The New York City Council recently enacted new biometric privacy legislation that restricts the collection of biometric information by all “commercial establishments” in New York City. While the new law ostensibly was enacted to target the undisclosed use of facial recognition technology in retail establishments, the law sweeps more broadly and shares several similarities with Illinois’ Biometric Information Privacy Act, which has gained national prominence after spawning over 800 class actions and billions of dollars in liability for companies that collect or use biometric information.
The New York City law, which was enacted by the City Council in December, was returned unsigned by Mayor de Blasio on January 11, 2021, and will take effect 180 days thereafter. Under the new law, any commercial establishment that collects, retains, converts, stores, or shares biometric information from customers must post a conspicuous sign near the establishment’s entrances notifying customers in plain language that their information is being collected, retained, converted, stored, or shared. Notably, “biometric information” is defined in broad terms to include a retina or iris scan, fingerprint or voice print, scan of hand, or face geometry, “or any other identifying characteristic.” The law also prohibits receiving anything of value in exchange for biometric information.
Any party that violates the law’s requirements is subject to damages of $500 for each violation of the provisions requiring notice to customers, $500 for each “negligent violation” of the prohibition against exchanging biometric information for value, and $5,000 for each “intentional or reckless” violation of that prohibition. In addition, violators can be liable for reasonable attorneys’ fees and litigation expenses. Importantly, however, before filing suit against a commercial establishment for failing to post a notice to consumers, the filing party must provide the commercial establishment with 30 days in which to cure the violation and inform the filing party that no further violations will occur. No such notice-and-cure period applies to entities that violate the prohibition against exchanging biometric information for value.
The New York City law comes on the heels of bipartisan biometric privacy legislation that has been proposed statewide in New York, which would allow a private right of action against entities that collect biometric information without consent. For details on the New York bill, please see our prior alert here. While the New York City law seems to have been targeted to retailers that use facial recognition technology for purposes of preventing retail theft, the law as written covers a much wider swath of biometric information and applies to restaurants and entertainment venues as well. Any company that does consumer-facing business in New York City would be wise to understand the scope and breadth of its provisions.