Proposed NY Biometric Privacy Act Would Allow Private Right of Action

New York may become the latest state to allow consumers to sue companies for improperly collecting, retaining or using certain biometric data. Earlier this week, a bipartisan slate of state legislators (17 Democrats, 7 Republicans) introduced Assembly Bill 27, which seeks to amend New York’s General Business Law to add a new article known as the ​“Biometric Privacy Act.” Of primary interest here is the bill’s grant to individual consumers of a right to sue companies that violate the terms of this potential new law.

What the Law Would Cover. Currently, Illinois is the only state with a biometric privacy statute that provides for a similar private right of action. Illinois’s Biometric Information Privacy Act, commonly known as BIPA, has been the subject of previous discussion here. The requirements of the proposed New York law largely mirror BIPA. For example, both have a private right of action and substantially similar definitions of ​“biometric identifiers” and ​“biometric information,” prohibitions regarding the collection, storage, and transfer of such information, and penalty provisions. Should the law pass, the trends and jurisprudence that have emerged from the litigation in Illinois will be particularly instructive to New York companies.

New York’s proposed bill applies to ​“biometric identifiers” such as retina or iris scans, fingerprints, voiceprints, hand or face geometry scans used to identify an individual, and ​“biometric information” that is used to identify an individual based on his biometric identifier(s). The bill specifically excludes certain data from its scope, including writing samples, written signatures, photographs, human biological samples used for valid scientific purposes, demographic data, tattoo descriptions, and physical descriptions such as height, weight, hair color, and eye color. (We note that the proposed law would be consistent with New York SHIELD Act​’s expanded definition of ​“private information.”)

What the Law Would Require. The proposed law requires private entities in possession of biometric identifiers orbiometric information (collectively referred to herein as ​“biometric data”) to develop public, written policies establishing a data retention schedule and destruction guidelines. It also prohibits private entities from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person’s biometric data unless it first:

(1) informs the subject in writing that biometric data is being collected or stored, (2) the specific purpose of the collection and the length of time for which it is being collected, stored and used, and (3) obtains a written release from the subject.

The bill also prohibits private entities from selling, leasing, trading, or otherwise profiting from a person’s biometric data. Further, a private entity that discloses or otherwise disseminatesa person’s biometric data may do so only:

(1) upon obtaining the subject’s consent; (2) to complete a financial transaction at the subject’s request, (3) if such disclosure is required by federal, state or local law or ordinance, or (4) if a valid warrant or subpoena requires such disclosure.

Private Right of Action. Significantly, the proposed bill includes a private right of action in New York supreme court for any violation of the statute’s requirements. Where a violation is found, the prevailing consumer may recover the greater of actual damages or liquidated damages per violation of up to $1,000 for a negligent violation and up to $5,000 for an intentional or reckless violation. The statute also includes provisions that allow for recovery of attorneys’ fees and costs. There is no bar on aggregated or class claims.

​In Illinois, BIPA has been the catalyst for an active stream of consumer lawsuits in both state and federal court. Such claims were bolstered by an Illinois Supreme Court holding that even mere technical violations of the statute were sufficient to warrant consumer recovery. Rosenbach v. Six Flags Ent’r Corp., 129 N.E. 3d 1197 (Il. 2019). Illinois experience with private consumer litigation is instructive for the scope that it has reached. Thus far, litigants have used it to raise various hot-button issues, including questions around companies’ employment practices such as the use of fingerprints for timekeeping records and retailers’ use of facial recognition technology in their store security measures.

Assembly Bill 27 has been referred to the Consumer Affairs and Protection Committee. We will continue to monitor its status and other laws/litigation related to biometric privacy.

If you have questions about your pending or potential litigation risks arising from use, storage, or sale of personal information, please reach out to a member of our team.