New York City Biometric Ordinance Effective July 9, Are You Ready?
New York City recently enacted a biometric ordinance that is set to come into effect July 9, 2021. With this ordinance, NYC joins other cities (like Portland) in regulating the use of biometric information. The ordinance may impact retailers, restaurants, and entertainment venues in the city that use security cameras with facial-recognition technology or otherwise collect biometric identifiers from their customers.
Applicability. The law applies to commercial establishments (like the type itemized above) that collect “biometric identifier information” from “customers.” Biometric identifier information is defined as physiological or biological characteristics that are used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic. Customers are purchasers, lessees, or prospective purchaser or lessees of goods or services from a commercial establishment. Thus, this ordinance does not apply to biometric information that may be collected from employees.
Requirements and Restrictions. The ordinance requires commercial establishments that collect, store, or share biometric information from customers to disclose the practice by posting a sign near all customer entrances. The sign must be in “plain, simple language” and a form to be prescribed by the City. Under the ordinance, commercial establishments are also prohibited from selling, leasing, trading, or sharing in exchange for anything of value, or otherwise profiting from the transaction of biometric identifier information.
Enforcement -Private Right of Action. There is a private right of action in the ordinance. For violations of the signage requirement, customers have to provide a business with written notice of the deficiency, and a 30-day opportunity to cure. If such alleged violation has been cured within that time, no action can be brought. No prior written notice is required for allegations of the “no sale” requirement. Plaintiffs can recover $500 per violation for uncured breaches of the notice requirement or any negligent violation of the prohibition on sale/sharing of biometric data, plus attorneys’ fees. For intentional or reckless violations of the sale/sharing prohibition, plaintiffs can recover $5,000 per violation.
Exemptions. The ordinance exempts the collection, storage, or sharing of biometric information by government agencies, employees, and agents entirely. Financial institutions are exempt from the signage requirement, but not the prohibition on sale. Further, commercial establishments that collect biometric information through photographs or video recordings, but do not use software or applications in order to identify, or assist with identifying individuals based on physiological or biological characteristics and do not share it with third parties (other than law enforcement), are also exempt from the signage requirement (but not the prohibition on sale).
Putting it into practice. Companies that operate a retail store, restaurant, or entertainment venue in New York City should evaluate if they are collecting or using biometric information as contemplated by the ordinance. Depending on how such technology is used, there may be obligations to post prominent signage of these practices.