Businesses Face New Litigation Risk Over Biometric Information

Social media has played an oversized role in lawsuits under state and local biometric privacy laws, including especially the Illinois Biometric Information Privacy Act (BIPA). See, e.g., Thornley v. Clearview AI, Inc., 984 F.3d 1241 (7th Cir. 2021) (plaintiffs alleged that defendant used a proprietary algorithm to “scrape” pictures from social media sites such as Facebook, Twitter, Instagram, LinkedIn, and Venmo); K.F.C. v. Snap, Inc., No. 3:21-cv-9-DWD (S.D. Ill. June 10, 2021) (plaintiff alleged that two Snapchat features, “Lenses” and “Filters,” use scans of facial geometry and violated her rights under BIPA); Vance v. Amazon.com, Inc., No. C20-1084JLR (W.D. Wash. March 15, 2021) (plaintiffs alleged that Flickr, through its parent company Yahoo!, compiled hundreds of millions of photographs posted on its platform into a dataset that it then made publicly available to “help improve the accuracy and reliability of facial recognition technology”). Of course, in addition to the litigation expenses and executive time required to defend these suits, settlements can be quite costly. See, e.g., In re Facebook Biometric Info. Privacy Litig., No. 15-cv-03747-JD (N.D. Cal. Feb. 26, 2021) (approving $650 million Facebook biometric information privacy settlement).

Now, a New York City law that took effect early last month is likely to significantly expand the range of biometric-related litigation beyond social media companies to a new group of defendants: retail stores, places of entertainment, and food and drink establishments doing business in New York City. See https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=3704369&GUID=070402C0-43F0-47AE-AA6E-DEF06CDF702A.

The Essentials

The new city law – groundbreaking and the first of its kind in New York State – was introduced in the New York City Council in October 2018 and finally was adopted on January 10, 2021. In short, it requires that businesses notify customers if they use biometric identifier technology, and it also prohibits them from selling biometric identifier information. The new law has three principal provisions.

First, Section 22-1202(a) provides that any commercial establishment that collects, retains, converts, stores, or shares biometric identifier information of customers must disclose such collection, retention, conversion, storage, or sharing by placing a “clear and conspicuous” sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language, in a form and manner prescribed by the New York City Commissioner of Consumer and Worker Protection, that their biometric identifier information is being collected, retained, converted, stored, or shared, as the case may be. (A sample sign is available at https://www1.nyc.gov/assets/dca/downloads/pdf/businesses/Biometric-Identifier-Information-Disclosure-Sign.pdf.)

Second, Section 22-1202(b) of the law makes it unlawful to sell, lease, trade, or share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information. The “value” or “profit” factor suggests that corporate affiliates may share this information between or among themselves without violating this provision of the law.

Finally, Section 22-1203 creates a private right of action for any person “aggrieved” by a violation of the law. (A private right of action also exists under BIPA and under the facial recognition law enacted recently by the City of Portland, Oregon.)

Key Definitions

Section 22-1201 contains important definitions. For example, the law defines “commercial establishment” as “a place of entertainment, a retail store, or a food and drink establishment.”

A “place of entertainment” is broadly defined as “any privately or publicly owned and operated entertainment facility,” such as a theater, stadium, arena, racetrack, museum, amusement park, observatory, or other place where attractions, performances, concerts, exhibits, athletic games, or contests are held.

A “retail store” is an establishment that sells, displays, or offers consumer commodities for sale, or where services are provided to consumers at retail. (“Consumer commodities” are any article, good, merchandise, product, or commodity of any kind or class produced, distributed, or offered for retail sale for consumption by individuals, or for personal, household, or family purposes.)

And a “food or drink establishment” is one that gives or offers for sale food or beverages to the public for consumption or use on or off the premises, or on or off a pushcart, stand, or vehicle.

Importantly, under the law, a customer is not only an individual who actually purchases goods or services from a commercial establishment; the term also includes a prospective purchaser or lessee, as well as a lessee, of such items.

One of the key definitions in the law, of course, is “biometric identifier information.” It means a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, “to identify, or assist in identifying,” an individual. This includes, but specifically is not limited to:

• A retina or iris scan;
• A fingerprint or voiceprint;
• A scan of hand or face geometry, or any other identifying characteristic.

