New York City’s Biometric Identifier Information Law Takes Effect

Ballard Spahr LLP
Contact

Ballard Spahr LLP

On July 9, 2021, New York City’s biometric identifier information law became effective. The law, which the New York City Council (Council) enacted in December 2020, addresses the collection and use of biometric identifier information (BII) by commercial establishments—meaning places of entertainment, retail stores, or food and drink establishments—to track customer activity. It creates a private right of action and subjects violators to statutory damages.

BII is broadly defined to mean “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” Examples of BII include: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, “or any other identifying characteristic.”

Notice Requirement

The law requires a commercial establishment to post clear and conspicuous signs near all customer entrances notifying customers if the establishment collects, retains, converts, stores, or shares BII of customers. “Customer” means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment. The New York City Department of Consumer and Worker Protection, which is instructed by the law to create rules regarding the posting of the required signage, has provided a sample sign for businesses to use.

Transactional Prohibition

The law also makes it unlawful “to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction” of BII. As the law does not define what would be considered “of value,” this prohibition likely applies broadly to transfers of BII even where no monetary compensation is given—such as transfers for the purpose of furthering a business relationship.

Exemptions

The notice requirement does not apply to a “financial institution,” which is defined to mean “a bank, trust company, national bank, savings bank, federal mutual savings bank, savings and loan association, federal savings and loan association, federal mutual savings and loan association, credit union, federal credit union, branch of a foreign banking corporation, public pension fund, retirement system, securities broker, securities dealer or securities firm.” However, the term does not include “a commercial establishment whose primary business is the retail sale of goods and services to customers and provides limited financial services such as the issuance of credit cards or in-store financing to customers.” A report issued in December by the Council’s Committee on Consumer Affairs and Business Licensing suggests that financial institutions are exempted from this requirement because they “already adhere to various disclosure requirements in terms of the collection of personal information.” Financial institutions, however, are not exempt from the transactional prohibition.

The notice requirement also does not apply to BII collected through photographs or video recordings, if:

  • The images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics; and
  • The images or video are not shared with, sold or leased to third parties other than law enforcement agencies.

Furthermore, the law exempts entirely the collection and processing of BII by government agencies, employees, or agents.

Private Right of Action

The law provides two separate frameworks for filing suit against violators of the notice requirement and the transactional prohibition:

  • At least 30 days prior to filing an action against a violator of the notice requirement, the aggrieved person must provide written notice of the violation to the commercial establishment. The commercial establishment must then cure the violation and provide a written response within 30 days stating that the violation has been cured and that no further violations will occur. Otherwise, the aggrieved person may proceed with filing suit.
  • As for violations of the prohibition against the sale, lease, trade, sharing, or profit from the transaction of BII, an aggrieved person may file an action without first affording the violator an opportunity to cure the violation.

Statutory damages are $500 for each violation of the notice requirement and each negligent violation of the transactional prohibition, and $5,000 for each intentional or reckless violation of the transactional prohibition, in addition to reasonable attorneys’ fees and costs, and other relief as a court may deem appropriate.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.