Privacy Law Essentials: New York City Biometric Identifier Law Goes into Effect

July 13, 2021
Hinshaw Privacy & Cyber Bytes

Hinshaw summer associate Jenny Li contributed to the research and drafting of this alert.

On January 10, 2021, the New York City Council enacted a biometric identifier information law. The law went into effect on July 9, 2021.

What type of information is covered?

The law covers biometric identifier information, which is a physiological or biological characteristic used to identify an individual. Such biometric information includes, but is not limited to, a retina or iris scan, a fingerprint or voiceprint, or a hand or face geometry scan.

Biometric information collected through photographs or video recordings are not implicated if the images or videos collected are not analyzed by software that identifies individuals based on physiological or biological characteristics, and the images or videos are not shared with third parties who are not law enforcement agencies.

What obligations does the law impose, and to whom does the law apply?

The law imposes two obligations: a signage requirement and a prohibition on profiting from the exchange of biometric information.

The signage requirement only implicates commercial establishments that collect, retain, convert, store, or share customer biometric information. Under the signage requirement, a commercial establishment (defined as a place of entertainment, retail store, or food and drink establishment) must post a clear and conspicuous sign near all of its entrances. The signs must use plain, simple language to notify customers that the establishment collects, retains, converts, stores, or shares customer biometric information. The NYC Department of Consumer and Worker Protection has provided a sign for commercial establishments to use.

The prohibition applies more broadly than the signage requirement. The prohibition implicates any individual or entity who sells, leases, or trades biometric information or exchanges biometric information for anything of value.

Are there any exceptions to the law?

Government agencies, employees, or agents are exempt from all obligations of the law. Financial institutions are exempt only from the signage requirement.

How is the law enforced?

Individuals have a private right of action to sue over violations of the law. Individuals can recover $500 for each violation of a commercial establishment’s failure to post a clear and conspicuous sign, $500 for each negligent violation of the prohibition against profiting from the exchange of biometric information, and $5,000 for each intentional or reckless violation of the prohibition against profiting from the exchange of biometric information. Individuals may also recover attorneys’ fees and costs.

Individuals suing for violations of the signage requirement must give written notice to the commercial establishment at least 30 days before bringing suit. If within 30 days of receiving the written notice the commercial establishment cures the violation and sends a written statement that the violation has been cured and the violation will not occur again, then the individual cannot sue for that specific violation. However, no written notice or opportunity to cure is required before bringing suit for violations of the prohibition against profiting from the exchange of biometric information.