Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
July 7th, 2021
New York City Restricts Collection of Biometric Identifiers
Major US municipalities are lining up to regulate business use of technologies to collect biometric identifiers and information. For example, Portland, Oregon, banned the use of face recognition technologies earlier this year. Now, New York City businesses must comply with a new law too: Effective July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Moreover, it will be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information under the new NYC law.
Given these significant new restrictions, it is worth digging in to the requirements and consequences of the NYC law (New York City Administrative Code, Title 22, Chapter 12). First, what is biometric identifier information? Under the new law, it is a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic. What is a commercial establishment? Importantly, it includes:
- places of entertainment (such as theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, and other places where attractions, performances, concerts, exhibits, athletic games or contests are held, whether publicly or private owned);
- retail stores (i.e., establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail); and
- food and drink establishments (establishments that give or offer for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle).
The signage requirements do not apply to financial institutions or biometric identifier information collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.
The NYC law covers establishments of all sizes throughout the city, including those that may be using technology to automatically take temperatures if those scanners are capturing retina or iris scans or face geometry. Now is the time to look at the technology you are using and make sure you are either limiting the functionality as necessary or that you have the appropriate signage and are not going to share such information with anyone else for value or profit.
Penalties. The NYC law includes a private right of action (with a 30 day cure period) that allows an individual to seek $500 for each failure to provide notice, $500 for each negligent violation, and $5,000 for each intentional or reckless violation of the restriction on sales, sharing for value, or otherwise profiting from the transaction of the biometric identifier information. The plaintiff also has the right to recover “reasonable” attorneys’ fees.
NYC won’t be the last municipality to regulate collection of biometric identifiers either: in late May, the Baltimore City Council Public Safety and Government Operations Committee passed an ordinance (Council Bill 21-0001) that would bar the private sector from obtaining, retaining, accessing, or using certain face surveillance technology or any information obtained from certain face surveillance technology. The Ordinance was approved by the City Council and sent to the Mayor on June 14.
If you have questions about the new New York City biometric identifier law, or about any other privacy and data security compliance matters, please contact Daniel Goldberg at (310) 579-9616 or dgoldberg@fkks.com, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
New York Regulator Says Even One Access Control Failure Can Invalidate Years of Compliance Certifications
The New York Department of Financial Services (“NYDFS”) recently entered into a Consent Order (the “Consent Order”) with EyeMed Vision Care LLC (“EyeMed”) over violations of the agency’s Cybersecurity Requirements (23 NY CRR Part 500) (“Part 500”). Read more.
October 26 2022
Privacy News for Q2 2022
A summary of privacy news and trends we have seen in the first half of 2022. Read more.
June 2 2022
Does Your Loyalty Program Violate the CCPA?
California Attorney General Rob Bonta tweeted and released a statement that his office has sent warning letters to businesses in a variety of industries for alleged failure to comply with CCPA. Read more.
February 3 2022
