Open for Business: Are You Prepared for New York City’s Biometric Identifier Information Law?
Starting next month, businesses in New York City that collect biometric identifier information may be required to provide individuals with notice and be prohibited from selling or profiting from such information. New York City’s biometric privacy law (2021 NYC Local Law No. 3, NYC Admin. Code §§ 22-1201–22-1205) takes effect on July 9, 2021 and regulates the “collection, use, and retention” of biometric identifier information. To avoid potential liability, businesses should evaluate both whether they are “commercial establishments” subject to the law and whether any technology they use collects biometric identifier information.
The NYC law broadly defines biometric identifier information as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including but not limited to:
(i) a retina or iris scan,
(ii) a fingerprint or voiceprint,
(iii) a scan of hand or face geometry, or any other identifying characteristic.”
The law requires commercial establishments that collect, retain, convert, store, or share customers’ biometric identifier information to place a “clear and conspicuous sign” by all customer entrances. This signage must provide customers with notice “in plain, simple language . . . that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” Written consent is not required, however, to collect and use customers’ biometric identifier information. The law further states that the language of the required signage must be “in a form and manner prescribed by the commissioner of consumer and worker protection by rule.” The New York City Department of Consumer Affairs has yet to provide these regulations.
The law also prohibits businesses from selling, leasing, trading, or sharing biometric identifier information “in exchange for anything of value,” or from profiting from the sale of biometric identifier information that the business has collected.
The law creates a private right of action and statutory damages for individuals “aggrieved by” violation(s) of the law, but provides a 30-day cure period for businesses that collect biometric identifier information and fail to meet the disclosure requirements. Customers seeking redress for a disclosure failure must first provide the business with written notice of their claim. The business has 30 days to cure the violation and it must also provide the customer with “an express written statement that the violation has been cured and that no further violations shall occur.” If the business fails to cure the violation within 30 days, the customer can sue and recover $500 for each violation.
Written notice is not required for customers to bring claims that a business is selling or profiting from the sale of biometric identifier information. Prevailing individuals can recover $500 per negligent violation and $5,000 for each intentional or reckless violation of the prohibition on selling customers’ biometric identifier information.
Customers will also be eligible to recover reasonable attorneys’ fees and costs and other relief that the court may decide is appropriate.
The law applies to commercial establishments, defined as retail stores, places of entertainment, and food and drink establishments, which include any business “that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.” Customers include purchasers and lessees, as well as prospective purchasers of goods or services.
The law does not apply to government agencies, employees, or agents’ collection and use of biometric identifier information, and the disclosure requirement does not apply to financial institutions.
Commercial establishments are not subject to the disclosure requirement if they collect biometric identifier information from video recordings or photographs that are “not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics” as long as the information is also not shared with, sold, or leased to third parties other than law enforcement agencies. Therefore, commonly used CCTV systems will not trigger applicability unless the business further analyzes the recordings, but a retail location that uses facial recognition software to scan shoppers, identify suspected shoplifters, and alert security will need to provide notice.
Businesses should consider whether they are commercial establishments subject to the law, and if so, whether they use technology that collects biometric identifier information, while being mindful that biometric identifier information is defined to include scans of “any other identifying characteristic.” To minimize litigation risk, businesses considered commercial establishments under the law should proactively follow the law’s signage requirements.
While other cities have enacted narrower facial recognition laws, including Boston, San Francisco, Pittsburgh, and Portland, only Portland’s new facial recognition ban, which went into effect January 1, 2021, applies to private businesses and provides a private right of action like the New York law.
Several states have also passed laws related to the collection and use of biometric information, including Illinois, Texas, and Washington, which all passed new comprehensive laws governing such information. Of these, only Illinois’ Biometric Information Privacy Act (BIPA) provides for a private right of action, which has spurred a large volume of consumer class-action litigation.[1]
Businesses should keep an eye on pending New York Assembly Bill 27, the Biometric Privacy Act (BPA). If passed in its current form, BPA would require written consent for collecting biometric information and prohibit its sale. This legislation is modeled on BIPA and, like its Illinois counterpart, would create a private right of action for individuals “aggrieved by” violations of the law.
[1] Tiffany Cheung et al., Privacy Litigation 2020 Year in Review: BIPA Litigation, Morrison & Foerster Client Alert (Jan. 12, 2021).