On July 9, 2021, New York City's Biometric Identifier Information law went into effect, implementing a host of regulations regarding the collection, use and sale of biometric data by commercial establishments in the five boroughs. Most notably, the new law bans the sale of biometric data by commercial establishments and imposes requirements to post conspicuous notices of the establishment's use of biometric identifying technologies, with the failure to do so potentially resulting in fines and/or a private right of action by a commercial establishment's customer. New York City businesses must be aware of and comply with this new law, or face potentially significant liability in the form of civil claims and class actions, similar to what companies have been dealing with for years in Illinois under a similar biometric law.
The businesses most affected by the new law are those that typically require some form of biometric identification to gain entry or access to parts of a building, such as establishments in the Diamond District who grant temporary access to customers through a fingerprint scan. However, recent technology trends in other industries, such as McDonald’s use of voice recognition technology for drive-thru ordering and ExxonMobil’s use of Amazon’s Alexa to offer voice-activated purchases of gasoline at the pump, have brought the use and regulation of biometric identifying technologies to the fore, prompting similar legislation in the State of Illinois and Portland, Oregon.
Scope and Application
The new law defines "biometric identifier information" as a "physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic." The provisions of the law only apply to "commercial establishment" which includes "food and drink establishments"; "places of entertainment"; and "retail stores" as follows:
- Food and drink establishment means an establishment that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
- Place of entertainment means any privately or publicly owned and operated entertainment facility, such as a theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.
- Retail store means an establishment wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.
Financial institutions are not included in the definition of "commercial establishment" and are specifically excluded from the provisions of the Biometric Identifier Information law at large. Further, the law does not apply to biometric information "collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies." In this regard, businesses who have CCTV or other security cameras do not have to post notices thereof under the law, so long as the videos are not analyzed by software or applications that identify or assist with the identification of individuals using biometric characteristics.
There is also an important distinction between "customers" and "employees" of commercial establishments insofar as the outright ban on the sale of biometric information does not limit its application to only customers and the definition of "biometric identifier information" includes any individual, whereas the requirement to post notices of the use of biometric identifying technologies only applies to customers. Accordingly, there is no affirmative duty on the commercial establishment to post conspicuous notices of its use of biometric identifying technologies if they are only collecting the biometric information of the establishment's employees. However, the sale of such employees' biometric data is expressly prohibited.
Content and Posting of Notices
As for the placement of notice, the law dictates that any commercial establishment that collects, retains, converts, stores or shares biometric identifier information must post a clear and conspicuous sign near all of the customer entrances notifying customers that their biometric identifier information is being collected, retained, converted, stored or shared. In terms of the content of the notice, the Division of Consumer Affairs has now posted the template notice that commercial establishments should use, see link. The last section of the law also states that further guidance will be posted on City of New York websites, or through other means, to inform commercial establishments of the requirements of the law.
Enforcement and Fines
With respect to the posting of notices, a customer whose biometric identifier information was collected by a commercial establish which did not post the appropriate notice may maintain a private cause of action if certain procedural requirements are met. Specifically, the person aggrieved must provide written notice to the commercial establishment of its non-compliance with the law, which commences a 30-day cure period. On or before the expiration of that 30-day cure period, the commercial establishment must do the following: (i) post the appropriate notices; and (ii) provide the aggrieved person an “express written statement” that the violation has been cured and that no further violations shall occur. In the event the commercial establishment fails to complete the above within that 30-day period, the aggrieved person may file a lawsuit in a court of competent jurisdiction. As to the sale of biometric identifier information, there is no cure period and an aggrieved person may file a lawsuit as soon as the commercial establishment “sells, leases, trades, or shares in exchange anything of value or otherwise profit from the transaction of [his/her/their] biometric identifier information.”
In terms of statutory penalties, a prevailing party whose claims are based on the failure to post notices may recover $500 per violation, including reasonable attorneys’ fees and costs, expert witness fees and other litigation expenses. Meanwhile, for each “negligent” violation of the ban on selling biometric identifier information, a party may recover $500 per violation, and for each “intentional or reckless” violation of the ban, a party can recover $5,000, in addition to the aforementioned attorneys’ fees and litigation costs. The prevailing party may also be entitled to an injunction or other relief as determined by the Court.
Notably, the law does not set forth any fine or penalty enforceable by a regulatory body or other City of New York agency for the failure to post notices and/or selling biometric identifier information. Accordingly, the monetary penalties set forth in the law only apply in the instance of a private right of action asserted by an aggrieved person.
As set forth above, commercial establishments must post the template notice from the Division of Consumer Affairs at all customer entrances in a clear and conspicuous manner. Further, to the extent a commercial establishment fails to post the notice and receives a written complaint, they must be mindful of the law’s requirements that, within 30 days, they must not only post the appropriate notice, but also advise the complaining party, in writing, that the notice has been posted and that no further violations of the law shall occur. In this regard, businesses would be wise to include with such letter to the complaining party pictures of the notice(s) posted at the establishment to demonstrate their compliance with the law. Lastly, the law’s provisions as to the sale of biometric identifier information are unequivocal and, to the extent any commercial establishments were selling or otherwise profiting from the transfer of biometric identifier information, those transactions must cease immediately.
WSHB’s Cybersecurity and Data Privacy team is ready to assist New York City employers comply with this new law and to respond as needed should claims be brought alleging violations of same.