New York Rings in the New Year by Introducing Proposed Biometric Privacy Bill with Private Right of Action

New York Law Journal

New York lawmakers rang in the new year by introducing sweeping biometric privacy legislation that would bring a carbon copy of Illinois’ stringent Biometric Information Privacy Act (BIPA) to the Apple State.

Known as the New York Biometric Privacy Act (BPA) (AB 27), the bill—if enacted—would impose significant compliance burdens on companies handling biometric data. More importantly, the bill, which provides for a private right of action, would likely bring with it a tsunami of class action litigation akin to that seen with BIPA since 2019.

From a broader perspective, if successful, the BPA could generate a sizeable shift in the current legal landscape of biometric privacy law by encouraging other states to enact similar laws of their own.

Overview of Biometric Data

Biometric data generally encompasses unique, measurable human biological or behavioral characteristics—including fingerprints, voiceprints, and scans of hand or face geometry—that are used primarily for identification and authentication purposes. Importantly, biometric data is different from Social Security numbers and other forms of personally identifiable information (PII) because once compromised, biometric data has forever lost its ability to be used as a secure identifying mechanism.

Current Legal Landscape

The number of biometric privacy bills introduced across the country by state and municipal lawmakers increased significantly in 2020 as compared to the previous year. Based on a legislative shift to focus on the COVID-19 pandemic, however, only a small number of bills implicating biometrics made their way into law last year.

As the current pandemic subsides in 2021, legislators are expected to resume—if not increase—their efforts toward enacting new biometric privacy laws. Consequently, it is anticipated legislators will not only pick up where they left off, but will also introduce a flurry of new bills during the 2021 legislative cycle.

The New York Biometric Privacy Act

The first state to propose new biometric privacy legislation in 2021 is New York, with the introduction of its proposed Biometric Privacy Act. The BPA is a carbon copy of Illinois’ BIPA, and would require companies to adhere to the following requirements:

  • privacy policies and guidelines/schedules for the retention and destruction of biometric data;
  • notice;
  • written releases/consent;
  • a ban on selling or profiting from biometric data; and
  • data security requirements.

In addition, the BPA would—like Illinois’ BIPA—provide a private right of action for any individual “aggrieved” by a violation of the law, and further, would allow such individuals to recover $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, as well as attorney fees.

In January 2019 the Illinois Supreme Court in Rosenbach v. Six Flags Ent., 2019 IL 123186 (Ill. 2019), interpreted the term “aggrieved” to mean a mere violation of an individual’s privacy rights—without more—was sufficient to pursue a class action. In doing so, the Rosenbach decision eliminated the essential requirement of having to demonstrate actual injury or harm for alleged BIPA violations.

Not surprisingly, Rosenbach opened the floodgates to a tremendous wave of bet-the-company litigation against Illinois companies (and even many located beyond the Prairie State), with damages figures that greatly exceed the nature and extent of the violations at issue. As just one example, in 2020 tech giant Facebook agreed to pay $650 million to settle a longstanding BIPA lawsuit involving its allegedly improper use of facial recognition technology as part of its photo-tagging feature.

What This Means for Companies Using Biometric Data

First, legislators are expected to resume their 2020 legislative backlog, while at the same time introducing additional new bills in 2021 designed to place more regulation over the use of biometrics.

Second, significant developments in 2020 will likely further motivate legislators to make biometric privacy laws a reality, as compared to prior years.

The COVID-19 pandemic—and companies’ resulting increased reliance on biometric technologies—has magnified the need for regulation over biometric data. While the safety benefits of touchless technologies such as facial recognition are obvious, biometrics also received negative news coverage stemming from undisclosed, controversial, and questionable uses of such data.

