The Biometric Identifier Information Act (Act) went into effect in New York City as of July 9, 2021, pursuant to New York City Administrative Code, §22-1201-1205. The new law sets forth strict requirements for commercial establishments that collect, use or retain biometric identifier information about their clients, customers or patrons. A “commercial establishment” means a place of entertainment, a retail store, or a food and drink establishment.

Overview

Biometric identifier information as defined by the Act means a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify or assist in identifying an individual, including but not limited to a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face geometry, or any other identifying characteristic.

The Act covers any actual or prospective purchaser or lessee of goods and services from a commercial establishment. Examples of persons covered by the Act are those who attend a concert or sporting event in a large stadium, visit an amusement park, browse a shopping mall and go to a restaurant.

Limitations on Use and Disclosure of Biometric Information

The Act makes it unlawful to sell, lease, trade, share in exchange for anything of value, or otherwise profit from the transaction of biometric identifier information. However, biometric identifier information collected through photographs or video records are exempt from the disclosure requirements. Photos and videos will fall outside the scope of the Act so long as they are not analyzed by software applications that identify or assist with identification of individuals, and the images or video is not shared with, sold or leased to third parties other than law enforcement agencies. 

Private Right of Action and Enforcement

The Act has “teeth” insofar as aggrieved individuals can sue establishments for purported violations of the new law, in addition to seeking statutory damages.

The Act establishes damages that plaintiffs may recover if they prevail in a legal action against the establishment deemed to be in violation of these requirements. These statutory damages range from $500 to $5,000 per violation. In addition, individuals may seek to recover their reasonable attorneys' fees and costs, including expert witness fees and litigation expenses, and such other relief as the court may deem appropriate.

At least 30 days prior to initiating a legal action, the aggrieved party must notify the establishment in writing of the purported violation. If the establishment cures the violation within that 30-day period, no action may be initiated against it for such violation. However, if the establishment fails to cure the violation or makes no effort to do so, then the aggrieved individual may initiate a lawsuit. Notably, alleged violations that include the sale, lease or trade of biometric identifier information do not require any written notice prior to initiating an action against the offending establishment.

New York State Biometric Privacy Law on the Horizon

Of further note, the State of New York currently has a bill, A27 (Bill), in committee that would establish a state-wide biometric privacy act. If passed, this legislation would impose sweeping requirements for private entities in possession of biometric identifiers and information to develop a written policy, retention schedule and guidelines for destruction of biometric information after such information has served its purpose. The proposed Bill defines private entities as any individual, partnership, corporation, limited liability company, association or other group, however organized. The proposed Bill does not cover state or local government agencies or financial institutions or their affiliates.

The proposed state law indicates that private entities must inform individuals in writing that they collect and store biometric identifiers or information, the specific purpose for which they do so and the length of time they retain the identifiers or information; in addition, a written release (informed written consent, or a release executed by an employee as a condition of employment) must be executed by the individual in order for the private entity to collect and store such identifiers or information. Entities that collect biometric identifiers must permanently destroy them when the initial purpose for collecting and maintaining the information has been satisfied, or within three years of the individual's last interaction with the private entity, whichever occurs first.

Under the proposed state legislation, private entities will be barred from profiting through the sale, lease or trade of biometric identifiers or information. They also will be barred from sharing or disclosing the information absent prior written authorization by the individual or their authorized representative, or unless otherwise required to do so by law. Additionally, private entities will be held to a reasonable standard of care applicable to their industry for the storage, transmission and protection of the information. This standard of care must meet or exceed the care with which they store, transmit and protect other confidential or sensitive information.

The proposed legislation allows any person aggrieved by a violation to have a right of action in the New York State Supreme Court against an offending party for each violation. The aggrieved shall be entitled, as the court may deem appropriate, to the greater of actual damages or liquidated damages of $1,000 for negligent violations, the greater of actual damages or liquidated damages of $5,000 for intentional or reckless violations, reasonable attorneys' fees and costs (including expert witness fees and other litigation expenses), and other relief including an injunction.

Conclusion

Businesses covered under New York City's Biometric Identifier Information Act should ensure that they are taking all necessary steps and precautions to comply with the Act, or risk facing litigation and statutory damages. The New York City Act is only a precursor to what is to come if the State of New York passes its own comprehensive biometric privacy law.

Businesses can help mitigate the risk of liability exposure by taking reasonable proactive measures, such as:

  • Developing and implementing robust internal data collection and retention policies
  • Obtaining written consent from those whom such data is collected
  • Ensuring the secure storage and transmission of records
  • Limiting the collection, use and access of customer data to what is needed to conduct business
  • Clearly disclosing these practices to consumers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.