New York State Introduced Biometric Privacy Act with Private Right of Action (NYBPA)

January 29, 2021

Every day our personal information is being mined, constantly being collected, sorted, shared, and analyzed. From social media tags to website cookies to facial-recognition cameras, the data that is collected is stored en masse at the enterprise and corporate levels. Companies have more control over their data than an individual does, but for them, the problem surrounds the security systems that can fail when safeguarding their data. 

Since the early 2010’s, data breaches, cyberattacks, and their fallout have grown more prevalent and less predictable. There’s debate whether government-backed privacy legislation, such as the NYBPA, helps or hurts companies stay vigilant and protect personal data.

For the third time since its initial proposal in 2018, the New York state legislature introduced the New York Biometric Privacy Act (BPA) on January 6, 2021. The proposed bill is the latest version of privacy legislation that will protect individuals’ biometric data, defined as fingerprints, voiceprints, retina or iris scans, and scans of face or hand geometry, as well as information based on such identifiers, used to identify an individual.

The NYBPA prohibits the following:

  1. collecting, capturing, purchasing, receiving through trade, or otherwise obtaining an individual’s biometric identifiers or information, without first: (a) informing the subject in writing that a biometric identifier or information is being collected or stored; (b) informing the subject in writing of the specific purpose and length of time for which the identifier or information is being collected, stored, or used; and (c) receiving a written release.
  2. disclosing or otherwise disseminating an individual’s biometric identifiers or information unless: (a) the entity obtains the individual’s consent, (b) the disclosure completes a financial transaction requested or authorized by the individual, or the disclosure is required by (c) law or (d) a court; and
  3. selling, leasing, trading, or otherwise profiting from an individual’s biometric identifiers or biometric information.

In other words, companies that collect biometric information must inform subjects in writing of their collection activities, obtain subject consent before disclosing information, and refrain from selling or profiting in any way from biometrics.

This is a significant move by the NY legislature and is sure to be met with pushback and varied reactions. BPA mirrors the Illinois Biometric Information Privacy Act (BIPA), which was also met with several lawsuits after it was passed on October 3, 2018.

These two state legislatures are generating momentum in regulation surrounding biometric and other personally identifiable information protection which can set an example for other states. Companies that collect these kinds of data have a responsibility to be vigilant and stay one step ahead of their compliance to ensure they are properly handling customer data and dedicating appropriate efforts and resources to data protection.

We understand what’s at stake for our clients, and that we, as their vendor, adopt some of that risk, and share some of our own. We prioritize information security so that law firms and legal departments can focus on what they do best. Counself is a cloud-based platform and ISO 27001 certified regularly audited by an independent firm to ensure that we give the best security to your data. Learn more about us here and reach out to us here.

News Regulation Information Security

What Else Are You Interested In?

We love research and would be happy to share our finding with you