Spread the News: NYC Joins in Regulating the Use of Biometric Data

Written By Hosch & Morris

Privacy Plus+

Privacy, Technology and Perspective

Spread the News: NYC Joins in Regulating the Use of Biometric Data.  In about six weeks from now, New York City (not State) will join the states of Illinois, Texas, Washington and California in regulating the collection and dissemination of “biometric identifier information” – at least for some businesses. 

“Biometric Identifier Information” – What is it?: Under NYC Administrative Code Chapter 12, the term “biometric identifier information” generally covers any information used by or on behalf of a commercial establishment to identify a person.  Think retina or iris scans, fingerprints or voiceprint, hand scans, scans of face geometry, or any other identifying physiological or biological characteristics.

Prohibition on “Profiting” from “Transactions” in Bio-ID Info:  Starting on July 9, 2021, it shall be “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

Collecting Bio-ID Info? Signs required: Further, all “commercial establishments” in NYC that collect biometric identifier information must disclose their practices to customers, by posting a “clear and conspicuous sign” near all their customer entrances which informs customers “in plain, simple language” that their biometric information is being collected -- and what will be done with it. 

Aimed at Street Traffic: The new ordinance only applies to “commercial establishments” – which the ordinance defines as retail stores, places of entertainment, and bars and restaurants. “Commercial establishments” specifically don’t include banks or other financial institutions, and the ordinance also exempts activities of government agencies. But much else is also exempt by being outside the definition – such as office buildings or churches, to name a few.  

Other Exemptions:  The new ordinance won’t apply to photos or video recordings if they aren’t (in effect) analyzed by facial-recognition software, and aren’t shared with, sold, or leased to anyone except law enforcement. 

A Private Right of Action: Like Illinois (but not Texas, Washington or California), the new ordinance will include a private right of action. Anyone “aggrieved” by unannounced collection – provided it is still uncured after 30 days’ written notice – may sue for each violation. If the establishment “shares” the bio-ID info in return for value or otherwise “profits” from it in some way, then no notice or opportunity to cure is required and an “aggrieved” plaintiff may sue straightaway.  Attorneys’ fees are recoverable, and statutory damages are $500 per each negligent violation, or $5,000 per each “intentional or reckless” violation.

You may read the entire ordinance by clicking on the following link:

https://codelibrary.amlegal.com/codes/newyorkcity/latest/NYCadmin/0-0-0-42626

Interesting Questions:  The new ordinance leaves some interesting open questions:

  • “Each?”  The statutory damages apply to “each” violation.  If a store fails to post a sign for a day, or two, or thirty, is “each” day “one” “violation?” Or are “violations” measured by the number of customers surveilled without notice?

  • “On his or her account?”   The ordinance says anyone “aggrieved” may sue “on his or her account.”  Will that forestall group or class actions?

  • “Plain and Simple” to whom?  The signs must use “plain and simple” words.  New Yorkers speak every language in the world. In order to be “plain and simple” to New Yorkers, must the signs include multiple languages?  How many languages will be enough?  Which ones?  Will it vary by neighborhood? What about Midtown?

  • What about your “Friendly Neighborhood Shoplifter?Like storeowners (and certainly casino owners) everywhere, NYC storeowners often share with each other warnings, descriptions, and pictures of shoplifters and worse. May they continue to do this, or will this ordinance mean they now must go through NYPD for everything?

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

Hosch & Morris https://hoschmorris.com
Previous

“Cyber Pearl Harbor,” Cybersecurity Executive Order, Pipeline Security Directive, and More
Next

Antitrust Takes Center Stage in China?