New York City (“NYC”) has quickly become one of the newest hotbeds of biometric privacy legislative activity, having enacted several laws since the start of 2021 that directly govern the collection and use of biometric data.
In addition to the New York City Tenant Data Privacy Act (“TDPA”), which regulates the use of biometric data by owners and operators of “smart access buildings,” New York City Council also enacted the nation’s first municipal-level biometric privacy law regulating “commercial establishments” (the “NYC Biometrics Ordinance”), which went into effect on July 9, 2021.
Because the NYC Biometrics Ordinance will almost certainly not be the last of its kind, commercial establishments that utilize biometric data in their business operations—even those located beyond the borders of the Big Apple—should take proactive steps to implement robust biometric privacy compliance programs, both to ensure continued compliance with current and anticipated biometrics laws and to mitigate potential liability exposure.
- Scope/Applicability: The NYC Biometrics Ordinance applies to the collection and use of “biometric identifier information” by “commercial establishments.”
- “Biometric Identifier Information”: Biometric identifier information is defined in broad terms as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
- “Commercial Establishment”: Commercial establishment is broadly defined to mean “a place of entertainment, a retail store, or a food and drink establishment.”
- Financial Institutions: Financial institutions are partially exempted from the NYC Biometrics Ordinance’s notice requirement, but must still comply with the ordinance’s ban on selling or otherwise profiting from biometric identifier information.
- Biometric Identifier Information Collected through Photos or Video Recordings: Biometric identifier information collected through photos or video recordings is exempted if two conditions are met: (1) the images/videos are not used for identification purposes; and (2) the images/videos are not shared with, sold, or leased to third parties other than law enforcement agencies.
Core Compliance Requirements
- Notice/Signage: Any commercial establishment that “collects, retains, converts, stores, or shares” customers’ biometric identifier information must post clear and conspicuous signage near all customer entrances providing notice that biometric identifier information is being collected, retained, converted, stored, or shared (as applicable).
- Prohibition on Selling, Trading, Sharing, or Otherwise Profiting from Biometric Identifier Information: The NYC Biometrics Ordinance strictly prohibits selling, leasing, trading, sharing in exchange for anything of value, or otherwise profiting from any transaction involving biometric identifier information.
Penalties & Enforcement
- Private Right of Action: Any person “aggrieved” by a violation of the ordinance may pursue class action litigation against the offending commercial establishment.
- Partial Cure Period Provision: For violations of the NYC Biometrics Ordinance’s notice requirement, commercial establishments must be given notice of any purported violations of the law at least 30 days before litigation can be commenced. If, within the 30-day period, the establishment cures the violation and provides a written statement that the violation has been cured and that no further violations will occur, the aggrieved individual is barred from initiating legal action in connection with the alleged violations.
- Recoverable Damages: A prevailing party may recover: (1) $500 for each violation of the ordinance’s notice requirement; (2) $500 for each negligent violation, and $5,000 for each intentional or reckless violation, of the ordinance’s ban on selling or profiting from biometric data; (3) attorney’s fees and litigation expenses; and (4) any other relief, including an injunction, that the court may deem appropriate.
Practical Compliance Tips & Best Practices
- Develop and Implement Signage to Provide Notice
  - Develop and place clear and conspicuous signage near all customer ingress/egress points that provides unambiguous notice regarding any collection, retention, conversion, storage, or sharing of customer biometric identifier information.
  - Ensure that the signage is written in plain, simple language. The NYC Department of Consumer and Worker Protection has issued suggested language that satisfies the notice requirement of the ordinance:

    BIOMETRIC IDENTIFIER INFORMATION DISCLOSURE

    This Business collects, retains, converts, stores, or shares customers’ biometric identifier information, which is information that can be used to identify or help identify you. Examples of biometric identifier information are eye scans and voiceprints.
- Implement a Strict Ban on Selling, Trading, Sharing, or Otherwise Profiting from Biometric Identifier Information
  - Implement mechanisms to ensure the company, its employees, and any vendors do not sell, trade, share for value, or otherwise profit from biometric identifier information.
  - At this time, the NYC Department of Consumer and Worker Protection has yet to issue any guidance for interpreting the “otherwise profit[ing]” language of the ordinance. This has been a hot-button topic with other consumer and biometric privacy laws, such as the Illinois Biometric Information Privacy Act (“BIPA”) and the California Consumer Privacy Act of 2018 (“CCPA”). Courts have interpreted the “otherwise profiting” language contained in BIPA to mean the transfer or exchange of biometric data or the sharing of access to biometric data in return for some benefit. However, others argue that the phrase should encompass the sale of any devices that are equipped with the ability to collect and use such data. As this issue remains unsettled at this time, companies should keep abreast of any developments as they relate to defining this key phrase, especially related to any guidance issued by the NYC Department of Consumer and Worker Protection on this matter.
The Final Word
NYC businesses that fall under the scope of this new law must take immediate action to come into compliance if they have not already done so. At the same time, commercial establishments operating outside of NYC should also take note of the NYC Biometrics Ordinance, as it is likely similar laws will be enacted in other parts of the country sooner rather than later.