New York Biometric Identifier Information Act: Are You Covered? | Kelley Drye & Warren LLP


New York City’s Biometric Identification Information Act (BII), which came into effect July 9, 2021, addresses the collection and use of biometric identification information (BII) by business establishments to track customer activity. “Commercial establishment” includes retail stores, food establishments and places of entertainment. Under the BII Act, covered businesses that use biometric identification technology in their establishments are not permitted to sell biometric data and are required to notify customers by displaying prominent signage. The BII Act creates a private right of action against violators and imposes statutory damages for each violation.

BII Act Is Less Strict Than Illinois’ Biometric Information Privacy Act

The BII law (1) prohibits the sale of biometric data and (2) imposes a notification obligation on covered companies that use biometric identification technology in their establishments. Notice should be provided in business establishments only when biometric information is collected from a customer. The Illinois Biometric Information Privacy Act (BIPA), increasingly popular with the plaintiff bar, prohibits the sale or sharing of biometric identifying information and requires private entities that collect that data to provide written notice explaining their retention period and why they collect this data. The BII and BIPA include a broad definition of BII, regulate the use, collection and storage of BII, and provide for a private right of action for injured parties. BIPA plaintiffs can recover potentially astronomical damages for the inadvertent use or disclosure of biometric data by a private entity.

General comparisons with the BIPA are not justified because the BII law is less strict than the BIPA and the BIPA goes further. Both BII and BIPA impose restrictions on the collection and use of biometric data, including data such as fingerprints, face scans, or voice prints. However, the BIPA generally applies to any “private entity” and the BII Act regulates “commercial establishments”. BIPA’s private entity is defined much more broadly than the NYC BII business establishment, and therefore regulates more establishments than NYC BII.

New York City’s BII Act provides a 30-day processing period for certain violations and allows collection of biometric data without written consent, which may result in less litigation than the Illinois BIPA. Nonetheless, it is essential that New York businesses subject to the BII Act are aware of its requirements and consider whether their current insurance policy covers the potential liabilities of the BII Act.

Insurance policies can cover NYC BII related claims

Insurance policies that can cover claims related to the BII Act include Commercial Liability (CGL), Professional Liability (EPL) and cyber insurance policies.

CGL policies provide defense and compensation coverage for “personal injury and advertising,” the definition of which may cover claims for violations of the BII Act. The policies cover claims related to employment practices and often include coverage for claims for EPL employment-related privacy breaches, which may also extend to cover claims related to the BII Act. Cyber insurance policies frequently cover liability arising from wrongdoing in technology. Since there is a wide variation in the terms of cyber insurance coverage, these policies should be considered carefully. In some cases, the illegal collection and disclosure of confidential information may be excluded from cyber insurance policies.

How to determine your coverage

Policyholders should review their coverage and, before purchasing a policy, seek advice on exactly what their existing policy covers.
