By Karla Grossenbacher, Thomas E. Ahlering, and Andrew R. Cockroft
Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.
For several years now, businesses operating in Illinois have become well accustomed to the myriad lawsuits being filed, and harsh and unwavering penalties being imposed, under Illinois’ Biometric Information Privacy Act (“BIPA”). Despite the toll on businesses imposed by the ever-increasing class action and appellate litigation brought on by the statute, other jurisdictions have enacted similar legislation.
As of January 1, 2021, Portland, OR and New York City have become the newest jurisdictions to pass laws placing restrictions on the collection and/or use of biometric technology by businesses. Although the Portland and New York City ordinances differ from each other (as well as BIPA) in significant ways, they each share a common feature: a private right of action. Accordingly, these new laws have the potential to bring on a rash of high-stakes class action litigation in each of these cities.
The specifics of each ordinance are detailed below:
Portland’s ordinance bans private entities from using any “facial recognition technology” in any “places of public accommodation,” with limited exceptions, such as when it is necessary to comply with federal, state, or local laws, for individuals to access their smart devices (like facial recognition on iPhones) and for use in social media applications.
The ordinance creates a private right of action “against the Private Entity in any court of competent jurisdiction for damages sustained as a result of the violation or $1,000 per day for each day of violation, whichever is greater and such other remedies as may be appropriate,” as well as attorneys’ fees to a prevailing party.
While at first reading it may appear that the law only covers the use of facial recognition in public places, the ordinance is not so narrowly drafted. Private entities are subject to the ordinance if they constitute a “place of public accommodation,” which is defined in the ordinance to include “any place or service offering to the public accommodations, advantages, facilities, or privileges whether in the nature of goods, services, lodgings, amusements, transportation or otherwise” but excludes “an institution, bona fide club, private residence, or place of accommodation that is in its nature distinctly private.”
Accordingly, if a facility constitutes a “place of public accommodation,” then it could be liable for facial recognition technology employed anywhere in the facility regardless of whether it is public facing. Although a narrower reading of the statute may be more reasonable, courts in Illinois have routinely broadened the scope of BIPA and it is possible Portland courts would do the same.
New York City
New York City’s newly passed biometric privacy legislation has been pending before the city council for several years. Indeed, Seyfarth previously detailed this ordinance while it was still pending legislation.
The ordinance orders that “[a]ny commercial establishment” that collects biometric information from “customers” must disclose such collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language” that customers’ biometric information is being collected. The ordinance further makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
The law provides that individuals “aggrieved by” a violation of the ordinance may file a private right of action, but places some conditions on this right.
- If the individual alleges the business collected their biometric information without making the required disclosures, the individual can only initiate a private action if they first provide written notice to the business of their intent to sue and provide the business 30 days to cure the violation by placing clear and conspicuous notice at their establishment. If the business does not cure within 30 days, the individual may sue and recover $500 for “each” violation.
- If the individual alleges the business shared their biometric information in exchange for something of value or otherwise profited from the “transaction,” then the individual may sue without any prior notice to the business. The individual may recover $500 for “each” negligent violation of this section and may recover $5,000 for “each” intentional or reckless violation of this section.
Only the biometric information of “customers” is protected under the law and the law also makes clear that “‘customer’ means a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.”
Businesses in Portland, OR, and New York City should be mindful of these new laws and act accordingly. Such businesses with compliance questions should contact a member of Seyfarth’s Biometric Privacy Compliance & Litigation Practice Group.