NYC’s Biometric Data Ordinance Goes Into Effect in July

Back in January, the New York State legislature introduced a biometric data privacy bill modeled after the Illinois Biometric Information Privacy Act (BIPA), which I wrote about last year. The NY State bill is still in committee, but the City of New York has jumped ahead and passed a biometric data ordinance of its own, which will go into effect in just over three weeks on July 9th. Here’s what it entails.


“The term ‘biometric identifier information’ means a physiological or biological characteristic that is used by or on behalf of a commercial establishment, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to: (i) a retina or iris scan, (ii) a fingerprint or voiceprint, (iii) a scan of hand or face geometry, or any other identifying characteristic.”

Scope of the biometric data ordinance:

The biometric data ordinance applies to commercial establishments, including places of entertainment, retail stores, and food and drink establishments.

Collection, Use, and Retention of biometric identifier information (writer’s emphasis in bold):

Any commercial establishment that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such collection, retention, conversion, storage or sharing, as applicable, by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language… that customers’ biometric identifier information is being collected, retained, converted, stored or shared, as applicable. It shall be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.


The ordinance states damages of $500 for each failure to notify customers of biometric data collection and for each negligent use of that data for profit. If the sale or profiting from consumer data is shown to be intentional or reckless, damages will be $5,000. Damages can also include reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses, as well as “other relief, including an injunction, as the court may deem appropriate.”

Exemptions (writer’s emphasis in bold):

Government agencies, employees or agents are completely exempt when it comes to the collection, storage, sharing or use of biometric identifier information.

The disclosure requirement doesn’t apply to financial institutions.

And biometric identifier information collected through photographs or video recordings is fine if: “the images or videos collected are not analyzed by software or applications that identify, or that assist with the identification of, individuals based on physiological or biological characteristics, and the images or video are not shared with, sold or leased to third-parties other than law enforcement agencies.”

So, what do you think of NYC’s biometric data ordinance? The trend of privacy laws and ordinances will no doubt continue to grow, but will they have the teeth as a deterrent to be effective? Also, how will they affect legal and compliance departments?

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
