Earlier this year, New York City passed a law restricting the collection and/or use of biometric technology by certain businesses. The new law went into effect July 9, meaning applicable businesses must now meet the law's requirements.
Businesses need only look to similar laws in other states, particularly Illinois, for a glimpse at the litigation that may come should they fail to abide by the new law’s provisions.
New York City Biometric Privacy Law: What Entities Are Covered?
Any “commercial establishment” collecting, retaining, storing, or sharing its customers’ biometric identifier information are covered under the law. This includes:
- (a) places of entertainment, such as a theater, stadium, arena, racetrack, museum, amusement park, and observatory; (b)
- retail stores; and
- (c) food or drink establishments.
“Biometric identifier information” is defined as a physiological or biological characteristic used to identify, or assist in identifying, an individual, such as an eye scan, fingerprint, voiceprint, or facial scan. Importantly, there is an exception for biometric identifier information collected through photographs or video that is not analyzed or sold to a third-party. In other words, security camera footage is not subject to the law’s requirements.
Government institutions are entirely exempt from the act and financial institutions are explicitly excluded from the notice provision (discussed below) but may be subject to the sale provision (also discussed below). Unlike the notice provision, the sale provision fails to delineate which entities are, or are not, subject to its prohibitions and is likely to be tested by the courts at some point.
What Does the Act Prohibit?
The act’s notice provision prohibits “commercial establishments” from collecting, retaining, storing, or sharing its customers’ biometric identifier information without disclosure. Disclosure is accomplished by placing a “clear and conspicuous” sign near each of the establishment’s customer entrances disclosing what information is being captured and what the establishment is doing with such information.
The act also has a sale provision which makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.” The qualification that the exchange of information must be for “anything of value” likely means an establishment sharing information with its subsidiaries or parent companies without remuneration is permitted.
What Are The Repercussions of Violating the Law?
If an entity violates the notice provision, prior to bringing suit, an aggrieved person must first provide the entity with written notice of the violation. The entity then has 30 days to cure the violation and provide written notice to the aggrieved person of the cure and a promise that no further violations shall occur. If the entity fails to cure the violation and provide notice of the cure within 30 days, the aggrieved person may bring a suit against the entity. No prior written notice is required for an aggrieved person to bring suit against an entity for violating the sale provision.
A plaintiff is entitled to $500 of statutory damages for each violation of the notice provision, $500 for each negligent violation of the sales provision, and $5,000 for each intentional or reckless violation of the sales provision.
If Illinois’s biometric privacy law is any indication of what’s to come in New York, a dizzying array of class action suits should be expected.
We will continue to and report on this evolving issue.
Authors is a partner at Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice. Read more Patterson Belknap blogs here.
