On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which the New York City Council (Council) enacted in December 2020, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.
BII is broadly defined to mean “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” Examples of BII include: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, “or any other identifying characteristic.”
The law requires a commercial establishment to post clear and conspicuous signs near all customer entrances notifying customers if the establishment collects, retains, converts, stores, or shares BII of customers. “Customer” means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment. The New York City Department of Consumer and Worker Protection, which is instructed by the law to create rules regarding the posting of the required signage, has provided a sample sign for businesses to use.
The law also makes it unlawful “to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction” of BII. As the law does not define what would be considered “of value,” this prohibition likely applies broadly to transfers of BII even where no monetary compensation is given—such as transfers for the purpose of furthering a business relationship.
The notice requirement does not apply to a “financial institution,” which is defined to mean “a bank, trust company, national bank, savings bank, federal mutual savings bank, savings and loan association, federal savings and loan association, federal mutual savings and loan association, credit union, federal credit union, branch of a foreign banking corporation, public pension fund, retirement system, securities broker, securities dealer or securities firm.” However, the term does not include “a commercial establishment whose primary business is the retail sale of goods and services to customers and provides limited financial services such as the issuance of credit cards or in-store financing to customers.” A report issued in December by the Council’s Committee on Consumer Affairs and Business Licensing suggests that financial institutions are exempted from this requirement because they “already adhere to various disclosure requirements in terms of the collection of personal information.” Financial institutions, however, are not exempt from the transactional prohibition.
The notice requirement also does not apply to BII collected through photographs or video recordings, if:
- The images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics; and
- The images or video are not shared with, sold or leased to third parties other than law enforcement agencies.
Furthermore, the law exempts entirely the collection and processing of BII by government agencies, employees, or agents.
Private Right of Action
The law provides two separate frameworks for filing suit against violators of the notice requirement and the transactional prohibition:
- At least 30 days prior to filing an action against a violator of the notice requirement, the aggrieved person must provide written notice of the violation to the commercial establishment. The commercial establishment must then cure the violation and provide a written response within 30 days stating that the violation has been cured and that no further violations will occur. Otherwise, the aggrieved person may proceed with filing suit.
- As for violations of the prohibition against the sale, lease, trade, sharing, or profit from the transaction of BII, an aggrieved person may file an action without first affording the violator an opportunity to cure the violation.
Statutory damages are $500 for each violation of the notice requirement and each negligent violation of the transactional prohibition, and $5,000 for each intentional or reckless violation of the transactional prohibition, in addition to reasonable attorneys’ fees and costs, and other relief as a court may deem appropriate.