On January 6, 2021, a bipartisan group of state legislators introduced the “Biometric Privacy Act,” (Assembly Bill 27), which would make New York only the second state with a private right of action against entities that improperly use or retain biometric information. This is the third time that New York lawmakers have proposed such a bill.
The bill would protect individuals’ biometric identifiers, defined as fingerprints, voiceprints, retina or iris scans, and scans of face or hand geometry, as well as information based on such identifiers used to identify an individual.[1]
Under the bill, private entities in possession of biometric identifiers or information would need to develop and comply with publicly available written policies establishing retention schedules and guidelines for permanently destroying the identifiers or information when the initial purpose for collecting or obtaining them has been satisfied or within three years of the individual’s last interaction with the entity, whichever occurs first. Private entities would also be required to store, transmit, and protect from disclosure all biometric identifiers and information using the reasonable standard of care in their industry, and in a manner that is the same as or more protective than the manner in which they store, transmit, and protect other confidential and sensitive information.
Covered entities would be prohibited from:
- (1) collecting, capturing, purchasing, receiving through trade, or otherwise obtaining an individual’s biometric identifiers or information, without first: (a) informing the subject in writing that a biometric identifier or information is being collected or stored; (b) informing the subject in writing of the specific purpose and length of time for which the identifier or information is being collected, stored, or used; and (c) receiving a written release;
- (2) disclosing or otherwise disseminating an individual’s biometric identifiers or information unless: (a) the entity obtains the individual’s consent, (b) the disclosure completes a financial transaction requested or authorized by the individual, or the disclosure is required by (c) law or (d) a court; and
- (3) selling, leasing, trading, or otherwise profiting from an individual’s biometric identifiers or biometric information.
With respect to private rights of action, the proposed legislation would allow individuals aggrieved by a violation of the act to recover (a) the greater of actual damages or $1,000 for negligent violations of the statute, or (b) the greater of actual damages or $5,000 for intentional or reckless violations. Aggrieved parties would also be able to recover attorneys’ fees and costs.
The text of the bill is almost identical to that of the Illinois Biometric Information Privacy Act (“BIPA”), which has spawned scores of lawsuits, and has forced some companies to pay hefty sums. Most notably, in 2020, Facebook agreed to a $650 million settlement to resolve a class action lawsuit under BIPA stemming from its facial recognition technology feature called “Tag Suggestions.”
Prior precedent we have previously discussed under Illinois’s BIPA may foreshadow how New York courts might address private actions if the proposed bill becomes law:
- For example, as a matter of state law, the Illinois Supreme Court held that plaintiffs “need not allege some actual injury or adverse effect” in order to seek damages against private entities under BIPA.
- The Seventh Circuit held that, as a matter of Article III (federal) standing (which can differ from state standing requirements), a plaintiff can assert a claim under BIPA merely by alleging a failure to receive adequate disclosure or provide informed consent, without alleging any economic loss or data breach. The Seventh Circuit later made clear that a violation of BIPA’s “unlawful retention” provision can also confer Article III standing. Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146, 1155 (7th Cir. 2020)
- The Ninth Circuit affirmed class certification and found that an alleged violation of individuals’ privacy rights under BIPA stemming from Facebook’s use of facial recognition technology was sufficient to confer Article III standing. The Supreme Court later denied a writ of certiorari. The Second Circuit, in contrast, affirmed the dismissal of a class action lawsuit under BIPA for lack of Article III standing on the ground that plaintiffs alleged only a procedural violation.
- An Illinois appellate court held that an employee’s BIPA claims did not qualify as “wage or hour” claims that were subject to an arbitration agreement, even though the employee’s fingerprint was collected and used for time keeping purposes.
As these precedent show, if New York’s Biometric Privacy Act passes, a flood of litigation may follow. Companies that collect biometric information of New York customers, or even employees, should track these developments closely and be prepared to begin compliance efforts if the proposed bill, or a similar proposal, becomes law.
[1] The bill carves out other types of information such as photographs, writing samples, written signatures, demographic data, human biological samples used for valid scientific testing or screening, physical descriptions (i.e. height, weight, eye color), tattoo descriptions, and information captured from a patient in a healthcare setting.