New York Biometric Privacy Update: Scanning Your Face as You Walk the City?

New York’s recent steps to protect biometric privacy are well worth your attention. The “Biometric Identifier Information” Law (BIIL) was passed by the New York City Council and will be effective July 9, 2021 in New York City. The “Biometric Privacy Act” (BPA) has been sponsored by a bipartisan group of lawmakers and is moving through the New York State Legislature. BIIL and BPA (if passed) means that companies collecting the biometric information of New York residents can expect similar types compliance risk and requirements seen in Illinois after that state passed its Biometric Information Privacy Act. Notably, both BIIL and BPA contain private rights of action.

Starting with BIIL, New York City’s law is a brief one page and applies to “commercial establishments,” which capture individuals’ “biometric identifier information.” BIIL, unlike BPA, is very limited in scope. “Commercial establishments” means a place of entertainment, retail store, or food and drink establishment. As such, BIIL is targeted towards physical locations in the city and is focused on preventing individuals from being tracked without their knowledge, by requiring commercial establishments to disclose their collection in plain language via a conspicuous sign. BIIL also restricts commercial establishments from selling, trading, sharing, or otherwise exchanging biometric identifier information for anything of value. While BIIL does contain a private right of action for individuals with statutory damages, it requires potential claimants to provide commercial establishments with 30 days’ notice and the opportunity to cure before initiating an action. In practice, this 30-day notice and opportunity to cure provision will dramatically reduce the litigation risk for commercial establishments in New York City.

The proposed BPA takes a decidedly different approach. New York’s BPA is a comprehensive approach to biometric information protection and privacy in New York and applies to private entities who collect and use “biometric identifiers” (facial geometry, voiceprints, etc.) and “biometric information” (information based on biometric identifiers used to identify an individual). Financial Institutions and their affiliates regulated by the Gramm-Leach-Bliley Act are exempt, and so are state agencies or local governments and their contractors and agents. In summary, BPA requires private entities that collect biometric identifiers and information to:

(1) develop a publicly available written policy outlining the private entity’s retention schedule and guidelines for the destruction of biometric identifiers and information;

(2) not collect, capture, purchase, or otherwise obtain a person’s biometric identifiers or information without first providing notice and obtaining their written informed consent, which requires providing disclosures about the purpose and length of use of the information;

(3) not sell, lease, trade, or otherwise profit from a person’s biometric identifier or information;

(4) not disclose or re-disclose a person’s biometric identifier or information without written consent or otherwise meeting a permitted exception; and

(5) follow reasonable security requirements (no less protective than other confidential and sensitive information protected by the private entity) relating to the storage, transmittal, and protection of persons’ biometric identifiers and information.

Individuals are provided a private right of action in BPA, which includes statutory damages of $1,000 per violation for negligent violations and $5,000 per violation for intention or reckless violations. Individuals may also recover reasonable fees and costs and seek injunctive relief. This private right of action will likely motivate class actions, as seen with Illinois’ BIPA.

In concert, BIIL and BPA (if passed) will bring New York into the growing list of states with highly specific and restrictive laws regulating the collection, use, and retention of biometric data.