Steven Stransky writes:
On July 9, the New York City biometric data protection law entered into force with anticipated impacts on local businesses and restaurants, many of which are still addressing COVID-19 health and safety protocols. The law requires certain businesses to post formal notices if they collect biometric data, and it expressly prohibits them from using such data for transactional purposes. The law also creates a private right of action enabling aggrieved parties to collect statutory damages — ranging from $500 to $5,000 — per violation. Interestingly, the New York general assembly is considering a state-wide biometric privacy law (Assembly Bill 27), which contains more onerous requirements than the local New York City biometric law and also has a private right of action for noncompliance
Read more on IAPP.
In related coverage, Andrew Paul has a commentary: NYC’s new biometric privacy laws are a good start, but not enough. Let me pull out just one section to quote here:
Businesses can still technically collect and use biometric data after providing customers with a notice written in “plain, simple language,” although guidelines on that front are still forthcoming from the state legislature. NYC’s Biometric Identifier Information law also offers a potential loophole hypothetically allowing for biometric data sharing between corporate affiliates if “nothing of value is exchanged,” according to JD Supra.
Cue the countdown to Key Food’s attempts at justifying how New Yorkers’ retinal scans count as “nothing of value.”