On July 9, the New York City biometric data protection law entered into force with anticipated impacts on local businesses and restaurants, many of which are still addressing COVID-19 health and safety protocols. The law requires certain businesses to post formal notices if they collect biometric data, and it expressly prohibits them from using such data for transactional purposes. The law also creates a private right of action enabling aggrieved parties to collect statutory damages — ranging from $500 to $5,000 — per violation. Interestingly, the New York general assembly is considering a state-wide biometric privacy law (Assembly Bill 27), which contains more onerous requirements than the local New York City biometric law and also has a private right of action for noncompliance.

Background

The New York City biometric law was introduced in the city council in 2018 and council members continuously moved the bill forward, including during the COVID-19 shutdown, until its enactment in January 2021. In December 2020, the New York City Council Committee on Consumer Affairs and Business Licensing issued a formal report describing the purpose and intent of the law. The report primarily focused on facial recognition technology’s use of biometric data and its corresponding accuracy, security and privacy concerns. For example, the 2020 report notes “[f]acial recognition technology is an evolving scientific and diagnostic tool and, therefore is limited in its accuracy and reliability,” which is particularly concerning “for women, children, African Americans and Asians for whom the existing facial recognition algorithms are known to be less accurate.” The report also concluded databases that retain biometric data are subject to security failures and breaches, which is particularly concerning because unlike traditional usernames and passwords, biometric data cannot be easily changed, updated or altered once compromised.

Scope of the law

The New York City biometric law applies to the collection and processing of “biometric identifier information,” which is defined broadly to mean a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” The law identifies a retina or iris scan, a fingerprint or voiceprint, and a scan of hand or face geometry as examples of biometric identifier information. Importantly, the law only applies to a “commercial establishment,” defined as a place of entertainment, a retail store, or a food and drink establishment. This law does not apply to governmental entities and its notice requirement does not apply to financial institutions because, according to the 2020 report, they “already adhere to various disclosure requirements in terms of the collection of personal information.” However, it is unclear why this exemption for financial institutions is explicitly stated in the law given these institutions are not considered “commercial establishments” and therefore are not subject to the notice requirement in the first place. In addition, the law’s notice requirement does not apply in certain, limited situations where biometric data is collected via photographs or video recordings.

New legal requirements

There are two primary legal requirements in the New York City biometric law. First, commercial establishments that collect, retain or share a customer’s biometric identifier information must disclose these activities “by placing a clear and conspicuous sign near all  … customer entrances notifying customers in plain, simple language.” The law does not require commercial establishments to obtain any type of written consent from consumers either before or even after their biometric data is collected. Second, the law makes it unlawful to “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.” Interestingly, the law does not expressly authorize such transactional activity if undertaken at the request of, or if formally approved by, the applicable individual.

Information security requirements

Unlike other data protection laws, the New York City biometric law does not limit the retention period biometric identifier information can be retained, require the implementation of internal data processing policies, or require businesses to adhere to any specific security protocols. However, such legal requirements likely already apply to commercial establishments pursuant to the New York Stop Hacks and Improve Electronic Data Security Act.

What about employee data?

The New York City biometric law’s notice requirement does not apply to individuals acting in the traditional employment context. More specifically, the requirement that commercial establishments provide notice of their biometric data processing activities only applies when they collect biometric identifier information from a “customer,” which is defined as a “purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.” However, the law’s transactional prohibition (i.e., the selling, leasing, trading or sharing biometric data for profit or in exchange for anything of value) is not expressly limited to the customer context. This is important for commercial establishments that collect and retain their employees’ biometric data for health, security and administrative purposes (e.g., timekeeping) and use third-party data processing services. These businesses should ensure their contracts properly limit the scope in which service providers can access and use such data to ensure these arrangements do not implicate the law’s transactional prohibition.

Private right of action

The New York City biometric law creates two separate frameworks where individuals may bring a claim against commercial establishments for noncompliance. First, with respect to individuals who were not furnished proper notice by a commercial establishment regarding its biometric data processing, at least 30 days prior to commencing legal action they must provide written notice of this violation to the applicable commercial establishment. If the commercial establishment cures the violation within 30 days of receiving such notice and provides the individual a written statement that (1) the violation has been cured and (2) no further violations shall occur, then the individual is prohibited from commencing legal action. If, on the other hand, a commercial establishment does not resolve the violation in accordance with this framework, then the individual may bring suit. Second, commercial establishments are not given a notice and cure period for violating the law’s transactional prohibition, and aggrieved individuals may bring such claims at any time.

As noted above, businesses are subject to statutory damages ranging from $500 to $5,000 based on whether their violations of the law were from negligence or were intentional, and whether the violations were related to the notice requirement or the prohibition of engaging in transactional activities. The law clearly establishes the prevailing party in such a suit is entitled to reasonable attorney fees and costs, including expert witness fees and other litigation expenses. Given the significant amount of