NYC Passes Biometric Data Protection Laws Aimed At Businesses, Smart Access Building Owners
New York City has set its sights on biometric data protection this summer, passing two laws regulating the use of biometric information within the same month.
The New York City Council amended its administrative code on July 9, 2021, to include a new regulation covering the use of biometric identifier information (BII) used by businesses within the city. (See NYC Admin. Code §§ 22-1201 – 1205.) The new law regulates how commercial establishments may gather, use, share and store biometric identifiers concerning New York City residents or visitors. Soon after, on July 29, the council passed the Tenant Data Privacy Act (TDPA) to place additional limits on the use of biometric information by “smart access” building owners in the five boroughs. (See NYC Admin. Code §§ 26-3001 – 3007.)
In passing both laws, New York City joins a growing number of cities and states that have implemented privacy laws limiting the use of BII, reflecting an accelerating trend toward restricting the collection and use of biometric information.
New Limitations on Use of Biometric Information
The city’s biometric information privacy law, effective July 9, prohibits using BII for transactional purposes, that is, to sell, lease, trade or otherwise profit from the transaction of biometric information. It also requires businesses that use BII to notify customers of their collection practices by posting formal notices near all physical entrances of the business.
Similarly, the TDPA prohibits building owners from selling, leasing or otherwise disclosing tenant data collected by smart access systems, including biometric information, except to vendors for the purpose of operating such systems. It limits a building owner’s ability to use smart access technology and biometric information for access into buildings, common areas or individual dwelling units. The act also restricts the categories of tenant data that building owners can collect, generate or use through smart access systems.
Following a grace period ending on Jan. 1, 2023, owners of smart access buildings must implement policies and practices to address new requirements involving individual express consent, clear privacy policies, security safeguards and data destruction.
Scope of the Regulations
While the applicability of the city’s biometric identifier law is limited to commercial businesses, the TDPA governs the data usage of all smart access buildings, including those utilizing key fobs, phone apps and radio-frequency identification (RFID) cards.