This article originally appeared in the September 2021 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
Several of my prior columns have addressed the use of biometrics, analyzing such issues as the Illinois Biometric Information Privacy Act, facial recognition use by large retailers, New York’s SHIELD Act, a trial facial recognition program to protect the White House, and using biometrics to return to work after COVID-19
Why do I write on this topic so frequently? Because the law in this area is quickly evolving – and if security companies and integrators do not stay current, there could be serious consequences for them and their customers.
New York City Passes New Biometric Law
The latest legal development in biometrics is a New York City law that took effect in July 2021 that applies to retail stores, places of entertainment, and food and drink establishments. The new law requires that businesses notify customers if they use biometric identifier technology, and it also prohibits them from selling biometric identifier information.
While security professionals are not directly targeted by this law (unless they host retail customers in their stores), they are sellers and installers of the equipment that collects this biometric information; therefore, it is critical that they be aware of the law and make their customers aware. Educating yourself and your employees on these developments in the law is important and just one more way to protect your customers.
At the core of this new law are three basic requirements:
- Any commercial establishment (which the law defines as “a place of entertainment, a retail store, or a food and drink establishment”) that collects, retains, converts, stores or shares biometric identifier information of customers must place a “clear and conspicuous” sign near all of the customer entrances notifying customers (in a form and manner prescribed by NYC) that their biometric identifier information is being collected, retained, converted, stored or shared.
- It is unlawful to sell, lease, trade or share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.
- The creation of a private right of action for any person “aggrieved” by a violation of the law.
What Is Biometric Identifier Information Under This New Law?
The new law defines a variety of terms, including commercial establishment, place of entertainment, retail store, etc. Those definitions are generally what you would expect – so I am omitting them here.
However, one of the key definitions in the law is “biometric identifier information.” This is defined as a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, “to identify, or assist in identifying,” an individual. This includes, but specifically is not limited to: Retina or iris scans; fingerprint or voiceprint; or a scan of hand or face geometry, or any other identifying characteristic.
Who is a Customer?
Under this new law, a customer is not only an individual who actually purchases (or leases) goods or services from a commercial establishment, but also a prospective purchaser or lessee; thus, if someone enters a retail store, for example, and merely browses the product offerings, the law applies to that person as much as any paying customer.
What is a Private Right of Action?
As I wrote in 2019 explaining the Illinois Biometric Privacy Act, a private right of action allows people (as opposed to the government) to bring lawsuits claiming that a violation of the law entitles them to money damages. This is a very significant part of the law – as, just as in Illinois, it could lead to a flurry of litigation by private individuals against any business covered by this law.
The right to file a lawsuit is not limited to New York City or even New York state residents; instead, any “aggrieved” person can bring a lawsuit if they think a commercial establishment violated the law.
The damages for violating the law range from $500 (per violation) to $5,000 (for specified “intentional or reckless” violations). Significantly, the law authorizes a “prevailing party” to recover reasonable attorney fees and costs, including expert witness fees and other litigation expenses. That can cut in both directions – possibly deterring baseless lawsuits, but also adding to the damages and exposure of commercial establishments that fail to comply.
To Whom Does This Law Not Apply?
The collection, storage, sharing, or use of biometric identifier information by government agencies is not prohibited by this law. Thus, the police, for example, can still collect your biometric information and not disclose it to you – subject to their own forms of regulation.
Also excluded from the disclosure requirements are financial institutions, which include banks, trust companies, savings and loan associations, credit unions, securities brokers, and securities dealers.
Finally, the law excludes commercial establishments that collect biometric identifier information through photographs or video recordings where (a) such information is not analyzed by biometric recognition software, and (b) the biometric data is not shared with, sold, or leased to third parties other than law enforcement agencies.
The intent of this law is to protect the privacy of consumers. It is a well-intentioned law; however, because it grants a private right of action, carries heavy penalties (for repeat violations), and allows for attorney fees and costs, it poses great risk to businesses in New York City who collect biometric information. There is no doubt that this law will result in an abundance of lawsuits – and that many of those lawsuits will be purely opportunistic and exploitative.
Timothy J. Pastore, Esq., is a Partner in the New York office of Montgomery McCracken Walker & Rhoads LLP (www.mmwr.com), where he is Vice-Chair of the Litigation Department. Before entering private practice, Mr. Pastore was an officer and Judge Advocate General (JAG) in the U.S. Air Force and a Special Assistant U.S. Attorney with the U.S. Department of Justice. Reach him at (212) 551-7707 or by e-mail at [email protected].