NYC Biometrics Law: What Businesses Need to Know

New Biometric Privacy Regulations in New York City

A recently enacted ordinance is now in effect throughout New York City, establishing new restrictions on how businesses manage the biometric data they gather from customers.

New Requirements for Businesses

Effective from Friday, any business collecting biometric information – frequently through methods like facial recognition and fingerprint scanning – is obligated to prominently display notices and signage. These must clearly inform customers about the data collection process.

This ordinance encompasses a broad spectrum of commercial entities. This includes retailers, stores, restaurants, and theaters, among others. Furthermore, these businesses are prohibited from selling, sharing, or monetizing the biometric information they collect.

Enhanced Protections for Individuals

This legislation aims to provide increased safeguards for New Yorkers, as well as the millions of annual visitors, regarding the collection and utilization of their biometric data.

It also intends to discourage the adoption of technologies that have been criticized for being discriminatory and unreliable.

Enforcement and Penalties

Violations of this law may result in substantial penalties for businesses. However, fines can be avoided if any issues are promptly rectified.

Limitations of the Ordinance

The law isn't without its limitations. It does not extend to government agencies, including law enforcement.

Additionally, employees of covered businesses are exempt, specifically those utilizing fingerprint scanning for timekeeping purposes. The precise definition of what constitutes biometric data may also be subject to legal challenges, potentially broadening or narrowing its scope.

National Context

New York joins other U.S. cities, such as Portland, Oregon, in enacting biometric privacy legislation. However, its provisions are less comprehensive than those found in other states.

Comparison to Illinois Law

Illinois’s Biometric Information Privacy Act (BIPA) is a more robust law. It grants residents the right to legal recourse for any unauthorized use of their biometric data.

Notably, Facebook recently settled a class-action lawsuit in Illinois for $650 million. This stemmed from allegations that the company used facial recognition to tag users in photos without obtaining proper consent, dating back to 2015.

Expert Commentary

Albert Fox Cahn, Executive Director of the Surveillance Technology Oversight Project, characterized the New York City ordinance as a “important step” in understanding how businesses track individuals.

He explained to TechCrunch that a mistaken facial recognition match could lead to unwarranted police intervention, even during routine activities like shopping at stores such as Rite Aid or Target.

Cahn advocates for even stricter measures, suggesting a complete ban on systems like facial recognition, mirroring actions taken by some other cities.

• Key takeaway: Businesses must now be transparent about their biometric data collection practices.
• Important note: The law does not currently apply to government agencies.