March 30, 2023

Volume XIII, Number 89


March 30, 2023

Subscribe to Latest Legal News and Analysis

March 29, 2023

Subscribe to Latest Legal News and Analysis

March 28, 2023

Subscribe to Latest Legal News and Analysis

New York Proposes Biometric Privacy Act With Private Right of Action

On January 6, 2021, a bipartisan group of New York State lawmakers introduced Assembly Bill 27, the latest version of proposed privacy legislation that would allow consumers to sue companies for improperly using or retaining their biometric data. Better known as the Biometric Privacy Act (the “BPA”), the bill, if enacted, would impose significant compliance requirements for companies handling biometric data. The BPA would make New York State only the second state with a private right of action that includes statutory damages against entities that improperly use or retain biometric data. If the BPA is signed into law, it would likely bring a flood of class action litigation, similar to that seen in Illinois under Illinois’ Biometric Information Privacy Act (the “Illinois BIPA”).

Overview of the BPA

New York’s BPA will regulate private entities’ use and retention of “biometric identifiers” and “biometric information.” “Biometric identifiers” include things such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. “Biometric information” includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Effectively, the BPA would require private entities that engage in the collection of biometric identifiers or biometric information (collectively, “biometric data”) to:

  • Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;

  • Inform the subject or the subject’s legally authorized representative in writing that the entity will collect or store the subject’s biometric identifier or biometric information;

  • Inform the subject or the subject’s legally authorized representative in writing of the specific purpose and length of time the entity will collect, store and use the biometric identifier or biometric information; and

  • Receive written consent from the subject or the subject’s legally authorized representative to use the subject’s biometric identifier or biometric information.

The BPA would also prohibit private entities from selling, leasing, trading, or otherwise profiting from an individual’s biometric data and would put strict restrictions on private entities’ ability to disclose such information without the individual’s consent. Companies in possession of biometric data would also need to safeguard such data in the same manner, or a more protective manner, in which they store, transmit and protect other confidential and sensitive information.

BPA’s Private Right of Action

New York’s BPA, similar to the Illinois BIPA, provides a private right of action for any individual “aggrieved” by a violation of the law, and would allow such individual to recover damages of up to $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, as well as attorneys’ fees and costs. The BPA does not define the word “aggrieved” in the statute itself. However, we anticipate that courts in New York would look to decisions in Illinois under Illinois’ BIPA. There, the Illinois Supreme Court has held that an individual need not allege an actual injury or adverse effect to be “aggrieved.” Rather, an individual can be aggrieved simply by alleging an entity’s failure to follow the statute’s notice and consent requirements. Rosenbach v. Six Flags Entertainment Corporation et al., 2019 IL 123186 (Ill. 2019).

Employer Implications and Next Steps

Since 2018, New York lawmakers have proposed similar biometric privacy laws on three occasions. While previous bills have been unsuccessful, there has been a general trend in New York, several other states, and the Federal government towards strengthening biometric privacy rights. For example, in 2019, New York enacted the SHIELD Act, which expanded on the types of data companies need to safeguard, including biometric information. Several other states, such as Illinois, Texas and Washington have laws regulating the use and collection of biometric information, though only Illinois currently allows for a private right of action.

The BPA is still in the early stages of the legislative process and it remains to be seen if it will be signed into law. If enacted, New York’s BPA would go into effect 90 days after passage. As currently drafted, employers and companies doing business in New York who collect such information should begin to take proactive steps to ensure compliance. In particular, businesses should review their current policies, practices and procedures related to the use, collection and storage of biometric data, provide written notice to, and obtain consent from, individuals prior to the time any biometric data is collected. Alternatively, businesses should allow individuals to opt out of such data use or collection. Additionally, employers should maintain data security measures to safeguard an individual’s biometric data, by, for example, establishing limits on who is authorized to access, collect, disclose, save, and destroy the data and implementing appropriate encryption measures. We will continue to monitor the status of the BPA and provide updates as more information becomes available.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 27

About this Author

James Hays, Legal Specialist, management of labor and employment law

 Mr. Hays is a partner in the Labor & Employment Practice Group in the firm's New York office and co-chairs the firm's Traditional Labor Law Team.

Areas of Practice

Mr. Hays' practice focuses on management labor and employment law. He represents clients in collective bargaining negotiations, labor arbitrations, and all stages of the labor election process, including election campaigns and hearings before the National Labor Relations Board. He also represents clients in employment litigation in federal and state courts, as well as...

Jamie Moelis Labor & Employment Attorney Sheppard Mullin New York, NY

Jamie Moelis is an associate in the Labor and Employment Practice Group in the firm's New York office. 

Areas of Practice

Jamie’s practice focuses on representing employers in a wide array of labor and employment subject areas including: wage/hours claims, the defense of single plaintiff and class action discrimination, sexual harassment, hostile work environment, retaliation, wrongful termination, and related claims. Jamie also regularly advises and counsels clients on various employment practices, such as new hire issues, employee handbooks, leaves of...

Kevin J. Smith, Labor Law Lawyer, Sheppard Mullin Law Firm
Special Counsel

Kevin Smith is a special counsel in the Labor and Employment and Litigation Practice Groups in the firm's New York office.

Areas of Practice

Mr. Smith acts as trial and litigation counsel for all types of civil litigation, including employment, commercial, securities, and class action litigation before arbitral forums, state and federal courts, and local administrative and regulatory agencies.

In the labor and employment arena, Mr. Smith routinely represents management in discrimination, harassment, retaliation, whistleblower and compensation disputes...