Beginning July 9, 2021, New York City commercial establishments must meet new requirements regarding any collection, sale, or exchange of consumer’s biometric identifier information. The New York City Biometric Identifier Information Law is an important step forward in safeguarding consumer privacy and individuals should know their rights. Businesses also must be aware of their new obligations to avoid liability.
New York City commercial establishments are prohibited from selling, leasing, trading, sharing in exchange for anything of value, or otherwise profiting from a customer’s biometric identifier information. Such information includes (but is not limited to) a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face geometry, or any other identifying characteristic.
However, businesses can collect, retain, convert, store, or share (if nothing of value is exchanged) consumer’s biometric identifier information so long as they provide consumers with a clear and conspicuous notice posted near all customer entrances. The notice must be in “plain, simple language” and comply with rules prescribed by the Commissioner of Consumer and Worker Protection. Such rules have not been released as yet.
Notably, the notice requirement only applies to collection of biometric identifying information of customers, not employees. A customer is defined as a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment. However, the no-selling provision is not expressly limited to customers and could apply more broadly to employees.
The law applies to commercial establishments, defined as “a place of entertainment, a retail store, or a food and drink establishment.” The meaning of those terms is set forth in the statute.
The law does not apply to government agencies, employees, or agents. Further, financial institutions are exempt from the notice requirements discussed above. This includes banks, trust companies, savings and loan associations, credit unions, public pension funds, securities brokers, and similar parties. However, financial institutions are prohibited from selling or profiting from biometric information.
There is also an exemption for businesses collecting photographs or video recordings if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold, or leased to third-parties other than law enforcement agencies. In these circumstances, businesses are not required to give customers notice under the law.
Customers who have been injured by a business’s failure to comply with the law can sue for damages, but there are various requirements. In the case of a violation of the notice requirement, the customer must first provide the business with written notice of its violation. The business then has 30 days to cure the violation. If the business does cure and sends written notice that the violation was cured and will not occur again, the customer cannot sue. However, customers are not required to give such notice to a business that breaches the no-selling requirement.
A customer may be awarded damages of $500 per violation if a business failed to comply with the notice provision or negligently violated the no-selling provision. Where a business intentionally violated the no selling requirement, a customer can obtain $5,000 per violation. Customers can also recover reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses as well as obtain injunctive relief, as appropriate.
Additional details regarding the form of notice that must be given by businesses should be forthcoming. In the meantime, businesses should consult an attorney to discuss their collection of biometric data and their risks of liability under the new law.