March 1, 2021
As we await a robust federal legislation on data privacy, states and local municipalities are filling the void with new privacy bills introduced every legislative session. New York City recently passed a biometric privacy law aimed at giving consumers notice regarding the biometric data New York City businesses are collecting when they visit stores and limiting use of that biometric data.
On January 10, 2021, New York City Council bill Int. No. 1170-A, which imposes new requirements on certain New York City businesses that gather biometric information on customers, became law (“NYC Biometric Law”). The NYC Biometric Law rolls in with the wave of new consumer data privacy and biometric privacy legislations from New York State earlier in January, including the New York Biometric Privacy Act (“NYBPA”) and the pending New York Privacy Act (“NYPA”).1 The NYC Biometric Law is applicable to a narrow set of NYC businesses but it provides insight in to how legislators may look to regulate all businesses in this area.
The NYC Biometric Law doesn’t become effective until July 10, 2021, giving covered NYC businesses limited time to prepare appropriate compliance measures.
A. In Focus: New York City’s Biometric Identifier Technology Notification Law
The NYC Biometric Law applies to “commercial establishments” in the City, particularly food and drink establishments, retail stores, and places of entertainment (e.g., theater, stadium, arena, museum, etc.), with a physical presence that collect customers’ “biometric identifier information.” “Biometric identifier information” includes retina or iris scan, fingerprint or voiceprint, a scan of hand or face geometry, or any other identifying characteristic used to identify an individual.2 This would generally cover any type of facial recognition technology used by commercial establishments.
The NYC Biometric Law requires these brick-and-mortar businesses to provide a conspicuous sign near the applicable business’s entrance to notify the customers that their biometric identifier information is being collected, retained, converted, stored or shared. The notice must be in simple language, and in a prescribed form and manner by the Commissioner of Consumer and Worker Protection. Those guidelines have not yet been issued. Additionally, these commercial establishments are strictly prohibited from profiting from transactions involving their customers’ biometric identifier information (e.g., leasing or selling customers’ biometric identifier information).
B. In Context: NYC Biometric Law and NYS Privacy Legislative Bills
In relation to the New York State privacy bills and laws, the New York City biometric privacy bill defines “biometric identifier information” in a similar but not the same manner as the current state law and proposed bills. For instance, the New York Biometric Privacy Act introduced in the New York Assembly on January 6, 2021 defines “biometric identifiers” such that it includes only retinal or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; and defines “biometric information,” the subject matter of NYBPA, as the exhaustive biometric identifiers that are used to identify an individual by the covered entities. However, NYC Biometric Law uses a much broader and non-exhaustive definition of “biometric identifier information” that covers any “physiological or biological characteristics” of an individual, which is not limited the items exhaustively listed as “biometric identifiers” under NYBPA. Thus, it remains to be seen whether New York City Council will amend the non-exhaustive definition to curb NYC commercial establishments’ non-compliance exposures under this law.
Also, the NYC Biometric Law grants customers with a very limited private right of action. Under the NYC Biometric Law, customers may sue a commercial establishment that violates the Law’s obligations—$500 for statutory violations or $5,000 for intentional violations by conducting and profiting from customers’ biometric transactions. However, the NYC Biometric Law, like the California Consumer Privacy Act (“CCPA”), requires aggrieved customers to provide a written notice to the commercial establishment and grant it 30-days opportunity to cure the violation. While similar to the CCPA, this is a unique feature to New York law as no New York State privacy legislations have opted to grant businesses such opportunity to cure violations.
The New York privacy laws—both of the City and the State—may set the bar for other state privacy legislations in 2021. All commercial establishments, not just those in food and drink establishments, retail stores, or entertainment places, would be well-served to consult with counsel to review applicable data privacy policies and practices, and prepare for these new privacy legislations and compliance obligations.
Please contact Jason E. Johnson at (212) 554-7661 / jjohnson@MOSESSINGER.COM or Kiyong Song at (212) 554-7561 / ksong@MOSESSINGER.COM if you have any questions regarding the New York City biometric identifier technology notification law or the New York State consumer and biometric data privacy bills.
1 On January 6, 2021, the New York State legislatures introduced three new state privacy bills: New York Biometric Privacy Act (AB 27), New York Privacy Act (AB 680), and the “New York CCPA” (SB 567). These New York State privacy bills are robust legislations that are aimed at guaranteeing a set of consumer rights against covered entities, imposing transparency obligations relating to privacy policies and data sharing or usage by a covered businesses, and creating a certain private right of action with enforcement authority vested in the state Attorney General or, in the case of California, a state consumer privacy agency.
2 The New York City biometric privacy law defines “biometric identifier information” as: “physiological or biological characteristics that is used by or on behalf of a commercial establishment, singly or in combination, to identify or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a finger print or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” Int. No. 1170-A. New York Biometric Privacy Act (or AB 27) defines “biometric identifier” as “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” N.Y. Gen. Bus. Law. § 32A-676a.