November 29, 2021

Volume XI, Number 333


New York City Biometric Ordinance Effective July 9, Are You Ready?

New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may impact retailers, restaurants, and entertainment venues in the city that use security cameras with facial-recognition technology or otherwise collect biometric identifiers from their customers.

Applicability. The law applies to commercial establishments (like the types itemized above) that collect “biometric identifier information” from “customers.” Biometric identifier information is defined as physiological or biological characteristics that are used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic. Customers are purchasers, lessees, or prospective purchasers or lessees of goods or services from a commercial establishment. Thus, this ordinance does not apply to biometric information that may be collected from employees.

Requirements and Restrictions. The ordinance requires commercial establishments that collect, store, or share biometric information from customers to disclose the practice by posting a sign near all customer entrances. The sign must be in “plain, simple language” and in a form to be prescribed by the City. Under the ordinance, commercial establishments are also prohibited from selling, leasing, trading, or sharing in exchange for anything of value, or otherwise profiting from the transaction of biometric identifier information.

Enforcement - Private Right of Action. There is a private right of action in the ordinance. For violations of the signage requirement, customers have to provide a business with written notice of the deficiency, and a 30-day opportunity to cure. If such alleged violation has been cured within that time, no action can be brought. No prior written notice is required for allegations of the “no sale” requirement. Plaintiffs can recover $500 per violation for uncured breaches of the notice requirement or any negligent violation of the prohibition on sale/sharing of biometric data, plus attorneys’ fees. For intentional or reckless violations of the sale/sharing prohibition, plaintiffs can recover $5,000 per violation.

Exemptions. The ordinance exempts the collection, storage, or sharing of biometric information by government agencies, employees, and agents entirely. Financial institutions are exempt from the signage requirement, but not the prohibition on sale. Further, commercial establishments that collect biometric information through photographs or video recordings, but do not use software or applications in order to identify, or assist with identifying individuals based on physiological or biological characteristics and do not share it with third parties (other than law enforcement), are also exempt from the signage requirement (but not the prohibition on sale).

Putting it into practice. Companies that operate a retail store, restaurant, or entertainment venue in New York City should evaluate if they are collecting or using biometric information as contemplated by the ordinance. Depending on how such technology is used, there may be obligations to post prominent signage of these practices.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 168

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334