On July 9, 2021, new restrictions on biometric monitoring similar to the Illinois Biometric Information Privacy Act (BIPA) were added to New York City’s administrative code (N.Y.C. Admin. Code §§ 22-1201 et seq.). These restrictions apply to all “commercial establishments,” which are broadly defined as all stores (including newsstands); all restaurants, food trucks, hot dog stands, and other venues where food is offered for sale or served; and all “places of entertainment,” including theaters, stadiums, amusement parks, museums, etc. This definition does not include financial institutions such as banks, credit unions, and brokerage firms that are specifically exempted from the law unless the specific establishment is primarily engaged in “the retail sale of goods and services to customers” and only provides “limited financial services such as the issuance of credit cards or in-store financing.” This exception to the exception appears intended to ensure that major retailers are included within the definition of commercial establishments, even if such retailers offer custom credit cards and layaway or other, similar services. Government agencies, including the police, are also categorically exempt from the law.
WHAT INFORMATION IS COVERED
N.Y.C. Admin. Code § 22-1201 defines biometric information more simply than BIPA. The New York City law covers any “physiological or biological characteristic” which is used to identify, in whole or in part, a specific person. The law cites four examples of such information: retina/iris scans, fingerprints, and “a scan of hand or face geometry” (i.e., automated facial recognition systems). The law exempts from this definition CCTV footage and photographs, such as those from security cameras used in stores and other establishments, if they are not analyzed by recognition software and not shared with entities beyond law enforcement.
To comply with the new requirements, all covered commercial establishments which handle biometric information must post a “clear and conspicuous” sign near all customer entrances detailing their practices and use of the information. The notice must be in plain language and follow a form set by regulations promulgated by the city’s Department of Consumer and Worker Protection. The notice must describe how the biometric information is collected, retained, stored, converted, and shared, as applicable.
The sale of covered biometric information is also prohibited. Under N.Y.C. Admin. Code § 22-1202, “sale” is defined broadly as any act to “sell, lease, trade, share [biometric information] in exchange for anything of value or otherwise profit from the transaction.” This includes common arrangements like the disclosure of such information for free, unrelated services (such as consulting) or discounted access to a data lake or other form of shared database between entities. Unlike the notice requirements, the sales ban does not mention commercial establishments and therefore applies to all entities except those that are exempt from the law under N.Y.C. Admin. Code § 22-1204(b)(2).
Like BIPA, the law includes a robust private right of action; however, it is moderated by a thirty-day notice-and-cure period. Under N.Y.C. Admin. Code § 22-1203, a prevailing plaintiff in such an action has the right to damages of up to $500 for violations of the notice requirements or negligent violations of the sale ban. “Intentional or reckless” violations of the sale ban carry a right to damages of up to $5,000. In all cases, litigants are entitled to reasonable attorney’s fees, costs (including those of expert witnesses), and other relief, including injunctive relief.
POTENTIAL IMPACT ON BUSINESS
In recent years, many large and small U.S. retailers have been using systems provided by vendors to experiment with facial recognition as a mechanism to identify shoplifters. This recent move by New York City will likely require the disclosure of these practices to customers and will likely further limit the use of such data.
This law comes as part of a broader push in 2021 for greater privacy regulation across the United States, including regulation of biometric data. In addition to New York City, Maine’s legislature passed similar restrictions on the use of biometric information last month. Both Virginia’s Consumer Data Protection Act and the Colorado Privacy Act, two omnibus state privacy laws passed earlier this year, treat biometric data as sensitive personal information whose use requires a data protection impact assessment, among other protections. Over twenty-six states have seen the introduction of privacy regulation bills with various scopes during the current legislative session.