New York City’s Biometric Privacy Law will take effect on July 9, 2021. The new law was largely spurred by concerns that retail stores were using biometric data to surveil customers. It will affect a broad swath of commercial establishments doing business in the City. The new legislation also creates a private right of action for consumers.
What Does NYC’s Biometric Privacy Law Require?
The new law imposes two core obligations and prohibitions on commercial establishments. First, if applicable, an establishment must post a sign near its entrance telling customers that it collects, retains, converts, stores, or shares biometric identifier information. Second, no commercial establishment can “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
Who Must Comply?
NYC’s biometric privacy law applies to commercial establishments. This category includes places of entertainment, retail stores, or food and drink establishments. Further, the law defines “place of entertainment” as “any privately or publicly owned and operated entertainment facility.” This category includes theaters, stadiums, arenas, racetracks, museums, amusement parks, and observatories.
Per the new law, a “food and drink establishment” “gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.” The legislation also defines a retail establishment as an “establishment wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.”
Who is Exempt?
Banks, credit unions, pension funds, and similar financial organizations are not subject to the new biometric law. Government properties are also exempt. Additionally, the law excuses certain biometric identifier information collected through photographs or video recordings. This data must meet certain criteria in order to bypass the obligations, mandates, or private right of action contained in the New York City law.
What Biometric Data Does the Law Protect?
The City’s Administrative Code houses the Biometric Privacy Law. Chapter 12: Biometric Identifier Information defines the term “biometric identifier information” as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment…to identify, or assist in identifying, an individual.” Types of biometric identifier information include retina scans, fingerprints or voiceprints, and hand or face geometry scans.
Consumers’ Private Right of Action
Significantly, this NYC ordinance allows commercial establishment customers to initiate an action for any violations of the law’s protections. The biometric law states that a “person who is aggrieved by a violation of this chapter may commence an action in a court of competent jurisdiction on his or her own behalf against an offending party.” Presumably, a “person” must be a customer of the offending establishment. A customer is defined here as “a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”
If, after the aggrieved person gives notice, the establishment resolves the violation within 30 days, the dispute ends there. If not, the person may initiate an action. Relief can include:
- A violation of subdivision A of section 22-1202 will incur damages of $500
- A negligent violation of subdivision B of section 22-1202 will incur damages of $500
- An intentional or reckless violation of subdivision B of section 22-1202 will incur damages of $5,000
- Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses
- Other relief, including an injunction, as the court may deem appropriate
Biometric Law Trends
New York City was not the first U.S. city to enact a biometric privacy law. That distinction belongs to Portland, OR. In Portland, city officials went further and enacted a complete ban on private entities’ use of facial recognition technology.
At the state level, the Illinois Biometric Information Privacy Act (BIPA) is noteworthy for NYC and for any other city’s future biometric laws. Like the NYC law, BIPA permits aggrieved individuals to bring civil actions against violators. Cities considering similar legislation will want to be clear in their definition of “aggrieved.” This is especially true following an Illinois Supreme Court ruling that “even allegations of mere technical violations of BIPA are sufficient for an individual to be ‘aggrieved by.’” The ruling could open businesses up to actions for small things such as minor technicalities in the signage.
Cities crafting biometric definitions will also want to consider the definition in the California Consumer Privacy Act (CCPA). California’s definition differs somewhat from the NYC definition. The CCPA includes biometric data in its personal information definition. The California biometric data definition is a bit more nuanced. In California, biometrics include “ … DNA[,] that can be used … to establish individual identity.” It also describes “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings.”
Even further, CCPA protects against any kind of “identifier template” that could extract identifying information. The expansive definition also names “keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”
These are issues that cities, states, and governments will want to consider when marching into biometric protection legislation territory.