Other forms of biometric identification, highlighted in an October 7, 2019, report to the City Council, include voice recognition, DNA tests, and facial recognition as well as newer biometric identification methods such as brain signal identification, heart pattern recognition, and finger vein pattern recognition. The same report pointed out that there are two main classes of biometrics data that can be collected on individuals: behavioral characteristics, and physiological characteristics. Behavioral biometrics include an individual’s keystroke, signature, and voice recognition. Physiological biometrics include facial recognition, fingerprint scanning, hand geometry, iris scanning, and DNA. Facial recognition systems use an individual’s physiological information such as facial structure, eye color, size, and shape to identify an individual. As the report observed, fingerprint scanning, facial recognition, and iris scanning are used in everyday technologies such as cell phones, ATM machines, retail stores, concert halls, and even for building access. See https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=3704369&GUID=070402C0-43F0-47AE-AA6E-DEF06CDF702A.)

Private Right of Action

As noted above, the new law creates a private right of action for a person “aggrieved” by a violation of the law. The law does not limit the private right of action to New York City or even New York State residents but seemingly grants a private right of action to any aggrieved person.

Notably, the law provides for a “cure” period – at least with respect to the disclosure requirement.

Under the law, at least 30 days prior to initiating any action against a commercial establishment for a violation of the disclosure requirement in Section 22-1202(a), a putative plaintiff must provide written notice to the commercial establishment setting forth the alleged violation. If, within 30 days, the commercial establishment cures the violation and provides the putative plaintiff with an express written statement that the violation has been cured and that no further violations shall occur, “no action may be initiated against the commercial establishment for such violation.”

If a commercial establishment continues to violate the disclosure requirement of Section 22-1202(a), the aggrieved person may initiate an action against it.

The law specifically provides that no prior written notice is required for actions alleging a violation of Section 22-1202(b), and thus it does not include a cure period for an alleged violation of this section.

The damages for violating the law can mount up. The law provides for damages of $500 for each violation of Section 22-1202(a) and for each negligent violation of Section 22-1202(b). It also provides for damages of $5,000 for each “intentional or reckless” violation of Section 22-1202(b).

Moreover, the law authorizes a “prevailing party” to recover reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses. A court also may order other relief, including an injunction, as it may deem appropriate.

Exclusions

Perhaps unsurprisingly, the new law does not apply to the collection, storage, sharing, or use of biometric identifier information by government agencies, employees, or agents.

In addition, the law states that the disclosure required by Section 22-1202(a) does not apply to financial institutions, which include banks, trust companies, savings and loan associations, credit unions, securities brokers, and securities dealers but which does not include a commercial establishment whose primary business is the retail sale of goods and services to customers even if it provides limited financial services such as the issuance of credit cards or in-store financing to customers. (It should be noted that financial institutions are not exempt from the provisions of Section 22-1203, which by its terms is not limited to commercial establishments.)

The law also states that the Section 22-1202(a) disclosure requirement does not apply to commercial establishments that collect biometric identifier information through photographs or video recordings, if (i) the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and (ii) the images or video are not shared with, sold, or leased to third parties other than law enforcement agencies. So, for example, a store need not notify customers that it uses a closed-circuit television (CCTV) system unless it analyzes those recordings using software or applications within the meaning of the exclusion. By contrast, a store would have to provide notice to customers if it uses a facial recognition program to scan its customers, whether to identify shoplifters or for marketing, sales, or other purposes.

Conclusion

There are a number of steps that counsel should consider advising their New York City business clients to take to limit their potential liability under the city’s new biometric privacy law.

First, clients should decide whether they are commercial establishments within the meaning of the law. If so, they should determine if they collect biometric identifier information. Then, they should consider whether to post signs as provided by the law.

Companies also should make certain that they know how to reply to customer notices about potential breaches of the law’s signage provisions within 30 days.

Finally, it is important for all businesses in the city subject to Section 22-1203 of the new law to adopt policies prohibiting the sale or sharing of biometric identifier information.

If the experience under BIPA is any indication, we can expect to see plaintiffs begin to bring lawsuits under New York City’s new biometric privacy law against small, medium, and large enterprises operating in New York City in the very near future.