NYC’s New Biometric Privacy Law, Soon to be Effective, Imposes New Obligations on Businesses That Collect Biometric Data
New York, N.Y. (June 29, 2021) - Right on cue with mask mandates being lifted, a new NYC law aimed at the ever-popular facial recognition software takes effect on July 9, 2021. New York City’s Biometric Identifier Information Law applies to a broad array of biometric data and will have important implications for businesses going forward. Below is a breakdown of the key features of the law and takeaways for businesses to avoid potential litigation.
The NYC Biometric Identifier Information Law (the “Law”) is likely to draw comparisons to the notorious Illinois Biometric Information Privacy Act (“BIPA”), under which approximately 1,000 class action lawsuits have been filed since its 2008 enactment. Unlike BIPA, the Law does not provide an automatic private right of action for solely collecting biometric data, nor does it require employers to obtain prior written employee consent to biometric data collection. These key differences should allay initial concerns that the Law will result in the same tidal wave of litigation that has hit Illinois.
Requirements for Businesses
The Law prohibits commercial establishments - defined as retail stores, food and drink establishments, and entertainment venues - from selling or sharing customers’ biometric information and requires businesses that collect biometric identifier information to display conspicuous signage indicating that it is being collected. The Law has an expansive definition of “biometric identifier information,” which includes any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
Financial institutions, government agencies, government employees, and government agents are exempt from the law’s signage requirement, but not its prohibition on sharing or selling biometric identifier information.
The signage requirement also does not appear to apply to run-of-the-mill security cameras, providing a carveout for devices that simply film individuals without analyzing the information or sharing it with others.
The Law’s prohibition against selling or sharing biometric information exempts sharing with law enforcement. However, the law does not delineate what, if any, specific conditions need to be met for sharing with law enforcement to be permissible.
Penalties for Noncompliance
The Law provides a private right of action for violations of both the signage requirement and the prohibition on selling or sharing biometric information. Fortunately for businesses, the Law has a 30-day notice and cure provision for the signage requirement. Individuals can only file a claim after giving notice to the business of the claimed violation and allowing the business 30 days to state in writing that a notice has been posted and no future violations will occur. Significantly, however, there is no waiting period for filing suit based on an alleged violation of the prohibition on sharing or selling information.
Prevailing plaintiffs may recover $500 in damages for violations of the signage requirement. Damages for violations of the prohibition on selling or sharing biometric identifier information are $500 in the event of a negligent violation and $5,000 if the violation is found to be willful or intentional. Also, a prevailing plaintiff can recover attorneys’ fees and other costs.
What Should a Business Do?
Although a violation of the signage requirement is not actionable until after the expiration of the cure period, businesses that do collect biometric data should act expeditiously to post the required signage. Of note is the concern that plaintiffs will send mass notices of signage violations to multiple businesses, starting a 30-day clock for businesses to post signs and provide written notice that no further violations will occur. In the event the business does not do these two things within 30 days from receipt of the notice, the aggrieved individual may bring suit and the business may be exposed to the damages and fees mentioned above.
The Law is silent on whether it applies retroactively, but to be safe any business even arguably engaged in collecting, using, selling or sharing biometric information should heed the ordinance’s requirements.
The potential for increased litigation, particularly the proliferation of class action suits seen in the years since the enactment of the Illinois BIPA, is definitely a concern. However, the NYC Law is distinct from its Illinois predecessor in two key ways. First, it does not require businesses to obtain written releases prior to collecting any biometric data. Rather, it allows businesses to freely collect such data upon providing notice via a conspicuously-posted sign. While the Law does ban selling or sharing the data collected, simply collecting the data is not prohibited. Additionally, BIPA permits recovery based solely on the collection of data, whereas the NYC Law appears to mitigate the risk of litigation by providing businesses with a cure period for signage and creating automatic liability only when the biometric information gets into the hands of third parties.
Finally, the Law’s 30-day cure period may not provide a shield for businesses in the long run. Because the Law does not define what constitutes “notice,” it is possible that businesses may be subjected to arguments that they were given constructive notice of violations, creating potential multiple-litigation and class action risks for businesses that do not take appropriate steps to comply with the signage requirement upon receipt of the first notice.
Additional Takeaways for Businesses
While not particularly onerous for businesses on its face, the NYC Law can have serious implications if the requirements imposed are not heeded. The signage requirement and the prohibition on selling or sharing biometric information may be problematic for businesses that currently collect biometric data and are unsure whether the data they collect may constitute “biometric identifier information” under the Law. Because the Law provides an expansive definition of “biometric identifier information,” it arguably covers current COVID-19 temperature checks as a form of “any other identifying characteristic,” assuming an individual’s temperature is an “identifying characteristic.” If a business is collecting COVID-19 temperature data, it may be appropriate to post the required notices and then consult with counsel to determine whether it is able to share temperature data with the CDC or local governments for contact tracing purposes. The Law’s carveout for sharing data with third parties is currently limited to law enforcement, but it is possible that there will be an amendment to permit sharing for public health purposes. Businesses are encouraged to review their current policies for data collection to ensure they stay aware of what information is collected and how that information is subsequently used in order to avoid lawsuits.
Although the signage requirement is mitigated by the 30-day cure period, businesses that collect biometric data should stay abreast of the Law and ensure that prominent signs are promptly posted by the time the Law is effective in a few weeks. In the interim, businesses should review their policies and be aware of whether biometric identification data is even arguably being collected and, if so, determine what is done with the data. Businesses should be mindful of who is affected by their collection policies, what exactly is collected, and what is done with the data after collection. It is advisable to make biometric information collection policies flexible and adaptable in light of ambiguities in the current law and similar legislation potentially being introduced on the state and federal levels in the future.
Lewis Brisbois has been on the cutting edge of BIPA litigation defense and compliance services and established the country’s first dedicated BIPA practice, chaired by Chicago Partners Mary Smigielski and Josh Kantrow. For more information about BIPA, the NYC Law, or how biometric laws are developing in other areas of the country, contact the authors or editors of this alert. Visit our Illinois BIPA Practice page for more alerts on this topic.
Brian Pete, Partner
Peter T. Shapiro, Partner
Colby Berman, Associate
Mary A. Smigielski, Partner
Josh M. Kantrow, Partner