August 19, 2021

NYC Passes Biometric Data Protection Laws Aimed at Businesses, Smart Access Building Owners

Holland & Knight Cybersecurity and Privacy Blog
Sophie Kletzien | Mark H. Francis

New York City has set its sights on biometric data protection this summer, passing two laws regulating the use of biometric information within the same month.

The New York City Council amended its administrative code on July 9, 2021, to include a new regulation covering the use of biometric identifier information (BII) used by businesses within the city. (See NYC Admin. Code §§ 22-1201 – 1205.) The new law regulates how commercial establishments may gather, use, share and store biometric identifiers concerning New York City residents or visitors. Soon after, on July 29, the council passed the Tenant Data Privacy Act (TDPA) to place additional limits on the use of biometric information by "smart access" building owners in the five boroughs. (See NYC Admin. Code §§ 26-3001 – 3007.)

In passing both laws, New York City joins a growing number of cities and states who have implemented privacy laws limiting the use of BII, reflecting an accelerating trend in restricting the collection and use of biometric information.

New Limitations on Use of Biometric Information

The city's biometric information privacy law, effective July 9, prohibits the use of BII for transactional purposes to sell, lease, trade or otherwise profit from the transaction of biometric information. It also requires businesses that utilize BII to notify customers of collection practices by posting formal notices near all physical entrances of the business.

Similarly, the TDPA prohibits building owners from selling, leasing or otherwise disclosing tenant data collected by smart access systems, including biometric information, with the exception of vendors for the purpose of operating such systems. It imposes limits on a building owner's ability to use smart access technology and biometric information for access into buildings, common areas or individual dwelling units. The act imposes restrictions on the categories of tenant data that building owners can collect, generate or use through smart access systems.

Following a grace period ending on Jan. 1, 2023, owners of smart access buildings must implement policies and practices to address new requirements involving individual express consent, clear privacy policies, security safeguards and data destruction.  

Scope of the Regulations

While the applicability of the city's biometric identifier law is limited to commercial businesses, the TDPA governs the data usage of all smart access buildings, including those utilizing key fobs, phone apps and radio-frequency identification (RFID) cards.

Biometric Identifier Information Law

"Biometric identifier information" under the city's BII law is defined as a physiological or biological characteristic that is used to identify an individual, "including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic." The definition's focus on the ability to identify an individual indicates that while the use of facial recognition technology by store security cameras may be regulated, use of thermometers to take customers' temperature in restaurants is not.

The regulation governs "commercial establishments," which include places of entertainment, retail stores and food and drink establishments. Accordingly, the city's theaters, shops and restaurants must all comply, bringing a wide range of businesses within the purview of the regulation.

The requirement that notice be provided at commercial establishments applies only when biometric information is collected from a customer, defined as "a purchaser or lessee, of goods or services from a commercial establishment." Accordingly, the BII law does not apply to individuals in the traditional employment context. However, the law's prohibition on the sale or sharing of biometric data is not limited to customers and does cover employee biometric data that is retained by employers, including fingerprint or hand scan authentications for punch clocks. Employers of commercial establishments must therefore be mindful of their collection and retention practices of employees' biometric information.

The city's BII law is similar to the Illinois Biometric Information Privacy Act (BIPA), which also regulates the collection, use and retention of biometric identifiers. BIPA prohibits the sale or sharing of BII and requires private entities that collect BII to provide written notice to all subjects that explains the purpose of collection and retention length. "Private entity" is defined more broadly than "commercial establishment" and includes any individual, partnership, corporation, limited liability company (LLC), association or other group "however organized." The Illinois BIPA law is therefore broader in scope and regulates a greater range of establishments than that of New York City.

Tenant Data Privacy Act

The TDPA governs landlords and building owners of smart access buildings. A smart access building is defined as one that uses keyless entry systems, including electronic or computerized technology (e.g., a key fob), RFID cards, mobile apps, biometric information or other digital technology to grant access to a space. The act covers buildings that allow access via facial recognition and fingerprint or hand scans.

Enforcement

Both laws afford a private right of action to "aggrieved" individuals whose data is unlawfully sold by noncompliant entities.

The city's biometric information law provides statutory damages ranging from $500 to $5,000 per violation. The law also provides a limited cure option for noncompliance with the signage requirement: a business may avoid suit by curing the violation within 30 days of the complaint and providing an express written statement that the violation has been remedied.

The TDPA's private right of action extends to tenants whose data was improperly sold or exchanged under the statute. Tenants exercising this right of action can seek compensatory damages or statutory damages ranging from $200 to $1,000 per tenant, in addition to attorney's fees.

Related Insights