Skip to main content

NYC Businesses: Do you have your “biometric identifier collection” notice up?

As previewed in Mintz’s earlier post, New York City’s Biometric Identifier Information Law (the “NYC Law”) is now in force, effective Friday, July 9th.  The NYC Law requires that places of entertainment, retail stores and food and drink establishments that collect biometric identifying information, including from customers and employees, post a “clear and conspicuous” notice to that effect near customer entrances.  Further, the NYC Law prohibits the establishment from selling the information or exchanging it for value.  Financial institutions are exempt from the signage requirement but not the prohibition on sale.  Businesses who have CCTV’s are not required to post a notice, provided that: i) they do not analyze the footage to collect biometric identifying information, such as facial recognition; and ii) they do not share the footage except with law enforcement.  Notably, the NYC Law provides a private right of action, but the potential plaintiff must give the business 30 days’ written notice before commencing an action for violation of the signage requirement, during which time the business may cure.  There is no cure period for violations of the sale requirement.

The NYC Law also provides that the NYC Department of Consumer Affairs issue regulations regarding the signage, but as of Monday, July 12, the regulations have not yet been published.  Since the NYC Law is in effect, covered businesses that collect the broad scope of “biometric information” should post some notice today.

Subscribe To Viewpoints

Authors

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Michael Graif