New York Legislators Introduce a Biometric Privacy Act
On January 6, 2021, a group of New York lawmakers introduced a Biometric Privacy Act to the state legislature (NY A00027). The proposed Act is modeled on the Illinois Biometric Information Privacy Act (BIPA).
The New York law would define “biometric information” as any information “based on an individual’s biometric identifier used to identify an individual.” A “biometric identifier,” in turn, is defined as a “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”
If enacted, the New York law would require private entities to (1) develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying biometric information; (2) inform data subjects that biometric data is collected and stored; (3) inform data subjects of the specific purpose and length of term for which biometric information is collected, stored, and used; (4) obtain written consent from data subjects before collecting biometric information; and (5) use a reasonable standard of care in storing, transmitting, and protecting biometric information from disclosure.
Furthermore, private entities would not be permitted to disclose biometric information unless they obtain the data subject’s consent or the disclosure is required for certain enumerated purposes, such as to complete a financial transaction or to comply with a subpoena. Finally, the law would prohibit private entities from selling, leasing, trading, or otherwise profiting from biometric information.
Similar to the BIPA, the New York law would provide for a private right of action which entitles successful plaintiffs to recover (1) $1,000 or actual damages, whichever is greater, for negligent violations, or (2) $5,000 or actual damages, whichever is greater, for intentional or reckless violations. Notably, there have already been over 200 BIPA class actions filed in state and federal courts for alleged violations of individuals’ biometric privacy rights.
The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect in March of 2020, already requires businesses that license or own biometric information of New York residents to establish “reasonable safeguards” to protect the security, confidentiality, and integrity of such information. To comply with this regulation, companies must implement a data security program which includes certain administrative, technical, and organizational safeguards to protect the data from unauthorized access or acquisition.
As the use of biometrics is increasingly regulated, organizations that collect, use, and share biometric data must make sure that it is incorporated into their privacy and data security frameworks and should develop and enhance the protections and controls they offer to their data subjects. A failure to comply with the emerging regulatory requirements, as well as security failures leading to unauthorized access and disclosure of biometric data, might subject companies to substantial penalties and costly litigation.