New York Gets Ready to Jump on the Biometric Bandwagon
Companies that do business in New York or with New Yorkers could soon face an onslaught of biometric privacy-related litigation, courtesy of New York Assembly Bill 27, the Biometric Privacy Act (“BPA”). Currently pending before the legislature, the bill is modeled on Illinois’ Biometric Information Privacy Act (“BIPA”) and, like that law, would impose a set of rules businesses must follow when collecting biometric information. Critically, the BPA would create a private right of action for those “aggrieved” by violations of the law.
The similar private right of action in Illinois’ BIPA has generated a tremendous volume of consumer class-action litigation, including against some of the most prominent companies in the country. The BIPA litigation in Illinois is driven in large part by the Illinois Supreme Court’s ruling that individuals do not have to suffer an actual, concrete injury in order to be “aggrieved” under the BIPA. While there is a split in authority—and standing in consumer class actions is an issue currently on the Supreme Court’s docket—some federal courts have also endorsed this view in the context of Article III standing, despite Supreme Court precedent to the contrary. A similar ruling regarding New York’s BPA would potentially lead to a similar flood of litigation, with individuals able to bring suit alleging only bare procedural violations of the statute. Businesses could face significant statutory liability, because the BPA includes provisions awarding statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. Those statutory damages are a powerful incentive to bring suit even in the absence of any real-world harm.
The scope of the legislation is broad, covering any “individual, partnership, corporation, limited liability company, association, or other group.” Thus, companies in New York that use biometric data should closely monitor the pending legislation, as it would impose several new obligations. Most significantly, the bill prohibits companies from collecting, capturing, purchasing, or receiving biometric information unless it provides written notice and receives written consent. That restriction also applies to employees; companies must obtain a release executed by the employee as a condition of employment in order to collect biometric information. Companies already in possession of such information are forbidden from selling, leasing, trading, or otherwise profiting from it. Furthermore, disclosure of biometric information to third parties would require consent, unless the disclosure was required by law or made pursuant to a valid warrant or subpoena. The bill also imposes a “reasonable standard of care” on companies that have biometric information. The precise contours of that standard of care will likely be a point of contention in any litigation under the BPA.
While the BPA is still making its way through the legislative process and previous versions of the bill have failed, with a Democratic supermajority in both state houses, the BPA seems likely to succeed and be enacted sometime in 2021 in a form substantially similar to the current proposal. In light of this imminent new law and the Illinois precedent, companies in New York that possess or collect biometric information should consider undertaking a review of the information they collect, and planning to implement any required changes to their policies to comply with the new law.
We will continue to monitor any developments with the BPA and ongoing biometric litigation in Illinois and elsewhere.