Overview:
New York City’s law has two broad aims. First, it imposes a notice and disclosure requirement on businesses that collect consumer biometric information. Second, it prohibits the exchange of consumer biometric information for anything of value.
Key terminology:
Under this new law, “‘biometric identifier information’ means a physiological or biological characteristic that is used by or on behalf of a commercial establishment . . . to identify, or assist in identifying, an individual.” The definition also provides a non-exhaustive list of examples, including “(i) a retina or iris scan, (ii) a fingerprint or voiceprint, [and] (iii) a scan of hand or face geometry, or any other identifying characteristic.” Further, the law is applicable to any “commercial establishment,” or “place of entertainment, a retail store, or a food and drink establishment.” Interestingly, a “place of entertainment” is broadly defined as “any privately or publicly owned and operated entertainment facility such as a theatre, stadium, arena, racetrack, museum, amusement park and observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.” The law also encompasses consumer retail stores and restaurants (including food trucks and/or food vendors).
Notably, a “‘customer’ means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment[,]” and is applicable to any consumer (not just a New York City or New York State resident).
Scope:
The following briefly outlines some of the key requirements and prohibitions imposed by New York City’s law.
1. Collection notice requirement:
A commercial establishment that “collects, retains, converts, stores or shares biometric identifier information of customers” must place a “clear and conspicuous sign” near all consumer entrances that, in plain language, discloses the collection, retention, or sharing of biometric information. This notice is required even if an establishment does not actively collect biometric identifier information.
This provision is not applicable to financial institutions, which are broadly defined, but it is applicable to “commercial establishment[s]” that primarily sell goods and services, where the issuance of credit cards or in-store financing is incidental or limited. Likewise, it is inapplicable to instances where the biometric information is not “analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics” and is not sold or leased to third parties (unless the third party is a law enforcement agency).
2. Sale prohibition:
In addition to the notice provision, it is unlawful to “sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.” Interestingly, this provision does not appear to be limited to commercial establishments. For example, financial institutions are not specifically exempted, employee information may arguably be subject to the prohibition, and the law is silent on sharing biometric information absent any form of compensation.
3. Enforcement and damages:
As stated, the most notable risk is an “aggrieved” consumer’s private right of action. More specifically, “[a]ny person who is aggrieved by a violation by this chapter” is entitled to commence an action to enforce its protections. Significantly, although the law provides a 30-day cure period where a business does not comply with the notice requirement, there is no corollary cure period where a business violates the prohibition on the sale of biometric identifier information. In terms of the scope of damages, there is a $500 fine where a business violates the notice requirement or negligently violates the sale prohibition. However, if the violation of the sale prohibition is intentional or reckless, there is a $5,000 fine. Further, in addition to the availability of equitable relief (an injunction), a prevailing plaintiff may also recover attorneys’ fees, costs, and whatever other relief a court may deem appropriate.
We note that the availability of a private right of action does create an avenue for potential class litigation, and it will be interesting to see the evolution of theories in response to the law.
4. Exclusions:
“[G]overnmental agencies, employers, or agents” are expressly excluded from compliance with any provision of this law.
What’s next?
In the absence of federal and New York State-specific legislation, we are continuing to monitor and assess the potential impact of this law, along with other biometrics-specific laws in New York City. Another recent development in this space is the Tenant Data Privacy Act, which requires owners of multifamily smart access buildings to provide tenants with privacy policies and restrict the usage of data gathered from keyless entry systems. Enacted on May 28, 2021, and due to go into effect 60 days thereafter (note: this law will pass after Mayor de Blasio neither signed nor vetoed it on June 1, 2021), this act provides a grace period for existing smart access building owners until January 1, 2023.
Our Biometrics team is uniquely positioned to assist New York City businesses and real estate owners in evaluating the potential impacts of these laws and assessing the next steps to comply as New York City fully reopens.
Client Alert 2021-170