Amazon is the latest major corporation to be hit with what could amount to a multi-million-dollar lawsuit based on its alleged non-compliance with a biometric privacy law – in this case, with a relatively new law. The proposed class-action lawsuit was filed in federal court in Manhattan, and argues that Amazon has run afoul of the New York City Biometric Privacy Act. If certified, the lawsuit would allow thousands of Amazon customers to pursue countless claims of violations against Amazon, which could amount to “tens of millions of dollars” according to the plaintiffs’ attorney, Albert Fox Cahn, the founder of a local advocacy organization called Surveillance Technology Oversight Project.
This appears to be the first lawsuit of its kind related to New York City’s Biometric Privacy Act, which became effective in August 2021. The 30-page complaint alleges that Alfredo Rodriguez Perez went into an “Amazon Go Store” where customers can “just walk out” with the merchandise of their choice. Amazon tracks customers’ behaviors and movements and then charges a customer’s Amazon account for the goods that they leave the store with. After shopping at one such location, Mr. Perez sent a letter to the store, notifying it that the store did not post any disclosure regarding the collection of biometric information. Amazon allegedly ignored Mr. Perez’s letter and failed to post any new signs until the story was picked up and reported by the New York Times. While the store did post a sign after the New York Times story was released, the Complaint alleges that the sign was nonetheless not in compliance with the New York Biometric Privacy Act.
Specifically, the sign stated that “[t]his business uses an Amazon One device that collects and stores customers’ biometric information.” The sign further reads “[i]f you use Amazon One, your biometric information will be used to help identify you,” and “[n]o biometric information will be collected from customers who do not use an Amazon One palm scanner.” However, the lawsuit alleges that the sign was placed too far from the entrance, that the sign is difficult to read, and that in spite of the sign, Amazon tracks and collects biometric information of customers who choose not to use the palm scanner.
A private right of action in New York City’s law
New York City’s Biometric Privacy law applies to commercial establishments and prohibits businesses from collecting biometric identifiable information (BII) – facial scans, finger prints, etc. – without first posting a conspicuous sign at customer entrances. The signs must notify customers in plain and simple language how biometric identifiers are being collected or processed. The law also prohibits covered companies from selling leasing, trading, sharing, or otherwise profiting from that biometric information. Under the law, commercial establishments may face harsh penalties: up to $500 for each signage violation, up to $500 for each negligent sale violation, and up to $5,000 for each intentional or reckless sale violation.
“Like the Illinois Biometric Privacy Act (“BIPA”), the New York City law creates a private right of action; however, it contains a 30-day notice-and-cure provision which has likely prevented the onslaught of class-action lawsuits seen in Illinois.”
Like the Illinois Biometric Privacy Act (“BIPA”), the New York City law creates a private right of action; however, it contains a 30-day notice-and-cure provision, which has likely prevented the onslaught of class-action lawsuits seen in Illinois. The recent case against Amazon makes clear that strict adherence to the statute is required, because a commercial establishment that attempts to cure but does so ineffectively still may be liable under the statute. As the case against Amazon plays out, we likely will see arguments over what constitutes a “clear and conspicuous sign” under the law.
While BIPA is the most consumer-friendly biometric privacy law, other states and municipalities beyond New York City also have passed laws to protect BII. The New York State legislature is considering a bill to enact a law similar to BIPA that may include a private right of action. Other states, such as Washington, California, and Texas have passed biometric privacy laws that do not contain a private right of action, but rather are enforced by the state’s attorney general. Indeed, companies in states with biometric privacy laws that do not include a private right should still worry as state Attorneys General have aggressively pursued violations. Most notably, the Texas Attorney General recently announced that Meta, Facebook’s parent company, could be liable for billions of dollars’ worth of damages under the state’s Capture or Use of Biometric Identifier Act (“CUBI”). Many other states across the nation are considering bills on biometric privacy.
Watch for new BII exclusions in liability insurance policies
As more state biometric privacy laws are passed, the risks for companies using BII continues to grow. And more BII liability risk means more insurance coverage disputes are sure to follow. While insurance companies’ attempts to deny coverage for biometric claims on the basis of existing exclusions in liability policies have mostly failed, these companies are beginning to introduce more specific exclusions into general liability and employment practices liability policies. When purchasing and renewing their insurance policies, businesses at risk of liability under biometric privacy laws need to scrutinize their existing liability coverage and be wary of insurance companies adding such exclusions or making other impactful changes to policy language that may endanger coverage for biometric privacy claims.
To download the PDF, click here.
CORT T. MALONE is a shareholder in the New York and Stamford, Connecticut, offices of Anderson Kill and practices in the Insurance Recovery and the Corporate and Commercial Litigation departments. He is an experienced litigator, focusing on insurance coverage litigation and dispute resolution, with an emphasis on commercial general liability, directors and officers, employment practices liability, advertising injury, and property insurance issues.
JADE W. SOBH is an attorney in Anderson Kill's New York office. Jade focuses his practice on insurance recovery, exclusively on behalf of policyholders, as well as regulatory and complex commercial litigation matters.