Cameras seem to be everywhere in New York City, but there is new citywide regulation affecting cameras operated by commercial establishments. On July 9, New York City’s administrative code was amended to include §§ 22-1201 through 22-1205, which cover biometric identifier information. The new BII law will protect New York City’s approximately 8 million residents and nearly 65 million yearly visitors from the collection, storage, sharing or use of biometric identifiers by commercial establishments without first notifying individuals. The new BII law also has a private right of action, meaning individuals can bring actions against commercial establishments that violate the law.

New York City’s BII law comes into effect as more cities and states enact biometric privacy acts. It’s worth considering what the BII law mandates, how its language compares to provisions in existing biometrics laws and why the BII law may be indicative of a trend of biometric laws going forward. 

Biometric information under BII law

Under the BII law, biometric identifier information is a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual” through identifying characteristics not limited to:

  • A retina or iris scan.
  • A fingerprint.
  • Voiceprint.
  • Scan of hand or face geometry.

Who needs to comply?

New York City-based commercial establishments that “collect, retain, convert, store or share biometric identifier information of customers” must comply with the BII law. A commercial establishment is defined as a “place of entertainment, a retail store, or a food and drink establishment.”

However, the law does not apply to biometric identifier information that is collected, stored, shared, or used by “government agencies, employees or agents.” Thus, the roughly 15,000 surveillance cameras in New York City used by the New York Police Department are not covered. 

How do businesses comply?

The law sets out two main obligations. The first one, in Section 22-1202(a), states any commercial establishment that “collects, retains, converts, stores or shares biometric identifier information of customers” must disclose those activities by placing a “clear and conspicuous sign” written in “plain, simple language” near all customer entrances to notify customers of the establishment’s policy on biometric identifiers.

The disclosure requirement does not apply in two situations. First, financial institutions do not need to disclose their policies. Second, any biometric identifier information collected with photos or videos not run through identification software and not shared, sold, or leased to third parties besides law enforcement does not require a disclosure. Thus, commercial establishments that merely have a camera recording incoming patrons but do not identify or analyze the footage with software or applications do not need to have a sign.

The second potential violation, in Section 22-1202(b), states it is generally “unlawful to sell, lease, trade, (or) share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

Private right of action and cure provision

The BII law provides for a private right of action, but if a violation of Section 22-1202(a) occurs, a special cure provision procedure must be followed before an action may be brought. First, the aggrieved party must send a written notice to the commercial establishment detailing the allegations at least 30 days before initiating an action in court. Second, the establishment has 30 days to “cure” the violation and provide “the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur.”

If the establishment does not cure the violation and does not provide a written statement to the aggrieved party stating the violation was cured and will not happen again, the aggrieved party may commence an action. If the establishment cures the violation, sends the statement and does not further violate the BII law, then the aggrieved party cannot commence an action. 

An important caveat, however, is that violations of Section 22-1202(b) are not subject to the right to cure. As a result, where a commercial establishment sells, leases, trades, or shares the collected biometric identifier information, no written notice is required before an individual may bring an action.

Damages

Depending on the type of violation, damages may range from $500 to $5,000 per violation, cost of attorneys and litigation, and other relief as the court determines.

Language comparison to BIPA and CCPA provisions

There are language similarities between the BII law, Illinois’s Biometric Information Privacy Act and the California Consumer Privacy Act. The language commonalities highlight emerging trends in biometrics laws.

For example, the BII law’s definition of biometric identifier information resembles BIPA’s definition, which defines biometric identifiers as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Going forward, state and local laws may reuse this or a similar definition.

Another area where the BII law may have taken language inspiration is the cure provision. The BII law’s cure provision is like the CCPA’s cure provision. Under the CCPA, an action may be brought if the “consumer provides a business 30 days’ written notice identifying the specific provision … violated.” The business then has 30 days to cure the violation and provide written notice back to the consumer about the cure, after which the consumer cannot bring an action. This type of 30-day notice window is seen in New York City’s BII law, which suggests more laws going forward may also use similar cure provision language.

Biometric privacy laws going forward

New York City’s BII law is part of a growing number of biometric privacy acts or facial recognition technology acts. The acts vary in scope. Some laws, like the BII law, apply to private commercial establishments but provide a carve-out for government agencies and law enforcement.

There are also laws like Maine’s facial recognition law, which applies to law enforcement by prohibiting “a department, public employee or public official” from using or obtaining a facial surveillance system except in specific situations. Virginia’s law is even more specific as it only bans local and campus law enforcement from purchasing and using facial recognition technology. Additionally, there are ordinances like the one in Baltimore, Maryland, which prohibits the city from purchasing or obtaining a “face surveillance system” and mandates that all persons in the city may not “obtain, retain, access, or use” face surveillance systems or information obtained from one.

Currently, there is no federal biometric privacy act or facial recognition technology act, but there may be a federal law on the horizon. In June, U.S. Sen. Edward Markey, D-Mass., introduced the Facial Recognition and Biometric Technology Moratorium Act of 2021. If passed, it could prohibit the federal government, states and local governments from “engag(ing) in biometric surveillance” without “explicit statutory authorization.”

Conclusion

It remains to be seen which type of biometric privacy law will become the prevailing model for states and local governments or if a federal law will be enacted. The New York City BII law may provide a blueprint for other cities, both large and small, to enact local biometric privacy acts.
