On January 6, 2021, a bipartisan group of New York State lawmakers introduced Assembly Bill 27, the latest version of proposed privacy legislation that would allow consumers to sue companies for improperly using or retaining their biometric data. Better known as the Biometric Privacy Act (the “BPA”), the bill, if enacted, would impose significant compliance requirements for companies handling biometric data. The BPA would make New York State only the second state with a private right of action that includes statutory damages against entities that improperly use or retain biometric data. If the BPA is signed into law, it would likely bring a flood of class action litigation, similar to that seen in Illinois under Illinois’ Biometric Information Privacy Act (the “Illinois BIPA”).
Overview of the BPA
New York’s BPA will regulate private entities’ use and retention of “biometric identifiers” and “biometric information.” “Biometric identifiers” include things such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. “Biometric information” includes “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.” Effectively, the BPA would require private entities that engage in the collection of biometric identifiers or biometric information (collectively, “biometric data”) to:
- Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information;
- Inform the subject or the subject’s legally authorized representative in writing that the entity will collect or store the subject’s biometric identifier or biometric information;
- Inform the subject or the subject’s legally authorized representative in writing of the specific purpose and length of time the entity will collect, store and use the biometric identifier or biometric information; and
- Receive written consent from the subject or the subject’s legally authorized representative to use the subject’s biometric identifier or biometric information.
The BPA would also prohibit private entities from selling, leasing, trading, or otherwise profiting from an individual’s biometric data and would put strict restrictions on private entities’ ability to disclose such information without the individual’s consent. Companies in possession of biometric data would also need to safeguard such data in the same manner as, or in a more protective manner than, they store, transmit and protect other confidential and sensitive information.
BPA’s Private Right of Action
New York’s BPA, similar to the Illinois BIPA, provides a private right of action for any individual “aggrieved” by a violation of the law, and would allow such individual to recover damages of up to $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, as well as attorneys’ fees and costs. The BPA does not define the word “aggrieved” in the statute itself. However, we anticipate that courts in New York would look to decisions in Illinois under Illinois’ BIPA. There, the Illinois Supreme Court has held that an individual need not allege an actual injury or adverse effect to be “aggrieved.” Rather, an individual can be aggrieved simply by alleging an entity’s failure to follow the statute’s notice and consent requirements. Rosenbach v. Six Flags Entertainment Corporation et al., 2019 IL 123186 (Ill. 2019).
Employer Implications and Next Steps
Since 2018, New York lawmakers have proposed similar biometric privacy laws on three occasions. While previous bills have been unsuccessful, there has been a general trend in New York, several other states, and the Federal government towards strengthening biometric privacy rights. For example, in 2019, New York enacted the SHIELD Act, which expanded on the types of data companies need to safeguard, including biometric information. Several other states, such as Illinois, Texas and Washington, have laws regulating the use and collection of biometric information, though only Illinois currently allows for a private right of action.
The BPA is still in the early stages of the legislative process and it remains to be seen if it will be signed into law. If enacted, New York’s BPA would go into effect 90 days after passage. Given the bill as currently drafted, employers and companies doing business in New York who collect such information should begin to take proactive steps to ensure compliance. In particular, businesses should review their current policies, practices and procedures related to the use, collection and storage of biometric data, and should provide written notice to, and obtain consent from, individuals before any biometric data is collected. Alternatively, businesses should allow individuals to opt out of such data use or collection. Additionally, employers should maintain data security measures to safeguard an individual’s biometric data by, for example, establishing limits on who is authorized to access, collect, disclose, save, and destroy the data and implementing appropriate encryption measures. We will continue to monitor the status of the BPA and provide updates as more information becomes available.