2021 could be another record year for new and pending privacy legislation, including laws either banning outright or placing limits on the use of technology involving biometric information. Just this year, Portland, Oregon implemented a ban on facial recognition technology beginning January 1. Although the New York State Legislature failed to pass a broad biometric privacy law for the third session in a row, New York City recently adopted its own biometrics privacy legislation that is set to take effect on July 9, 2021.
New York City’s Biometric Identifier Information Law
New York City’s law is a broad prohibition on the sale or exchange of biometric identifier information, defining it as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” The law does, however, permit the collection, use, and retention of biometric identifying data if there is a posted notice to customers. The notice must be in “plain, simple language” and the NYC Commissioner of Consumer and Worker Protection is expected to issue further guidance detailing the exact requirements that businesses must follow to comply with the law. Further, the law does not prohibit the sharing of information if nothing of value is exchanged, so data can be shared, for example, between affiliates of a large corporation.
Once in effect, the new law applies to any business operating a “place of entertainment, a retail store, or a food and drink establishment” in New York City, if that business collects biometric identifying information from individuals. As written, the ban on the sale or exchange of biometric identifier information applies to all individuals, including employees.
Under the law, a “place of entertainment” is defined as any privately or publicly owned and operated entertainment facility, including theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held. A “retail store” is considered an establishment where consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail. And a “food and drink establishment” is a business that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
Exemptions
Government agencies, employees, and agents are entirely exempted from the law’s requirements and prohibitions. Financial institutions and businesses that use traditional CCTV security cameras are exempt from the signage requirement, provided that:
-
They do not use any software to analyze the photos or videos collected; and
-
They do not sell or exchange the images or videos with third-parties, except law enforcement.
The widespread adoption of new technology, however, may force changes in some of these exemptions. For example, some employers already use biometric data collection technology in the form of time clocks that use fingerprint or retina scans to keep time records. This could be worrisome for businesses that have or are considering deploying such systems.
Violations
The fines for violating the statute are quite steep and could hit small businesses hard. The law also allows a private right of action: individuals can recover damages of $500 per violation for an establishment’s failure to post a conspicuous notice, $500 for each negligent violation of the ban on the sale or sharing of biometric data, and $5,000 for each intentional or reckless violation of the ban on selling or sharing biometric identifier information.
To understand how this right to sue could impact businesses, a useful example is an existing privacy law that allows individuals to sue privately, the Illinois’ Biometric Information Privacy Act, or BIPA. Like New York City’s law, BIPA also regulates a private entity’s use of biometric identifying information. Unfortunately for New York City businesses, BIPA has led to increased litigation, due to the private right of action. Just this year, BIPA litigation produced an undisclosed settlement-in-principal against Shutterfly, Inc., a photography and image sharing company, for its collection without consent of biometric data from its facial recognition technology. And TikTok recently agreed to a proposed $92 million settlement in a class action suit that alleged that TikTok had collected, without consent, its users’ facial geometric scans.
The New York City law has a limited cure provision: before an individual can sue under the law for the failure to post a conspicuous notice, he or she must give at least 30 days written notice to the business. If within that time the business cures the violation within and sends written notice that the violation was cured and will not occur again, the individual is prohibited from filing a lawsuit for that specific violation. This cure provision only applies to the signage requirement -- no written notice is required to sue for a violation of the ban against selling or exchanging of biometric data.
Uncertainty
Until New York City releases guidance detailing the exact requirements for complying with this law, there is much uncertainty.