CSG Law Alert: First, There Was The New York Shield Act, and Now … The New York Biometric Privacy Act?
On January 6, 2021, the proposed Biometric Privacy Act (the “Act”) was introduced to the New York State legislature. If adopted as drafted, the Act will require:
- Any private entity that “possesses”¹ any biometric identifiers and/or information² (or “biometric data”) must have a written policy, publicly available³, establishing its retention and destruction schedule, as well as a secure means of destroying the data on the sooner of (i) when no longer needed for its original purpose of collection or (ii) after three years from the private entity’s interaction with the person providing the data.
- A private entity cannot acquire, collect, trade, store, purchase or capture biometric data, whether from the person themselves or a third party unless the entity first:
  - Informs the subject that their data is being collected, stored, captured, purchased and/or traded
  - Informs the subject of the underlying legal purpose for which the data is being collected, stored and/or used
  - Receives a written release⁴ from the person or their legal representative.
To be clear, this will apply whether the data is collected from an employee (consider a biometric time clock) or a customer (think thumb prints used at amusement parks and to unlock devices).
Further, the draft legislation proscribes:
- A private entity from selling, trading or otherwise profiting from a person’s biometric data. Note that the draft legislation does not address the sale of (e.g.) employment records or customer data in the context of a merger. As written, such a transfer may then be deemed prohibited without employee consent, as noted below.
- A private entity from sharing or otherwise disseminating any biometric data unless:
  - The subject consents; or
  - The disclosure completes a financial transaction requested by the subject; or
  - The disclosure is compelled by law or by a warrant or subpoena.
While the private entity retains any biometric data, it must take proactive measures to protect the data in its possession – including at rest and when being transmitted.
Private Cause of Action
The draft legislation affords impacted individuals a private right of action against a private entity that breaches the law. For a “merely” negligent failure, the statutory award to the impacted individual is the greater of $1000 or actual damages; whereas for an intentional or reckless violation, the impacted subject can recover the greater of actual damages or $5000. Further, in either case, the individual can recover attorneys’ fees and also seek injunctive relief.
As such, any private entity that currently or in the future intends to collect biometric data from employees, customers or others, should anticipate that after Illinois and now New York, other states may follow suit.
¹ The private entity’s regulated activity includes the collection, storage, transmission and dissemination of biometric data. Further, when no longer needed, the private entity must take measures to securely destroy the data.
² Biometric data covered by the draft legislation would include retina or iris scan, fingerprints, voiceprints, hand scan, and face geometry. The act would not apply to handwriting samples, written signatures, photographs, biological samples used in testing or screening, demographic data, tattoo or physical descriptions (height, weight, hair or eye color). The act also does not apply to health records covered by HIPAA.
³ The draft legislation does not address what “publicly available” may require, but impacted entities should prepare to make this policy available to any persons whose data may be collected prior to the collection.
⁴ For employees, the release may be required to be executed as a condition of employment. However, employers should be mindful as to what purpose(s) they disclose in the release for collecting the data, and not to use the data for other (undisclosed) purposes. As to non-employees (e.g. customers), the consent must be “informed”. Again, entities must be mindful not to use collected data for purposes not authorized by that consent.