July 29, 2021

Volume XI, Number 210

Advertisement

July 28, 2021

Subscribe to Latest Legal News and Analysis

July 27, 2021

Subscribe to Latest Legal News and Analysis

July 26, 2021

Subscribe to Latest Legal News and Analysis

Get Ready for New York City’s New Biometric Identifier Information Law

2021 could be another record year for new and pending privacy legislation, including laws either banning outright or placing limits on the use of technology involving biometric information.  Just this year, Portland, Oregon implemented a ban on facial recognition technology beginning January 1.  Although the New York State Legislature failed to pass a broad biometric privacy law for the third session in a row, New York City recently adopted its own biometrics privacy legislation that is set to take effect on July 9, 2021.

New York City’s Biometric Identifier Information Law

New York City’s law is a broad prohibition on the sale or exchange of biometric identifier information, defining it as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”  The law does, however, permit the collection, use, and retention of biometric identifying data if there is a posted notice to customers.  The notice must be in “plain, simple language” and the NYC Commissioner of Consumer and Worker Protection is expected to issue further guidance detailing the exact requirements that businesses must follow to comply with the law.  Further, the law does not prohibit the sharing of information if nothing of value is exchanged, so data can be shared, for example, between affiliates of a large corporation.

Once in effect, the new law applies to any business operating a “place of entertainment, a retail store, or a food and drink establishment” in New York City, if that business collects biometric identifying information from individuals.  As written, the ban on the sale or exchange of biometric identifier information applies to all individuals, including employees.  

Under the law, a “place of entertainment” is defined as any privately or publicly owned and operated entertainment facility, including theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held.  A “retail store” is considered an establishment where consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.  And a “food and drink establishment” is a business that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.

Exemptions

Government agencies, employees, and agents are entirely exempted from the law’s requirements and prohibitions. Financial institutions and businesses that use traditional CCTV security cameras are exempt from the signage requirement, provided that:

  • They do not use any software to analyze the photos or videos collected; and

  • They do not sell or exchange the images or videos with third-parties, except law enforcement.

The widespread adoption of new technology, however, may force changes in some of these exemptions.  For example, some employers already use biometric data collection technology in the form of time clocks that use fingerprint or retina scans to keep time records.  This could be worrisome for businesses that have or are considering deploying such systems.

Violations

The fines for violating the statute are quite steep and could hit small businesses hard. The law also allows a private right of action: individuals can recover damages of $500 per violation for an establishment’s failure to post a conspicuous notice, $500 for each negligent violation of the ban on the sale or sharing of biometric data, and $5,000 for each intentional or reckless violation of the ban on selling or sharing biometric identifier information.  

To understand how this right to sue could impact businesses, a useful example is an existing privacy law that allows individuals to sue privately, the Illinois’ Biometric Information Privacy Act, or BIPA.  Like New York City’s law, BIPA also regulates a private entity’s use of biometric identifying information.  Unfortunately for New York City businesses, BIPA has led to increased litigation, due to the private right of action.  Just this year, BIPA litigation produced an undisclosed settlement-in-principal against Shutterfly, Inc., a photography and image sharing company, for its collection without consent of biometric data from its facial recognition technology.  And TikTok recently agreed to a proposed $92 million settlement in a class action suit that alleged that TikTok had collected, without consent, its users’ facial geometric scans.

The New York City law has a limited cure provision: before an individual can sue under the law for the failure to post a conspicuous notice, he or she must give at least 30 days written notice to the business.  If within that time the business cures the violation within and sends written notice that the violation was cured and will not occur again, the individual is prohibited from filing a lawsuit for that specific violation. This cure provision only applies to the signage requirement -- no written notice is required to sue for a violation of the ban against selling or exchanging of biometric data. 

Uncertainty

Until New York City releases guidance detailing the exact requirements for complying with this law, there is much uncertainty.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume XI, Number 173
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

617-348-1732
Michael Greis, Mintz Levin Law Firm, Intellectual Property Law Attorney, New York
Member

Michael is an intellectual property attorney whose practice encompasses trademark and copyright enforcement, technology and licensing transactions, patent and trademark portfolio management, and counseling clients on intellectual property issues that arise in business deals. He also has extensive experience in cybersecurity, privacy, and social media law. His clients range from start-ups to Fortune 500 companies in a broad range of industries, including technology, manufacturing, sports & entertainment, and digital & social media.

The...

212-692-6287
Advertisement
Advertisement