New Law Applies To Commercial Establishments Including Retail, Entertainment And Restaurants
By Judith Bachman
Amazon uses your palm print for payment at Whole Foods. Disney requires your fingerprints when entering a park.
Biometrics. This is the next wave of personal information that businesses will soon require consumers to share. Biometric data is a physiological or biological characteristic used to identify an individual, such as facial recognition, fingerprints, and retina/iris scans.
Personal information collected through biometric data will have to be secured by the businesses that collect it.
New York has taken the first steps to ensure security for the collection of biometric data.
New York City recently passed an ordinance governing the use of biometric data by commercial establishments. The ordinance applies to commercial establishments in New York City that collect biometric identifier information. Such establishments include places of retail (stores, pharmacies, salons, etc.), entertainment (movie theaters, concert halls, stadiums, museums, etc.) and food or drink establishments (restaurants, cafes, food carts, grocery stores, etc.). It applies to both public and private places that deal with the public.
What does the ordinance require businesses to do or not do?
- Commercial establishments are required to post “clear and conspicuous” signs notifying the public in “simple language” that biometric data is being collected, stored or shared. Such signs must be near every customer entrance.
- Commercial establishments are prohibited from profiting on biometric data. This includes profit by way of selling, leasing or sharing the data in exchange for anything of value. This prohibition applies to all biometric data whether that of customers, employees, contractors, vendors or anyone else.
In the event of non-compliance, an aggrieved person may sue for an injunction and $500 for each negligent violation and $5,000 for each intentional or reckless violation.
What can businesses do now to ensure compliance?
- Review data collection practices with regard to biometric data. What kind of data do you collect? What do you do with the data? How is it stored? How is it shared? In order to ensure compliance, you must first know what data your business is collecting and what is happening with such data.
- Prepare signs in compliance with the ordinance’s requirements. Make sure signs are written as plainly and simply as possible to notify customers of what data is being collected or stored or shared, as applicable to your business. Post these signs by every customer entrance to the establishment in a conspicuous spot.
- Notify all business employees, management, administrators, owners, service providers and financial advisors of the prohibition on profiting from any biometric data and draft a company policy prohibiting such profiting.
- Review contracts with vendors, suppliers, and independent contractors, in light of this ordinance, and ensure that such contractors are likewise in compliance with the ordinance. Enact a risk mitigation strategy to avoid non-compliance by virtue of third-party relationships.
- Update your privacy policy to put your customers (and others) on notice and to reflect compliance with the ordinance.
While this ordinance applies to commercial establishments in New York City only, keep an eye out for a similar regulation to be forthcoming at the county and state level.
Judith Bachman is the founder and principal of The Bachman Law Firm PLLC in New City. judith@thebachmanlawfirm.com 845-639-3210, thebachmanlawfirm.com