The information provided on this blog post does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this blog post are for general informational purposes only. Information on this blog post may not constitute the most up-to-date legal or other information.
Perhaps you’ve heard about the new Biometrics Privacy Law enacted in New York City, which governs the collection, use and retention of biometric identifier information by commercial establishments. Here’s a quick overview of the key takeaways.
Which organizations are impacted?
Any business that captures biometric data to identify, or assist in identifying, an individual by identifying characteristics, including fingerprints and facial biometrics. This includes retail stores, places of entertainment, and food and drink establishments.
What does compliance look like?
Any commercial establishment that uses biometrics in order to identify its customers is required to:
- Notify its customers of the biometric collection activity, by placing a clear and conspicuous sign near any of its customers’ entrances; and
- Refrain from selling or profiting from biometric identifier information.
Are any organizations or use cases exempted?
Yes. The law does not apply to financial institutions (such as banks, credit unions or securities firms), or to personally identifiable information collected through photographs or video recordings, if they: (a) are not analyzed by software or applications that identify, or that assist with the identification of, individuals, and (b) are not shared with, sold or leased to third parties other than law enforcement agencies.
In addition, the Law does not extend to collection of employee biometrics by employers and it explicitly exempts government agencies and their employees or agents.
What are the repercussions of non-compliance?
The Law creates a private right of action: any person aggrieved by a violation of the Law may file an action in court against the offending commercial establishment if the offending party did not cure the violation within 30 days of the aggrieved person’s notice. Available remedies include:
- Damages of $500 for each violation of failing to provide notice to the public;
- Damages of $500 for each negligent violation of unlawfully selling or sharing customers’ biometric identifier information;
- Damages of $5,000 for each intentional or reckless violation of unlawfully selling or sharing customers’ biometric identifier information;
- Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
- Other relief, including an injunction.
IMPORTANT NOTE: The information provided is for informational purposes only and shall not be construed as legal advice. The actual language you use should be vetted by your own legal counsel.
What should the signage say?
The actual verbiage used at your business needs to be vetted by your own internal counsel, but here are a few suggestions to consider.
You could opt for a simple sign, but it needs to make clear that your establishment collects biometric data.
NOTICE
Video surveillance and facial recognition in use on these premises to identify known shoplifters and security threats.
Longer Version
Some establishments in New York may opt to provide more details to their customers. There is some value in providing greater context, but it remains a question whether your visitors will actually notice or read a longer format.
[RETAILER NAME] CUSTOMERS
[Retailer Name] is using video surveillance with face-based recognition to identify known shoplifters and security threats.
Pictures from the video of all store visitors are being captured and compared to a defined list of known security threats. Video surveillance is just one of many tools that we use to identify security threats. Please note that these videos will be deleted immediately after the matching process occurs for all non-watchlist individuals so no personal, identifiable information is retained. Videos of individuals who are on the watchlist will be retained for security purposes.
We take security and data privacy seriously. For more information about how we safeguard data, use facial recognition, and retain data to better protect the safety and identities of our customers, please visit www.[retailername].com/securitymeasures.
Do you need to update your Terms of Use?
Though the law does not require organizations to update their Terms of Use, we think it makes practical sense. We recommend adding verbiage that not only addresses the capture of biometric information but explains how your organization uses facial recognition and its data retention policies to provide some peace of mind to your customers.
Sample Terms of Service Addendum
Biometric Identifier Information Law of New York
[Company Name] conforms with New York’s Biometric Identifier Information Law and notifies customers and potential customers that biometric information is captured as part of our video surveillance security measures. [Company name] utilizes video surveillance and face-based recognition to protect the safety of our customers and personnel. We have placed clear and conspicuous signs near all of the physical entrances which notify our customers that we capture their biometric information as part of our ongoing security measures.
We utilize the services of third-party facial recognition software only to identify individuals that are known shoplifters or security threats — individuals that we have included in an online watchlist. When customers visit our commercial establishments, we compare their face-based biometrics to the biometrics of those on the watchlist. The facial recognition software analyzes all video footage to find potential matches, and any facial images from video footage of non-watchlist individuals are deleted after the matching process is performed. Videos of individuals who are on the watchlist will be retained for security purposes.
[Company name] or its third-party solution provider does not sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.
At AnyVision, we actually welcome these types of privacy laws. We see this ordinance as a positive action towards standardizing the use of biometrics in public spaces. Ideally, we can start to develop more standard guidelines at a national level vs. having a patchwork of state-level regulations which often have subtle differences between them. These differences make it more difficult for commercial establishments to comply when they operate across multiple states or countries.
That said, we hope this post clarified the new law for New York-based businesses and outlined the steps required to comply with quickly evolving biometric privacy laws and to limit potential liability.