Compliance With Forthcoming Biometric Laws in New York City

Two bills are scheduled to be introduced at the New York City (NYC) council meeting on April 27th that would amend NYC’s administrative code to more heavily regulate the collection and storage of biometric data by businesses and owners of residential buildings. Biometric data is defined broadly in these bills and includes scans of the face, iris or retina; fingerprints; voice recognition; and any similar characteristics that can be used to identify an individual.

Regulations concerning the use and collection of biometric data are not new to NYC. In 2019, NYC enacted the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which requires businesses that collect personal data, including biometric data, to implement heightened security measures. The proposed bill aimed at regulating the biometric technology practices of businesses amends a prior law (2021 NYC Local Law No. 3, NYC Admin. Code §§ 22-1201–22-1205), passed on July 9, 2021, which regulates how businesses may gather and share biometric data, such as requiring that businesses place “a clear and conspicuous sign” near the entranceway to notify customers of the collection of their biometric data. NYC officials have provided form signage that satisfies this law online. However, this local law currently applies only to “commercial establishments,” which are limited to places of entertainment, retail stores, and food and drink establishments.

On July 29, 2021, the Tenant Data Privacy Act (TDPA), which restricts the use of biometric data by residential building owners in NYC, went into effect. TDPA requires owners of “smart access buildings” (i.e., buildings that use keyless entry systems, including those that use facial recognition and fingerprint scans for building access) to obtain consent before using biometric data and provide tenants with a retention and privacy policy. The TDPA also limits the biometric data that owners may collect to the minimum amount necessary to enable use of the smart access system.

One of NYC’s proposed bills would expand the scope of NYC’s existing local law to apply to all “places or providers of public accommodation” (i.e., restaurants, hotels, retail stores, museums, stadiums, etc.) and would preclude such establishments from using biometric recognition technology to verify or identify a customer without first obtaining their written consent. Under the proposed new law, all places or providers of public accommodation must develop a written policy, available upon request, that includes guidance regarding the retention and destruction of such biometric data. Customers must be afforded the opportunity to request that their data be erased. Further, businesses will not be able to disclose, sell, trade or otherwise profit from the biometric data they have collected. If the proposed bill is enacted, it would be prudent for landlords to include a specific covenant in their commercial leases to require applicable tenants to comply with these requirements.

The second proposed bill would amend the TDPA to make it illegal for an owner of a “multiple dwelling” (i.e., residential buildings that are occupied, or will be occupied, by three or more families living independently of each other) to install, activate or employ any biometric recognition technology that identifies tenants or their guests without first obtaining their written consent or their consent through a mobile application. Landlords should be aware that installation of Ring, Google Home or similar devices that incorporate facial recognition technology would be implicated by this proposed law. Landlords should also ensure that their policies and practices regarding the use and collection of biometric data comply with the NYC Human Rights Law, which prohibits landlords from discriminating against individuals based on certain protected characteristics, such as race, gender, disability and marital status.

At least three states have passed comprehensive biometric privacy laws: Illinois, Texas and Washington. The private right of action in Illinois’ Biometric Information Privacy Act has made headlines recently for leading to substantial settlements and judgments that have cost businesses hundreds of millions of dollars. Many cities and local governments also ban facial recognition software or other uses of biometric data to some extent, including, for example, San Francisco; Oakland; Boston; Portland, Oregon; Portland, Maine; and Jackson, Mississippi. Further, comprehensive privacy laws passed in California, Virginia, Colorado, Utah, Connecticut and Iowa all classify biometric data as “sensitive personal information” that is entitled to heightened protection. All six of these state privacy laws require either affirmative consent from the individual or notice and opportunity to opt out, before a business can collect biometric data.

As biometric technology continues to advance and concerns regarding its use continue to grow, we may well see more regulations aimed at increasing transparency and accountability. Businesses should be cognizant of these laws in order to avoid potential liability and financial penalties. Please reach out to the Kramer Levin privacy and real estate teams for advice on how to best navigate the biometric data legal landscape.