A biometric privacy statute set to take effect next month in New York City is likely to usher in costly litigation against companies that fail to meet its requirements.
The law, which applies to commercial establishments, prohibits businesses from collecting biometric information—facial scans, fingerprints, and the like—without first posting a conspicuous sign at customer entrances.
The legislation comes amid growing criticism of facial recognition tools, with municipalities from Portland, Ore., to Portland, Maine, passing laws to curtail the technology’s use. Facial recognition technology violates citizens’ expectation to privacy and disproportionately misidentifies people of color, advocates argue.
The New York law’s private right of action can leave companies with hefty legal fees and penalties if they fail to adhere to the law’s requirements, but a cure period offers a reprieve if companies act in time, attorneys say.
“It’s something that New York companies using any type of biometric technology should be monitoring very closely,” said Beth Herrington, a privacy, data security, and class action partner at Morgan Lewis & Bockius LLP in Chicago. “This is a rapidly evolving area of the law, so companies really need to make sure their business practices are in full compliance with new biometric legislation.”
The law applies to commercial establishments—including entertainment venues, retail stores, restaurants, and bars—operating in the city.
It requires those companies that collect, retain, or share biometric information to post “clear and conspicuous” signs near all consumer entrances. The signs must notify customers in plain and simple language how biometric identifiers are being collected or processed, said Damon Silver, an attorney at Jackson Lewis P.C. in New York.
“It’s something that could trip up businesses that are unaware of the requirement or that have a lot of locations,” Silver said. “There’s going to be a lot of businesses that fall into the commercial establishment category.”
The law also prohibits covered companies from selling, leasing, trading, sharing, or otherwise profiting from that biometric information.
Luckily for businesses, the law doesn’t require businesses to seek written consent for use of biometric technology, Herrington said.
But there may be future litigation concerning what constitutes a “clear and conspicuous sign” under the law, she said.
The law “may have the impact of dissuading some businesses from using biometrics,” Herrington said.
Like Illinois’ Biometric Information Privacy Act, the New York law has a private right of action allowing consumers to sue over violations.
Unlike BIPA, however, the New York statute has a 30-day cure period that will likely stem the tide of litigation. Still, companies can be tripped up if they don’t act quickly enough, said Jenny Holmes, the Rochester, N.Y.-based deputy leader of Nixon Peabody LLP’s data privacy and cybersecurity team.
“Before you can file a lawsuit, you have to tell the business that they’ve violated the law,” Holmes said. “The company has 30 days to fix it and inform the other party that they’ve fixed it and no further violations will occur.”
That cure period, however, doesn’t apply to violations of the selling and sharing provision. Companies that seek to profit from the sale of customer biometric data won’t get that time reprieve to remedy possible violations, Silver said.
Litigation following alleged violations of these provisions can bring hefty penalties—up to $500 for each signage violation, up to $500 for each negligent sale violation, and up to $5,000 for each intentional or reckless sale violation.
BIPA by contrast calls for up to $1,000 for negligent violations of the law and up to $5,000 for intentional or reckless violations.
The law, which covers a wide range of New York businesses, exempts biometric identifier collection, storage, sharing, and use by government agencies and employees.
And the signage requirement doesn’t apply to financial institutions such as banks and credit unions, according to the statute text.
Setting up internal processes in advance—on what to do if a signage requirement isn’t being met at a particular location, for example—can help businesses act more nimbly and avoid litigation by curing any potential remedies during the 30-day cure period, Silver said.
Biometric information includes retina scans, fingerprints, voiceprints, handprints, and scans of face geometry, but companies should also heed the “other identifying characteristic” definition included in the law and take stock of their data collection processes more generally, Holmes said.
“How big is that catch-all?” she said. “How broadly does that apply?”
Companies operating retail locations in the city should conduct data mapping to understand what data they’re collecting and how they’re sharing or processing it, Silver said. Companies must also know how they’re interacting with outside parties to collect or manage biometric data, he added.
“We want contractual provisions in place that prevent vendors from using data in a way that’s not permissible,” Silver said.
Momentum is building for biometric privacy laws in New York and in other states, and this statute could be a “bellwether” for what’s next in other jurisdictions, said Melissa Pascualini, a workplace law associate at Jackson Lewis P.C. in Melville, N.Y.
It will continue to be best practice for businesses to understand what information they’re collecting and where it’s going as more legislation develops, said Bram Schumer, a technology, privacy, and cybersecurity associate at Goodwin Procter LLP in San Francisco.
“Laws like this are indicative of the direction that local governments are going in to protect privacy, give businesses rules of the road, and give consumers information about what’s being collected about them,” Schumer said.
Bloomberg Law subscribers can find related content on our In Focus: Biometrics page.