In my recent roundup of top D&O stories, I identified privacy as among the top issues for concern in the corporate liability environment. In identifying privacy as a top concern, one specific thing I had in mind was the threat of class action litigation under the Illinois Biometric Privacy Act (BIPA). As if to underscore the significance of corporate exposure from privacy issues, on January 6, 2021, a bipartisan group of New York legislators introduced biometric privacy legislation that, notably, would include remedies along the lines of the Illinois statute. Although there may be reasons to question whether the proposed New York legislation will be enacted, even just its proposal is a concern and underscores the growing importance of privacy issues generally.
On January 6, 2021, a group of 17 Democrats and seven Republicans introduced A.B. 27, the “Biometric Privacy Act” (a copy of which can be found here). The proposed law prohibits private entities from capturing, collecting, or storing a person’s biometric identifiers or information without first implementing a policy and obtaining written consent.
The legislation defines biometric information to include retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and any information derived therefrom, and prohibits the collection of this informtion without first obtaining written consent from the individual or their authorized representative. The legislation excludes data such as writing samples, written signatures, photographs, physical descriptions such as height and weight and information gathered from a patient in a healthcare setting.
The legislation would prevent private entities in possession of biometric identifiers or biometric information from selling, leasing, trading or otherwise profiting from a person’s biometric identifier or information. Private entities in possession of biometric identifiers or information would also be required to develop a written policy establishing a retention schedule and guidelines for destroying the information.
Perhaps the most noteworthy aspect of the proposed New York legislation is that the Act, like the comparable Illinois statute, would provide for a private right of action with statutory damages of up to $1,000 for negligent violations and $5,000 for intentional or reckless violations, as well as reasonable attorneys fees.
The proposed New York legislation has been referred to the consumer affairs and protection committee for further review.
If the legislation were to be enacted, New York would become the fourth state, after Illinois, Texas, and Washington, to have passed biometric privacy laws. Significantly, if the proposed legislation passes, New York would become only the second state, along with Illinois, to have enacted privacy legislation providing for a private right of action. The Texas and Washington statutes are enforced solely by the states’ attorney general.
In assessing the potential significance of the proposed New York legislation, it is important to consider that the proposed New York Act is, as detailed in a January 9, 2021 post on the Workplace Class Action Blog (here), “identical to the Illinois BIPA.” The New York legislation is, according to the blog post, a “carbon copy” of BIPA, including “identical definitions of both biometric identifiers and biometric information.” In addition, the proposed New York bill “provides for identical remedies” in the form of the specified statutory damages per violation and in terms of the private right of action.
Although the new legislation undoubtedly presents reason for concern, there may substantial grounds on which to suspect that the proposed legislation will not pass into law. According to a January 6, 2021 Law360 article about the proposed legislation (here), “New York lawmakers have proposed biometric privacy bills three other times since 2018,” and in none of the prior legislative initiatives were successful. The question surrounding the newly proposed legislation is whether general growing concern about privacy issues will motivate the New York legislators to consider the new legislation in a different light than the earlier propose bills.
Even with this track record of prior failed attempts to pass similar legislation, the introduction of the proposed New York legislation is, according to the Workplace Class Action Blog, a “significant development.” According to the blog post, if the proposed legislation were to be enacted as currently drafted, “companies in New York can … expect to face an onslaught of biometric privacy litigation.”
The similarity of the proposed New York legislation, and, in particular, the similarity of its proposed remedies to the remedies in BIPA, raises the specter that companies in New York could face the same threat as Illinois companies face. As the Workplace Class Action Blog notes, “Illinois has seen an explosion of class action litigation over the past few years brought by employees and consumers alleging that their biometric data was improperly collected.” The blog post further notes that “between 2015 and 2020 alone, there were over 1,000 Illinois BIPA class action complaints filed across the United States.”
The threatening potential of BIPA claims was dramatically reinforced in July 2020 when Facebook agreed to settle BIPA claims related to the company’s use of facial recognition technology for $650 million. (The company had initially agreed to pay $550 million, but the trial court judge presiding over the case rejected the initial settlement proposal as too low.) The Facebook settlement underscores the menacing potential of the proposed New York legislation for New York companies.
In any event, whether or not the proposed New York legislation is enacted into law in its current form, the fact that a bipartisan group of legislators were motivated to introduce the proposed Act on the very first day of the New York legislature’s current term reinforces the point that I have been making for some time on this blog, which is that privacy-related issues represent a growing area of potential corporate liability. I expect that, whether or not the New York legislation passes into law, privacy issues will remain at the top of the agenda, and there will continue to be significant privacy-related developments in the months ahead.
One final note, in a recent post (here), I detailed the recent decision in the Nielsen Holdings securities class action lawsuit in which the court allowed the plaintiffs’ GDPR-related claims against the defendants to proceed, further reinforcing the potential corporate liability threat of privacy-related issues.