Biometric privacy rules arrive in New York


The latest US biometric privacy law went into effect in New York on July 9. While state laws have largely focused on the use of facial recognition and other biometrics by law enforcement, and many have been blocked or rejected, the steadily rising bills to the study includes some other attempts to limit the use of technology by businesses. The New York City Ordinance could be the start of a trend, or just an outlier, but every business in the city should be aware of.

What is the prescription?

New York City’s new biometric ordinance went into effect this month on Friday, July 9. The ordinance regulates the use of “biometric identification information” in “commercial establishments”. It is the first law of its kind in New York State.

  • “Biometric identifying information” is broadly defined to mean “a physiological or biological characteristic” used “by or on behalf of” a “business establishment” to “identify or help identify an individual”. This includes, “without limitation”, retinal or iris scans, fingerprints or voice prints, hand or face geometry scans and any other identifying feature.
  • “Commercial establishment” is broadly defined to include any place of entertainment, retail store or catering establishment.
  • An entertainment venue is “any entertainment facility owned and operated by the private or public sector” and includes theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories and other places where performances, concerts are held. , exhibitions, games or contests. This definition is broad and can extend to places as large as Madison Square Garden and as small as an arthouse theater.
  • Retail stores include any establishment where “consumer products are sold, displayed or offered for sale”. The law will therefore apply to retailers as large as commercial grocery, clothing or household goods chains and as small as corner bodegas and gas stations.
  • Eating establishments include establishments of all kinds that sell food or drink, such as restaurants that serve food “on the spot” as well as “shopping trolleys”.[s], support[s], or vehicle[s]. “This definition captures the local hot dog stalls, neighborhood ice cream trucks and popular artisan food trucks parked along the downtown side streets.

Why is the prescription important?

Over the past few years, retailers, restaurants and many other types of businesses have increasingly used biometric-based systems to control customer access, monitor shoplifting and learn more. on the behavior of customers in their establishments. Entry into gyms, amusement parks, and entertainment and sports venues based on fingerprints and handprints, as well as facial recognition systems in stores, are increasingly common. The rapid advancements in this technology and the increasingly small size and popularity of recording devices and similar tools make such use more likely in the future. The New York City ordinance is likely to impact these and other increasingly popular uses of biometric technology.

The broad definition of “commercial establishment” means that retailers, restaurants and entertainment venues that use cameras to photograph or video consumers, then use software or other tools to analyze the characteristics of the individuals captured in order to to identify them specifically seem to be subject to this ordinance.

What does the prescription require?

If you operate a “business establishment” that collects “biometric identification information” in New York City, you must comply with the new ordinance. As a rule, the ordinance obliges the entities concerned to:

  • Disclose the collection, retention, sharing and use of biometric credentials to consumers by placing clear and visible signage near all customer entrances and exits.
  • Make sure that the required signage is written in clear and simple language. The New York City Consumer and Worker Protection Commissioner may issue specific language or other guidelines regarding signage. Such guidelines, once published, will likely be published here.
  • Make sure that the required signage is written in clear and simple language. The New York Consumer and Worker Protection Commissioner has released specific language for signage, which is posted on the commissioner’s website here under “Signing for businesses using biometric credentials.”
  • Refrain from selling, renting, exchanging, sharing in exchange for value, or “otherwise for profit[ing]From the biometric identifier information. It is not clear what “otherwise profit” means in this context. Other privacy regulations, such as the Illinois Biometric Information Protection Act (BIPA) and the California Consumer Protection Act (CCPA), have sparked significant litigation and debate, especially regarding the meaning of “selling” data. The interpretation of the language here will depend on the text and the history of the law in question. Many have argued that “selling” or “profiting” from data should mean some transfer of data for value. Others have attempted to argue that its scope should be broader and include the for-profit sale of devices that collect data. The question is not yet settled.

The Mayor’s Office for Information Privacy has also posted an FAQ on its website that details the requirements of the ordinance, available here.

