New York City’s new biometrics privacy law takes effect

A new biometrics privacy ordinance has taken effect across New York City, putting new limits on what businesses can do with the biometric data they collect on their customers.

From Friday, businesses that collect biometric information — most commonly in the form of facial recognition and fingerprints — are required to conspicuously post notices and signs to customers at their doors explaining how their data will be collected. The ordinance applies to a wide range of businesses — retailers, stores, restaurants, and theaters, to name a few — which are also barred from selling, sharing, or otherwise profiting from the biometric information that they collect.

The move will give New Yorkers — and its millions of visitors each year — greater protections over how their biometric data is collected and used, while also serving to dissuade businesses from using technology that critics say is discriminatory and often doesn’t work.

Businesses can face stiff penalties for violating the law, but can escape fines if they fix the violation quickly.

The law is by no means perfect, as none of these laws ever are. For one, it doesn’t apply to government agencies, including the police. Of the businesses that the ordinance does cover, it exempts employees of those businesses, such as those required to clock in and out of work with a fingerprint. And the definition of what counts as a biometric will likely face challenges that could expand or narrow what is covered.

New York is the latest U.S. city to enact a biometric privacy law, after Portland, Oregon passed a similar ordinance last year. But the law falls short of stronger biometric privacy laws in effect.

Illinois, which has the Biometric Information Privacy Act, a law that grants residents the right to sue for any use of their biometric data without consent. Facebook this year settled for $650 million in a class-action suit that Illinois residents filed in 2015 after the social networking giant used facial recognition to tag users in photos without their permission.

Albert Fox Cahn, the executive director of the New York-based Surveillance Technology Oversight Project, said the law is an “important step” to learn how New Yorkers are tracked by local businesses.

“A false facial recognition match could mean having the NYPD called on you just for walking into a Rite Aid or Target,” he told TechCrunch. He also said that New York should go further by outlawing systems like facial recognition altogether, as some cities have done.

Read more:

An internal code repo used by New York State’s IT office was exposed online
Data breach at New York Sports Clubs owner exposed customer data
Microsoft pitched its facial recognition tech to the DEA, new emails show
US towns are buying Chinese surveillance tech tied to Uighur abuses