In January of 2021, a bipartisan group of New York State lawmakers proposed a comprehensive policy that places restrictions on the collection of biometric information by companies operating in the state. Assembly Bill 27, the Biometric Privacy Act, would allow for consumers to sue companies that improperly use or retain an individual’s biometric information. New York’s biometric act follows suit behind Illinois’ Biometric Information Privacy Act (BIPA), the first and most robust state law that guards against the unlawful collection and storing of biometric information. Like BIPA, Assembly Bill 27 was created to place regulations on a company’s handling of biometric data, such as fingerprints, voiceprints, retina scans, and scans of the hand and face geometry. Assembly Bill 27, however, does not cover writing samples, written signatures, photographs, or physical descriptions.
What Is Included?
The Biometric Privacy Act requires businesses collecting biometric identifiers or information to develop a written policy establishing a retention schedule and guidelines for permanently destroying the biometric data. The destruction of the data must occur when the initial purpose for collecting the biometric data has been “satisfied,” or within three years of the individual’s last interaction with the company, whichever occurs first. This bill also includes a private right of action that would allow consumers to sue businesses for statutory damages up to $1000 for each negligent violation and $5,000 for each intentional or reckless violation.
Further, AB 27 requires companies to obtain written consent from individuals before collecting, purchasing, or obtaining biometric information and provide notification to those individuals about the specific purpose and length of time the data will collected, stored, and used. Companies are prohibited from selling, leasing, trading, and profiting from biometric information and strict restraints are placed on a business’s ability to disclose biometric information to a third party without consumer consent.
The Impact of Biometrics on Future Legislation
With the increased volume of biometric information being used by companies leveraging biometric-driven timekeeping systems and other technologies, the push for biometric privacy policies that govern the use of these technologies and promotes safeguards for employees is gaining momentum. Several states are also looking to amend their breach notification and security laws to include biometric identifiers. For example, New York State’s SHIELD Act, the breach notification law enacted in 2019, has already been expanded to include biometric data in its definition of private information.
At Beckage, we have a team of highly skilled lawyers that stay up to date on proposed and enacted legislation. With states looking to implement biometric privacy laws similar to BIPA, it is important to have legal tech counsel to address compliance with these emerging laws. Our team can help assist your company in assessing and mitigating risks associated with emerging technologies.
*Attorney Advertising. Prior results do not guarantee similar outcomes. *