By Gerald L. Maatman, Jr.Thomas E. Ahlering and Andrew R. Cockroft

Seyfarth Synopsis: New York City’s new biometric privacy ordinance creates a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability.  Employers who do business in New York City should carefully review this new ordinance as well as any technology they be using that has the potential to collect biometric information.  

As Seyfarth previously blogged, on January 1, 2021, New York City passed a new biometric privacy ordinance.  The ordinance, found here, goes into effect on July 9, 2021.

Overview Of New York City’s Ordinance

The ordinance places new obligations on businesses to notify customers and potential customers if they collect biometric information.  It holds that “[a]ny commercial establishment” that collects “biometric identifier information” from “customers” must disclose such collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language” that customers’ biometric information is being collected.  A “commercial establishment” is a place of entertainment, a retail store, or a food or drink establishment and a “customer” is a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.

The ordinance further makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”

The law provides that individuals “aggrieved by” a violation of the ordinance may file a private right of action, but places some conditions on this right.

If the individual alleges the business collected their biometric information without making the required disclosures, the individual can only initiate a private action if they first provide written notice to the business of their intent to sue and provide the business 30 days to cure the violation by placing clear and conspicuous notice at their establishment.  If the business does not cure within 30 days, the individual may sue and recover $500 for “each” violation.

If the individual alleges the business shared their biometric information in exchange for something of value or otherwise profited from the “transaction,” then the individual may sue without any prior notice to the business.  The individual may recover $500 for “each” negligent violation of this section and may recover $5,000 for “each” intentional or reckless violation of this section.

Implications For Companies

While the ordinance appears to be straight forward, there are potential areas for expansive interpretation of the law.  For starters, the ordinance’s “aggrieved by” language may permit civil actions over small, technical violations.  Illinois’ Biometric Information Privacy Act (“BIPA”) also limits the private right of action to individuals “aggrieved by” a violation of that Act.  Yet, the Illinois Supreme Court has held that even allegations of mere technical violations of BIPA are sufficient for an individual to be “aggrieved by” a violation.

Furthermore, while the ordinance provides businesses an opportunity to cure, this opportunity  only applies if the individual limits their allegation to the improper collection of biometric information.  If the individual alleges that the business also “shared” the biometric information for “anything of value,” then no notice is required before an individual can assert a claim.  In Illinois, most (if not all) plaintiffs routinely allege both improper collection and improper dissemination as a matter of course.  Accordingly, the opportunity to cure may not prevent many of these actions from ultimately being filed.

*****

Businesses in New York City should be mindful of this new ordinance and act accordingly.  Such businesses with compliance questions should contact a member of Seyfarth Shaw’s Biometric Privacy Compliance & Litigation Practice Group.