On January 6, 2021, a bipartisan group of New York state lawmakers released a copy of Assembly Bill 27 (AB 27), the New York Biometric Privacy Act. If New York passes AB 27, it will join Illinois, Texas, and Washington as states that have adopted laws that strictly regulate the notice, collection, and handling of biometric information. Significantly, however, it would join Illinois as only the second state to provide a private right of action with statutory damages for violations.
The proposed bill is similar to the three other states with biometric-specific bills in that it would prohibit businesses from collecting biometric identifiers or information—defined to include retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and any information derived therefrom—without first receiving written consent from the individual or their authorized representative. AB 27 would also prohibit businesses from selling, leasing, trading, or otherwise profiting from a person’s biometric information, as well as require businesses to develop a publicly available written retention and destruction policy. Notably, AB 27 follows the Illinois model of enforcement by affording individuals a private of action with statutory damages of up to $1,000 for negligent violations and $5,000 for intentional or reckless violations, as well as reasonable attorneys’ fees. As we have discussed in other posts involving lawsuits under the Illinois law, these types of statutory damages can lead to significant amounts quickly when violations involve large numbers of individuals.
This is not the first time New York lawmakers have attempted to pass a biometric privacy bill. Indeed, there have been no fewer than three attempts since 2018, none of which have succeeded. There is therefore reason to believe that AB 27 will face similar fate. However, businesses should pay close attention, as its passage would have serious consequences.