October 25, 2021

Volume XI, Number 298

Advertisement
Advertisement

October 22, 2021

Subscribe to Latest Legal News and Analysis

New York City Introduces Biometric Identifier Information Act

The Biometric Identifier Information Act (Act) went into effect in New York City as of July 9, 2021, pursuant to New York City Administrative Code, §22-1201-1205. The new law sets forth strict requirements for commercial establishments that collect, use or retain biometric identifier information about their clients, customers or patrons. A “commercial establishment” means a place of entertainment, a retail store, or a food and drink establishment.

Overview

Biometric identifier information as defined by the Act means a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify or assist in identifying an individual, including but not limited to a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face geometry, or any other identifying characteristic.

The Act covers any actual or prospective purchaser or lessee of goods and services from a commercial establishment. Examples of persons covered by the Act are those who attend a concert or sporting event in a large stadium, visit an amusement park, browse a shopping mall and go to a restaurant.

Limitations on Use and Disclosure of Biometric Information

The Act makes it unlawful to sell, lease, trade, share in exchange for anything of value, or otherwise profit from the transaction of biometric identifier information. However, biometric identifier information collected through photographs or video records are exempt from the disclosure requirements. Photos and videos will fall outside the scope of the Act so long as they are not analyzed by software applications that identify or assist with identification of individuals, and the images or video is not shared with, sold or leased to third parties other than law enforcement agencies. 

Private Right of Action and Enforcement

The Act has “teeth” insofar as aggrieved individuals can sue establishments for purported violations of the new law, in addition to seeking statutory damages.

The Act establishes damages that plaintiffs may recover if they prevail in a legal action against the establishment deemed to be in violation of these requirements. These statutory damages range from $500 to $5,000 per violation. In addition, individuals may seek to recover their reasonable attorneys’ fees and costs, including expert witness fees and litigation expenses, and such other relief as the court may deem appropriate.

At least 30 days prior to initiating a legal action, the aggrieved party must notify the establishment in writing of the purported violation. If the establishment cures the violation within that 30-day period, no action may be initiated against it for such violation. However, if the establishment fails to cure the violation or makes no effort to do so, then the aggrieved individual may initiate a lawsuit. Notably, alleged violations that include the sale, lease or trade of biometric identifier information do not require any written notice prior to initiating an action against the offending establishment.

New York State Biometric Privacy Law on the Horizon

Of further note, the State of New York currently has a bill, A27 (Bill), in committee that would establish a state-wide biometric privacy act. If passed, this legislation would impose sweeping requirements for private entities in possession of biometric identifiers and information to develop a written policy, retention schedule and guidelines for destruction of biometric information after such information has served its purpose. The proposed Bill defines private entities as any individual, partnership, corporation, limited liability company, association or other group, however organized. The proposed Bill does not cover state or local government agencies or financial institutions or their affiliates.

The proposed state law indicates that private entities must inform individuals in writing that they collect and store biometric identifiers or information, the specific purpose for which they do so and the length of time they retain the identifiers or information; in addition, a written release (informed written consent, or a release executed by an employee as a condition of employment) must be executed by the individual in order for the private entity to collect and store such identifiers or information. Entities that collect biometric identifiers must permanently destroy them when the initial purpose for collecting and maintaining the information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.

Under the proposed state legislation, private entities will be barred from profiting through the sale, lease or trade of biometric identifiers or information. They also will be barred from sharing or disclosing the information absent prior written authorization by the individual or their authorized representative, or unless otherwise required to do so by law. Additionally, private entities will be held to a reasonable standard of care applicable to their industry for the storage, transmission and protection of the information. This standard of care must meet or exceed the care with which they store, transmit and protect other confidential or sensitive information.

The proposed legislation allows any person aggrieved by a violation to have a right of action in the New York State Supreme Court against an offending party for each violation. The aggrieved shall be entitled, as the court may deem appropriate, to the greater of actual damages or liquidated damages of $1,000 for negligent violations, the greater of actual damages or liquidated damages of $5,000 for intentional or reckless violations, reasonable attorneys’ fees and costs (including expert witness fees and other litigation expenses), and other relief including an injunction.

Conclusion

Businesses covered under New York City’s Biometric Identifier Information Act should ensure that they are taking all necessary steps and precautions to comply with the Act, or risk facing litigation and statutory damages. The New York City Act is only a precursor to what is to come if the State of New York passes its own comprehensive biometric privacy law.

Businesses can help mitigate the risk of liability exposure by taking reasonable proactive measures, such as:

  • Developing and implementing robust internal data collection and retention policies

  • Obtaining written consent from those whom such data is collected

  • Ensuring the secure storage and transmission of records

  • Limiting the collection, use and access of customer data to what is needed to conduct business

  • Clearly disclosing these practices to consumers.

© 2021 Wilson ElserNational Law Review, Volume XI, Number 230
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Donald J. Brewer Jr. Attorney Privacy Frameworks Wilson Elser Detroit
Associate

Donald J. Brewer Jr. is a member of a team of attorneys who advise on a variety of complex privacy frameworks, including those created under HIPAA/HITECH, FERPA, GLBA, BSA, GDPR and state privacy laws. He has experience working in health care information technology, including responding to data breaches as well as day-to-day cyber threats.

Donald has handled matters involving data privacy and cybersecurity, including incident response, privacy risk management and regulatory compliance. He also assists clients on all aspects of data incidents,...

313-327-3127
Anjali C. Das, Wilson Elser, professional liability insurance lawyer, shareholder obligations attorney, illinois
Partner

With nearly two decades of experience, Anjali Das represents insurers in connection with professional liability insurance coverage matters and claims involving accounting, finance and other complex business issues. She is a coordinating partner for the firm’s Directors & Officers practice and a member of the Diversity Committee.

Anjali represents the interests of U.S., London and Bermuda-based primary and excess insurers in high-exposure claims against directors and officers of public and private companies, non-profit boards, financial...

312.821.6164
Advertisement
Advertisement
Advertisement