NYC’s Biometric Identifier Information Law: Are You Covered?

Kelley Drye Client Advisory

New York City’s Biometric Identifier Information Law (BII Law), which went into effect on July 9, 2021, addresses the collection and use of biometric identifier information (BII) by commercial establishments to track customer activity.  Commercial establishment” includes retail stores, food and drink establishments, and places of entertainment.  Under the BII Law, covered businesses that use biometric identifying technology in their establishments are banned from selling biometric data and are required to notify customers by posting conspicuous signage. The BII Law creates a private right of action against violators and imposes statutory damages for each violation.
BII Law is Less Stringent than the Illinois Biometric Information Privacy Act
The BII Law (1) bans the sale of biometric data, and (2) imposes a notice requirement on covered businesses that use biometric identifying technology in their establishments.  Notice must be provided at commercial establishments only when biometric information is collected from a customer.  The Illinois Biometric Information Privacy Act (BIPA), increasingly popular with the plaintiffs’ bar, prohibits the sale or sharing of biometric identifier information and requires private entities that collect such data to provide written notice explaining their retention period and why they are collecting such data.  Both the BII Law and BIPA include a broad definition of BII, regulate the use, collection, and retention of BII, and provide a private right of action for individuals aggrieved.  BIPA claimants can recover potentially astronomical damages for a private entity’s inadvertent use or disclosure of biometric data.

Blanket comparisons to BIPA are not warranted because the BII Law is less stringent than BIPA and BIPA is further reaching.  Both the BII Law and BIPA impart restrictions on the collection and use of biometric data, including data such as fingerprints, face scans, or voiceprints.  However, BIPA generally applies to any private entity” and the BII Law regulates commercial establishments.”  BIPA’s private entity is defined much more broadly than the NYC BII Law’s commercial establishment, and thus regulates a greater range of establishments than NYC’s BII Law.

New York City’s BII Law provides a 30-day cure period for certain violations and permits the collection of biometric data without written consent, which may result in less litigation than Illinois’ BIPA.  Nonetheless, it is essential for New York businesses subject to the BII Law to be aware of its requirements and consider whether their current insurance policy covers potential BII Law liabilities. 

Insurance Policies May Cover NYC’s BII Law-Related Claims

Insurance policies that may cover BII Law-related claims include commercial general liability (CGL), employment practices liability (EPL), and cyber insurance policies.

CGL policies provide defense and indemnity coverage for personal and advertising injury” the definition of which may cover claims for BII Law violations.  Policies cover employment practices claims and often include coverage of claims for EPL employment-related invasions of privacy, which may also extend to cover BII Law-related claims.  Cyber insurance policies frequently cover liability arising out of technology-related wrongful acts.  Because there is a wide variation in the terms of cyber-insurance coverage, these policies need to be reviewed carefully.  In some cases, the unlawful collection and disclosure of confidential information can be excluded from cyber insurance policies.

How to Determine Your Protection

Policyholders should review their coverage and prior to securing a policy, seek advice as to what exactly their existing policy covers.

Kelley Drye’s Insurance Recovery and Counseling group is closely following developments in this area.  Please click here if you would like to be kept abreast of current developments.  Additionally, Kelley Drye actively tracks cases and developments related to the BII-Law and provides practical compliance and litigation counsel to help companies effectively use biometric information and mitigate business and liability risk.