NYC's new biometric privacy laws are a good start, but not enough

As usual, regulation is having to play catch up to innovation.


Pushback against biometric data harvesting has gained a lot of momentum over the past couple of years, but a new law going into effect this week could potentially have some of the broadest consequences yet. Today marks the implementation of New York City’s new Biometric Identifier Information law, which aims to protect individuals from private businesses’ selling or exchanging their “physiological or biological” data between corporate entities.

According to the legal fine print, there’s a pretty broad definition of what falls under this umbrella, including “(i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”

Of course, because this is a steep uphill battle everyone’s facing, the law is far from comprehensive. Businesses can still technically collect and use biometric data after providing customers with a notice written in “plain, simple language,” although guidelines on that front are still forthcoming from the state legislature. NYC’s Biometric Identifier Information law also offers a potential loophole hypothetically allowing for biometric data sharing between corporate affiliates if “nothing of value is exchanged,” according to JD Supra.

Cue the countdown to Key Food’s attempts at justifying how New Yorkers’ retinal scans count as “nothing of value.”

The fines are pretty steep — Despite the new law’s numerous caveats, there are at least some pretty steep penalties for failure to abide by the regulations. Individuals could be awarded $500 per violation if a business hasn’t posted the “plain, simple” notice, along with $500 for unwarranted sale or sharing of their data.

Additionally, each “intentional or reckless violation” of sharing biometric information could result in a $5,000 fine. Individuals can also sue companies for these violations, although they must provide a 30-day written notice, during which time a business may correct the error. If the latter party does so, lawsuits are off the table. That said, the same stipulation will not apply to businesses’ willful sales of private data.

At the very least, these sorts of guardrails are reassuring given companies like Amazon want us to use our palms as payment devices, and you can bet it won’t be the last company that sees biometrics as the next step in reducing friction in process of separating us from our money.

Guess who the law doesn’t cover — Unsurprisingly, New York City’s law does not cover government agencies or their employees, along with financial institutions and businesses utilizing CCTV camera systems as long as they don’t store, analyze, and / or share those recordings and images.

However, this may still affect those organizations, given that some currently use timekeeping systems reliant on biometric data collection like fingerprint and retina scans. Overall, it’s definitely a step forward for one of the country’s most populous and influential cities, although we have a long way to go when it comes to meaningfully protect citizens’ data privacy more broadly.