On July 9, 2021, New York City’s Biometric Identifier Information Law went into effect, implementing a host of regulations regarding commercial establishments’ collection, use and sale of biometric data. Most notably, the new law bans these establishments from selling biometric data and requires them to post conspicuous notices about how the business uses biometric identifying technologies. New York City businesses that do not comply with this new law face potentially significant liability in the form of civil claims and class actions.
The businesses most affected by this measure typically require some form of biometric identification to access parts of a building, such as establishments in the Diamond District that grant temporary access to customers through a fingerprint scan. However, recent technology trends have made the use and regulation of biometric identification technologies more common across industries. For example, McDonald’s now uses voice recognition technology for drive-through ordering and ExxonMobil uses Amazon’s Alexa for voice-activated gas purchases at the pump. This has prompted legislation across the country, including in the state of Illinois, the city of Portland, Oregon, and now New York City.
Scope and Application
New York’s law defines “biometric identifier information” as a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: 1) a retina or iris scan, 2) a fingerprint or voiceprint, 3) a scan of hand or face geometry, or any other identifying characteristic.” The provisions of the law only apply to the following businesses:
- Food and drink establishments: Businesses that sell food or beverages to the public for consumption on or off the premises, or on or off a pushcart, stand or vehicle
- Places of entertainment: Privately or publicly owned and operated entertainment facilities, such as theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held
- Retail stores: Establishments wherein consumer goods are sold or where services are provided for purchase
Financial institutions are specifically excluded from the law’s provisions. Further, the law does not apply to biometric information “collected through photographs or video recordings, if: 1) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and 2) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.” So businesses that have closed-circuit television or other security cameras do not have to post notices under the law, so long as the videos are not analyzed by software or applications that identify or assist in identifying individuals using biometric characteristics.
There is also an important distinction between commercial establishments’ customers and employees, since the ban on selling biometric information is not limited to only customers. “Biometric identifier information” pertains to any individual, whereas the requirement to post notices of using biometric identifying technologies only applies to customers. Accordingly, businesses have no affirmative duty to post conspicuous notices of biometric identifying technologies in use if they only collect employees’ biometric information. However, the law expressly prohibits selling employees’ biometric data.
Content and Posting Notices
The law dictates that any commercial establishment that collects, retains, converts, stores or shares biometric identifier information must post a clear and conspicuous sign near all customer entrances notifying customers that the business is doing so. In terms of the notice’s content, the Division of Consumer Affairs has now posted a template notice that commercial establishments should use and further guidance will be posted on City of New York websites, or through other means, to inform commercial establishments of the law’s requirements.
Enforcement and Fines
A customer whose biometric identifier information was collected by a commercial establishment that did not post the appropriate notice may maintain a private cause of action if they meet certain procedural requirements. Specifically, the aggrieved person must provide written notice to the commercial establishment of its non-compliance with the law, which commences a 30-day cure period.
On or before the expiration of that 30-day period, the commercial establishment must: 1) post the appropriate notices, and 2) provide the aggrieved person an “express written statement” that the violation has been cured and that no further violations shall occur. If the commercial establishment fails to complete these within the 30 days, the aggrieved person may file suit. There is no cure period for the sale of biometric identifier information, and an aggrieved person may file a lawsuit as soon as the commercial establishment “sells, leases, trades, or shares in exchange anything of value or otherwise profits from the transaction of [his/her/their] biometric identifier information.”
For a failure to post notices, prevailing parties may recover $500 per violation, plus reasonable attorneys’ fees and costs, expert witness fees and other litigation expenses. Meanwhile, for each “negligent” violation of the ban on selling biometric identifier information, parties may recover $500 per violation. For each “intentional or reckless” violation, parties can recover $5,000, in addition to reasonable attorneys’ fees and litigation costs.
Notably, the law does not set forth any regulatory fines or penalties for failing to post notices and/or selling biometric identifier information. Thus, the only monetary penalties for noncompliance stem from an aggrieved person suing the business.
Implications for Other Jurisdictions
With increases in both the use of biometric technology and litigation over it, businesses in jurisdictions outside of New York City should also carefully monitor regulatory developments around this technology. Portland, Oregon, painted a potentially wide brushstroke of liability earlier this year, banning facial recognition altogether and applying it to private companies doing business in any place of public accommodation. This means that any person may have a private right of action against a business violating the law and could recover $1,000 per day as a result.
The Supreme Court of Illinois caused further concern for businesses there when it ruled that actual injury was not necessary to recover damages—violation alone was enough. The Illinois Biometric Information Privacy Act allows for $1,000 per day for violations, or $5,000 per day for violations proved intentional or reckless. These steep fines could quickly become a financial catastrophe for businesses that fail to comply.