New York’s Biometric Privacy Law The Latest To Curb Facial Recognition

Companies should take steps now to minimize risk in a rapidly evolving legal landscape governing the use of biometric technology, which is sure to see many significant changes over the course of 2021.

The New York City Council started its 2021 legislative cycle in grand fashion by enacting a new biometric privacy law that requires businesses to provide public notice to customers of the use of facial recognition or other biometric technologies and prohibits the sale of facial template data to third parties, and which will go into effect on July 9, 2021.

The New York City law is the latest in a string of new laws specifically targeting the use of facial recognition biometrics by private entities, and parallels the sentiment of a number of other cities and states that have voiced their concerns regarding facial biometrics and its potential for misuse.

Because the New York City ordinance certainly will not be the last of its kind, companies utilizing facial recognition technology as part of their business operations are well advised to take proactive steps to build out and refine their facial biometrics compliance programs to ensure continued compliance with the ever-expanding web of biometric privacy laws targeting facial recognition and to mitigate potential liability exposure.

Facial recognition technology involves the process of using “biometrics” (i.e., individual physical characteristics) to digitally map an individual’s facial “geometry.”  These measurements are then used to create a mathematical formula known as a “facial template” or “facial signature.” This stored template or signature is then used to compare the physical structure of an individual’s face to confirm their identity or to uniquely identify that individual.

Recent Challenges Regarding Facial Biometrics

While facial biometrics offers a myriad of benefits to companies across all industries, its use has also been marred by a string of troubling events.

Recently, incidents have come to light on a regular basis regarding commercial establishments—such as retailers and convenience stores—utilizing facial recognition technology for security and surveillance purposes, but failing to provide any notice to consumers and patrons that they are being watched as they shop for clothes or buy a bag of chips.

Facial recognition has also received sizable criticism over its accuracy and bias problems. Of particular concern is the fact that some facial recognition software is much less accurate in identifying people of color and women, thereby creating an enhanced risk of misidentification of minorities.

Unfortunately, this is not simply an unfounded, theoretical fear. Just the opposite, in fact, as at least three individuals were wrongfully arrested for purportedly committing crimes they had no part in after being misidentified by facial recognition algorithms in 2020 alone.

As a result of these shortcomings, privacy advocates and social justice groups have increased their calls for greater regulation over the use of this particular form of biometrics. This, in turn, has put significant pressure on lawmakers at all levels of government to make greater facial recognition regulation a reality sooner than later.

A New Biometric Privacy Law

New York City Council heeded the call for greater regulation over biometrics by starting out 2021 with the enactment of a new biometric privacy law of its own that directly impacts the use of facial recognition software. While the law addresses all types of biometric data, it is clear that legislators had facial recognition technology in mind as the primary focus of this regulation, even singling out the technology by name in the text of the law.

The law—which applies to “commercial establishments” and goes into effect on July 9, 2021—bans selling, sharing or otherwise profiting from consumers’ biometric data, and also requires commercial establishments to post visible signage near all customer entrances notifying customer of the use of facial recognition technology. In addition, the law also features a private right of action that allows for the recovery of statutory damages by “aggrieved” consumers—$500 for violations of the law’s signage requirement and for negligent violations relating to the sale or sharing of facial template data, and $5,000 for intentional or reckless violations relating to the ban on selling/sharing facial template data, as well as attorney’s fees and costs/expenses.

Implications for Other States

Importantly, the New York City law continues the recent trend of legislatures seeking to impose targeted requirements and restrictions over facial biometrics. New York City’s law comes on the footsteps of the enactment of first-of-its kind legislation by the City of Portland, Oregon, which goes well beyond New York City by imposing an outright ban on the use of facial recognition technology by private entities.

Combined, the success seen by Portland and New York City in enacting strict regulation over the use of facial recognition technology may encourage lawmakers in other cities to follow suit by enacting similar laws of their own to stringently govern the use of facial biometrics.

With that said, cities are not the only ones looking to clamp down on the use of facial recognition. States, too, are also actively looking for ways to impose greater regulation over the use of facial template data as well. In 2020 alone, several states introduced bills that directly targeted facial biometrics—including Idaho (HB 492), California (AB 2261), Maryland (HB 1578), and Louisiana (HB 662). Although none of these bills were enacted in 2020, state lawmakers’ awareness of the need for regulation over facial biometrics is clear.

Finally, activity has also recently increased in the nation’s capital to put in place a federal law that would uniformly regulate the use of facial biometrics across all 50 states. Like their state-level counterparts, however, lawmakers in Washington D.C. also came up short in enacting facial recognition legislation in 2020. With that said, the new Democratic administration now occupying the White House, along with Democratic majorities in both houses of Congress, substantially raises the likelihood that the enactment of a federal facial recognition law will become a reality over the course of the next 12 months as compared to previous years.

Compliance Tips

With the inclusion of a private right of action and the ability to pursue class action litigation, it is likely that the New York City biometrics law will quickly become a favorite of plaintiff’s attorneys, who will use the regulation as a vehicle to pursue what they consider to be “easy money” in the form of statutory damages. As such, companies with operations in New York City should take immediate action to come into compliance with the law’s new requirements and restrictions regarding the collection and use of facial template data and other forms of biometric data.

From a broader perspective, it is clear that both state and municipal legislatures—as well as Congress—will continue to look for new-and-improved ways to impose greater regulation over the use of facial recognition in the coming months and years. In addition, the Federal Trade Commission (“FTC”) also just recently announced that policing facial recognition practices will be a “top priority” for the FTC for the foreseeable future. Thus, companies that do not fall under the scope of New York City’s new biometrics law should not simply assume they do not have to take any action at this time in order to mitigate their biometric privacy liability exposure risk.

Importantly, with more jurisdictions seeking to enact targeted facial recognition laws of their own, it is imperative that companies utilizing this technology devote the necessary time, effort and resources not only to comply with the laws that are currently on the books, but also the additional laws that are anticipated to be enacted in the immediate future.

Done properly, companies of all types can put themselves in a position to be able to adeptly respond to the rapidly evolving legal landscape governing the use of facial recognition technology, which is sure to see many significant changes over the course of 2021.

As the country returns to its “old normal” after putting the Covid-19 pandemic in its collective rear-view mirror in 2021, companies should anticipate the enactment of a new wave of biometric privacy laws that will make current compliance challenges even more burdensome and complex. Many of these new laws and ordinances will likely single out facial recognition technology to put draconian limitations and requirements over the use of this technology or, alternatively, across-the-board bans on its use by private entities.

As such, now is the time for companies that utilize facial recognition technology in their day-to-day operations to take proactive measures to put in place flexible, adaptable biometric privacy compliance programs that will provide the ability not only to satisfy current legal obligations, but also to adeptly respond to the ever-changing legal landscape of biometric privacy laws, which is sure to see many noteworthy changes—especially in the area of facial recognition—over the course of the next year.

David J. Oberly
David J. Oberly is an attorney in the Cincinnati office of Blank Rome LLP and is a member of the firm’s Biometric Privacy, Privacy Class Action Defense, and Cybersecurity & Data Privacy groups. David’s practice encompasses both defending clients in high-stakes, high-exposure biometric privacy, privacy, and data breach class action litigation, as well as counseling and advising clients on a wide range of biometric privacy, privacy, and data protection/cybersecurity matters. He can be reached at doberly@blankrome.com.