Fake IDs may soon be a relic of the past, with businesses increasingly adopting digital age verification tools. While using technology may be more accurate, it also raises serious privacy and data security concerns.

States like New York are among the first to regulate the use of biometric age verification. A proposed bill would allow establishments like bars and restaurants to rely on the technology, while imposing requirement for how biometric data must be handled.

Age Verification Goes Digital

Many different types of businesses are tasked with "age gating," the process of asking website visitors to confirm that they are old enough to use the site's products or services before continuing. Examples include sports betting sites, online alcohol retailers, gaming platforms, social media apps, and cannabis sellers. In many cases, users are simply required to enter their birthdate. Because nothing is done to verify the information provided by the website visitor, age gates are easy to get around.

When operating both online and in person, businesses are increasingly relying on high-tech solutions to conduct customer age verification. Some biometric systems require users to pre-enroll, which can generally be done through a mobile app. Amazon relies on palm recognition while CLEAR uses facial recognition. Both are being used in sports stadiums to allow patrons to bypass having to show their ID to purchase alcohol. In some stadiums, you can even order a beer directly to your seat.

Other age verification technologies don't require users to submit any information, and instead use neural networks to estimate the age of the person looking at the screen at a checkout. For instance, a system called MyCheckr "takes an image of your face, analyzes that image, and returns whether or not you're over the 'challenge age,'" according to a recent Axios article.

New York Biometric Identity Verification Legislation

New York lawmakers are currently considering legislation that greenlights the use of biometric identity verification devices for the purchase of alcoholic beverages and tobacco products. According to sponsors, "Biometric age verification will help consumers and businesses by allowing people to enter their favorite establishments, or make alcohol or tobacco purchases quickly and without having to present photo identification, or even give their names and dates of birth."

Senate Bill S6656 authorizes a licensee, its agent or employee to determine a person's age when purchasing alcoholic beverages or tobacco products by use of a biometric identity verification device. It further amends § 1399-cc of the Public Health Law to include biometric age verification as an affirmative defense to the sale of tobacco products to an underage individual.

The legislation defines a "biometric identity verification device" as a "commercial device that instantly verifies the identity and age of a person by an electronic scan of a biometric of such person, via a fingerprint, iris image, facial image, or other biometric, which is referenced against any record described in the bill (license, passports, etc.), where 1.) the authenticity of the record was previously verified by an electronic authentication process, 2.) The identity of the record holder was previously verified through a commercially available knowledge based electronic authentication process, and 3.) The authenticated record was securely linked to biometrics contemporaneously collected from the verified record holder and stored on a centralized, highly secured, encrypted biometric database.

New York City's Biometrics Law

New York City already regulate the collection of biometric data by commercial establishments. Under New York City's biometric privacy ordinance, which took effect on July 9, 2021, businesses must post notices and signs at their doors informing customers how their data will be collected. Failing to comply with the notice requirement can result in costly penalties.

New York City's biometric data privacy ordinance specifically requires any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers to disclose such activity by placing a "clear and conspicuous" sign near all of the commercial establishment's customer entrances. The disclosure must notify customers in "plain, simple language" that customers' biometric identifier information is being collected, retained, converted, stored or shared, as applicable. New York City has provided a sample sign, which is available here: https://www.nyc.gov/assets/dca/downloads/pdf/businesses/Biometric-Identifier-Information-Disclosure-Sign.pdf

The ordinance also makes it "unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information." Notably, none of the categories of biometric identifier information are excluded from this requirement.

Much like the Illinois Biometric Information Privacy Act (BIPA), New York City's biometric privacy ordinance establishes a private right of action. A prevailing party may recover damages of $500 for each violation of the notice requirement, as well as for each negligent violation of the prohibition of the sale/sharing of biometric data. For each intentional or reckless violation of the provision prohibiting the sale/sharing of biometric data, damages of $5,000 may be awarded. Courts are also authorized to award a prevailing party reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses.

Key Takeaway

Biometrics are increasingly being used for age verification. Like all new technology, it will take some time for regulators to catch up. We encourage businesses that elect to use biometric identity verification systems to work with experienced counsel to ensure that you are addressing any potential legal risks and obligations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.