NYC Set to Enact Its First Biometric Privacy Law

New York City’s Biometric Privacy Law will kick into force on July 9, 2021. The new law was largely spurred by concerns that retail stores were using biometric data to surveil customers. It will affect a broad swath of commercial establishments doing business in the City. The new legislation also creates a private right of

NYC biometric privacy law

ByCarolyn Casey, J.D.


Published on June 23, 2021


Updated onJune 23, 2021

NYC biometric privacy law

New York City’s Biometric Privacy Law will kick into force on July 9, 2021. The new law was largely spurred by concerns that retail stores were using biometric data to surveil customers. It will affect a broad swath of commercial establishments doing business in the City. The new legislation also creates a private right of action for consumers.

What Does NYC’s Biometric Privacy Law Require?

The new law imposes two core obligations and prohibitions on commercial establishments. First, if applicable, an establishment must post a sign near their entrance telling customers that they collect, retain, convert, store, or share biometric identifier information. Second, no commercial establishment can “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

Who Must Comply?

NYC’s biometric privacy law regulations apply to commercial establishments. This category includes places of entertainment, retail stores, or food and drink establishments. Further, the law defines “place of entertainment” as “any privately or publicly owned and operated entertainment facility.” This category includes theaters, stadiums, arenas, racetracks, museums, amusement parks, and observatories.

Per the new law, a “food and drink establishment” “gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.” The legislation also defines a retail establishment as an “establishment wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.”

Who is Exempt?

Banks, credit unions, pension funds, and similar financial organizations are not subject to the new biometric law. Government properties are also exempt. Additionally, the law excuses certain biometric identifier information collected through photographs or video recordings. This data must meet certain criteria in order to bypass the obligations, mandates, or private right of action contained in the New York City law.

What Biometric Data Does the Law Protect?

The City’s Administrative Code houses the Biometric Privacy Law. Chapter 12: Biometric Identifier Information defines the term “biometric identifier information” as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment…to identify, or assist in identifying, an individual. Types of biometric identifier information include retina scans, fingerprints or voiceprints, and hand or face geometry scans.

Consumers’ Private Right of Action

Significantly, this NYC ordinance allows commercial establishment customers to initiate an action for any violations of the law’s protections. The biometric law states that a “person who is aggrieved by a violation of this chapter may commence an action in a court of competent jurisdiction on his or her own behalf against an offending party.” Presumably, a “person” must be a customer of the offending establishment. A customer is defined here as “a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”

If, after the aggrieved person gives notice, the establishment resolves the violation within 30 days, the dispute ends there. If not, the person may initiate an action. Relief can include:

  1. A violation of subdivision A of section 22-1202 will incur damages of $500
  2. A negligent violation of subdivision B of section 22-1202 will incur damages of $500
  3. An intentional or reckless violation of subdivision B of section 22-1202 will incur damages of $5,000
  4. Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses
  5. Other relief, including an injunction, as the court may deem appropriate

Biometric Law Trends

New York City was not the first U.S. city to enact a biometric privacy law. That distinction belongs to Portland, OR. In Portland, city officials went further and enacted a complete ban on private entities’ use of facial recognition technology.


At the state level, the Illinois Biometric Information Privacy Act (BIPA) is noteworthy for NYC and any other city’s future biometric laws. Like the NYC law, BIPA permits aggrieved individuals to bring civil actions against violators. Cities considering similar legislation will want to be clear in their definition of “aggrieved.” This is especially true following an Illinois Supreme Court ruling that “even allegations of mere technical violations of BIPA are sufficient for an individual to be “aggrieved by.” The ruling could open businesses up to actions for small things such as minor technicalities in the signage.


Cities crafting biometric definitions will also want to consider the definition in the California Consumer Privacy Act (CCPA). California’s definition varies some from the NYC definition. The CCPA includes biometric data in its personal information definition. The California biometric data definition is a bit more nuanced. In California, biometrics include “ … DNA[,] that can be used … to establish individual identity.” It also describes “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings.”

Even further, CCPA protects against any kind of “identifier template” that could extract identifying information. The expansive definition also names “keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”


Unlike the New York Biometric Privacy Law, the Virginia Consumer Data Protection Act (CDPA) requires a company to get prior consent to collect or use biometric data.

These are issues that cities, states, and governments will want to consider when marching into biometric protection legislation territory.

Carolyn Casey, J.D.

Carolyn Casey, J.D.

Carolyn Casey is a seasoned professional with extensive experience in legal tech, e-discovery, and legal content creation. As Principal of WritMarketing, she combines her decade of Big Law experience with two decades in software leadership to provide strategic consulting in product strategy, content, and messaging for legal tech clients. Previously, Carolyn served as Legal Content Writer for Expert Institute, Sr. Director of Industry Relations at AccessData, and Director of Product Marketing at Zapproved, focusing on industry trends in forensic investigations, compliance, privacy, and e-discovery. Her career also includes roles at Iron Mountain as Head of Legal Product Management and Sr. Product Marketing Manager, where she led product and marketing strategies for legal services, and at Fios Inc as Sr. Marketing Manager, specializing in eDiscovery solutions.

Her early legal expertise was honed at Brobeck, Phleger & Harrison, where she developed legal strategies for mergers, acquisitions, and international finance matters. Carolyn's education includes a J.D. from American University Washington College of Law, where she was a Senior Editor for the International Law Journal and participated in a pioneering China Summer Law Program. She also holds an AB in Political Science with a minor in art history from Stanford University. Her diverse skill set encompasses research, creative writing, copy editing, and a deep understanding of legal product marketing and international legal trends.