The lawyers at Lewis, Brisbois, Bisgaard, & Smith LLP have written a brief primer that explains the potential ramifications of New York City’s new Biometric Identifier Information Law. The law will formally go into effect on July 9, and addresses both the collection and the distribution of biometric information in commercial establishments.
More specifically, the law bars commercial establishments (a category that includes restaurants, retail outlets, and entertainment venues) from selling or sharing biometric information with third parties. However, they are still allowed to collect that information, provided that they post clear signage to inform their customers that they are doing so. The businesses do not need to obtain any other form of consent when colleting biometric data.
In that regard, the New York City law differs from the Biometric Information Privacy Act (BIPA) in Illinois, which gives the public the right to bring a lawsuit against any company that simply collects biometric without consent. New York residents will not be able to take private action until information is shared, or if a business does not have the proper notification.
With that in mind, the lawyers believe that the New York law will not generate a wave of class action lawsuits like the one that has been observed in Illinois, though they warned that businesses that fail to comply could still face significant liabilities. Plaintiffs can collect $500 damages from companies that fail to post signs, and up to $5,000 in damages (plus legal fees) from those that intentionally violate the data sharing clause. In the case of the signs, businesses are given 30 days to comply, and can head off any legal action if they do so within that window.
The law does have a few exceptions that allow the sharing of biometric data in certain situations. Most notably, businesses are allowed to share biometric data with law enforcement, and the lawyers theorize that a similar exemption could be created for public health initiatives, including those associated with COVID-19. The law also seems to allow the use of security cameras (even without signs), provided that the business is not analyzing that footage to identify customers. Financial institutions and government agencies are similarly exempt from the signage rule, though they still cannot share any biometric information.
The law defines a biometric identifier as any characteristic that can be used to identify an individual, covering everything from iris scans to face, voice, and fingerprint recognition, in addition to other unnamed modalities. The lawyers warn that it could apply to COVID-19 temperature checks, although it’s unclear if someone’s temperature is robust enough to identify them without any supplemental information.
Senators Jeff Merkley and Bernie Sanders have tried to advance a biometric data protection law at the federal level, though they are yet to make much progress on that front. Companies have now paid hundreds of millions of dollars to settle BIPA lawsuits, with Facebook’s $650 million settlement standing as the largest action thus far.
July 1, 2021 – by Eric Weiss