New York City's Biometric Identifier Information Law (BII Law), which went into effect on July 9, 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments to track customer activity. "Commercial establishment" includes retail stores, food and drink establishments, and places of entertainment. Under the BII Law, covered businesses that use biometric identifying technology in their establishments are banned from selling biometric data and are required to notify customers by posting conspicuous signage. The BII Law creates a private right of action against violators and imposes statutory damages for each violation.
BII Law is Less Stringent than the Illinois Biometric Information Privacy Act
The BII Law (1) bans the sale of biometric data, and (2) imposes
a notice requirement on covered businesses that use biometric
identifying technology in their establishments. Notice must be
provided at commercial establishments only when biometric
information is collected from a customer. The Illinois Biometric
Information Privacy Act (BIPA), increasingly popular with the plaintiffs'
bar, prohibits the sale or sharing of biometric identifier
information and requires private entities that collect such data to
provide written notice explaining their retention period and why
they are collecting such data. Both the BII Law and BIPA include a
broad definition of BII, regulate the use, collection, and
retention of BII, and provide a private right of action for
individuals aggrieved. BIPA claimants can recover
potentially astronomical damages for a private
entity's inadvertent use or disclosure of biometric data.
Blanket comparisons to BIPA are not warranted because the BII Law
is less stringent than BIPA and BIPA is further reaching. Both the
BII Law and BIPA impart restrictions on the collection and use of
biometric data, including data such as fingerprints, face scans, or
voiceprints. However, BIPA generally applies to any "private
entity" and the BII Law regulates "commercial
establishments." BIPA's private entity is defined much
more broadly than the NYC BII Law's commercial establishment,
and thus regulates a greater range of establishments than NYC's
BII Law.
New York City's BII Law provides a 30-day cure period for
certain violations and permits the collection of biometric
data without written consent, which may result
in less litigation than Illinois' BIPA. Nonetheless, it is
essential for New York businesses subject to the BII Law to be
aware of its requirements and consider whether their current
insurance policy covers potential BII Law liabilities.
Insurance Policies May Cover NYC's BII Law-Related Claims
Insurance policies that may cover BII Law-related claims include
commercial general liability (CGL), employment practices liability
(EPL), and cyber insurance policies.
CGL policies provide defense and indemnity coverage for
"personal and advertising injury" the definition of which
may cover claims for BII Law violations. Policies cover employment
practices claims and often include coverage of claims for EPL
employment-related invasions of privacy, which may also extend to
cover BII Law-related claims. Cyber insurance policies frequently
cover liability arising out of technology-related wrongful acts.
Because there is a wide variation in the terms of cyber-insurance
coverage, these policies need to be reviewed carefully. In some
cases, the unlawful collection and disclosure of confidential
information can be excluded from cyber insurance policies.
How to Determine Your Protection
Policyholders should review their coverage and prior to securing a policy, seek advice as to what exactly their existing policy covers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