In particular, news broke at the start of 2020 regarding the practices of facial recognition startup Clearview AI, which built a massive database of facial templates of millions of individuals across the world and then sold access to its database to both law enforcement and private entities. Just recently, a New Jersey man filed suit against law enforcement after being wrongfully arrested based on facial recognition software similar to that developed by Clearview AI in connection with a shoplifting incident that did not involve the man. The misidentification caused by the biometrics software resulted in the man spending 10 days in jail, including a week in “functional solitary confinement.”

In addition, other companies have also made headlines after reports surfaced regarding their purported practices involving the deployment of facial recognition technology for security/surveillance purposes—oftentimes in low-income areas—without disclosing their use of the software to customers/patrons.

2020 also brought a new type of biometric privacy law: the outright ban of certain types of biometric technologies. In September of last year, Portland, Ore. became the first jurisdiction to enact a blanket prohibition over the use of facial recognition software by the private sector. Importantly, the Portland law may provide strong encouragement to lawmakers who may not have an appetite for passing an outright ban to push forward with strict regulation paralleling that of BIPA—just as New York has done.

Critically, should New York prevail in enacting its BPA, it may trigger a domino effect whereby other states quickly follow suit.

Action Step: Proactive Compliance Measures

The BPA is in the early stages of the legislative process; if enacted, it will not go into effect until 90 days after passage.

New York is certainly not the only state that will try its hand at enacting new biometric privacy regulation over the next 12 months. As such, companies are well-advised to take proactive action to implement flexible, adaptable biometric privacy programs that will enable them to adeptly respond to the ever-changing legal landscape of biometric privacy law. Specifically, companies using biometric data in their operations—even if they do not conduct business in New York—should consider implementing the following compliance practices:

  • Privacy Policy: Develop a publicly-available, detailed biometrics-specific privacy policy that provides clear notice that biometric data is being collected, as well as information regarding the purposes for which the data is used and the company’s schedule and guidelines for the retention and destruction of this data.
  • Written Notice: Provide written notice—prior to the time any biometric data is collected—which clearly informs individuals that biometric data is being used by the company; how that data will be used and/or shared; and the length of time over which the data will be retained until it is destroyed.
  • Written Release: Obtain a signed written release from all individuals prior to the time any biometric data is collected that permits the company to collect/use the individual’s biometric data and disclose the data to third parties for business purposes.
  • Opt-Out: For facial recognition technology, allow individuals to opt out of the collection of their facial template data.
  • Data Security: Maintain data security measures to safeguard biometric data that satisfy the reasonable standard of care applicable to the company’s given industry and that protect biometric data in a manner that is the same as or more protective than the manner in which the company protects other forms of sensitive personal information.
  • Explicit Prohibition on Selling or Otherwise Profiting From Biometric Data: Enforce a strict ban that prohibits the company, its employees, and any vendors from selling or otherwise profiting from individuals’ biometric data.
  • Explicit Prohibition on Using Technology for Discriminatory Purposes: Maintain an explicit policy strictly barring the use of biometric technologies by employees, contractors, or vendors to unlawfully discriminate against individuals or groups of individuals.

Conclusion

It is only a matter of time before biometric privacy laws are the norm, and not the exception, across the United States. While the particulars of these anticipated new laws are anyone’s guess at this juncture, companies can be reasonably certain that the majority of these new statutes will incorporate many of the same overarching privacy principles that serve as the foundation for the current body of law governing biometric data. As such, companies can get ahead of the compliance curve by taking a proactive approach and embedding these common core privacy principles as the foundation of their biometric privacy compliance programs.

Importantly, developing tailored, comprehensive biometric privacy compliance programs can ensure continued, ongoing compliance not just with current biometrics regulation, but with future laws as well—allowing companies to always stay a step ahead of today’s constantly-evolving biometric privacy regulation.

“New York Rings in the New Year by Introducing Proposed Biometric Privacy Bill with Private Right of Action,” by Jeffrey N. Rosenthal and David J. Oberly was published in the New York Law Journal on January 21, 2021.

Reprinted with permission from the January 21, 2021, edition of the New York Law Journal © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com