New York lawmakers are moving ahead with their own privacy legislation to regulate how private companies handle biometric data.
If enacted, the Biometric Privacy Act, Assembly Bill 27 would compel all non-governmental organizations holding biometric identifiers or information to publish written policies on how long the data would be retained and how it will be destroyed. The organizations would also be required to dispose of the data after the original reason for collecting the biometrics has been “satisfied,” or three years after the person last interacted with the organization, whichever happened first.
The bill defined biometric identifiers narrowly, focusing on recorded data about a person’s fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition. The person’s biometrics must have the same level, or more, of protection as the organization’s proprietary information.
The bill also outlined clear consent requirements, as organizations would need to obtain informed consent before collecting the data, and to develop security and confidentiality safeguards. The data would also be off-limits for private use unless both conditions are met: the person the data belongs to is alerted in writing about how the data would be used and for how long it will be used; and the person agrees in writing to allow that use.
Organizations would not be allowed to profit in any way from the use of biometric data.
States Moving Ahead
The proposed legislation was introduced in New York State Assembly and is currently with the Consumer Affairs and Protection Committee. It isn’t clear what kind of changes the bill would undergo in committee, or if it would even gain traction to come up for vote, but it underscores the fact that state legislators are proceeding with their own laws in the absence of Congressional action.
If this bill becomes law, New York will join Illinois, Texas, and Washington in having laws that specifically regulate the collection and use of biometric information. Washington’s law limits how the government can use biometric facial recognition. California regulates biometric data and provides a limited private right of action under the California Consumer Privacy Act (CCPA) if a data breach includes biometric data.
New York’s law, as currently proposed, is “virtually identical” to the Biometric Information Privacy Act, 740 ILCS 14 et seq, enacted by Illinois in 2018, as it allows a right of private action, Joseph J. Lazzarotti, a principal at Jackson Lewis P.C., wrote on the law firm’s Workplace Privacy blog. The right of private action means that people who feel their privacy has been violated could go to the state’s supreme court and seek damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation—or actual damages, if the amount is greater.
Don't Delay Compliance
The Illinois law “triggered thousands of class action” litigation in Illinois, and a similar situation could happen in New York if the bill passes, Lazzarotti predicted. In Illinois, the lawsuits were brought by employees and consumers alleging their biometric information was improperly collected for various purposes, including timekeeping, security, and consumer transactions.
Companies should be reviewing how they obtain and use biometric information even before the bill becomes law to avoid potential lawsuits once the bill becomes law. Even if New York doesn't wind up passing this bill, the right to private action exists in Illinois, and other states may soon follow with similar laws. Organizations should look at how consent is obtained to collect biometrics and also on how it is shared and used. They need to ensure they have written policies on retention and destruction and be proactive about addressing the gaps, before the lawsuits or regulators start coming.
This isn’t New York’s first action on biometric data. State legislators have proposed at least three other biometric privacy bills since 2018, but were unsuccessful. In December, Governor Mario Cuomo signed a bill prohibiting the use of biometric identifying technology in schools at least until July 1, 2022. New York’s SHIELD Act, enacted in 2019, expanded the types of data companies are required to protect to include biometric data.
While New York's bill is a long way from passage, the fact that state legislators are moving ahead with their own privacy and security legislation means enterprises will have to navigate an increasingly complex web of laws and regulations around biometrics data. Much like how the absence of a nationwide breach notification law led to a patchwork of state laws that made it difficult for organizations to keep up with different requirements, privacy legislation focused on biometrics seem to be headed down a similar path.