Skip to Main Content
News & Events: Client Advisories

New York City Biometrics Privacy Law Allows Private Right of Action Against Companies for Improperly Using or Retaining Customers' Biometric Data


On July 9, 2021, New York City’s new biometric privacy law went into effect, providing customers greater protection over their biometric identifier information. “Biometric identifier information” is defined in the new biometric privacy law as “a physiological or biological characteristic” that may be used to identify an individual.[1] Biometric identifier information includes, but is not limited to: a retina or iris scan, a fingerprint or voiceprint, a scan of hand or face.

There are three key components to New York City’s new biometric privacy law:

First, New York City commercial establishments must provide public notice if the commercial establishment is collecting, retaining, storing, or sharing customers’ biometric information.[2] “Commercial establishment” is defined to include: food and drink establishments, places of entertainment (such as theaters, stadiums, museums, parks, and other attractions), and retail stores. New York City businesses that are affected by the new biometric privacy law can provide the required notice “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language,” that customers’ biometric information is being collected, retained, stored or shared, as applicable.

Second, although the use of biometric identifier information is permitted with the required notice above, the biometric privacy law prohibits businesses from selling or otherwise profiting from the sharing of customers’ biometric identifier information.[3]

Finally, individual customers may bring a private right of action and sue businesses for violating the new biometric privacy law.[4] The aggrieved party bringing the action must first provide written notice to the commercial establishment setting forth the allegations at least thirty (30) days prior to initiating action. If the business fails to cure the violation, the prevailing aggrieved party may recover:

  • Damages of $500 for each violation of failing to provide notice to the public;
  • Damages of $500 for each negligent violation of unlawfully selling or sharing customers’ biometric identifier information;
  • Damages of $5,000 for each intentional or reckless violation of unlawfully selling or sharing customers’ biometric identifier information;
  • Reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
  • Other relief, including an injunction.

New York City businesses that use customers’ biometric identifier information and data, such as facial recognition or fingerprint scanning technology, should take steps to create a compliance program or plan to ensure compliance with the quickly-evolving biometric privacy laws and to limit potential liability.


[1] N.Y.C. Admin. Code § 22-1201.

[2] N.Y.C. Admin. Code § 22-1202(a).

[3] N.Y.C. Admin. Code § 22-1202(b).

[4] N.Y.C. Admin. Code § 22-1203.

©2024 Masuda, Funai, Eifert & Mitchell, Ltd. All rights reserved. This publication should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended solely for informational purposes and you should not act or rely upon information contained herein without consulting a lawyer for advice. This publication may constitute Advertising Material.