New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on all private entities operating in the state, including employers.
New York City’s Biometric Privacy Law
On July 9, 2021, New York City’s biometric privacy law became effective. The law has two main requirements: Section 22-1202 a. and b.
Section 22-1202 a. provides that any “commercial establishment” that collects, retains, converts, stores or shares biometric identifier information of customers must disclose its practice to customers by placing a clear and conspicuous sign near all customer entrances. This requirement is clearly limited to “commercial establishments” — which the law defines as “a place of entertainment, a retail store, or a food and drink establishment” — and such establishments’ customers.
The applicability of Section 22-1202 b. is less clear. This subsection simply provides:
It shall be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.
Without the clear “commercial establishment” qualifier, subsection b. could be interpreted to apply to employers. This is notable because New York City’s law provides aggrieved individuals with a private right of action to recoup $500 for each violation and $5,000 for each intentional or reckless violation, as well as attorneys’ fees and costs.
However, legislative history indicates that all aspects of the law are intended to be limited to commercial establishments and their customers, not employees. For example, New York City Council meeting minutes reflect that the law’s purpose is to make it “unlawful ‘to sell, lease, trade, share in exchange for anything of value or otherwise profit’ from the exchange of customer’s biometric identifier information that these establishments have used to identify individuals.”
The law’s definition of “biometric identifier information” also reflects the intended narrow application. “Biometric identifier information” is defined within the law as:
a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.
The inclusion of “commercial establishment” thus limits which type of entity all portions of the law, including subsection b., could apply to. Therefore, at most, subsection b. could apply to “commercial establishment” employers, if it applies to employers at all.
New York City’s Chief Privacy Officer will post guidance for those entities likely to be impacted by the new law. It is anticipated that such guidance will clarify whether the law applies to employers.
New York State’s Proposed Biometric Privacy Law
Even if New York City’s law does not apply to employers, a proposed statewide biometric privacy bill, if enacted, would impose more expansive requirements on all private entities operating in New York state, including employers.
New York state’s Biometric Privacy Act, AB 27 (BPA), was introduced earlier this year and has bipartisan support. The BPA is very similar to Illinois’ Biometric Information Privacy Act (BIPA), which has recently become notorious for generating numerous large class action settlements and a variety of appellate issues.
Like Illinois’ BIPA, New York’s proposed BPA generally requires all private entities in possession of biometric identifiers or biometric information to do the following.
- Develop a publicly available written policy establishing a retention schedule and guidelines for permanently destroying said data when the initial purpose is satisfied, or within three years of the biometric subject’s last interaction with the private entity, whichever occurs first.
- Satisfy several other preconditions prior to collecting biometric identifiers or information, including:
- informing the subject in writing that the biometric data is being collected or stored;
- informing the subject in writing of the purpose and length of time for which the data is being collected; and
- obtaining a written release signed by the subject of the data being collected.
Additionally, the BPA provides requirements for storing and destroying biometrics, including that biometrics must be stored in at least the same manner that other confidential information is kept and using the industry’s reasonable standard of care.
Also like Illinois’ BIPA, New York’s BPA will undoubtedly spur a flurry of single plaintiff and class action cases against employers. As currently drafted, the BPA provides for a private right of action allowing plaintiffs to recover the greater of actual damages or $1,000 for each negligent violation, and actual damages or $5,000 for each intentional or reckless violation. In addition, plaintiffs are entitled to reasonable attorney's fees, costs and other relief, including an injunction.
What Should Employers Do Now?
While it remains to be seen whether the proposed BPA will become law, if enacted in its current form, New York employers are sure to face increased litigation regarding any biometric timekeeping or security practices they utilize. Accordingly, while these biometric laws loom, New York employers should consider proactively adopting biometrics policies and obtaining written releases from employees whose biometric data is being collected. Employers should also adhere to general data collection principles, including confidentiality and security measures.
For assistance monitoring and complying with New York’s biometrics privacy and other employment laws, please contact the authors, other members of the McGuireWoods labor and employment team, or your McGuireWoods contact.