Franchised Businesses Take Note: Biometric Privacy Laws and Liability

The Legal Intelligencer
By Craig R. Tractenberg

Technology has its privacy risks. Biometric privacy laws are becoming increasingly common. Under New York City’s biometric privacy law, which follows the model of the Illinois Biometric Information Privacy Act and will become effective July 21, consumer establishments will have signs advising their patrons of their rights.

Summary of the New York City Law

The New York City law will cover all commercial establishments that retain, convert, store or share biometric information, which includes bars, restaurants, entertainment venues and retail stores. “Biometric information” will include retina scans, iris scans, fingerprint scans, voiceprints, hand scans, face geometry and face recognition, as well as other identifying characteristics. Commercial establishments using biometric information will be required to post conspicuous signage advising that such information is being retained, converted, stored or shared. Liability for failure to post a sign, however, will be subject to a 30-day notice to cure requirement. The New York City law provides for a private right of action and no actual damages are necessary for recovery of statutory damages.

The notice to cure requirement appears to be the only exception to strict liability under the municipal law. The law prohibits receiving anything of value in exchange for biometric information and prohibits the sale of such information. Violation of the law is subject to damages of $500 for each violation for failure to give notice, $500 for negligent violation of the prohibition on exchanging the information for value, $5,000 for each intentional or reckless violation, and reasonable attorney fees and litigation expenses.

Learning From the Illinois Act

A recent decision by the Illinois Supreme Court in the case of West Bend Mutual Insurance v. Krishna Schaumburg Tan, — N.E.3d — (2021), demonstrates the application of the biometric privacy laws. Klaudia Sekura filed a class action lawsuit against Krishna Schaumburg Tan, Inc. (Krishna), a tanning salon and franchisee of L.A. Tan. The complaint alleged that Krishna violated the Biometric Information Privacy Act provisions relating to the collection of biometric identifiers and biometric information when it scanned Sekura’s and its other customers’ fingerprints, and violated the act’s provisions relating to the disclosure of biometric identifiers and information when it disclosed biometric information containing her fingerprints to an out-of-state third-party vendor, SunLync. The fact pattern is not unusual under the Illinois Act, as more than 100 class actions have been filed with similar claims.

The underlying complaint alleged that Sekura purchased a membership from Krishna that gave her access to L.A. Tan’s tanning salons. Sekura’s membership required Sekura to provide Krishna with her fingerprints. Sekura filed a three-count class action lawsuit. Count I alleged that Krishna Tan systematically and automatically collected, used, stored, and disclosed its customers’ biometric identifiers or biometric information without first obtaining the written release required by the act; that Krishna Tan systematically disclosed the plaintiff’s and the class’ biometric identifiers and biometric information to SunLync, an out-of-state vendor; and that Krishna Tan does not provide a publicly available retention schedule or guidelines for permanently destroying its customers’ biometric identifiers and biometric information as specified by the act. Count II alleged unjust enrichment because Krishna failed to comply with the act and that Krishna should not be allowed to retain the money Sekura paid to Krishna. Count III alleged that Krishna was negligent when it breached its duty of reasonable care by violating the act. Sekura’s prayer for relief sought “statutory damages of $1,000 for each of Krishna Tan’s violations of the act.”

Does Insurance Cover the Class Action Liability?

The issue for the Illinois Supreme Court was whether insurance was available to cover the liability. Krishna tendered Sekura’s lawsuit to West Bend Mutual Insurance Co. (West Bend), its insurer, and requested a defense. West Bend filed a declaratory judgment action against Krishna and Sekura contending that it did not owe a duty to defend Krishna against Sekura’s lawsuit. The Supreme Court held that the allegations in Sekura’s complaint fell potentially within West Bend’s policies’ coverage because the underlying complaint alleges that Sekura suffered a nonbodily personal injury or advertising injury (emotional upset, mental anguish, and mental injury). Krishna’s alleged sharing of Sekura’s biometric identifiers and biometric information with SunLync constitutes a “publication” within the purview of West Bend’s policies, and Krishna’s alleged sharing of Sekura’s biometric identifiers and biometric information (fingerprints) with SunLync potentially violated Sekura’s right to privacy.

Interestingly, the insurance policy excluded by separate rider the violation of certain analogous statutes that create liability for unwanted communications, such as the TCPA (telephone and faxes) and the CAN-SPAM Act (email). The Supreme Court concluded that these exclusions were not broad enough to exclude policy coverage.

What to Do Now

Consumer-facing commercial establishments in New York City must adapt to the NYC law. For franchised and chain establishments, the brand must educate its participants and learn to avoid liability. Decisions must be made about how important the biometric identifiers are and how they are stored and used. Chainwide contracts need to be reviewed for proper indemnification by local operators and insurance coverage. Finally, look at current insurance coverage to determine the status of coverage or exclusions of biometric risk.

Expect the state of New York and other states and municipalities to enact similar biometric privacy laws, and expect the courts to interpret the scope of such laws broadly. Privacy is in the interest of everyone; expect to deal properly with such valuable and personal information.

Reprinted with permission from the May 25 issue of The Legal Intelligencer. (c) 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.