Last month, NYC’s new biometric data protection law became effective. The law applies to many local commercial establishments including stores, entertainment venues, and restaurants. The law requires the posting of a sign giving notice of biometric data collection and prohibits transacting in biometric data.
Covered establishments are required to post notices if they collect, retain or share “biometric identifier information” — “physiological or biological characteristic[s] … used by or on behalf of a commercial establishment … to identify, or assist in identifying, an individual.” Examples include a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face geometry “or any other identifying characteristic.”
A sign providing notice of biometric data collection should be clear and conspicuous, written in plain language, and be posted near all customer entrances. The establishment can still collect biometric data, and there is no requirement that it obtain written consumer consent. Generally, businesses collecting biometric data through photography or video recording are not covered unless they store, analyze or share this info.
In addition, the new law prohibits covered establishments from transacting in biometric data (selling, sharing) in exchange for anything of value or otherwise profiting from such transaction.
The law does not apply to governmental entities, and financial institutions are not subject to the notice requirement.
Damages and fines for noncompliance can be high; a commercial establishment that fails to post the required sign can be fined $500 per violation, another $500 for transacting in biometric data, and $5000 for an “intentional or reckless” violation.
The law contains a private right of action, which means an individual can sue the establishment for violations. For failure to post notice there is a “cure” period during which a business must be given a chance to correct the violation.
The notice requirement does not apply to data of employees who are acting in their employment contexts, but the law’s prohibition on commercial establishments using data for transactional purposes does apply to employees’ biometric data. This would include use of employee biometric data by third-party data processing services on behalf of the employer, such as for time records.
Given the potential for steep fines and litigation, commercial establishments subject to NYC’s new biometric law should take steps to avoid violations. Businesses should also ensure that they are in compliance with other applicable data protection law, such as the SHIELD Act (which imposes data security requirements on businesses).
The NYS legislature is considering a state-wide biometric privacy law, which contains more burdensome requirements than NYC’s law and also has a private right of action for noncompliance.
Now is the time for businesses of all sizes to take stock of their data practices and data protection obligations.
The information contained in this column is provided for informational purposes only and should not be construed as legal advice.
By Gille Ann Rabbin, Esq., CIPP/US, CIPP/E