On January 6, 2021, New York legislators introduced the Biometric Privacy Act ("BPA") to protect the rights of New York residents whose biometric information has been collected, used, or stored by a private entity. Not surprisingly, BPA does not apply to state or local government entities. BPA imposes new requirements on private entities that collect, store, and use biometric data; as well as provides individuals a private right of action to enforce a private entity's noncompliance with BPA. For those familiar with Illinois' Biometric Information Privacy Act, New York's proposed BPA is essentially copied verbatim.

Who Does BPA Apply To?

BPA requires any private entity, an individual or a business, that collects, uses, or stores biometric data of New York residents to comply with its requirements. Similar to New York's S.H.I.E.L.D. Act, there is no territorial scope.

Retention Policy

BPA requires private entities that collect, use, or store biometric data to create a written retention policy that states how long biometric data is retained. Further, the policy must be made available to the public. BPA states biometric data must be destroyed when the initial purpose for its collection has been satisfied or, at most, three (3) years after an individual's last interaction with the private entity.

Requirements to Collect Biometric Data

Prior to collecting biometric data, a private entity must satisfy three (3) obligations:

  1. The individual must be informed in writing of the biometric data to be collected;
  2. The individual must be informed in writing of the specific purpose for which the biometric data will be used and the length of time for which it will be stored; and
  3. The private entity must receive written consent from the individual.

Security Requirement

BPA includes a vague security requirement that states the private entity must protect biometric data both at-rest and in-transit.

Additional Provisions

  • The private entity cannot profit from the disclosure of biometric data.
  • The private entity cannot disclose biometric data without the individual's consent, unless the disclosure is required to complete a financial transaction.
  • Biometric data collection/use that would otherwise be governed by HIPAA is exempt from BPA.

What Does This Mean?

If BPA is enacted in its proposed form, many businesses that have been collecting, using, and storing biometric data will have to implement operational procedures to obtain the consent from those individuals.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.