New York State legislators have proposed a private right of action with Assembly Bill 27, a proposed amendment to New York’s General Business Law (GBL). This amendment, also called the Biometric Privacy Act (BPA), would allow consumers to sue companies for improperly collecting or using certain biometric data. Here’s our analysis:
What Qualifies As Biometric Data?
BPA takes GDPR’s lead in granting special protections to “biometric identifiers”: biometric data that can reveal the identity of data subjects. The bill explicitly states that this encompasses fingerprints, voiceprints, and scans of hands, faces or eyes. It does not include samples used for valid scientific testing or screening, donated body parts, or handwriting samples.
The law doesn’t just apply to the identifiers. It also protects against the misuse of biometric information: any information based on the listed identifiers that can be used to identify the subject, regardless of how it is captured, converted, or stored.
When Can Customers Sue?
Companies will be held liable if caught in violation of any principles listed in the bill. Primarily, it would set the precedent that biometric data should be subject to the same standard of care as all other confidential information.
Any private entity with biometric data must have a clear retention schedule, including guidelines for how to destroy the data when necessary. Companies must dispose of data once the initial purpose for collection has been satisfied or within three years of their last interaction with the subject, whichever comes first. This approach must be outlined in a written policy accessible to the public.
In order to obtain a customer’s biometric data, companies must inform the subject of the purpose and length of the activity. Once they do this, the subject must sign a release consenting to the use of their data.
The bill also prohibits entities from profiting from biometric data without the subject’s consent. Without consent, companies can only sell, lease or trade such data in cases where the disclosure is required by a law or warrant, or if it is necessary to complete a transaction authorized by the subject.
What Kind of Penalties are in Play?
Consumers are entitled to recover damages for each violation, with the size of the penalty depending on the situation.
For negligent violations, customers are entitled to the greater of $1,000 or the actual damages incurred. For intentional or reckless violations, the minimum payout is $5,000.
Guilty parties are also expected to cover the legal costs of those involved, including expert witness fees and other litigation expenses. In some cases, the court may issue an injunction against the violating entity.
The Bill Would Make New York a Data Privacy Leader
While the private right of action is nothing new, it is far from the standard for state-level privacy legislation. Impacted consumers may only privately seek damages for privacy violations in five other states: South Carolina, New Jersey, Maryland, California, and Illinois. The latter three only include a private right of action for security violations, meaning that customers have no legal ground if the incident doesn’t qualify as a “breach.”
However, only South Carolina and Illinois have laws specifically pertaining to biometric information that also include a private right of action. New York’s proposed law is similar on paper, so keep an eye on those two states to anticipate how it will be applied and enforced in New York.
If Illinois is anything to go by, consumers may be entitled to liquidated damages for minor technical mishaps. In the past five years, there have been over 1,000 class action complaints filed under Illinois’ Biometric Information Privacy Act (BIPA) by consumers alleging that their biometric data was collected and retained for timekeeping, security and consumer transactions in violation of the law. Many of these involved no actual damages.
Companies that collect biometric data from consumers in New York should err on the side of caution. If this applies to you, begin reworking your policies and conducting appropriate audits now to avoid the cost of non-compliance in the future.