New York City’s Biometric Identifier Information Law (BII Law), which went into effect on July 9, 2021, bans the sale of biometric data and imposes notice requirements on covered businesses that use biometric identifying technology in their establishments. While comparisons have been made to the Illinois Biometric Information Privacy Act (BIPA), New York City’s new BII Law—which provides a cure period for certain violations and permitting collection of biometric data without written consent—is far less stringent and is not expected to produce the maelstrom of litigation precipitated by BIPA. That said, policyholders still should be aware of the BII Law’s requirements and consider potential insurance coverage implications.
The new BII Law imposes two main requirements. First, covered businesses may not sell, lease, share for value, or otherwise profit from the transmission of biometric identifier information. Second, covered businesses that collect, retain, convert, store or share biometric identifier information must post conspicuous signage at all customer entrances disclosing that such information is being collected.
The BII Law defines “biometric identifier information” as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: a retina or iris scan; a fingerprint or voiceprint; a scan of hand or face geometry; or any other identifying characteristic.”
The new BII Law applies to commercial establishments in New York City, defined as places of entertainment, retail stores, and food and drink establishments. Financial institutions are exempt from the posting requirement, while government entities, employees and agents are exempt entirely.
Notably, as long as notice is posted, businesses may collect biometric information without violating the law. Written consent is not required before collecting such information. Moreover, a business may use CCTV systems that collect biometric information, as long as the footage is not analyzed to identify persons based on “biological characteristics” (e.g., with facial recognition software), and not sold or shared with third parties.
The BII Law provides a private right of action to parties “aggrieved” by violations, but includes a 30-day cure period for businesses accused of violating the posting requirement. Further, any party alleging a posting violation must provide written notice to the business before bringing its claim. Importantly, however, written notice is not required before bringing claims for the illegal sale or sharing of biometric information, and there is no cure period for such claims. Prevailing claimants can recover $500 per posting violation, $500 per negligent selling violation, and $5,000 per intentional or reckless selling violation.
While claims involving the BII Law have yet to be litigated, one important insurance concept involved is that of invasion of privacy. The personal and advertising injury coverage within general liability policies includes coverage for invasion of privacy. This insurance applies to “personal injury,” which typically is defined as “injury, other than ‘bodily injury’, arising out of…oral or written publication of material that violates a person’s right of privacy.”
The first round of Illinois insurance coverage decisions under BIPA, including West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, favored policyholders and provided precedent that coverage for violations of the BII Law should be available under similar general liability policy language. In Krishna, a customer accused a tanning salon of violating BIPA by storing and distributing its patrons’ fingerprint data to a vendor without consent. The policyholder sought coverage under a provision covering claims arising from the “written publication of material that violates a person’s right of privacy.” The insurance company argued no “publication” occurred because the fingerprint data was never widely disseminated. The court disagreed and found coverage, and the Illinois Supreme Court affirmed the decision this past May.
Biometric measures are regularly used in various work environments, and many employee biometric claims have been brought under BIPA. These claims may be covered under employment practices insurance policies. Claims under the BII Law may also trigger coverage under directors’ and officers’ and cyber policies. It will be critical for policyholders to examine all potentially responsive insurance in the face of claims under New York City’s BII Law.
Among the hurdles for companies seeking insurance coverage for biometric liability, under any type of policy, are potential exclusions for disclosure of confidential information and data-related liabilities. Many insurance companies have begun adding these exclusions to their policies in recent years. In addition, recent incarnations of EPL and other policies have incorporated new exclusions specifically tied to the alleged retention or collection of “biometric Identifiers.” Business owners must be aware of these exclusions as they renew or place coverage, especially if their business collects biometric information.