Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 7th, 2021
New York City Restricts Collection of Biometric Identifiers
Major US municipalities are lining up to regulate business use of technologies to collect biometric identifiers and information. For example, Portland, Oregon, banned the use of face recognition technologies earlier this year. Now, New York City businesses must comply with a new law too: Effective July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Moreover, it will be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information under the new NYC law.
Given these significant new restrictions, it is worth digging in to the requirements and consequences of the NYC law (New York City Administrative Code, Title 22, Chapter 12). First, what is biometric identifier information? Under the new law, it is a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic. What is a commercial establishment? Importantly, it includes:
- places of entertainment (such as theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, and other places where attractions, performances, concerts, exhibits, athletic games or contests are held, whether publicly or private owned);
- retail stores (i.e., establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail); and
- food and drink establishments (establishments that give or offer for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle).
The signage requirements do not apply to financial institutions or biometric identifier information collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.
The NYC law covers establishments of all sizes throughout the city, including those that may be using technology to automatically take temperatures if those scanners are capturing retina or iris scans or face geometry. Now is the time to look at the technology you are using and make sure you are either limiting the functionality as necessary or that you have the appropriate signage and are not going to share such information with anyone else for value or profit.
Penalties. The NYC law includes a private right of action (with a 30 day cure period) that allows an individual to seek $500 for each failure to provide notice, $500 for each negligent violation, and $5,000 for each intentional or reckless violation of the restriction on sales, sharing for value, or otherwise profiting from the transaction of the biometric identifier information. The plaintiff also has the right to recover “reasonable” attorneys’ fees.
NYC won’t be the last municipality to regulate collection of biometric identifiers either: in late May, the Baltimore City Council Public Safety and Government Operations Committee passed an ordinance (Council Bill 21-0001) that would bar the private sector from obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology. The Ordinance was approved by the City Council and sent to the Mayor on June 14.
If you have questions about the new New York City biometric identifier law, or about any other privacy and data security compliance matters, please contact Tanya Forsheit at (310) 579-9615 or tforsheit@fkks.com; Daniel Goldberg at (310) 579-9616 or dgoldberg@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Business Takeaways from the FTC $5 Billion Settlement with Facebook
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. Read more.
July 26 2019
Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?
Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York's Cybersecurity Regulations. Here's what you need to know to avoid regulatory scrutiny. Read more.
August 10 2018
New California Privacy Law Calls for Significant Changes
On the heels of the European General Data Protection Regulation (GDPR), California has now passed a digital privacy law that gives consumers more control over their personal information online. Read more.
June 29 2018