Are there any exceptions to the prescription?

Yes. The order includes a number of important exceptions and exclusions. For example:

  • Government agencies, government employees and government officials are excluded from the ordinance.
  • Financial institutions are also excluded. It means banks; savings and loan associations; credit unions; branches of foreign banks; public pension and retirement funds and systems; and stock brokers, dealers and businesses are all excluded from the ordinance. This exclusion does not include establishments that primarily sell goods and services and also issue credit cards or store financing. For example, a furniture chain that offers financing or a store credit card will not benefit from the financial institutions exemption and will have to meet the requirements set out below if it uses biometrics to identify consumers.
  • The ordinance expressly exempts video and photographic images if they (1) are not browsed or analyzed by software or applications that identify or help identify individuals based on physiological or biological characteristics; and (2) not shared, sold or rented to third parties other than law enforcement agencies. This should mean that when a commercial establishment uses closed circuit television (CCTV) systems to monitor shoplifting or the entry and exit of consumers, but does not employ any identification tools or software on the images and does not sell or share the images with third parties other than law enforcement, this conduct is not governed by the ordinance.
  • Since the ordinance only covers the collection of biometric credentials from customers, it does not extend to biometric clocks and other biometric data collection of employees by employers.

Are there penalties for non-compliance?

Yes. The order includes a private right of action, which means that individual consumers can sue for violations. More specifically, any consumer “aggrieved” by an alleged violation of the order can bring an action in a competent court. The meaning of “injured by” is not defined. (The ordinance does not explicitly state whether a New York City agency can bring its own action against an infringing business establishment, but it does stipulate that the Consumer and Worker Protection Commissioner will issue rules relating to the ‘ordinance and will also task the city’s privacy officer to facilitate awareness and education regarding the ordinance, in relation to any other “relevant body”.)

The damages range from $ 500 per “negligent violation” to $ 5,000 per “reckless violation”. What constitutes a “violation” is not defined.

Dominant plaintiffs may also recover reasonable attorney fees and costs, as well as other remedies the court deems appropriate.

It is important to note that the new ordinance also includes a “notice and remedy” provision. Under this provision, a potential plaintiff cannot take legal action on the basis of the alleged failure to display clear signage unless the plaintiff first provides written notice to the offending business establishment. After receipt of the written notification, the establishment has 30 days to remedy any defect or breach of the order. This 30-day notice and processing period may alleviate the order’s private right of action for businesses trying to comply with the order or responding quickly to consumer complaints. No prior notice is required for alleged violations of the prohibition on the sale, rental, exchange or sharing of biometric credentials for valuable consideration.

What should New York City businesses be doing now?

All businesses that use facial recognition and other biometric identification tools and technologies, and that have locations and establishments in New York City, should consult an experienced attorney to determine whether this order applies to their businesses. If the order applies, businesses can work with a lawyer to explore changes to their practices, internal and external privacy policies, and consumer notices that should be made to comply with legal requirements.

About the Author

Perkins Coie is an international law firm with an experienced team of biometric lawyers with extensive experience advising clients on facial recognition technologies and biometric data and biometric privacy litigation. Perkins Coie attorneys also have experience advising clients on New York City’s own privacy laws and regulations, including the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which came into effect a year ago. one year this month.

DISCLAIMER: Biometric Update Industry Information is submitted content. The opinions expressed in this article are those of the author and do not necessarily reflect those of Biometric Update.

Articles topics

access control | biometric data | biometrics | data collection | data protection | facial recognition | legislation | New York | confidentiality | regulation | retail biometrics


About Roberto Frank

Check Also

Lenovo ThinkPad P15v 2022 with Ryzen 7 6800H launched in China

Lenovo ThinkPad P15v 2022 Ryzen Edition Lenovo offers a top-of-the-line selection of high-end laptops under …

Leave a Reply

Your email address will not be published.