On January 6th, the first day of the New York legislature’s 2021 session, NY lawmakers proposed Assembly Bill 27 (AB 27), the Biometric Privacy Act. The legislative purpose of AB 27 is to provide safeguards for consumers regarding their biometric identifiers, such as fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition. Effectively, the proposed Act would require private (non-governmental) organizations that possess a biometric identifier or biometric information (i.e., information “based on” a biometric identifier) (collectively “biometric data”) to develop a written retention policy setting forth the time period for information containing biometric data, as well as guidelines for permanently destroying such biometric data either when: (i) the initial purpose for obtaining such information “has been satisfied,” or (ii) within three years of the individual’s last interaction with the private entity, whichever happens first.
AB 27 would also require organizations to obtain individuals’ express written consent for the collection of their biometric data prior to collecting or otherwise obtaining such data. In addition, the proposed Act would prohibit organizations from selling or otherwise profiting from the biometric data which they possess, and separately mandate organizations to provide technical and organizational safeguards around biometric data that are the same or more protective than the measures it maintains for other confidential and/or sensitive information.
If implemented, AB 27 would be the fourth biometric-specific state legislation. Currently, Illinois, Texas, and Washington have laws that specifically regulate the collection and use of biometric information. Of those three states, only Illinois allows a private right of action under its Biometric Information Privacy Act (BIPA). (For more information on BIPA’s impact on the privacy landscape, please see our previous blog posts here and here.) With AB 27, New York now stands to join Illinois in allowing a private right of action, potentially awarding statutory damages of up to $1,000 for each negligent violation and $5,000 for each intentional or reckless violation.
Notably, this is not the first time New York has proposed similar biometric privacy laws. In fact, NY lawmakers have proposed at least three other biometric privacy bills since 2018. Although these previous bills have been unsuccessful, it is clear there is a general trend towards strengthening biometric privacy rights. In 2019, New York enacted the SHIELD Act, which expanded on the types of data companies need to protect, which included biometric information. Additionally, in response to an increasing demand for privacy rights, New York Governor Cuomo suspended the use of facial recognition technology in the state’s schools. Outside of New York, several other states have proposed similar biometric privacy laws, including Massachusetts, Florida, and Arizona. In addition, California regulates biometric data, and provides a limited private right of action under the California Consumer Privacy Act (CCPA) in the event biometric data is subject to a data breach.
Comment
In order to mitigate the risk of private rights of actions arising from the New York Biometric Privacy Act, as well as other similarly contemplated proposed and enacted state laws and local ordinances, organizations should be proactive and apply lessons learned not only from BIPA compliance, but also from other privacy laws related to biometric data, such as the CCPA. In particular, organizations should focus their efforts on refreshing their policies and procedures related to the identification, collection, retention and disposal of personal information, data security measures applicable to that data — and specifically with respect to biometric data.