Goodwin Insights February 26, 2021

New York Proposes Consent For Collection Of Biometric Data, Backed By Private Right Of Action

New York State Legislature Proposes Biometric Privacy Act

On January 6, 2021, the New York state legislature proposed the Biometric Privacy Act (AB 27) to regulate the collection of biometric information by companies doing business in the state. The bill is currently in committee, and if enacted, New York would become the fourth state in the U.S. — behind Illinois, Texas, and Washington — to enact a specific biometric privacy law requiring disclosures and consent for the collection of biometric identifiers or information, such as fingerprints, voiceprints, and retina scans.

Under the proposed bill, biometric identifiers include biometric data that can identify an individual person — such as retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry. Biometric identifiers do not include other personal characteristics, such as writing samples, photographs, and physical descriptions (e.g. height and weight). Biometric information means any information based on an individual’s biometric identifier used to identify an individual.

If enacted, AB 27 would become only the second biometric privacy act in the U.S. to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants. Like Illinois' Biometric Information Privacy Act (BIPA), which AB 27 mirrors very closely, the New York law would allow consumers to sue businesses for actual or statutory damages of up to $1,000 for each negligent violation, and $5,000 for each intentional or reckless violation. This is a significant development for companies operating in New York, particularly in light of the recent rise in class action litigation over workplace privacy issues.

The proposed bill would prohibit companies from collecting, purchasing, or otherwise obtaining biometric identifiers or information without first notifying individuals in writing and obtaining a written release prior to collection. This notice must include the specific purpose and length of time for which the data will be collected, stored, and used. Similarly, companies in possession of biometric data would generally be prohibited from selling, leasing, trading, and profiting from the biometric identifiers or information that they hold. The disclosure of biometric identifiers or information to third parties would generally require the consent of the identified consumer.

AB 27 would require companies that hold biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric identifiers or information. 

The bill would also require companies to safeguard biometric identifiers or information using measures that are the same or more protective than those that the subject organization maintains for other confidential or sensitive information. Further, the law would require the destruction of biometric identifiers and information when the initial purpose for obtaining such data “has been satisfied,” or within three years of the individual’s last interaction with the organization, whichever occurs first.

Takeaways for Companies

Companies should be proactive in reviewing policies and procedures relating to the identification, collection, retention, and disposal of biometric identifiers and information. Because AB 27 has a private right of action similar to BIPA, the passage of AB 27 would likely lead to class action litigation over a broad range of business practices that involve collection of biometric information, from the use of facial recognition technology on photographs to the supply of biometric time-keeping services to employers. Companies that offer these types of products and services should closely monitor the trajectory of AB 27.

Companies should also review their business practices to determine whether they collect data that may qualify as a biometric identifier or information, and ensure that they are obtaining proper consent for such collection. Companies should consider inventorying and documenting the sources and storage locations of any biometric information or identifiers they collect, as well as accessed by any third parties.

Companies should also be sure to comply with other state and federal laws that may impose obligations relevant to the processing of biometric data. These obligations could include other state privacy laws that may require disclosure or consent, as well as obtaining parental consent for collection of biometric data of minors.

For example, New York enacted the SHIELD Act in 2019. This Act both broadened the definition of personal information for purposes of the state’s data breach statute, and required that companies safeguard certain biometric information. Further, in December of 2020, New York Governor Andrew Cuomo signed legislation suspending the use of facial recognition technology in the state’s schools, in response to a growing push to limit the use of biometric surveillance due to privacy concerns.

Several other states, including Massachusetts, Hawaii, Florida, and Arizona are also considering biometric privacy legislation. California already regulates biometric information, and provides a limited private right of action under the California Consumer Privacy Act (CCPA) in the event that biometric information is compromised in a data breach.

Goodwin's Chambersand Legal 500 ranked Data, Privacy and Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs.