As businesses find useful new ways to harness the evolving technology that captures and analyzes human biometric data, legal regulation of such technology’s usage is also developing, responding to concerns about personal privacy and control over personally identifying information. With a few states—notably, Illinois, Texas, and Washington—having taken the lead on protecting individual rights and restricting the collection and use of biometric information by requiring notice and consent, New York City has also recently enacted new rules that limit the collection, storage, and dissemination of such personal data.
This Epstein Becker Green Insight discusses New York City’s new biometric ordinance, as well as proposed statewide legislation now under consideration in Albany. Further, placing these New York developments in context for employers, this Insight also reviews trends in other states’ legislation—including their enforcement mechanisms—and comments on some of the case law that has begun to emerge. As biometric technology takes on an increasingly prominent role in business and in the workplace, including for security purposes, it is imperative that companies and employers monitor this developing area of the law.
New York City Ordinance Now in Force
New York City recently passed the Biometric Identifier Information Ordinance (“Ordinance”), which regulates notice of the collection of biometric information by certain commercial establishments and prohibits its sale. New York City thereby joins California, Illinois, Texas, and Washington in prescribing notice requirements for biometric identifying data, while New York State considers a more robust statewide biometric privacy law that, like the Illinois, Texas, and Washington statutes, would additionally mandate consent. Employers and businesses must be mindful of the patchwork of privacy and cybersecurity laws that affect their collection and use of biometric and other personal information, as part of their ongoing compliance efforts.
Effective July 9, 2021, the Ordinance requires certain commercial establishments with physical locations within New York City that collect, share, or maintain biometric identifying information to notify customers of that use by posting signage near all customer entrances. This signage, which must be “in a form and manner prescribed by the commissioner of consumer and worker protection by rule,” must provide notice that customers’ biometric identifying information is being collected or otherwise processed and must convey this information in “simple language” and in a “clear and conspicuous” manner. Although the Ordinance does not require covered businesses to obtain advance written consent before collecting biometric identifying information (in contrast to, e.g., Illinois’s Biometric Information Privacy Act (“BIPA”)), it does broadly prohibit covered businesses from selling, trading, leasing, or sharing the information collected “in exchange for anything of value” or otherwise profiting from transacting it. Thus, the sale and other use-for-profit prohibitions apparently reach all individual biometric information, including that of employees, contractors, or other non-customers, and apply independently of the notice requirement. The Ordinance was intended to “address the increased collection and use of biometric identifier information, such as the use of facial recognition technology, by commercial establishments to track consumer activity” and “prohibits the sale of biometric identifier information.”
Significantly, the Ordinance provides a private right of action, with remedies that may include damages of $500 per violation of the signage requirements, damages of $500 for each negligent sale or other profiting from the transaction of biometric identifying information, and damages of $5,000 for each intentional or reckless sale or other profiting. Prevailing parties in such actions may also recover reasonable attorneys’ fees and costs, including expert witness fees. With respect to notice violations only, the Ordinance requires that an aggrieved party notify the business of the violation in writing before commencing any action, to provide an opportunity to cure (similar to the current version of the California Consumer Privacy Act). A covered business has 30 days from receipt of such notice to cure the violation and inform the customer, in writing, that (i) it has cured the violation and (ii) the violation will not recur. There is no notice requirement or cure period for an action based upon an allegation that a business has sold or traded biometric data for monetary or other profit.
New York State Proposes a Broader Biometrics Law Requiring Advance Consent
In January 2021, Assembly Bill 27 (“AB27”), known as the Biometric Privacy Act, was introduced in the New York State Legislature. Under this proposed law, any “private entity,” such as a business, would be required to notify individuals in writing and acquire a written release before it collects, obtains, or purchases a biometric identifier or biometric information. Such notice must disclose the specific purpose for obtaining such data and provide the length of time anticipated for the data to be collected, stored, and/or utilized. The notice and consent requirements would apply within the employment context under the terms of the statute. Specifically, to the extent that businesses obtain a biometric identifier or biometric information from an employee, they would be required to obtain an executed written release from the employee as a condition of employment.
