New York State Assembly Proposes “Biometric Privacy Act”
On January 6, 2021, a bipartisan group of 24 legislators proposed Assembly Bill 27, known as the “New York Biometric Privacy Act.” The Bill is essentially the same as the Illinois Biometric Information Privacy Act, which is considered the vanguard of legislation protecting citizens’ biometric data. While well meaning, such a law in New York would create significant challenges for entities doing business in New York.
In case you need a reminder, biometric data is any aspect of your person that can be used to identify you: for example, fingerprints, retina scans, DNA, or even your face. The legislation in Illinois has already generated a cottage industry for privacy-related class action lawsuits in Illinois and could mean billions for the plaintiffs’ bar if enacted in New York.
Notably, New York introduced some privacy protections for biometric data when it passed the New York SHIELD Act less than two years ago. However, the SHIELD Act specifically denied affected citizens a private right of action. Instead, it expanded the definition of a data breach to include unauthorized access (as opposed to unauthorized acquisition) of protected data, defined specific actions to be taken when a data breach occurs, and created affirmative requirements to reasonably safeguard private information (including biometric data).
New York is unique in the way its “reasonable safeguards” requirement is applied. For example, in California, such affirmative requirements only apply to entities with more than $25 million in gross revenue, or who are in the business of buying and selling consumer data. New York created an affirmative duty for all entities, regardless of size and location, who store New York residents’ private information. That said, the SHIELD Act creates enumerated requirements for mid-to-large sized businesses, while still demanding “reasonable” safeguards even for small businesses.
Assembly Bill 27 now proposes that entities in possession of certain biometric data should be required to develop and comply with a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first. Such entities would be required to notify the individuals from whom they intend to collect the information about the specific purpose and length of time the data will be collected, stored, and used prior to its collection. Last, the entities would have to obtain a written release prior to collection, which is likely to take the form of fine print in a click-thru agreement that no consumer will actually read.
These requirements may be onerous for small businesses, but in many cases are not necessarily unreasonable. However, more troubling, the New York proposal would include a private right of action in the case of violations of the law. As any attorney who spent any time litigating mass torts and class actions will tell you (wink wink), once the floodgates for plaintiffs’ attorneys open up, a litigation industry is inevitable and good companies, along with the bad actors, will get swept up in the lawsuits.
Illinois has shown us how even harmless errors can have big consequences. For example, in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), the Illinois Supreme Court found that a plaintiff need not show actual damages to proceed with a lawsuit under its biometric privacy act. A similar ruling in New York could spell disaster for a lot of businesses who are already struggling to comply with the SHIELD Act. In Illinois, it took several years to see a rise in class actions as a result of the law, but by 2019, 161 new class actions were counted within a six-month period from January to June.
So far, the bill has been referred to the consumer affairs and protection committee. Given its bipartisan sponsorship, some version of this bill has a good chance at passage. We will continue to track developments and keep you apprised. In the meantime, The Long Law Firm will work towards developing effective and affordable solutions for small to mid-size businesses to comply with all new and existing privacy and cybersecurity laws. Stay tuned! Feel free to shoot me an email with any questions, concerns, or news that you have.