On July 9, the New York City Biometric Data Protection Law became effective (NYC Admin Code §22 et seq.) The new law applies to most commercial retail establishments (excluding financial institutions that already are covered by strict federal and state privacy laws), which are defined to include “a place of entertainment, a retail store, or a food and drink establishment.” The law requires such businesses that collect, share or store biometric information from customers to provide a prominent disclosure, as below. Biometric information is defined as: “a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.
The disclosure requires “placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language, in a form and manner prescribed by the commissioner of consumer and worker protection by rule, that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable.”
The new law provides for a private right of action for an aggrieved person, subject to first giving the effected establishment 30 days advance notice of the allegations and the opportunity to cure such violation, with the establishment to then provide timely written confirmation of the cure and a representation that no further violations shall occur. Statutory damages are provided, ranging from $500 for each violation to $5,000 for “each intentional or reckless violation,” as well as reasonable attorneys’ fees and costs, expert fees, and other litigation costs.
For more information, please contact:
Barry Werbin at +1 212 592 1418 or bwerbin@herrick.com