As with the Ordinance, AB27 would broadly prohibit the sale, lease, trade, or profit from a person’s or customer’s biometric identifier or biometric information. With few exceptions, if a business seeks to share a person’s or customer’s biometric identifier or information with a third party, it would be required to obtain consent for the sharing from the identified person, regardless of whether the individual is a customer or employee, or from the individual’s legally authorized representative. Furthermore, AB27 would require that businesses safeguard the biometric information using the reasonable standard of care within the particular industry and using safeguards that are “the same as or more protective than” the manner in which the business protects other confidential and sensitive information. The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) already requires businesses to adopt an information security program to protect biometric information and other private information, as our previous articles have highlighted. AB27, if passed, would effectively contextualize and heighten certain cybersecurity requirements under the organization’s information security program.
If passed, AB27 would also require businesses to develop and make public a written policy that outlines a retention schedule and establishes guidelines for permanently destroying such information at the proper time. The proposed New York State law’s mandate that businesses publish their retention schedule and practices is similar to the publication requirements of the California Privacy Rights Act, which is set to become effective January 1, 2023, as our previous articles discuss. Under AB27, businesses would be expected to destroy biometric identifiers and information once the initial purpose for obtaining the data “has been satisfied,” or within three years of the individual’s last interaction with the business, whichever occurs first. This mandated time frame for data destruction would apply to both customers and employees under the proposed legislation.
Following the model of Illinois’s BIPA, AB27 would make New York the second state in the United States with a biometric privacy law that permits a private right of action, and awards a successful party’s reasonable attorneys’ fees and costs (including expert witness fees and other litigation expenses), for failure to obtain written consent. The proposed law would grant liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations, and the greater of $5,000 or actual damages for reckless or intentional violations. AB27 currently awaits further review in committee in the Assembly. If enacted, New York will join Illinois, as well as Texas and Washington, as a state that enforces biometric privacy laws requiring both transparency and consent for biometric data collection.
The Larger Legal Landscape on Biometrics
As discussed above, both states and cities have continued to propose or enact legislation regulating the collection of biometric data. Although some of the requirements do not currently pertain to the employment relationship, more and more are beginning to do so. As a result, as with some other topics, such as sick time and the use of criminal history (so-called “ban-the-box” laws), states and localities have created differing obligations about which multi-jurisdictional employers must be mindful. Indeed, employers will need to continue to be vigilant when collecting, using, disclosing, and destroying biometric data.
Illinois enacted BIPA, the nation’s first state biometric privacy statute, in 2008. BIPA codified safeguards against the unlawful collection and storage of biometric information by private entities, including most employers. Under BIPA, customers and employees alike are entitled to notice regarding the collection of their biometric identifiers and information (as defined to exclude certain data) and must provide informed written consent before businesses may collect, store, or use such identifiers and information. Employees are required to execute a written release as a condition of employment and, along with consumers, are entitled to a private right of action for any harm caused by an employer’s BIPA violations.
In 2009, Texas enacted its Capture or Use of Biometric Identifier Act (“CUBI”), which applies only to biometric identifiers captured for commercial purposes and does not apply to voiceprint data that financial institutions or their affiliates maintain. Similar to the requirements under BIPA, customers and employees of covered entities must receive notice and give consent before their biometric data is collected. Moreover, CUBI contains certain requirements related to the disclosure of such data. CUBI also provides that a company’s justification for collecting an employee’s biometric data for security purposes is generally presumed to expire immediately upon the termination of the employment relationship. Employers should follow sound data minimization principles and destroy employee biometric information when the employment relationship has ended or when the information is no longer needed for the identified purpose. In contrast to Illinois’s BIPA, employees and customers in Texas are not entitled to a private right of action if a CUBI violation occurs. Rather, in Texas, the state attorney general enforces the statute.
Washington’s Biometric Identifiers Law (“H.B. 1493”) was enacted in 2017. Under H.B. 1493, “providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose” is required for customers and employees before including a biometric identifier in a database for commercial purposes; however, the statute provides that the notice and consent “required to achieve compliance” can vary by context. The Washington statute generally prohibits commercial use of biometric data without an individual’s consent but provides for exceptions, including, but not limited to, disclosure related to certain financial transactions or other products or services authorized, subscribed to, or requested by the individual. In addition, the Washington law requires covered persons to use “reasonable care” to protect “against unauthorized access to and acquisition of biometric identifiers” and limits the retention of such data. The Washington law does not provide a private right of action, leaving its enforcement to the state attorney general.
More recently, in 2020, Maryland enacted H.B. 1202, which restricts employers from using specific kinds of facial recognition technology in interviews without the applicant’s written consent. This law, which does not provide any mechanism for enforcement, became effective October 1, 2020.
