The new year has already brought new compliance challenges to New York employers. Another one may be looming on the horizon. On January 6, 2021 a bi-partisan group of NY state legislators introduced A.B. 27, the Biometric Privacy Act. It is a virtual copy of the Illinois’ Biometric Information Privacy Act of 2008 (“BIPA”). Over the past dozen years since BIPA’s passage, Illinois has seen a slew of consumer and employee class actions alleging improper collection of biometric information by companies and employers. New York could be the next hot spot for these kinds of class action lawsuits.
Statutory Prohibitions
The proposed statutory language defines biometric information and biometric identifiers broadly and includes retina or iris scans, fingerprints, voiceprints and facials scans. The language specifically excludes from the definition of biometric information writing samples, written signatures, photographs as well as certain patient information collected in a medical setting, etc.
The law would prohibit private entities from collecting, capturing, purchasing or receiving a person’s or customer’s biometric identifier or biometric information (as defined in the proposed act) absent informed consent about purpose, duration and type of information collected. It would also mandate the creation of written policies which are available to the public about the collecting company’s retention schedules and destruction guidelines.
The proposed act further prohibits the sale, leasing or trading or profiting from a person’s or customers biometric identifier or biometric information. It would also prohibit disclosure or re-disclosure of same absent consent or obligation to disclose under state, federal or municipalities and a few other exceptions. Lastly, it provides for a private right of action like its Illinois predecessor. The two other states that have enacted biometric privacy laws, Texas and Washington, provide for enforcement only by the respective states’ attorneys general.
Implications for Employers
As is the case under BIPA, the proposed New York law would require employers to obtain a written release from the employee as a condition of employment prior to collecting biometric information (e.g., fingerprints) from employees for various employment-related purposes, be it time-keeping, security access or benefits/training tracking.
While the passage of New York’s Biometric Privacy Act is not guaranteed as NY legislators have proposed biometric privacy legislation several times since 2018, employers should remain vigilant about this development and consider engaging in several proactive steps to be ahead of the curve should this proposal become law:
- Employers should review their biometric collection capabilities, policies, and vulnerabilities with their Operations and IT departments, to better understand where, how, and of whom, biometric data is collected in the workplace.
- Be prepared to update cyber security policies and practices with this newfound information.
- Work with Human Resources to become prepared to implement written releases for employees (current, and newly hired), if and when the proposed act becomes law.