Proposed New York Biometric Privacy Act Allows Private Right of Action

The New York General Assembly introduced Assembly Bill 27, entitled the Biometric Privacy Act (BPA), on Jan. 6, 2021. The BPA follows the form of Illinois' Biometric Information Privacy Act (BIPA), widely considered to be the most punitive biometrics statute in the nation. New York's proposed law applies to private entities that collect biometric identifiers or information, and it aims to provide consumers with greater control over their biometric information.

Under the BPA, "biometric identifiers" include "a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry." The BPA defines biometric information as "any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual."

Requirements

If passed, the BPA would require entities that engage in the collection of biometric data to:

• develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collection has been satisfied, or within three years of collection, whichever occurs first
• inform the subject in writing that the entity will collect or store the subject's biometric data
• inform the subject in writing of the specific purpose of the data collection as well as the length of time the entity will store the data
• receive written consent from the subject to use their biometric data

Entities would be required to complete these steps prior to collecting a subject's biometric data. The bill also would prohibit private entities from selling, leasing, trading or otherwise profiting from a subject's biometric data.

Private Right of Action

New York's BPA provides a private right of action allowing affected consumers to collect uncapped actual damages, or liquidated damages per violation of up to $1,000 for a negligent violation and up to $5,000 for an intentional or reckless violation. The BPA also allows aggrieved parties to collect attorney's fees and does not prohibit aggregated claims or class claims.

Takeaways

• Entities that collect individuals' biometric data without strict compliance with the BPA would be at risk for litigation including class actions.
• Entities should develop a comprehensive biometrics policy that addresses retention and destruction schedules and guidelines.
• Entities should delete biometric data when the initial purpose for collection has been satisfied or within three years of collection, whichever occurs first.
• Entities should be sure to obtain written consent from consumers. The consent should provide individuals with the purpose of collection, and the retention information.
• Entities should not engage in the selling, leasing, trading or otherwise profiting from a subject's biometric data.

For more information, contact the authors or another member of Holland & Knight's Data Strategy, Security & Privacy Team.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.