New York City’s Biometric Identifier Information Law has been in force since 2021, but now, as more and more businesses and venues are collecting and using biometric information, the City has proposed some amendments to the law.
The proposed city laws (Bill Nos.1014-2023 & 1024-2023) will amend the current NYC law in three ways: the proposed laws would (1) expand coverage of the law to all “place[s] or provider[s] of public accommodation”; (2) regulate how those “place[s] or provider[s] of public accommodation” use biometric recognition technology, including requiring written consent for most uses; and (3) prohibit the use of biometric recognition technology by owners of multiple dwellings (landlords).[1]
New York City Biometric Identifier Information Law
As we summarized in our June 2023 advisory relating to biometric data laws in New York and elsewhere, New York City’s Biometric Identifier Information Law, N.Y.C. Admin. Code § 22-1201 et seq., was enacted in 2021 and currently applies to any commercial establishment that collects, retains, converts, stores, or shares biometric identifier information of customers. It requires that businesses disclose to customers such collection, retention, conversion, storage, or sharing of their biometric data by placing a clear and conspicuous sign in plain and simple language near all customer entrances to serve as notice. It prohibits the selling, leasing, or profiting from consumers’ biometric data. The law also provides for a private right of action and allows for damages of $500 for each violation and negligent violation of the regulation, $5,000 for each intentional or reckless violation of the regulation, attorneys’ fees and other related costs and expenses, and other forms of relief including an injunction. However, the law also requires that commercial establishments be given written notice with a 30-day cure period. If the establishment corrects any violation provides the aggrieved individual an express written statement that the violation was cured, then the establishment avoids all liability for the cured violation.
The Proposed Amendments: Bill Nos. 1014-2023 & 1024-2023
Bill No. 1014-2023 broadens the scope of the law beyond “commercial establishments” and instead would apply the NYC Biometric Identifier Information Law to “any place or provider of public accommodation,” as defined in the Administrative Code section pertaining to civil rights. The proposed law exempts businesses if they are “place[s] or provider[s] of public accommodation” that are subject to other cybersecurity regulations specific to certain industries. The law as amended would then apply to all places of public accommodation, including retail stores and concert and sports venues, but would not apply to financial institutions and other entities that are already subject to (i) regulations promulgated pursuant to Title V of the Financial Services Modernization act of 1999; (ii) regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009; or (iii) the New York Department of Financial Services Cybersecurity Regulations (23 N.Y.C.R.R. 500 et seq.).
The bill expands the definition of “biometric identifier information” to include a person’s gait or movement patterns as well as a catch-all provision. The bill also expands the law’s coverage to all use of “biometric recognition technology,” which would include facial recognition technology. Notably, the bill then provides that “any place or provider of public accommodation” is prohibited from using biometric recognition technology for the purpose of identifying or verifying a customer. This change would outlaw the use of biometric recognition technology to refuse service to certain customers.
The new law would strengthen suits similar to the one filed against Madison Square Garden Entertainment Corp., which alleged that MSG had used facial recognition technology to identify and ban customers.[2]
Bill No. 1014-2023 would impose other new requirements for covered businesses:
- For any place or provider of public accommodation where the service offered to the customer requires collecting and processing biometric data, the customer must enter into a written agreement to use that service, which would constitute written consent to the collection and use of biometric data and would also under those circumstances be sufficient for the conspicuous notice requirement under the current NYC Biometric Identifier Information Law.
- Any place or provider of public accommodation that is in possession of biometric data must create a publicly available written policy that outlines retention programs and which must provide for the permanent deletion of biometric data after the initial purpose for the data has ended, or two years from the customer’s last interaction with the business, whichever is earlier.
- Any place or provider of public accommodation that collects, retains, converts, stores, shares, or otherwise obtains biometric data must “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” of biometric data. Those systems must include at least: (1) regular risk assessments and testing of the effectiveness of the security system, and (2) the implementation of both pre-emptive protective measures and responses to cyberattacks and system failures.
- Customers must be given the opportunity to request that their biometric identifier information be erased. The proposed law also prohibits covered businesses from retaliating in any manner against customers who exercise their rights under the NYC Biometric Identifier Information Law, including refusing to consent to the use and collection of biometric data.
Finally, the proposed law leaves intact the provision making it unlawful to trade biometric data for profit, while also forbidding any disclosure to any third party. The bill also maintains the same private right of action and remedies subject to the 30-day cure period.
As for Bill 1024-2023, it would prohibit any “owner of a multiple dwelling” from using any “biometric recognition technology” that can be used to “identif[y] tenants or the guest of a tenant.” The bill also prohibits owners of “smart access buildings” from collecting “the [occupant’s] biometric identifier information if such smart access system utilizes biometric identifier information.”[3] With this language, the bill can be understood as a complete ban of biometric recognition technology for multiple dwelling building landlords.
These bills will need to be voted on by the City Council’s Committee on Technology before they are considered by the full City Council. The measures in Bill 1014-2023 would take effect 180 days after signed into law, and the measures in Bill 1024-2023 would take effect 120 days after signed into law. Of course, these bills still may undergo some revisions and, as drafted, may need some interpretive guidance to clarify issues regarding applicability and exemptions.
Final Thoughts
Owners and operators of New York City businesses and places of public accommodation should assess whether they are in compliance with the current Biometric Identifier Information Law. In addition, they should monitor the progress of the proposed amendments. It is imperative that entities that collect or maintain biometric data understand their obligations and have policies in place to ensure compliance.
* * *
[1] See the New York City Council Legislative Research Center site for the text of Bill No.1014-2023 and Bill No. 1024-2023, plus any updates on the bills’ progress, committee hearings, and legislative history, etc.
[2] See generally Arnel v. Madison Square Garden Entertainment Corp., Docket No. 1:23-cv-05537 (S.D.N.Y. Jun 28, 2023), Court Docket, (bloomberglaw.com)).
[3] See N.Y.C. Admin. Code § 26-3002(a)(4).
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2023 Carter Ledyard & Milburn LLP.