On July 9, 2021, New York City enacted a new biometric ordinance regulating how businesses handle biometric identifier information. The new law is the first of its kind in New York and requires commercial establishments (including retail stores, places of entertainment, restaurants, food trucks, and other food and drink establishments) that use biometrics in order to identify their customers to post a clear and conspicuous sign notifying customers of the biometric collection activity. The ordinance also makes it unlawful to sell, lease or otherwise profit from biometric identifier information. Notably, NYC’s biometric ordinance also creates a private right of action for aggrieved individuals to sue for violations.
This alert summarizes the key provisions.
What is biometric identifier information?
The law regulates how businesses handle “biometric identifier information,” which is broadly defined as a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to:
(i) a retina or iris scan,
(ii) a fingerprint or voiceprint,
(iii) a scan of hand or face geometry, or any other identifying characteristic.”
What types of businesses are covered?
The disclosure requirements apply to any “commercial establishment,” which is broadly defined as a “place of entertainment, a retail store, or a food and drink establishment.”
- Places of entertainment include any privately or publicly owned and operated entertainment facility, such as a theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.
- Retail stores include any establishment where consumer commodities are sold, displayed or offered for sale or where services are provided to consumers at retail.
- Food and drink establishments include any establishment that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
What is required?
The ordinance generally requires covered entities to (i) disclose how they use a customer’s biometric identifier information and (ii) refrain from selling or profiting from biometric identifier information.
Disclosure requirements:
- The law’s disclosure requirements apply to commercial establishments that handle – by collecting, retaining, converting, storing or sharing – customers’ biometric identifier information. “Customers” include present or prospective purchasers or lessees of goods or services.
- Covered businesses must disclose the collection, retention, sharing and use of biometric identifier information to customers by placing near all customer entrances “clear and conspicuous” signage using “plain, simple language” warning how customers’ biometric identifier information is being used.
- Pursuant to the ordinance, the commissioner of the New York City Department of Consumer and Worker Protection has prescribed the “form and manner” of the requisite disclosure and signage. A sample Biometric Identifier Disclosure Sign is available on the department’s website.
Prohibition on profiting from biometric identifier information:
- The law makes it unlawful to profit – by selling, leasing, trading or sharing in exchange for anything of value – from the transaction of biometric identifier information.
- Significantly, the prohibition on profiting from biometric identifier information appears to apply to a broader category of businesses, as this section of the ordinance is not limited to “commercial establishments.”
Are there exceptions?
- Government agencies and their employees or agents are excluded from the ordinance.
- Financial institutions (including banks, credit unions, broker-dealers and securities firms) are excluded from the disclosure requirements. However, financial institutions are still subject to the prohibition on profiting from biometric identifier information.
- The ordinance expressly exempts biometric identifier information collected through photographs or video recordings, if (i) they are not analyzed by software or applications that identify or assist in identifying individuals based on physiological or biological characteristics and (ii) they are not shared with, sold or leased to third parties other than law enforcement. In other words, the law does not apply to a business’s use of closed caption security cameras.
What are the potential consequences of noncompliance?
- The law creates a private right of action for any person “aggrieved by” a violation to file an action in a court of competent jurisdiction against an offending party. The meaning of “aggrieved by” is not provided.
- An aggrieved person may recover (i) damages of $500 for each uncured violation of the disclosure requirements; (ii) damages of $500 for each “negligent violation” of the prohibition on profiting from biometric identifier information; (iii) damages of $5,000 for each “intentional or reckless violation” of the prohibition on profiting from biometric identifier information; (iv) reasonable attorneys’ fees and costs, including litigation expenses; and (v) “other relief” the court deems appropriate, including an injunction.
- Importantly, the ordinance also includes a notice and cure provision for a violation of the disclosure requirements. Specifically, a potential plaintiff must first provide the offending commercial establishment with written notice and an opportunity to cure the violation. If, within 30 days, the commercial establishment cures the violation and provides the aggrieved customer with an “express written statement that the violation has been cured and that no further violations shall occur,” the customer may not initiate suit.
- By contrast, no pre-suit notice is required for alleged violations of the prohibition on profiting from biometric identifier information.
- The ordinance does not explicitly state whether an NYC agency may bring its own action against an offending commercial establishment. The commissioner of consumer and worker protection will issue separate rules, and the city’s chief privacy officer along with any other “relevant agency or office” will provide forthcoming guidance.
- A regulation containing similar damages provisions, Illinois’ Biometric Information Protection Act (BIPA), has generated significant litigation and spawned a number of class action lawsuits. NYC’s new biometric ordinance may also prove to be fertile ground for litigation.
What are the next steps for NYC businesses?
New York City businesses using biometric information should take steps now to comply with the new biometric ordinance, including the following:
- Determine whether your business is a “commercial establishment” covered by the law. The law defines this term broadly to include retail, entertainment and food establishments.
- Determine whether your business collects biometric identifier information, which is broadly defined and includes a catchall for “any other identifying characteristic.”
- Comply with the ordinance’s disclosure requirements to provide appropriate notice to customers with clear and conspicuous signage near all customer entrances.
- Update privacy policies and procedures to include a prohibition on selling, sharing or otherwise profiting from biometric identifier information.
- Develop procedures for responding to customer notices to cure potential violations, including by responding to customers within 30 days.