More states tackling biometric privacy: New York’s version of BIPA reintroduced

To start the year, New York lawmakers reintroduced the Biometric Privacy Act – Assembly Bill 27. The bill closely mirrors Illinois’ Biometric Information Privacy Act (BIPA), which has spawned compliance changes and hundreds of class action lawsuits, with some resulting in multimillion dollar settlements.

Of note, like BIPA, the draft New York law permits a private cause of action with penalties of $1,000 to $5,000 per violation for private entities that violate the law’s provisions related to collecting, using, storing and selling biometric information. Illinois courts have interpreted similar language to allow individuals to file suit against companies that violate any provision of the law without the need to prove any actual harm suffered as a result of the violation. We’ve written on this blog several times about those legal challenges and related insurance issues, including here, here and here.

New York’s proposed Biometric Privacy Act follows New York’s 2019 SHIELD Act, which expanded the definition of private information under New York’s security breach notification law to include biometric information.

The Biometric Privacy Act was referred to the Consumer Affairs and Protection Committee on Jan. 6, 2021. For reference, the SHIELD Act was referred to that same committee on Feb. 14, 2019 and signed by the governor on July 25, 2019. The Biometric Privacy Act would take effect 90 days after the governor signs it. So, if the legislature follows the same timeline, New York companies and those doing business in New York could be confronted with new compliance obligations by the end of 2021.

It should be noted that this is the fourth biometric privacy bill introduced in New York in the last three years, and similar bills have not been passed in other states, including Florida. Whether the Biometric Privacy Act passes this year or not, consistent debate in New York and elsewhere, paired with incremental legislation like the SHIELD Act, means that companies should be preparing for additional biometric privacy compliance obligations in the near future.