Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 7th, 2021
New York City Restricts Collection of Biometric Identifiers
Major US municipalities are lining up to regulate business use of technologies to collect biometric identifiers and information. For example, Portland, Oregon, banned the use of face recognition technologies earlier this year. Now, New York City businesses must comply with a new law too: Effective July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Moreover, it will be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information under the new NYC law.
Given these significant new restrictions, it is worth digging in to the requirements and consequences of the NYC law (New York City Administrative Code, Title 22, Chapter 12). First, what is biometric identifier information? Under the new law, it is a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic. What is a commercial establishment? Importantly, it includes:
- places of entertainment (such as theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, and other places where attractions, performances, concerts, exhibits, athletic games or contests are held, whether publicly or private owned);
- retail stores (i.e., establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail); and
- food and drink establishments (establishments that give or offer for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle).
The signage requirements do not apply to financial institutions or biometric identifier information collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.
The NYC law covers establishments of all sizes throughout the city, including those that may be using technology to automatically take temperatures if those scanners are capturing retina or iris scans or face geometry. Now is the time to look at the technology you are using and make sure you are either limiting the functionality as necessary or that you have the appropriate signage and are not going to share such information with anyone else for value or profit.
Penalties. The NYC law includes a private right of action (with a 30 day cure period) that allows an individual to seek $500 for each failure to provide notice, $500 for each negligent violation, and $5,000 for each intentional or reckless violation of the restriction on sales, sharing for value, or otherwise profiting from the transaction of the biometric identifier information. The plaintiff also has the right to recover “reasonable” attorneys’ fees.
NYC won’t be the last municipality to regulate collection of biometric identifiers either: in late May, the Baltimore City Council Public Safety and Government Operations Committee passed an ordinance (Council Bill 21-0001) that would bar the private sector from obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology. The Ordinance was approved by the City Council and sent to the Mayor on June 14.
If you have questions about the new New York City biometric identifier law, or about any other privacy and data security compliance matters, please contact Daniel Goldberg at (310) 579-9616 or dgoldberg@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023