On January 6, 2021, The New York General Assembly introduced Assembly Bill 27, the “Biometric Privacy Act” (BPA). The proposed law prohibits private entities from collecting a user’s biometric identifiers or information without first implementing a policy and obtaining written consent.
Under the BPA, “biometric identifiers” include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” The BPA defines biometric information as “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual.”
What are the requirements?
If passed, the Biometric Privacy Act would require entities that engage in the collection of biometric data to:
- Develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collection has been satisfied, or within three years of collection
- Informs the subject in writing that biometric data is being collected or stored
- The specific purpose of the collection and the length of time for which it is being collected, stored and used, and
- Obtain a written release from the subject.
The bill also prohibits private entities from selling, leasing, trading, or otherwise profiting from a person’s biometric data. A private entity that discloses or otherwise disseminates a person’s biometric data may do so only:
- complete a financial transaction at the subject’s request,
- if such disclosure is required by federal, state or local law or ordinance, or
- if a valid warrant or subpoena requires such disclosure.
What would happen if the legislation passes?
Perhaps the most noteworthy aspect of the proposed New York legislation is that the Act, would provide for a private right of action with statutory damages of up to $1,000 for negligent violations and $5,000 for intentional or reckless violations, as well as reasonable attorneys fees.
Companies that collect individuals’ biometric data without strict compliance with the Biometric Privacy Act would be at risk for litigation including class actions.
If the legislation were to be enacted, New York would become the fourth state, after Illinois, Texas, and Washington, to have passed biometric privacy laws. Significantly, if the proposed legislation passes, New York would become only the second state, along with Illinois, to have enacted privacy legislation providing for a private right of action.