Here We Go Again, New York Considering Another BIPA

By: Lucia Argento

On January 6th, 2021, New York legislators proposed the new Biometric Privacy Act (“BIPA”), aka Assembly Bill 27. The purpose of this bill is to provide safeguards for consumers with regard to biometric identifiers. Biometric identifiers recognize things like fingerprints, facial patterns, and voice or typing sequences. This bill, if enacted, would require private organizations possessing biometric identifiers or biometric information to develop policies that set forth time periods for information containing biometric data.

This policy would include guidelines on destroying the individual’s data permanently either when the purpose for obtaining the biometric data has been satisfied or within three years of the person’s last exchange with the private entity. Whichever event happens first will be the deciding factor. Largely, the proposed New York BIPA would limit how businesses collect or disclose biometric identifiers and information, mandate notice to and consent from individuals whose data is collected, force businesses to take security measures on the storage of the data, and provide private rights of action.

This bill is not the first of its kind, with Texas, Illinois, and Washington already having their own state Biometric Information Privacy Acts. BIPA allows an express private right of action for a consumer claiming their biometric privacy rights have been violated. The three states’ enactment of these laws has prompted many others to follow along, take note, and start or continue to develop comprehensive frameworks concerning biometric privacy. The bill proposed by New York would only pertain to biometric identifiers and biometric information. It would not include writing samples, signatures, photos, tattoo descriptions, physical descriptions, or anything of that sort. This bill would specifically prohibit private entities and employers from selling, leasing, trading, or profiting off individuals’ biometric data.

Disclosing the relevant biometric data would only be allowed in four instances: the individual or someone who represents them consents to the disclosure; disclosure is required by federal, state, or local law or municipal ordinances; disclosure is needed pursuant to a valid warrant or subpoena issued by the courts; and disclosure of the information completes a financial transaction by the person or authorized person whose data is being shared.

Moreover, the law would shift control of the biometric data strictly to the person to whom the data belongs. Assembly Bill 27 is different from New York’s already enacted SHIELD Act, which presumably increases obligations on businesses that handle private information to notify affected consumers in the event of a security breach. The SHIELD Act broadens the definition of “data breach” to include unauthorized access to private information, with “private information” being expanded to include biometric information and data. But unlike Assembly Bill 27, the SHIELD Act does not allow private rights of action. Without a private right of action, class action litigation will not be available to individuals.

A big incentive of allowing a private right of action for individuals is to create the opportunity for the aggrieved to obtain damages, injunctive relief, and attorney costs or fees for negligent or intentional/reckless violations. Both liquidated and actual damages could be obtained, with liquidated damages capped at $1,000.00 for negligent violations and at $5,000.00 for intentional or reckless violations.

Back in 2020, the number of states granting consumers and employees biometric privacy rights expanded greatly, so now is an important time for state organizations and businesses to get on board and be proactive about drafting or amending biometric data policies. Unfortunately for businesses, this type of legislation poses more of an issue for employers than for consumers, since the consumer may bring a private right of action under the BIPA; New York employers should therefore keep an eye on whether this legislation passes. Companies should start thinking now about how to mitigate the risks of litigation and class actions. Allocating costs towards preventative measures will be far less expensive than responding to legal matters arising from a BIPA violation. In particular, companies could look to their existing written policies regarding how they store, collect, use, and delete biometric data and see how those practices are reflected in a retention schedule and how secure that specific data is within company systems.

An employer should evaluate what kind of notice or consent structures they have in place, if any, for obtaining biometric data from employees and consumers. Lastly, organizations should fully examine current and anticipated uses for the collected data. The organization should think about and ask third-party vendors interacting with the data what their purposes and intentions are in using the data to ensure vigilance and responsibility.

Assembly Bill 27 is still a long way from becoming law, but eventually this bill or a similar biometric privacy law will be enacted in the state of New York, and businesses will not be exempt from the bill’s requirements. This specific bill grants companies 90 days to bring themselves into compliance if passed, so now is the time for employers to start familiarizing themselves with biometric privacy legislation. Companies need to look over this proposal and research the three other states that already have BIPA-like legislation to find out what this would mean for the privacy and security of their consumers. To mitigate the risks of lawsuits arising against employers, companies should be proactive and start shifting their focus to fixing or applying procedures relating to the privacy of their biometric data before they find themselves in an avoidable, costly predicament.

Student Bio: Lucia Argento is currently a second-year law student at Suffolk University Law School and a Staff Member of the Journal of High Technology Law. She received a Bachelor’s in Criminal Justice with a minor in Legal Studies from the University of Central Florida in 2017.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.

 
