February 28, 2021

Volume XI, Number 59

Advertisement

February 26, 2021

Subscribe to Latest Legal News and Analysis

New York Could Become the Next Hotbed of Class Action Litigation Over Biometric Privacy

Dubbed the “Biometric Privacy Act,” New York Assembly Bill 27 (“BPA”) is virtually identical to the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (BIPA). Enacted in 2008, BIPA only recently triggered thousands of class actions in Illinois. If the BPA is enacted in New York, it likely will not take as long for litigation to begin under the new privacy law. Interestingly, late last year, Governor Cuomo signed AB A6787D which, among other things, prohibited the use of biometric identifying technology in schools at least until July 1, 2022.

Just like BIPA, the BPA would establish a comprehensive set of rules for companies possessing and/or collecting “biometric identifiers” and “biometric information” of a person, such as:

  • Development of a publicly available policy establishing retention and destruction guidelines

  • Informed consent required prior to collection

  • Limited right to disclose without consent

  • Mandated security and confidentiality safeguards

  • Prohibiting private entities from profiting from the data

Most important, the BPA also would create a private right of action for persons “aggrieved” by violations of BPA, using the same language as under BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.

We know the Illinois Supreme Court decided that, in general, persons bringing suit under BIPA do not need to allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.

Of course, the BPA is not currently the law in New York. However, if enacted, companies should immediately take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.

It is unclear whether courts in New York will interpret the availability of remedies under BPA, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the BPA requirements, that violation could constitute an invasion, impairment, or denial of a right under the BPA resulting in the person being “aggrieved” and entitled to seek recovery.

Advertisement
Jackson Lewis P.C. © 2020National Law Review, Volume XI, Number 14
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Advertisement
Advertisement