New York proposes a narrow biometrics privacy law
The list of states unwilling or unable to wait for the federal government to create nationwide biometric privacy laws continues to grow. New York state legislators have now introduced a fairly limited bill that would regulate some aspects of the way private organizations handle biometric data.
Among other provisions, organizations holding biometric identifiers would not be allowed to profit in any way from the use of the data.
Introduction of Assembly Bill 27 is expected January 6 and it will be sent to the body’s consumer affairs and protection committee. Its fate is not known beyond that.
The act would compel all non-governmental organizations holding biometric identifiers or information to formalize how they handle the materials.
It would mandate that written policies be created for how long information can be retained and how it will be permanently destroyed.
Entities storing the biometrics also would have to dispose of the data after the original reason for collecting or otherwise obtaining the biometrics has been “satisfied” or three years after the person last interacted with the organization, whichever comes first.
For this bill, biometric identifiers would be restricted to recorded data about a person’s retinas, irises, fingerprints, voice, and face and hand geometries. It would not matter how the data is captured, stored, converted or shared.
Identifiers would be entirely off limits for private use unless the person is alerted in writing about how and for how long the data will be used, and the person agrees in writing to its use. There would be similar restrictions on disclosing or redisclosing a person’s biometric identifiers.
Executives would also have to afford a person’s data at least the same level of privacy protection that they apply to their own organization’s proprietary information.
The bill also includes a right of private action, so people who feel their privacy has been violated could take the matter to the state’s supreme court, seeking damages of up to $5,000 per violation.
The damages clause closely follows similar remedies in the landmark Biometric Information Privacy Act (BIPA) passed in Illinois in 2008. It is proving difficult for state legislatures to enact laws allowing people to sue for damages, however.