Regulations governing biometric data collection, use, and processing have already been complex and strict with Illinois’ Biometric Information Privacy Act (“BIPA”) as well as the biometrics laws in Washington and Texas. BIPA, which has a private right of action, has generated a flood of class action litigation. New York City has recently added to the mix by passing two new biometrics laws, the Tenant Data Privacy Act (“TDPA”) and an amendment to the New York City Administrative Code (“NYC Administrative Code”), both of which set forth requirements when it comes to the processing of biometric data that expand consumers’ rights and impose obligations on processing biometric data.

The TDPA, is narrower in scope than other biometric laws we are already familiar with in that it is limited to regulating biometric data collected and used for granting entry into certain dwellings that use keyless entry systems. However, it includes in the scope of regulated data not only biometric information but also radio frequency access devices. The NYC Administrative Code now regulates biometric data collection by commercial establishments, which includes places of entertainment, retail stores, and food and drink establishments.

Those collecting and processing biometric data should evaluate their data practices in consideration of these new laws to determine if they apply to their practices and, if so, come into compliance especially since both set forth a private right of action. At the same time, those collecting and processing data should be mindful of the new the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“CDPA”) which will also have implications on biometric collection and use once they go into effect in January 2023.

The TDPA

• Scope

The TDPA, effective at the end of July 2021 (but not enforceable until Jan. 1, 2023), regulates “smart access systems” by owners of a “smart access building.” A smart access building is a Class A multiple dwelling − a multiple dwelling that is occupied, as a rule, for permanent residence purposes and includes tenements, flat houses, maisonette apartments, apartment houses, apartment hotels, bachelor apartments, studio apartments, duplex apartments, kitchenette apartments, garden-type maisonette dwelling projects, and all other multiple dwellings except Class B multiple dwellings [1] − that uses a smart access system. Smart access system is broadly defined to include various types of digital technology that grant entry into a class A multiple dwelling, including radiofrequency devices (e.g., key fobs), mobile apps, and biometric data. Therefore, the TDPA is limited in scope and does not apply in contexts such as online identity verification for consumer rights requests or employee time clocks, but rather strictly to biometric and other smart access data collected in relation to access controls for certain multi-family dwelling units.

• Key Compliance Obligations

Among other requirements, the TDPA requires owners to obtain express consent (in writing or through a mobile app) to collect data for use in granting entry into a class A multiple dwelling.  Since a resident could refuse to provide consent, owners would need to provide a method of entry into the apartment community that does involve the use of digital technology, such as providing an actual key to the building.

Owners are also required to provide tenants with a written privacy policy that describes, at a minimum, the:

1. Data elements to be collected by the smart access system;

2. Names of any entities or third parties the owner will share such data elements with, and the privacy policies of any such entities or third parties;

3. Protocols and safeguards the owner will provide for protecting such data elements;

4. Retention schedule of such data;

5. Protocols the owner will follow to address any suspected or actual unauthorized access to or disclosure of such data elements, including notification of users;

6. Guidelines for permanently destroying or anonymizing such data or removing such data from the smart access system; and

7. Process used to add and remove persons who have provided written consent on a temporary basis to the smart access system.

Considering these requirements, owners of smart access buildings should consider whether to either prepare a notice and consent tailored for data subject to the TDPA and a separate notice and consent that meets the standards of BIPA for its non-access control biometrics, such as for employee time cards, or alternatively, a single notice and consent that complies with the various biometrics laws can be developed and implemented.

• Data Retention Limitations

The TDPA also sets data retention limitations. Authentication data (which is data collected in connection with granting a user entry to a smart access building, through such building’s smart access system) collected from a smart access system must be destroyed no later than 90 days after such data has been collected, except if it is retained in an anonymized format. Reference data (which is information against which authentication data is verified to grant a user entry to a smart access building) collected solely for the operation of such smart access system for a tenant who has permanently vacated a smart access building must be destroyed no later than 90 days after a tenant has permanently vacated a smart access building or has withdrawn authorization from the owner of such smart access building or a third party. The TDPA sets forth some exceptions to destroying data, such as if it is needed to detect security incidents or comply with the law.

