UPDATE: Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270). The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages. As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).
UPDATE: Both the Florida and Montana bills died in committee this past spring.
In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.” If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity.
Under the Bill, any commercial establishment that collects, retains, converts, stores or shares biometric identifier information must disclose such practices in the following ways:
- By placing a clear and conspicuous sign near all of the commercial establishment’s entrances notifying in plain, simple language, in a form and manner prescribed by the commissioner by rule, that biometric identifier information is being collected, retained, converted, stored or shared; and
- By making available online:
- The amount of time for which they retain or store the information.
- The kind of information collected.
- Whether they share the information with third parties.
The Bill defines “biometric identifier information” as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, any of which is collected, retained, converted, stored or shared to identify an individual. Agency rulemaking regarding the form and manner of conspicuous notice is also contemplated under the Bill.
Interestingly, this Bill only contemplates notice and does not require obtaining consent or establishing any opt-out mechanisms for consumers once they learn of the collection of their biometric data.
The Bill’s notice requirements are seemingly influenced by the Federal Trade Commission’s (the “FTC”) October 2012 guidance “Best Practices for Common uses of Facial Recognition Technologies.” Most relevant to the Bill, the FTC was particularly concerned with facial recognition technology being used in contexts that consumers would not reasonably expect, such as signs or other elements of a public place. When discussing various types of facial recognition technology that can be used in signs or other items that a consumer may not expect, the FTC guidance states that clear notice should be provided to consumers before they come into contact with a sign because they can choose to avoid it (known as the “walk away choice”). The chosen method may be a prominent notice at the entrance to a store, which is the requirement contemplated by the Bill, the entrance to the section where the sign is located, or on or near the sign itself. The guidance suggests that a notice should clearly state the purpose of the technology and indicate how consumers can find out more information about the technology and the practices of the company operating the signs in that venue.
There are two proposed methods of enforcement under the Bill. First, the commissioner of the New York City Department of Consumer Affairs office may implement a civil penalty of $500 per day for a violation. Second, as noted above, the Bill provides a private right of action for any person whose biometric identifier information was collected, retained, converted, stored or shared in violation of the Bill. Similar to the provisions of BIPA, a prevailing party may recover damages of $1,000 per violation against a private entity that negligently violates the proposed law, or damages of $5,000 per violation against a private entity that intentionally or recklessly violates the proposed law.
The Bill has yet to come before a committee hearing, and we will post an update on any additional action by the City Council. If enacted in its current form, it is reasonable to expect significant biometrics-related litigation in New York.