Since July 9, 2021, New York City’s businesses have been subject to the requirements of a new biometrics law. Businesses operating in New York City should consider both their potential liability under these new requirements and whether their current insurance program protects them against associated risks.
The new law imposes two limitations on the use of “biometric identifier information,” which is defined as “a physiological or biological characteristic that is used … singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
- First, the law imposes a disclosure obligation on all “commercial establishment[s].” Any such establishment—defined to include “a place of entertainment, a retail store, or a food and drink establishment”—that “collects, retains, converts, stores or shares biometric identifier information of customers” must disclose that use “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances” that notifies customers of the use “in plain, simple language[.]” A subset of biometric information is excepted from this disclosure requirement. Disclosure of photographs or video recording is not required “if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.”
- Second, the law also makes it unlawful “to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.” No category of biometric identifier information is excepted from this requirement.
Like the Illinois Biometric Information Privacy Act (BIPA), the New York City law creates a private right of action for violations of the law’s requirements. If a commercial establishment violates the law’s disclosure obligations, a consumer can bring suit 30 days after giving the establishment written notification of the alleged violation—unless the commercial establishment provides “an express written statement that the violation has been cured and that no further violations shall occur.” No prior notice is required before a consumer can bring suit for violation of the prohibition on selling biometric identifier information.
Covered businesses face separate potential liability under both facets of the new law. A commercial establishment must pay damages of $500 for “each violation” of the disclosure requirement. Damages of $500 may be recovered for each negligent violation of the prohibition on the sale of biometric identifier information and $5,000 for each intentional or reckless violation. The statute also authorizes the recovery of attorneys’ fees, costs and injunctive relief.
The fact that the statute authorizes the recovery of attorneys’ fees could lead to the filing of substantial and costly class action lawsuits, comparable to those filed under Illinois’ BIPA. Six Flags recently paid $36 million to settle a class action lawsuit brought under the Illinois law for the alleged unauthorized collection of fingerprint scans to confirm the identity of season pass holders. In February, Facebook settled for $650 million a privacy class action lawsuit brought for the alleged unauthorized collection of digital facial scans.
Although New York courts have yet to address this recent enactment, the Illinois Supreme Court recently found that personal injury and advertising injury provisions in business insurance policies provide coverage for claims brought under Illinois’ BIPA. These risks may also fall within companies’ cyber insurance policies. Competent coverage counsel can help New York policyholders analyze their business insurance policies for potential coverage for privacy claims, before deciding when and how to submit a claim or draft pleadings or other dispute-related documents. Policyholders should also keep an eye open for specific privacy claim exclusions in future policies, which are already appearing in some policies, and negotiate to include that coverage (if possible), to the extent they are exposed to risk of those claims.
The Duty to Defend a Privacy Claim Arises from Even Limited Publication of Biometric Identifiers