On July 9, 2021, New York City enacted a new biometric ordinance regulating how businesses handle biometric identifier information. The new law is the first of its kind in New York and requires commercial establishments (including retail stores, places of entertainment, restaurants, food trucks, and other food and drink establishments) that use biometrics in order to identify their customers to post a clear and conspicuous sign notifying customers of the biometric collection activity. The ordinance also makes it unlawful to sell, lease or otherwise profit from biometric identifier information. Notably, NYC's biometric ordinance also creates a private right of action for aggrieved individuals to sue for violations.
This alert summarizes the key provisions.
What is biometric identifier information?
The law regulates how businesses handle "biometric identifier information," which is broadly defined as a "physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to:
(i) a retina or iris scan,
(ii) a fingerprint or voiceprint,
(iii) a scan of hand or face geometry, or any other identifying characteristic."
What types of businesses are covered?
The disclosure requirements apply to any "commercial establishment," which is broadly defined as a "place of entertainment, a retail store, or a food and drink establishment."
- Places of entertainment include any privately
or publicly owned and operated entertainment facility, such as a
theater, stadium, arena, racetrack, museum, amusement park,
observatory, or other place where attractions, performances,
concerts, exhibits, athletic games or contests are held.
- Retail stores include any establishment where
consumer commodities are sold, displayed or offered for sale or
where services are provided to consumers at retail.
- Food and drink establishments include any establishment that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
What is required?
The ordinance generally requires covered entities to (i) disclose how they use a customer's biometric identifier information and (ii) refrain from selling or profiting from biometric identifier information.
Disclosure requirements:
- The law's disclosure requirements apply to commercial
establishments that handle – by collecting, retaining,
converting, storing or sharing – customers' biometric
identifier information. "Customers" include present or
prospective purchasers or lessees of goods or services.
- Covered businesses must disclose the collection, retention,
sharing and use of biometric identifier information to customers by
placing near all customer entrances "clear and
conspicuous" signage using "plain, simple language"
warning how customers' biometric identifier information is
being used.
- Pursuant to the ordinance, the commissioner of the New York City Department of Consumer and Worker Protection has prescribed the "form and manner" of the requisite disclosure and signage. A sample Biometric Identifier Disclosure Sign is available on the department's website.
Prohibition on profiting from biometric identifier information:
- The law makes it unlawful to profit – by selling,
leasing, trading or sharing in exchange for anything of value
– from the transaction of biometric identifier
information.
- Significantly, the prohibition on profiting from biometric identifier information appears to apply to a broader category of businesses, as this section of the ordinance is not limited to "commercial establishments."
Are there exceptions?
- Government agencies and their employees or agents are excluded
from the ordinance.
- Financial institutions (including banks, credit unions,
broker-dealers and securities firms) are excluded from the
disclosure requirements. However, financial institutions are still
subject to the prohibition on profiting from biometric identifier
information.
- The ordinance expressly exempts biometric identifier information collected through photographs or video recordings, if (i) they are not analyzed by software or applications that identify or assist in identifying individuals based on physiological or biological characteristics and (ii) they are not shared with, sold or leased to third parties other than law enforcement. In other words, the law does not apply to a business's use of closed caption security cameras.
What are the potential consequences of noncompliance?
- The law creates a private right of action for any person
"aggrieved by" a violation to file an action in a court
of competent jurisdiction against an offending party. The meaning
of "aggrieved by" is not provided.
- An aggrieved person may recover (i) damages of $500 for each
uncured violation of the disclosure requirements; (ii) damages of
$500 for each "negligent violation" of the prohibition on
profiting from biometric identifier information; (iii) damages of
$5,000 for each "intentional or reckless violation" of
the prohibition on profiting from biometric identifier information;
(iv) reasonable attorneys' fees and costs, including litigation
expenses; and (v) "other relief" the court deems
appropriate, including an injunction.
- Importantly, the ordinance also includes a notice and cure
provision for a violation of the disclosure requirements.
Specifically, a potential plaintiff must first provide the
offending commercial establishment with written notice and an
opportunity to cure the violation. If, within 30 days, the
commercial establishment cures the violation and provides the
aggrieved customer with an "express written statement that the
violation has been cured and that no further violations shall
occur," the customer may not initiate suit.
- By contrast, no pre-suit notice is required for alleged
violations of the prohibition on profiting from biometric
identifier information.
- The ordinance does not explicitly state whether an NYC agency
may bring its own action against an offending commercial
establishment. The commissioner of consumer and worker protection
will issue separate rules, and the city's chief privacy officer
along with any other "relevant agency or office" will
provide forthcoming guidance.
- A regulation containing similar damages provisions, Illinois' Biometric Information Protection Act (BIPA), has generated significant litigation and spawned a number of class action lawsuits. NYC's new biometric ordinance may also prove to be fertile ground for litigation.
What are the next steps for NYC businesses?
New York City businesses using biometric information should take steps now to comply with the new biometric ordinance, including the following:
- Determine whether your business is a "commercial
establishment" covered by the law. The law defines this term
broadly to include retail, entertainment and food
establishments.
- Determine whether your business collects biometric identifier
information, which is broadly defined and includes a catchall for
"any other identifying characteristic."
- Comply with the ordinance's disclosure requirements to
provide appropriate notice to customers with clear and conspicuous
signage near all customer entrances.
- Update privacy policies and procedures to include a prohibition
on selling, sharing or otherwise profiting from biometric
identifier information.
- Develop procedures for responding to customer notices to cure potential violations, including by responding to customers within 30 days.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.