New York City’s Biometric Identifier Information Law, effective July 9, 2021, has changed the data privacy landscape for businesses operating in the City. The law imposes two broad mandates on commercial establishments. First, it prohibits covered establishments from selling, leasing, trading, sharing in exchange for value, or “otherwise profit[ing]” from biometric identifier information. Second, it provides that if biometric identifying data is collected, used and retained, a notice must be posted to consumers advising them of these activities. Biometric information is a physiological or biological characteristic, such as: a retina or iris scan, a fingerprint or voiceprint, or a scan of hand or face geometry.
The law applies to any business in the City that is operating a “place of entertainment, a retail store, or a food and drink establishment.” Government agencies, employees and agents are entirely exempt from the law’s requirements, and financial institutions are exempt from the signage requirements. Businesses may use traditional photographs and CCTV security cameras without complying with the signage requirement, provided that:
- They do not use any software to analyze the photos or videos collected based on physiological or biological characteristics.
- They do not sell or share the images or videos with third-parties, except law enforcement.
Penalties for failure to comply with the law could be substantial. The law allows a private right of action, which permits individuals to recover damages of $500 per violation for an establishment’s failure to post a conspicuous notice; $500 for each negligent violation of the ban on the sale or sharing of biometric data; and $5,000 for each intentional or reckless violation of the ban on selling or sharing biometric data. Significantly, the law also allows prevailing plaintiffs to recover reasonable attorneys’ fees and costs.
Businesses can take some comfort in the fact that the law includes a “notice-and-cure” provision, which requires a potential plaintiff to provide a commercial establishment with written notice of intent to bring a lawsuit based on the signage requirement. After receiving the written notice, the establishment has 30 days to cure the violation and to provide the aggrieved person with an express written statement that the violation has been cured and that no further violation shall occur. For alleged violations of the prohibition on the sale, lease, trade or sharing of biometric information, no pre-suit notice is required.
Litigation and class actions alleging violations of biometric laws in other jurisdictions have been on the rise in recent years and have resulted in the payment of substantial damages by noncompliant businesses. For example, the Illinois’ Biometric Information Privacy Act (BIPA) precludes the sale or exchange of data and requires notice and consent to individuals before biometric data is collected. Like New York City’s law, BIPA also provides for a private right of action. Since it was enacted, BIPA has generated hundreds of class action lawsuits. TikTok recently agreed to a proposed $92 million settlement in a class action suit that alleged that TikTok had collected its users’ facial geometric scans without consent. Additionally, Facebook recently settled a BIPA class action for $650 million for the use of its facial recognition software.
For better or worse, BIPA is significantly broader than New York City’s law. Specifically, BIPA applies to all private entities rather than only commercial establishments, it requires both notice and consent before collecting data, and it does not allow for an opportunity to cure. Thus, a similar deluge of litigation for New York City businesses is unlikely.
Key takeaways from New York City’s new law include:
- Businesses that collect biometric data should immediately post compliant signage.
- Businesses must refrain from selling, leasing, exchanging or “otherwise profiting” from the transaction of biometric identifier information. The term “otherwise profit” is not defined, and the definition of “sale” has been contested under other jurisdictions’ biometric privacy laws. This could potentially expose businesses to litigation.
- Businesses dealing in biometric information should consult with experienced privacy counsel to ensure compliance.