Welcome to the third issue of Decoded for 2023.
We hope you enjoy this issue and, as always, thank you for reading.
Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group
and
Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group
Amazon Sued for Not Telling New York Store Customers about Tracking Biometrics
“Thanks to a 2021 law, New York is the only major American city to require businesses to post signs letting customers know they’re tracking biometric information.”
Why this is important: Biometric identifiers are unique to every individual. They include your fingerprints, facial structure, and even how you walk. In recent editions of Decoded, we have discussed in depth the Illinois Biometric Information Protection Act (“BIPA”), and the biometric protection bills currently working their ways through the legislatures in Maryland and Mississippi. We now turn to two unique biometric laws that were passed by the New York City Council in 2021 that regulate the collection of customers and renters’ biometric data in NYC.
NYC’s Biometric Identifier Information Law (“BII”), NYC Admin. Code §§ 22-1201 – 1205, regulates businesses' collection and processing of “biometric identifier information,” which is defined as a “physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual.” It bars the use of biometric data for transactional purposes to sell, trade, or otherwise profit from the transaction of biometric information. Businesses that utilize biometric information are required to notify patrons of the business’ collection of biometric data by posting formal notices near all physical entrances to the business. BII defines biometric identifier information as a physiological or biological characteristic that is used to identify an individual, "including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic." This would include facial recognition systems used by in-store security. The regulation covers "commercial establishments," which include places of entertainment, retail stores, restaurants, and bars. A customer is defined as "a purchaser or lessee, of goods or services from a commercial establishment." Therefore, unlike the BIPA, the BII does not apply to the collection of employees’ biometric data. However, it does prohibit the sale of both customers' and employees’ biometric data. The BII provides for a private right of action. The BII also provides for statutory damages of $500 to $5,000 per violation, plus attorney’s fees, expert fees, and costs. A business can avoid a suit by providing an express written statement within 30 days of a complaint that the violation has been remedied.
NYC’s Tenant Data Privacy Act (“TDPA”), NYC Admin. Code §§ 26-3001 – 3007, prohibits landlords from selling, leasing or otherwise disclosing tenants’ data, including biometric data, collected by smart access systems. This includes smart access systems that provide access to buildings, common areas, or individual apartments. A smart access building is defined as one that uses a keyless entry system, including electronic or computerized technology through the use of key fob, RFID cards, mobile apps, biometric information, or other digital technology to grant access to a building or a part of a building. This includes buildings that provide access through facial recognition, fingerprint, or hand scan systems. The TDPA provides an aggrieved tenant with a private right of action. The TDPA allows for the recovery of statutory damages of $200 to $1,000 per tenant, in addition to the recovery of attorney’s fees.
Recently, a class action lawsuit was filed against Amazon related to alleged violations of the BII due Amazon’s collection of customer palm prints at its Amazon Go stores in NYC. The Amazon Go stores do not have a traditional check-out when a customer purchases items, and instead tracks customers and their purchases as they move through the store, and charges their Amazon accounts when they leave the store. The putative class alleges that Amazon violated the BII because it only recently began posting signs informing their NYC customers that it was using biometric recognition technology despite the fact that the BII has been in effect for over a year. The complaint alleges that in order to make the no check-out process work in their stores that Amazon has to track customers in the store, including scanning the palms of some customers. Amazon states that it does not utilize biometric surveillance to monitor shoppers, but instead other technology to monitor shoppers that does not constitute biometric technology. Amazon states that purchasing via palm scan is only one of various ways customers can complete their purchases, and that all of the privacy disclosure information is provided at the time of enrollment. Because of the lack of a federal data privacy law, states, and even local jurisdictions are beginning to pass their own data privacy laws, like the BII. If you need help navigating the different data privacy laws in the jurisdictions in which you do business, please contact a member of Spilman’s Technology Practice Group. --- Alexander L. Turner