Effective July 9, 2021, certain retail and hospitality businesses that collect and use “biometric identifier information” from customers will need to post conspicuous notices near all customer entrances to their facilities.  These businesses will also be barred from selling, leasing, trading, sharing or otherwise profiting from the biometric identifier information they collect from customers.  Customers will have a private right of action to remedy violations, subject to a 30-day notice and cure period, with damages ranging from $500 to $5,000 per violation, along with attorneys’ fees.

These new requirements, which are set forth in an amendment to Title 22 of the NYC Admin. Code (the “Amendment”), apply to “commercial establishments,” a three-pronged category that includes:

  1. Food and drink establishments: Establishments that give or offer for sale to the public food or beverages for consumption or use on or off the premises, or on or off a pushcart, stand or vehicle.
  2. Places of entertainment: Privately or publicly owned and operated entertainment facilities, such as a theaters, stadiums, arenas, racetracks, museums, amusement parks, observatories, or other places where attractions, performances, concerts, exhibits, athletic games or contests are held.
  3. Retail stores: Establishments wherein consumer commodities are sold, displayed or offered for sale, or where services are provided to consumers at retail.

The Amendment broadly defines “biometric identifier information” as a physiological or biological characteristic used to identify an individual including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.

The Amendment will take effect amidst a flurry of data privacy and security activity in New York.

  • Last year, the New York Department of Financial Services (“DFS”) filed its first enforcement action under New York’s Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500 (“Reg 500”). DFS also announced a $1.5 million settlement with a residential mortgage services provider earlier this year.
  • In another recent development, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), which took effect in March 2020, requires organizations that own or license private information related to New York residents to, among other things, develop, implement, and maintain reasonable safeguards to protect that information, which includes biometric information.
  • Building on the momentum from Reg 500 and the SHIELD Act, several additional privacy bills are currently under consideration:
  • One is the Biometric Privacy Act, which, if enacted could make New York the next hotbed of class action litigation over biometric privacy.
  • Another is the Tenant Privacy Act, which, among other things, would require owners of “smart access” buildings – i.e., those that use key fobs, mobile apps, biometric identifiers, or other digital technologies to grant access to their buildings – to provide privacy policies to their tenants prior to collecting certain types of data from them, as well as to strictly limit (a) the categories and scope of data that the building owner collects from tenants, (b) how it uses that data (including a prohibition on data sales), and (c) how long it retains the data.
  • Additionally, New York is considering two bills – S567 and A680 – which would grant consumers sweeping privacy rights, comparable to those available under the CCPA in California and CDPA in Virginia.

Jackson Lewis’ Privacy, Data & Cybersecurity Group has been closely monitoring these fast-moving developments and is available to assist organizations with their compliance and risk mitigation efforts.