Considering the differing retention periods permitted under BIPA and the TDPA, those processing biometric data need to decide if they want to apply the 90-day retention limitation to only data subject to the TDPA, or instead to all biometric data they maintain. If a single retention policy is preferred, 90-day retention limitation should be applicable to not only data subject to the TDPA, but BIPA covered data as well. Alternatively, if one decides to apply it only to data subject to the TDPA, the conservative approach would be to apply BIPA retention limitations to all other data.

• Restrictions on Sale

In addition, the TDPA restricts selling, leasing, or otherwise disclosing data with limited exceptions, such as to a third party that operators the smart access system, provided that the user has given express written authorized and in advance of the authorization has received: (1) the name of the third party, (ii) the intended use of such by such third party, and (3) any privacy policy of such third party.

• Security Measures, PRoA, and Ramp Up Period

The TDPA also requires that a smart access system implement stringent security measures and safeguards to protect data. The law has a private right of action that permits compensatory and punitive damages for unlawful sale of data, or at the election of each occupant, damages ranging from $200 to $1,000. It also allows for attorneys’ fees and costs. The TDPA takes effect at the end of July 2021; however, existing owners have an 18-month grace period, until Jan. 1, 2023, to come into compliance.

New York City Administrative Code

New York City’s amendment to its Administrative Code creates notice requirements and usage limitations for commercial establishments that collect customers’ biometric data. An example of this law’s applicability is where a coffee shop captures a customer’s face geometry at the point of sale and associates it with the drink they purchased, and then the next time that customer visits the coffee shop, the coffee shop recalls the drink they ordered on their prior visit based on a scan of their face geometry.

This ordinance, which goes into effect on July 9, 2021, will require commercial establishments that collect, retain, convert, store, or share “biometric identifier information” (defined as a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic) to place clear and conspicuous notice near all customer entrances that biometric identifier information is being collected, retained, converted, stored or shared, as applicable.

It also prohibits commercial establishments from selling, leasing, trading, sharing in exchange for anything of value or otherwise profiting from the transaction of biometric identifier information. Further, the ordinance provides a private right of action with damages of $500 for negligent violations and $5000 for intentional or reckless violations, as well as reasonable attorneys’ fees and costs, with a 30-day cure period for the commercial establishment.

Implication of the CPRA and CDPA

The CPRA and CPDA, which will provide new consumer rights and business obligations as of Jan. 1, 2023, will also affect biometric data collection and use. Both the CPRA and the CDPA have proportionality requirements, meaning the collection and use of biometric data must be reasonably necessary and proportionate to achieve the purposes for which it was collected. Further, biometric data may be subject to an opt-out under the CPRA and an opt-in under the CDPA.

Under the CPRA, the processing of biometric information for the purpose of uniquely identifying a consumer constitutes sensitive personal information and sensitive personal information is subject to an opt-out that is triggered in certain circumstances. The opt-out might not be triggered by certain uses of biometric data considering the security and safety exceptions set forth in the law, however, the CPRA directs the California Privacy Protection Agency to issue regulations that balance the interest of privacy and business use. Therefore, it is not entirely clear whether biometric data use will be subject to an opt-out under the CPRA.

Under the CDPA, the processing of biometric data for the purpose of uniquely identifying a natural person constitutes sensitive data that will be subject to an opt-in requirement and subject to a data protection assessment requirement. However, the CDPA sets forth security exceptions to the opt-in requirement, which is potentially applicable to certain biometrics use cases.

With regard to the collection of fingerprints for biometric time cards in particular, the CPRA may make this use case subject to the sensitive personal information opt-out right if this use is not deemed reasonably necessary to ensure security and integrity, as clearly there are less intrusive alternatives. The CPDA will not impact time cards since employees are not covered under Virginia law.

Between now and 2023, other states may pass comprehensive privacy laws. As we reported last week, Colorado passed SB 21-190, the Colorado Privacy Act, which (unless vetoed in the allotted time) will become the third state omnibus privacy law and will regulate biometric data as sensitive data that requires opt-in consent to process, subject to certain exceptions. In addition, various states and local governments have been considering biometric-specific legislation (e.g., Maryland). Businesses that process biometric data should keep up-to-date on these privacy laws and design their compliance programs accordingly.

[1] NYC Housing Maintenance Code § 27-2004.