New York City’s Biometric Identifier Information Law (the “BII Law”), which went into effect on July 9, 2021, bans the sale of biometric data and imposes notice requirements on covered businesses that use biometric identifying technology in their establishments.
While comparisons have been made to the Illinois Biometric Information Privacy Act (“BIPA”), New York City’s new BII Law — providing a cure period for certain violations and permitting collection of biometric data without written consent — is far less stringent and is not expected to produce the maelstrom of litigation precipitated by BIPA. That said, policyholders still should be aware of the BII Law’s requirements and consider potential insurance coverage implications.
The new BII Law imposes two main requirements. First, covered businesses may not sell, lease, share for value, or otherwise profit from the transmission of biometric identifier information. Second, covered businesses that collect, retain, convert, store, or share biometric identifier information must post conspicuous signage at all customer entrances disclosing that such information is being collected.
The BII Law defines “biometric identifier information” as any “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan; (ii) a fingerprint or voiceprint; (iii) a scan of hand or face geometry; or (iv) any other identifying characteristic.”
The new BII Law applies to “commercial establishments” in New York City, defined as places of entertainment, retail stores, and food and drink establishments. Financial institutions are exempt from the posting requirement, while government entities, employees, and agents are exempt entirely.
Notably, as long as notice is posted, businesses may collect biometric information without violating the BII Law. Written consent is not required before collecting such information. Moreover, a business may use CCTV systems that collect biometric information, as long as the footage is (i) not analyzed to identify persons based on “biological characteristics” (e.g., with facial recognition software), and (ii) not sold or shared with third parties.
The BII Law provides a private right of action to parties “aggrieved” by violations, but includes a 30-day cure period for businesses accused of violating the posting requirement. Further, any party alleging a posting violation must provide written notice to the business before bringing its claim. Importantly, however, written notice is not required before bringing claims for the illegal sale or sharing of biometric information, and there is no cure period for such claims. Prevailing claimants can recover $500 per posting violation, $500 per negligent selling violation, and $5,000 per intentional or reckless selling violation.
While claims involving the BII Law have yet to be litigated, one important insurance concept involved is that of invasion of privacy. The Personal and Advertising Injury Coverage within general liability policies includes coverage for invasion of privacy. This insurance applies to “personal injury,” which typically is defined as “injury, other than ‘bodily injury’, arising out of . . . [o]ral or written publication of material that violates a person’s right of privacy.”
The first round of Illinois insurance coverage decisions under BIPA, including West Bend Mutual Ins. Co. v. Krishna Schaumburg Tan, 2021 IL 125978 (2021), favored policyholders and provided precedent that coverage for violations of the BII Law should be available under similar general liability policy language.
Biometric measures are regularly used in various work environments, and many employee biometric claims have been brought under BIPA. These claims may be covered under employment practices insurance policies. Claims under the BII Law may also trigger coverage under Directors’ and Officers’ and cyber policies. It will be critical for policyholders to examine all potentially responsive insurance in the face of claims under New York City’s BII Law.
The biggest hurdles for companies seeking insurance coverage for biometric liability, under any type of policy, are potential exclusions for disclosure of confidential information and data-related liabilities. Many insurance companies have begun adding these exclusions to their policies in recent years. Business owners should be aware of these exclusions as they renew or place coverage, especially if their business collects biometric information.
New York City has joined jurisdictions across the country in attempting to safeguard the use of biometric information. While the new BII Law provides a private right of action, several caveats differentiate it from the more onerous BIPA. New York City business owners collecting biometric information should review their insurance policies and consider potential exposure under the new BII Law when renewing or placing coverage.