Franchised Businesses Take Note: Biometric Privacy Laws and Liability

Modeled after the Illinois Biometric Information Privacy Act, New York City’s biometric privacy law requires consumer establishments to post signs advising patrons of their rights.

Summary of the New York City Law

The New York City law covers all commercial establishments (including bars, restaurants, entertainment venues and retail stores) that retain, convert, store or share biometric information. “Biometric information” will include retina scans, iris scans, fingerprint scans, voiceprints, hand scans, face geometry and face recognition, as well as other identifying characteristics. Commercial establishments using biometric information will be required to post conspicuous signage advising that such information is being retained, converted, stored, or shared. Liability for failure to post a sign will be subject to a 30-day notice-to-cure requirement.

The law prohibits selling biometric information or receiving anything of value in exchange for it. Damages for violations range from $500 for each violation for failing to post notice and for exchanging the information for value, to $5,000 for each intentional or reckless violation. The New York City law provides for a private right of action, and no actual damages are necessary for recovery of statutory damages.

Learning From the Illinois Act

A recent decision by the Illinois Supreme Court in West Bend Mutual Insurance v. Krishna Schaumburg Tan, N.E.3d (2021), demonstrates the application of biometric privacy laws. Klaudia Sekura filed a class action lawsuit against Krishna Schaumburg Tan, Inc. (Krishna), a franchisee of L.A. Tan tanning salons. The complaint alleged that Krishna violated Biometric Information Privacy Act provisions relating to the collection of biometric information when it scanned customers’ fingerprints and disclosed this information to an out-of-state third-party vendor, SunLync.

Sekura purchased a membership from Krishna that gave her access to L.A. Tan’s tanning salons. The membership required Sekura to provide Krishna with her fingerprints. Sekura’s class action lawsuit alleged that Krishna systematically collected, used, stored, and disclosed customers’ biometric information without first obtaining a written release as required by the act; that Krishna systematically disclosed biometric information to SunLync, an out-of-state vendor; and that Krishna does not provide publicly available guidelines for its retention or destruction of customers’ biometric information as specified by the act. Additional counts claim unjust enrichment and negligence: that Krishna failed to comply with the act and so should not be allowed to retain any money received for the biometric information, and that Krishna breached its duty of reasonable care by violating the act. Sekura’s prayer for relief sought statutory damages of $1,000 for each alleged violation.

Does Insurance Cover the Class Action Liability?

The issue for the Illinois Supreme Court was whether insurance was available to cover Krishna’s liability. Krishna tendered the lawsuit to its insurer, West Bend Mutual Insurance Co. (West Bend), requesting a defense. West Bend contended that it did not owe a duty to defend Krishna against Sekura’s lawsuit. The Supreme Court held that the allegations in Sekura’s complaint fell potentially within West Bend’s coverage because the complaint alleges that Sekura suffered nonbodily personal injury or advertising injury. Krishna’s alleged sharing of Sekura’s biometric information with SunLync constitutes a “publication” within the purview of West Bend’s policies, and Krishna’s alleged sharing of Sekura’s biometric information (fingerprints) with SunLync potentially violated Sekura’s right to privacy.

Krishna’s policy excluded, by separate rider coverage, the violation of certain analogous statutes that create liability for unwanted communications, such as the TCPA (telephone and faxes) and the CAN-SPAM Act (email). The Supreme Court concluded that these riders were not broad enough to exclude policy coverage here.

What to Do Now

Consumer-facing establishments in NYC must adapt to the new law. For franchised and chain establishments, the brand must educate its participants and learn to avoid liability. Decisions must be made about how important the biometric identifiers are and how they are stored and used. Chainwide contracts need to be reviewed for proper indemnification by local operators and insurance coverage. Finally, look at current insurance coverage to determine the status of coverage or exclusions of biometric risk.

Expect states and other municipalities to enact similar biometric privacy laws, and expect courts to interpret the scope of these laws broadly. Privacy is in the interest of everyone. Expect to deal properly with such valuable and personal information.

The full article, which first appeared in The Legal Intelligencer, in its original form can be found here.

Craig R. Tractenberg (LAW ’81) is a partner at Fox Rothschild (Philadelphia and New York offices). He has a broad business practice, with strong focuses on franchise, insolvency and infrastructure transactions.
