Amazon Sued in First Major Biometric Privacy Lawsuit Under NYC Biometric Privacy Law

• Amazon is the first major corporation to be sued under New York City’s Biometric Privacy Act.
• Like Illinois’ notorious BIPA, the NYC law creates a private right of action, so if certified, the suit could enable thousands to pursue claims.
• The suit underscores that strict adherence to the statute is required, as it alleges that Amazon’s attempt to cure was inadequate.

Amazon is the latest major corporation to be hit with what could amount to a multi-million-dollar lawsuit based on its alleged non-compliance with a biometric privacy law – in this case, with a relatively new law. The proposed class-action lawsuit was filed in federal court in Manhattan, and argues that Amazon has run afoul of the New York City Biometric Privacy Act. If certified, the lawsuit would allow thousands of Amazon customers to pursue countless claims of violations against Amazon, which could amount to “tens of millions of dollars” according to the plaintiffs’ attorney, Albert Fox Cahn, the founder of a local advocacy organization called Surveillance Technology Oversight Project.

Specifically, the sign stated that “[t]his business uses an Amazon One device that collects and stores customers’ biometric information.” The sign further reads “[i]f you use Amazon One, your biometric information will be used to help identify you,” and “[n]o biometric information will be collected from customers who do not use an Amazon One palm scanner.” However, the lawsuit alleges that the sign was placed too far from the entrance, that the sign is difficult to read, and that in spite of the sign, Amazon tracks and collects biometric information of customers who choose not to use the palm scanner.

A private right of action in New York City’s law

New York City’s Biometric Privacy law applies to commercial establishments and prohibits businesses from collecting biometric identifiable information (BII) – facial scans, finger prints, etc. – without first posting a conspicuous sign at customer entrances. The signs must notify customers in plain and simple language how biometric identifiers are being collected or processed. The law also prohibits covered companies from selling leasing, trading, sharing, or otherwise profiting from that biometric information. Under the law, commercial establishments may face harsh penalties: up to $500 for each signage violation, up to $500 for each negligent sale violation, and up to $5,000 for each intentional or reckless sale violation.

“Like the Illinois Biometric Privacy Act (“BIPA”), the New York City law creates a private right of action; however, it contains a 30-day notice-and-cure provision which has likely prevented the onslaught of class-action lawsuits seen in Illinois.”

Like the Illinois Biometric Privacy Act (“BIPA”), the New York City law creates a private right of action; however, it contains a 30-day notice-and-cure provision, which has likely prevented the onslaught of class-action lawsuits seen in Illinois. The recent case against Amazon makes clear that strict adherence to the statute is required, because a commercial establishment that attempts to cure but does so ineffectively still may be liable under the statute. As the case against Amazon plays out, we likely will see arguments over what constitutes a “clear and conspicuous sign” under the law.

While BIPA is the most consumer-friendly biometric privacy law, other states and municipalities beyond New York City also have passed laws to protect BII. The New York State legislature is considering a bill to enact a law similar to BIPA that may include a private right of action. Other states, such as Washington, California, and Texas have passed biometric privacy laws that do not contain a private right of action, but rather are enforced by the state’s attorney general. Indeed, companies in states with biometric privacy laws that do not include a private right should still worry as state Attorneys General have aggressively pursued violations. Most notably, the Texas Attorney General recently announced that Meta, Facebook’s parent company, could be liable for billions of dollars’ worth of damages under the state’s Capture or Use of Biometric Identifier Act (“CUBI”). Many other states across the nation are considering bills on biometric privacy.

Watch for new BII exclusions in liability insurance policies

As more state biometric privacy laws are passed, the risks for companies using BII continues to grow. And more BII liability risk means more insurance coverage disputes are sure to follow. While insurance companies’ attempts to deny coverage for biometric claims on the basis of existing exclusions in liability policies have mostly failed, these companies are beginning to introduce more specific exclusions into general liability and employment practices liability policies. When purchasing and renewing their insurance policies, businesses at risk of liability under biometric privacy laws need to scrutinize their existing liability coverage and be wary of insurance companies adding such exclusions or making other impactful changes to policy language that may endanger coverage for biometric privacy claims.

To download the PDF, click here.