Insights: AlertNew York City's Biometrics Law Has TeethApril 17, 2023 Since 2021, the administrative code of the City of New York requires commercial establishments in New York City to post conspicuous signs by their entrances if these businesses are collecting customers' biometric information -- NYC Admin Code §§ 22-1201-1205. If no signs are posted, following a 30-day notice to cure from would-be plaintiffs, the businesses could face private lawsuits with steep statutory damages. New York City's biometrics law regulates how retail stores, restaurants, places of entertainment, and other “commercial establishments,” as defined by the law, can collect and share biometric information. Notably, “financial institutions,” as defined by the law, are expressly excluded from the law's scope. Biometrics subject to the law include facial scans, fingerprints and voiceprints, and other data elements defined in the New York City law. The law shows its teeth in its enforcement mechanism: the law is enforced through a private right of action, with statutory damages of $500 for each negligent violation, and $5,000 for each intentional violations, plus reasonable attorneys' fees and costs. The law contains two substantive requirements:
New York City's biometrics law differs from the most impactful biometrics law in the United States, the Illinois Biometric Information Privacy Act (BIPA) in two material ways. First, while New York City's law requires mere notice by posting a conspicuous sign prior to capturing biometrics, BIPA requires signed consent from the person whose biometrics will be collected. This means that in New York City, commercial establishments can use facial recognition as a part of in-store surveillance (which is an important use case for retailers) so long as they post the required conspicuous signs and comply with the prohibition on sale of biometrics. In Illinois, however, BIPA makes use of facial recognition through surveillance cameras unfeasible because businesses have no reasonable way to obtain a signed consent from every person who may enter their premises or otherwise pass within the view of a surveillance camera capturing biometrics. Second, New York City's law contains a 30-day cure period prior to a plaintiff filing a lawsuit, while BIPA does not contain such a cure period, or any other grace period. A few recommendations (or how not to get bitten):
If you have any questions regarding the New York City law regarding biometric identifier information, other New York laws relating to the collection of biometrics, or any other privacy-related issues, please contact Kilpatrick Townsend's Cybersecurity, Privacy & Data Governance team. You can also check out our Global Privacy & Cybersecurity Law blog for in-depth analysis of emerging privacy issues. Related People![]() John M. Brigagliano
jbrigagliano@ktslaw.com ![]() Vita E. Zeltser
vzeltser@ktslaw.com |


