New York City’s Biometrics Identification Information Ordinance Began July 9, 2021
New York City commercial establishments who use biometrics to identify their customers, whether through security cameras, fingerprint scans, or otherwise, should prepare for big damage awards if they do not comply with New York City’s new ordinance, Local Law 2021/003. The ordinance, effective July 9, 2021, impacts NYC retailers, restaurants and entertainment venues, among others, that collect biometric identifier information (BII). The ordinance essentially has two goals. First, it establishes an on-premise signage requirement to notify customers that a business collects BII. Second, it prohibits a business from profiting from the use of BII.
Private individuals are authorized to sue any business they believe is not in compliance with the ordinance’s requirements for monetary damages of $500 or $5,000 per violation—and, if they prevail, to recover their attorneys’ fees and litigation expenses.
NYC’s ordinance regulates commercial establishments’ use of BII. A commercial establishment, per the ordinance, includes places of entertainment, retail stores, and food or drink establishments. The ordinance uses these terms broadly.
- Entertainment Facilities, regardless of whether owned publicly or privately, are covered, including any theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.
- Retail stores include any establishment that displays, offers for sale, or sells consumer commodities, including car dealerships and pharmacies, or a place where goods or services are provided to consumers at retail.
- Food or drink establishments refer to any place that gives or sells food or beverages to the public, including restaurants, cafes, food trucks or carts, supermarkets, and liquor stores.
The ordinance defines BII as “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” Examples include: fingerprints, handprints, voiceprints, retina or iris scans, and facial scans. This definition is sufficiently broadly worded to encompass not only existing technology but also any new identifying technologies that may become commonplace in the future.
The ordinance enacts a signage requirement that could apply to a panoply of venues that use BII. Any commercial establishment, within the scope of the ordinance, that “collects, retains, converts, stores or shares biometric identifier information of customers” must post “clear and conspicuous” signs. These signs should be located near all of its customer entrances. Such signs must notify customers in “plain, simple language” that “biometric identifier information is being collected, retained, converted, stored or shared, as applicable.” The ordinance empowers the Commissioner of Consumer and Worker Protection to dictate the “form and manner” of the signage disclosures.
Prohibition on Profiting
The ordinance makes it illegal for any entity or person—not just the otherwise identified commercial establishments—“to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
Unlike the signage requirement, this prohibition is not limited to customer BII. Instead, the scope of the ordinance suggests that companies and individuals cannot transact in any BII, whether collected from customers or employees, contractors, suppliers, or any other parties.
Violation Consequences and a Possible Defense
The ordinance creates a private right of action, allowing any “aggrieved person” to file “on his or her own behalf” a lawsuit against any entity or person that violates either of the ordinance’s subparts.
For violations of the signage requirement, an aggrieved person can obtain an injunction and recover damages of $500 for each violation, in addition to reasonable attorneys’ fees and costs (including expert witness fees and other litigation expenses). At least thirty days before filing a lawsuit, however, the aggrieved person must provide the noncompliant commercial establishment written notice of the alleged violation. If, within 30 days, the establishment cures the violation and informs the aggrieved person, in writing, that the violation has been cured and that no further violations shall occur, the consumer may not initiate a lawsuit.
For violations of the no profiting rules, an aggrieved person can obtain an injunction and recover damages of $500 for each negligent violation, and $5,000 for each intentional or reckless violation, in addition to reasonable attorneys’ fees and costs. Unlike signage violations, the aggrieved person need not provide any prior written notice to the business before filing a lawsuit based on a claim of profiting from BII.
Neither of the ordinance’s provisions applies to the collection, storage, sharing or use of biometric identifier information by the government. In addition, financial institutions (such as banks and credit unions) are exempt from the ordinance’s signage requirement, though they are still prohibited from profiting from BII. Likewise, no signage is required in connection with collecting videos or photos that do not use BII software identification and that are not shared with third parties outside law enforcement.
NYC’s ordinance is closely modeled on Illinois’ Biometric Information Privacy Act (“BIPA”). Illinois enacted that statute in 2008 and, like NYC’s new law, it created a private cause of action for individuals and authorized a prevailing party to recover both liquidated damages and attorneys’ fees. In contrast to BIPA, however, NYC’s law contains additional signage provisions applicable only to commercial establishments. NYC’s ordinance also shares some similarities with Portland, Oregon’s biometrics ordinance that went into effect January 1, 2021. (Other biometrics laws exist at the state level in Texas and Washington.)
Both Portland’s and New York City’s ordinances create a private cause of action and apply to public-facing businesses (“commercial establishments” in NYC and “places of public accommodation” in Portland). Portland’s ban on biometrics, however, prohibits only facial recognition technologies, while NYC’s ordinance covers a broader range of biometric identifiers but allows collection and use as long as it is properly disclosed.
Illinois has been the focus of class actions involving BIPA. This trend increased sharply after a 2019 Illinois Supreme Court decision against Six Flags Entertainment, operator of amusement parks, holding that actual injury is not a prerequisite to an Illinois Biometric Information Privacy Act suit. In June 2021, Six Flags announced that it settled that lawsuit over use of its fingerprint scanners at its Illinois theme park for $36 million.
Time will tell whether class action lawsuits could be successful pursuant to the New York City ordinance (or if New York State enacts pending legislation at the state level). Regardless, the similarity of NYC’s ordinance to BIPA may be a harbinger of a flood of consumer lawsuits in New York City.
For now, it is urgent that all NYC businesses who collect or use BII:
- Review their BII collection practices and prepare new privacy policies explaining those practices;
- Prepare to comply immediately with the ordinance’s signage requirement and provide appropriate notice to consumers;
- Enact a strict prohibition on selling, sharing or otherwise profiting from any biometric data;
- Audit their vendors’ use of BII and review their contracts with vendors with an eye toward compliance and risk mitigation;
With new legislation also pending at the state level in New York and Maryland, businesses need to act proactively. Biometrics consumer data is likely to continue to create compliance problems issues for companies collecting data on their customers. As the emerging statutes empower consumers with private causes of action, companies using BII need a steady and thoughtful risk mitigation strategy.
For further information, contact Kyle-Beth Hilfer Dasha Chestukhin, or your CLL attorney.
Email | 212.790.9200
Kyle-Beth Hilfer has over thirty years’ experience providing legal counsel to advertising, marketing, promotions, intellectual property, and new media clients. Leveraging her deep understanding of branding, Kyle-Beth ensures regulatory compliance for her clients’ advertising and marketing campaigns.
Email | 212.790.9251
Dasha’s practice encompasses a broad range of intellectual property matters, including trademarks, copyrights, domain names, unfair competition and patents.