On January 6, 2021, a bipartisan group of the New York Legislature introduced Assembly Bill 27 (“AB 27”), which proposes to enact the New York Biometric Privacy Act (“NY BPA”). If enacted, the NY BPA would provide strict privacy protections for New York residents’ biometric information. The NY BPA is substantially the same as the Illinois Biometric Information Privacy Act (“IL BIPA”), which was enacted in 2008 and has spawned over a thousand class action lawsuits—and billions of dollars in liability exposure—in Illinois.
Under the currently proposed NY BPA, private entities that possess or obtain certain biometric data (as defined in the statute) from any individual (consumer or employee) would be required to: (a) develop and comply with a written, publicly available policy establishing a retention schedule for securely storing, and eventually destroying, an individual’s biometric data; (b) prior to collection, notify in writing the individuals from whom they intend to collect the information about the specific purpose and length of time the data will be collected, stored, and used; and (c) obtain a written release prior to collection. The NY BPA also would prohibit companies from disclosing or profiting from biometric information without written consent and impose obligations on companies to handle any such information with the same or a higher level of care than is used with other sensitive information. “Biometric Information” includes fingerprints, voiceprints, retina scans, and scans of hand or face geometry, as well as any information derived from those biometric identifiers that is used to identify an individual. Violators of the NY BPA would be subject to $1000 in statutory damages for each negligent violation and $5000 in statutory damages for each reckless or intentional violation plus reasonable attorneys’ fees. The availability of statutory damages and attorneys’ fees will be an incentive to the plaintiffs’ bar to investigate and file lawsuits, as has occurred in Illinois.
If enacted, New York would be the fourth state to pass a law directly regulating the collection and use of biometric data, following Illinois, Texas, and Washington; however, only the IL BIPA currently allows for a private right of action and statutory damages, plus attorneys’ fees. If the NY BPA is enacted, companies can expect to see a flurry of class action lawsuits on behalf of New York residents who have had their biometric information collected without providing written consent. In Illinois, the majority of these cases have been filed against employers that scan hourly employees’ fingers or hands for purposes of clocking in and out of work. Nonetheless, the law has been the subject of numerous class action cases in other contexts as well, including biometric device vendors and entities that use facial recognition or voice recognition technology. Most notably, Facebook is currently completing the claims process on a $650 million settlement arising from approximately six million Illinois residents who used the “tagging” feature for photographs uploaded to Facebook. Given the potential for class action exposure, companies doing business in New York that use any form of biometric technology should keep a close watch on AB 27.
The good news is that avoiding potential liability under NY BPA would be relatively straightforward. NY companies that collect biometric information should work with their counsel to establish a written policy for the retention and destruction of biometric information and develop a process for providing written notice and obtaining written consent prior to collecting any biometric information. Considering this latest effort to pass biometric privacy legislation, as well as recent efforts to pass a national biometric law based on the IL BPA, companies that do business in New York may want to consider taking proactive steps in advance of the passage of state or federal legislation.