New York City’s recently enacted biometric privacy law took effect July 9, 2021. While the law is vague as to exactly who must abide by certain subsections, it is undoubtedly consumer-focused. However, even if employers escape New York City’s biometric ordinance, a looming New York state law may soon impose more expansive biometric requirements on
As we discussed in Part I, the United States does not have a single, comprehensive federal law governing biometric data. However, we have recently seen an increasing number of states focusing on this issue. Part I summarized legislative activity on this issue in 2020. In this Part II, we discuss noteworthy legislation to monitor in 2021.
What to Expect in 2021
At least two states—New York and Maryland—have already introduced biometrics legislation in this first month of 2021.
New York – AB 27
On January 6, 2021, the New York Assembly introduced the Biometric Privacy Act (BPA), a New York state biometric law aimed at regulating businesses handling biometric data. BPA will prohibit businesses from collecting biometric identifiers or information without first receiving informed consent from the individual, prohibit profiting from the data, and will require a publicly available written retention and destruction policy. As proposed, the statute contains a private right of action; and if passed, it will permit consumers to sue businesses for improperly collecting and using their biometric data. The statute follows Illinois’s BIPA, allowing recovery of $1,000 per negligent violation and $5,000 per intentional violation, or actual damages, whichever is greater, along with attorney’s fees and costs, and injunctive relief.
Data privacy laws have made significant breakthroughs in recent years, making it a top priority for businesses. From the adoption of the European Union’s General Data Protection Regulation (GDPR) in 2016 to the enactment of the California Consumer Privacy Act (CCPA) in 2018 and the latest ballot approval of the California Privacy Rights Act (CPRA) in 2020, we continue to see data privacy laws develop and garner interest from consumers, businesses, and legislators alike.
Specific biometric privacy laws, in particular however, are often overshadowed by more general data privacy laws. As we discussed in our prior article, biometrics are physical and behavioral human characteristics (i.e., face, eye, fingerprint, and voice features) that can be used to digitally identify a person. As the collection and use of biometric data become more common in daily life and its applications in different industries continue to expand, new privacy considerations will emerge in this field. Biometrics laws, in their own right, require separate recognition because of the nuanced application of these specific laws.
The United States does not have a single, comprehensive federal law governing biometric data. Recently, we have seen an increasing number of individual states focus on this issue, and the recent introduction of legislation in a number of states specifically aimed at protecting the collection, retention, and use of biometric data. In Part I, we summarize some of the legislative activity on biometric laws from 2020. We will describe other noteworthy legislation to monitor for 2021 in Part II.
On October 13. 2020, White Castle System, Inc. petitioned the United States Court of Appeals for the Seventh Circuit for permission to seek an interlocutory appeal pursuant to 28 U.S.C. § 1292(b). This petition arises out of the United States District Court for the Northern District of Illinois’ opinion on White Castle’s motion for judgment on the pleadings issued on August 7, 2020. The matter hinged on whether repeated collection of the same biometric information from an employee without prior consent constituted separate violations of the Illinois Biometric Information Privacy Act (BIPA).
Summary of District Court’s Cothron v. White Castle Opinion
In the district court’s opinion, Judge Tharp held that “[a] party violates Section 15(b) [of the BIPA] when it collects, captures, or otherwise obtains a person’s biometric information without prior informed consent.” Judge Tharp continued, “[t]his is true the first time an entity scans a fingerprint or otherwise collects biometric information, but it is no less true with each subsequent scan or collection.” Similarly, Judge Tharp held that BIPA requires that dissemination of information without consent, even if to the same third party as previously disseminated, is an additional violation of the BIPA.
Does your phone immediately unlock for use after you glance at it? Have you visited your favorite social media platform only to find that you have been tagged in dozens of pictures? Or how about that time you scanned your fingerprints or eyes to open your phone, gain admittance to a theme park, or pass through airport security? These features all involve biometrics technology—the latest trend and high-growth area of technology used to help organizations provide consumers with a more effortless and interactive experience in exchange for personal information about your physical or behavioral attributes. Companies should be mindful in collecting this data and how they use and store that information.
Biometrics include facial, fingerprint, iris, gestures, and voice recognition. While biometrics technology is becoming more ubiquitous in daily life and being employed by more governmental agencies and service providers, new privacy considerations will continue to emerge as a result of the pieces of personal information shared by consumers to increase convenience.