Christopher Seusing
New England Managing Partner with Wood Smith Henning & Berman, LLP

Chris Seusing oversees WSHB’s Boston and Connecticut offices and leads the firm’s national Cybersecurity & Data Privacy team. With nearly 15 years of collective experience in cyber, professional and management liability areas, Chris represents companies and professionals in complex litigation matters around the country. He counsels clients on responding to data breach incidents and regulatory inquiries and investigations, oversees forensic investigations of incidents, drafts information management policies and procedures in compliance with privacy regulations, and collaborates with case teams to implement cost-effective processes using state-of-the-art litigation tools, including analytics and technology-assisted review. He also leads WSHB’s National Cyber Incident Team which is available 24/7 to respond to cyber incidents and suspected data breaches, and is part of an international legal team focused on data protection and cybersecurity which is regularly called upon by public and private entities to navigate emerging challenges.

 

Sameer Ponkshe
Senior Counsel with Wood Smith Henning & Berman, LLP

Sameer Ponkshe focuses his practice on cybersecurity and data privacy matters, including breach response cases, state/federal enforcement of data privacy statutes, and review of information transfer agreements as a member of the Cybersecurity and Data Privacy Team. Sameer also handles employment, professional liability, and commercial and business litigation.  His impressive experience provides a strong foundation for understanding a wide variety of subject matters and for developing techniques for navigating complex cases to resolution through early settlement discussions, alternative dispute resolutions or trial.  Sameer is licensed to practice law in New York and New Jersey.

 

Why This Case is Important

Businesses in New York that utilize biometric data such as voice recognition, fingerprint scanning, facial recognition, iris recognition, etc. should take note of the new legal requirements that went into effect on July 9, 2021, with the implementation of New York City’s Biometric Identifier Information law. This law details new regulations regarding the collection, use and sale of biometric data by commercial establishments in the five boroughs. Most importantly, the new law bans the sale of biometric data by commercial establishments and imposes requirements to post conspicuous notices of the establishment’s use of biometric identifying technologies. The failure to do so will now potentially result in fines and/or a private right of action by a commercial establishment’s customer. It is of utmost importance that businesses in New York City be aware of and comply with this new law, or face potentially significant liability in the form of civil claims and class actions, similar to what companies have been dealing with for years in Illinois under a similar biometric law.

The businesses most impacted by the new law are those that require biometric identification to gain entry or access to parts of a building, such as establishments in the Diamond District who grant temporary access to customers through a fingerprint scan.  However, recent technology trends in other industries, such as McDonald’s use of voice recognition technology for drive-thru ordering and ExxonMobil’s use of Amazon’s Alexa to offer voice-activated purchases of gasoline at the pump, have brought the use and regulation of biometric identifying technologies into the spotlight, prompting similar legislation in the State of Illinois and Portland, Oregon.

Reach and Implementation

The new law defines “biometric identifier information” as a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.” The provisions of the law apply only to a “commercial establishment,” which includes “food and drink establishments”; “places of entertainment”; and “retail stores” as follows:

  • Food and drink establishment means an establishment that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
  • Place of entertainment means any privately or publicly owned and operated entertainment facility, such as a theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games or contests are held.
  • Retail store means an establishment wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.

Financial institutions are not included in the definition of “commercial establishment” and are specifically excluded from the provisions of the Biometric Identifier Information law at large. Further, the law does not apply to biometric information “collected through photographs or video recordings, if: (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.” In this regard, businesses who have CCTV or other security cameras do not have to post notices thereof under the law, so long as the videos are not analyzed by software or applications that identify or assist with the identification of individuals using biometric characteristics.

There is also an important distinction made in the statute between “customers” and “employees” of commercial establishments as it relates to the outright ban on the sale of biometric information, in that the ban does not limit its application to only customers. The definition of “biometric identifier information” includes any individual, whereas the requirement to post notices of the use of biometric identifying technologies only applies to customers. Thus, there is no affirmative duty on businesses to post conspicuous notices of their use of biometric identifying technologies if they are only collecting the biometric information of the establishment’s employees. However, the sale of such employees’ biometric data is expressly prohibited.

Notice Requirements

As to the physical location of notice, the law dictates that any commercial establishment that collects, retains, converts, stores or shares biometric identifier information must post a clear and conspicuous sign near all of the customer entrances notifying customers that their biometric identifier information is being collected, retained, converted, stored or shared.  In terms of the content of the notice, the Division of Consumer Affairs has now posted the template notice that businesses should use at the following link:

https://www1.nyc.gov/site/dca/businesses/signs.page#biometric

The final section of the law further states that additional guidance will be posted on City of New York websites, or through other means, to inform commercial establishments of the requirements of the law.

Implementation and Penalties

A customer whose biometric identifier information was collected by a commercial establishment that did not post the appropriate notice may maintain a private cause of action if certain procedural requirements are met. Specifically, the person aggrieved must provide written notice to the commercial establishment of its non-compliance with the law, which commences a 30-day cure period. On or before the expiration of that 30-day cure period, the commercial establishment must do the following: (i) post the appropriate notices; and (ii) provide the aggrieved person an “express written statement” that the violation has been cured and that no further violations shall occur. In the event the commercial establishment fails to complete the above within that 30-day period, the aggrieved person may file a lawsuit in a court of competent jurisdiction. As to the sale of biometric identifier information, there is no cure period and an aggrieved person may file a lawsuit as soon as the commercial establishment “sells, leases, trades, or shares in exchange anything of value or otherwise profit from the transaction of [his/her/their] biometric identifier information.”

In respect to statutory penalties, a prevailing party whose claims are based on the failure to post notices may recover $500 per violation, including reasonable attorneys’ fees and costs, expert witness fees and other litigation expenses. Meanwhile, for each “negligent” violation of the ban on selling biometric identifier information, a party may recover $500 per violation, and for each “intentional or reckless” violation of the ban, a party can recover $5,000, in addition to the aforementioned attorneys’ fees and litigation costs.  The successful party may also be entitled to an injunction or other relief as determined by the Court.

The law does not set forth any fine or penalty that is enforceable by a regulatory body or other City of New York agency for the failure to post notices and/or selling biometric identifier information.  Accordingly, the monetary penalties set forth in the law only apply in the instance of a private right of action asserted by an aggrieved person.

Key Takeaways

  • Commercial establishments must post the template notice from the Division of Consumer Affairs at all customer entrances in a clear and conspicuous manner.
  • If the commercial establishment fails to post the notice and receives a written complaint, they must be mindful of the law’s requirements that, within 30 days, they must not only post the appropriate notice, but also advise the complaining party, in writing, that the notice has been posted and that no further violations of the law shall occur.  Businesses would be wise to include with such letter to the complaining party pictures of the notice(s) posted at the establishment to demonstrate their compliance with the law.
  • The law’s provisions as to the sale of biometric identifier information are unequivocal and, to the extent any commercial establishments were selling or otherwise profiting from the transfer of biometric identifier information, those transactions must cease immediately.

About the Firm:

WSHB’s Cybersecurity and Data Privacy team is ready to assist New York City employers in complying with this new law and to respond as needed should claims be brought alleging violations of same.

Cybersecurity and data privacy issues are constantly evolving and becoming more pronounced in today’s business and market climate. WSHB understands and stands prepared to assist businesses as they navigate the evolving legal climate in the area of data privacy and protection.