Continuing developments in biometric privacy law: New York’s proposed AB 27

Do you use your thumbprint or face to access your smartphone?  Those are examples of biometric technology, which can quickly and accurately identify individual people.  As new technology is created to ensure security, recognize people, or prevent fraud, the use of biometric identifiers is becoming more commonplace.  Certain lawmakers, however, have growing concerns that the personal and powerful nature of biometric information warrants regulation.

New York is the latest state to introduce legislation to specifically address those concerns.  On January 6, 2021, a bipartisan group of New York state lawmakers introduced Assembly Bill (“AB”) 27, the “Biometric Privacy Act”.  With the introduction of AB 27, the New York legislature is continuing the trend of adding biometric data to the landscape of privacy law.  If it passes, New York would join Illinois, Texas, and Washington in having regulation aimed specifically at biometric data.  Numerous states already have biometric data regulations incorporated in their data breach notification laws.

AB 27

The purpose of AB 27 is to provide safeguards to individuals regarding the collection and use of their fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition.  Under the proposed legislation, private entities (including any individual, partnership, corporation, limited liability company, association or other group) would be obligated to:

  • develop written retention policies for biometric data if it is in possession of biometric identifiers or information, and make those policies available to the public;
  • establish a retention schedule and guidelines for permanently destroying biometric data when (1) the purpose for obtaining the data "has been satisfied" or (2) three years have passed since the individual's last interaction with the organization, whichever occurs first;
  • obtain express written consent for the collection of biometric data prior to collecting or receiving the data;
  • provide technical and organizational safeguards to protect the biometric information; and
  • not sell, lease, trade or otherwise profit from a person’s or customer’s biometric information.

Private Right of Action

Importantly for insurers, AB 27 contains a private right of action for violations.  New York would only be the second state after Illinois to pass a biometric privacy law with a private right of action.  Through AB 27’s private right of action, a prevailing party may recover:

  • liquidated damages of one thousand dollars or actual damages, whichever is greater, for negligent violations;
  • liquidated damages of five thousand dollars or actual damages, whichever is greater, for intentional or reckless violations;
  • attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
  • other relief, including an injunction, as the court may deem appropriate.

As discussed by our colleague John LaBarbera in his recent article, insurers should take careful note of biometric data laws with a private right of action.  In West Bend Mutual Insurance Co. v. Krishna Schaumburg Tan, Inc., 2020 IL App (1st) 191834 (March 20, 2020), the Appellate Court of Illinois, First District, held that an insurer had a duty to defend an underlying class action lawsuit alleging violation of the Illinois Biometric Information Privacy Act.  In the underlying action, the plaintiff had her fingerprints scanned for the purpose of verifying her identity but was never provided a written release allowing disclosure of her biometric data to a third party.  The Court found coverage under a “Business owners Liability Coverage Form” providing coverage for “personal injury”.  The policy defined “personal injury,” in relevant part, as “[o]ral or written publication of material that violates a person’s right of privacy.”  The Court also held that an exclusion which prohibited coverage for violation of “any statute, ordinance or regulation . . . that prohibits or limits the sending, transmitting, communication or distribution of material or information” did not apply.

Violations of biometric privacy acts can create large exposures.  For example, In re Facebook Biometric Information Privacy Litigation, a Biometric Information Privacy Act class action lawsuit in the Northern District of California, settled for $650 million.  Insurers may see claims submitted under Commercial General Liability policies, as in West Bend, or under D&O, E&O, or cyber products, depending on the policy language.  Accordingly, as biometric data regulations continue to develop, insurers should be acutely aware of biometric privacy laws allowing a private right of action and should appropriately address this risk in their products and in risk selection.