New York City’s Biometrics Law Has Teeth

Since 2021, the administrative code of the City of New York has required commercial establishments in New York City to post conspicuous signs by their entrances if these businesses are collecting customers’ biometric information (NYC Admin Code §§ 22-1201-1205). If no signs are posted, following a 30-day notice to cure from would-be plaintiffs, the businesses could face private lawsuits with steep statutory damages.

New York City’s biometrics law regulates how retail stores, restaurants, places of entertainment, and other “commercial establishments,” as defined by the law, can collect and share biometric information. Notably, “financial institutions,” as defined by the law, are expressly excluded from the law’s scope. Biometrics subject to the law include facial scans, fingerprints and voiceprints, and other data elements defined in the New York City law.

The law shows its teeth in its enforcement mechanism: it is enforced through a private right of action, with statutory damages of $500 for each negligent violation and $5,000 for each intentional violation, plus reasonable attorneys’ fees and costs.

The law contains two substantive requirements:

  • Posted signs: Commercial establishments in New York City that collect biometrics must post conspicuous signs near their entrances, notifying customers that biometrics are being collected. New York City officials released form signage that satisfies the requirement of the law.
  • Prohibition on sale of biometrics: Commercial establishments cannot sell biometric identifier information. The law specifies that it is unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.

New York City’s biometrics law differs from the most impactful biometrics law in the United States, the Illinois Biometric Information Privacy Act (BIPA), in two material ways. First, while New York City’s law requires mere notice by posting a conspicuous sign prior to capturing biometrics, BIPA requires signed consent from the person whose biometrics will be collected. This means that in New York City, commercial establishments can use facial recognition as a part of in-store surveillance (which is an important use case for retailers) so long as they post the required conspicuous signs and comply with the prohibition on sale of biometrics. In Illinois, however, BIPA makes use of facial recognition through surveillance cameras unfeasible because businesses have no reasonable way to obtain a signed consent from every person who may enter their premises or otherwise pass within the view of a surveillance camera capturing biometrics. Second, New York City’s law contains a 30-day cure period prior to a plaintiff filing a lawsuit, while BIPA does not contain such a cure period, or any other grace period.

A few recommendations (or how not to get bitten):

  1. Determine if you are covered by the law. Companies that constitute “commercial establishments” and that operate in New York City should review all in-store activities to identify any use that might involve the capture of biometric identifier information. In addition to in-store video surveillance, common use cases that might involve capturing biometrics include virtual “try-ons” of clothing, glasses or make-up, screening calls for known fraudsters, and driver’s license scanning for identity verification.
  2. Post conspicuous signs if you are required to do so. A company that collects biometric identifier information that falls within the scope of the New York City law must post conspicuous signage, as the law requires.
  3. Do not sell biometrics. Companies should review their business practices to ensure that they are not violating the prohibition on the sale, lease, trade, or other profit from biometrics.
  4. Watch for cure notices. Covered companies should be on the lookout for cure notices, and, should they receive one, be ready to react quickly, since, under the law, failure to cure and give the would-be plaintiff notice of the cure within 30 days of the notice permits a private right of action to proceed against the company.

If you have any questions regarding the New York City law regarding biometric identifier information, other New York laws relating to the collection of biometrics, or any other privacy-related issues, please contact Kilpatrick Townsend’s Cybersecurity, Privacy & Data Governance team. You can also check out our Global Privacy & Cybersecurity Law blog for in-depth analysis of emerging privacy issues.
