New technologies can expand business opportunities but may be abused. New York City enacted a new business and commercial law that prohibits commercial establishments from collecting facial scans, fingerprints and other biometric information to protect consumer privacy.
Municipalities across the country have enacted laws restricting the use of the facial recognition technology. Advocates claim that this technology violates privacy expectations and disproportionally misidentifies people of color.
New York City’s law takes effect in July and will apply to its entertainment venues, retail stores, restaurants, bars, and other commercial establishments Biometric information under the law includes retina scans, fingerprints, voiceprints, handprints, scans of face geometry and other identifying characteristics.
Companies that collect, keep, or share biometric information must display clear and conspicuous signs near all their commercial entrances. The signs should contain plain and uncomplicated language describing how biometric identifiers are being used or processed.
Companies may not sell, lease, trade, share or profit from the biometric information. But businesses do not have to ask for written consent for use of biometric technology.
Companies may face penalties up to $500 for each signage violation, up to $500 for each negligent sale and up to $5,000 for each intentional or reckless sale violation.
The law exempts biometric identifier collection, storage, sharing and use by government agencies and employees. Banks, credit unions and other financial institutions do not have to comply with the signage requirements.
The law will allow consumers to sue over violations. But it also contains a 30-day cure period in which aggrieved consumers must notify the business that it violated the law before they can file a lawsuit. The business can correct the violation within that 30-day period and inform the consumer that the violations was corrected and will not occur again.
Companies that try to profit from sale of this data do not receive this reprieve, however. The 30-day cure period will not govern violations for selling and sharing data.
Business should prepare signs and set up internal procedures on how it will promptly address violations, such as lacking signs, within the 30-day cure period. They should review their biometric collecting processes.
Companies with retail locations in New York City need to prepare data mapping to comprehend that data being collected and how it is being shared or processed. Companies should understand how they deal with outside parties collecting or managing this data and impose contract terms that prevent vendors from using data illegally.
Attorneys can assist businesses with preparing and complying with this law. They can also help protect their interests during civil and enforcement actions.