Dubbed the “Biometric Privacy Act,” New York Assembly Bill 27 (“BPA”) is virtually identical to the Biometric Information Privacy Act in Illinois, 740 ILCS 14 et seq. (BIPA). Enacted in 2008, BIPA only recently triggered thousands of class actions in Illinois. If the BPA is enacted in New York, it likely will not take as long for litigation to begin under the new privacy law. Interestingly, late last year, Governor Cuomo signed AB A6787D which, among other things, prohibited the use of biometric identifying technology in schools at least until July 1, 2022.
Just like BIPA, the BPA would establish a comprehensive set of rules for companies possessing and/or collecting “biometric identifiers” and “biometric information” of a person, such as:
- Development of a publicly available policy establishing retention and destruction guidelines
- Informed consent required prior to collection
- Limited right to disclose without consent
- Mandated security and confidentiality safeguards
- Prohibiting private entities from profiting from the data
Most important, the BPA also would create a private right of action for persons “aggrieved” by violations of BPA, using the same language as under BIPA, permitting persons to recover the greater of (i) statutory damages of at least $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, and (ii) actual damages.
We know the Illinois Supreme Court decided that, in general, persons bringing suit under BIPA do not need to allege actual injury or adverse effect, beyond a violation of his/her rights under BIPA, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the BIPA. See Rosenbach v. Six Flags Entertainment Corp.
Of course, the BPA is not currently the law in New York. However, if enacted, companies should immediately take steps to comply. That is, they should review their time management, point of purchase, physical security, or other systems that obtain, use, or disclose biometric information (any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry used to identify an individual) against the requirements under the BPA. In the event they find technical or procedural gaps in compliance – such as not providing written notice, obtaining a release from the subject of the biometric information, obtaining consent to provide biometric information to a third party, or maintaining a policy and guidelines for the retention and destruction of biometric information – they need to quickly remedy those gaps.
It is unclear whether courts in New York will interpret the availability of remedies under BPA, if enacted, the same as the Illinois Supreme Court in Rosenbach. However, if they do, the duties imposed on private entities subject to the law regarding the collection, retention, disclosure, and destruction of a person’s biometric identifiers or biometric information will define the statutory rights of persons protected by the law. Accordingly, when a private entity fails to comply with one of the BPA requirements, that violation could constitute an invasion, impairment, or denial of a right under the BPA resulting in the person being “aggrieved” and entitled to seek recovery.