BIIL and BPA (if passed) will bring New York into the growing list of states with highly specific and restrictive laws regulating the collection, use, and retention of biometric data.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Locke Lord LLP | Attorney Advertising

Written by:

Locke Lord LLP
Contact
more
less

Locke Lord LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.