Litigation Trends: “Injury in Fact”
One topic that has been the subject of biometrics-related litigation is whether a plaintiff needs to have suffered actual harm to bring a claim under the applicable law. In 2019, deciding Rosenbach v. Six Flags Entertainment Corp., the Supreme Court of Illinois held that a person need not have sustained actual damage beyond the violation of the person’s rights under Illinois’s BIPA in order to bring an action.
Although the Rosenbach case did not revolve around an employment relationship, courts within the Seventh Circuit have cited it in deciding a string of cases related to employers’ collection and use of biometric data and alleged violations of BIPA. Against this backdrop, the Seventh Circuit heard Fox v. Dakkota Integrated Systems, LLC. In that case, the employee alleged, among other things, that the employer unlawfully retained biometric data after the employment relationship had concluded. The Seventh Circuit held that a failure to adhere to restrictions on biometric data retention inflicts as concrete an injury on a person as does a violation of restrictions on biometric data collection, thereby supplying the “injury in fact” required for standing to bring a federal action on claims based in state law.
Lawsuits against employers that violate these laws are on the rise, but given the developing legal landscape and evolving changes in biometric technology and usage, relevant jurisprudence is still unfolding. As more employers begin to use this relatively new and evolving technology in the workplace, including in connection with hiring, cybersecurity, and timekeeping, they should not overlook the rules surrounding its use and the collection, storage, transaction, disclosure, and destruction of biometric information and identifiers.
What Employers Should Do Now
- New York City employers should determine whether they qualify as a “commercial establishment” (as defined in the Ordinance) and, if so, adhere to the Ordinance’s prohibition on selling, trading, leasing, or otherwise profiting from the transaction of any biometric information collected on their staff.
- In addition, to the extent that staff can purchase goods or services from the establishment, New York City employers should ensure that they meet the notice requirement for all their customers, including any employees who are also customers.
- Employers and businesses throughout New York State should continue to monitor the results of AB27, especially if they currently collect or utilize biometric information, or intend to do so.
- Employers within New York State should also be cognizant of the prohibitions of New York Labor Law Section 201-a, prohibiting employers (with certain exceptions, e.g., hospitals, and except as otherwise provided by law) from fingerprinting employees as a condition of employment, and determine whether the prohibitions apply to any contemplated employee finger scanning.
- Given the trends in legislation and court cases, employers with multiple offices nationwide—specifically in regions that have yet to weigh in on the matter—should continue monitoring the legal landscape of biometrics laws, especially when making decisions on the use or collection of such data.
- Employers in California, Illinois, Texas, and Washington should ensure that their biometric data notification, collection, and use practices comply with current and anticipated requirements in their states.
- All employers and businesses should take care regarding data security and prevent unauthorized access, transmission, distribution, sharing, trading, or selling, or any unlawful commoditizing, of biometric data, including conducting a risk analysis and adopting a written information security program containing reasonable safeguards.
America Garza, a Summer Associate (not admitted to the practice of law) in Epstein Becker Green’s New York office, also contributed to the preparation of this Insight.
 The term “commercial establishment” means “a place of entertainment, a retail store, or a food and drink establishment.” A “place of entertainment” is “any privately or publicly owned and operated entertainment facility, such as a theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.” A “retail store” means “an establishment wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.” A “food and drink establishment” is “an establishment that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.”
 Note that this notice requirement does not apply to either financial institutions or biometric identifier information “collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.”
The term “biometric identifier information” means “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”
 The term “customer” means “a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”
 “[P]rivate entity” includes “any individual, partnership, corporation, limited liability company, association, or other group, however organized.” The term does not include “a state or local government agency or any court in the state, a clerk of the court, or a judge or justice thereof.”
 Under AB27, the term “individuals” would include customers, employees, and any other person subject to biometric scanning, fingerprinting, or voice printing or whose biometric identifier or information is added to a company’s biometric data collection system.
 Under AB27, “biometric information” means “any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifier used to identify an individual” (emphasis added). It does not include “information derived from items or procedures excluded under the definition of ‘biometric Identifiers.’” In this regard, a “biometric identifier” means “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Biometric identifiers do not include “writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.” They also do not include donated body parts, blood, or serum “stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency.” Also not included is any health care information “captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations” under HIPAA, or any information obtained through “an x-ray, roentgen process, computed tomography, [MRI], positron-emission tomography scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.”