Proposed NYC biometric data privacy law could lead to deluge of lawsuits

Legislators in New York City are expected to consider a bill this year which would amend municipal laws to include similar rules for biometric data collection and use to Illinois’ controversial Biometric Information Privacy Act (BIPA), and the National Law Review reports that it could lead to “a deluge of individual and class action suits.”

The law was proposed in October of last year by Councillor Ritchie Torres, and the Review reports that it is yet to be heard by a committee, which would have to approve it before the law was considered for a vote by council. If it does, it would require every business in New York City that uses facial recognition to meet standards for clear notification of the technology’s use, along with details about the storage, retention period, and use of biometric data. Companies would also be required to draft policies to govern their use of the technology.

The bill is particularly intended to address concerns about facial recognition, but turns on the phrase “biometric identifier information,” which it defines as also including iris, fingerprint, voiceprint, and hand geometry biometrics. The bill does not include a consent or opt-out requirement, but specifically allows for a “private right of enforcement,” meaning individuals can bring lawsuits, which is a key difference between Illinois’ legislation and that of other states, such as Washington and Texas, which also have biometric privacy laws.

The decision by the Illinois State Supreme Court clarified the criteria of harm under BIPA, but the proposed rules for NYC leave no room for doubt, explicitly noting that individuals have standing for legal action based on any violation. While the city would be able to levy fines of $500 for violations, individuals can seek damages of $1,000 to $5,000, as in BIPA.

Based on a 2011 estimate of just over 6.9 million Facebook users in Illinois, the social media giant could face damages totaling anywhere from $6.9 billion to $34.5 billion in its BIPA suit.

Article Topics

biometrics  |  BIPA  |  data collection  |  data protection  |  data storage  |  facial recognition  |  legislation  |  privacy