Understanding the Scope of NYC’s Biometrics Law and its Implications for Businesses

 

The use of biometrics in the private sector has significantly expanded despite the disastrous fate of Clearview AI but in a more limited and cautious form.[1] Google has rolled out biometric verification to the Play Store using fingerprint and facial recognition technology on device, which users can set as their default form of verification.[2] Apple uses Face and Touch ID to protect devices and payment information. Both are entirely on device, and the only processing is the transmission from the sensor to the Secure Enclave, which encrypts and stores the user’s biometric information.[3] JPMorgan has also launched a biometrics payment program with several merchant pilots across the US.[4] JPMorgan has partnered with software firm PopID, which offers face-pay technology that PopID claims only uses “opt-in” and “affirmative” user consent to avoid conflict with local biometrics law.[5]

 

Supporters of biometrics claim that they are a robust method for preventing unauthorized access and, therefore, are very valuable from a cybersecurity perspective.[6] However, regulators remain concerned about granting enhanced surveillance capabilities to private entities.[7] Biometrics are also significantly less accurate at accurately identifying minorities, which can lead to unchecked bias.[8] As a result, state and local governments have rolled out restrictive biometric laws to avoid unauthorized surveillance without informed consent.[9]

 

NYC Biometrics Law (§ 22-1202(b)) provides that it “shall be unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”[10] § 22-1202(a) permits the “commercial use, collection, and retention of biometric information” if the customer is informed via conspicuous disclosure.[11] Understanding the scope of this law is crucial to determining the viability of biometric products in NYC.

 

The issue of the scope of § 1202(b) was litigated in Gross v. Madison Square Garden, a case that garnered a lot of media attention because it involved controversial Knicks owner James Dolan.[12] The determinative legal issue in the case was whether there was an “exchange for… value” or if MSG “otherwise profit[ed]” from an exchange of biometric information.[13] Plaintiffs alleged that “MSG unlawfully uses the biometric data it collects from consumers via facial recognition technology to selectively remove attorneys and their clients who have commenced litigation against MSG from its venues, thus profiting by deterring litigation and reducing its litigation expenses.”[14] The court was not persuaded by this argument as it found the profit alleged by the plaintiffs to be too “attenuated” to fall under the scope of § 1202(b), which narrowly prohibits “profit from the transaction itself.”[15] Moreover, this would invalidate § 1202(a), which allows commercial use of biometrics with proper notice to the consumer.[16] A broad interpretation of § 1202(b) outlawing any benefit, no matter how attenuated, would invalidate all uses of biometrics in NYC as no company would use biometrics without accruing some benefit.[17]

 

Another case involving the NYC Biometrics Law is Mallouk v. Amazon.com, Inc., which concerned the implementation of biometrics in Amazon Go stores.[18] Amazon’s “Just Walk Out” technology allows customers to enter the store using their palmprints and uses cameras to identify customers, track their movement, and detect which products customers walk out with, then charges their credit card.[19] This specific suit is regarding a combination Starbucks-Amazon Go location, which allows customers to pick up their Starbucks mobile order and also shop at Amazon Go on 59^th Street between Park and Lexington Avenue.[20]

 

Plaintiffs alleged that Amazon did not provide the required signage to inform consumers that biometric information was being collected and that Amazon failed to fix the problem within 30 days of being notified by mail per the requirements of § 22-1201(a).[21] Defendants argued that Plaintiffs consented to biometric collection and, therefore, did not have a legitimate case. The Court found this argument unpersuasive as the NYC biometrics law does not include a consent limitation and provides that businesses must post a “clear and conspicuous sign” by all entrances.[22] The fact that the consumers registered their palmprints does not imply that they consented to sharing other forms of biometric information. Therefore, the Court agreed that “NYC requires specific signage for adequate notice and consent to occur.”[23]

 

Plaintiffs also claimed that Amazon profited from sharing biometric information with Starbucks, violating § 22-1202(b).[24] According to Plaintiffs, the sharing of this information allowed Amazon to link biometric information to other forms of personal information (purchase history, credit cards information, etc.) “to make more targeted advertising, marketing, pricing, and promotional decisions.”[25] The Court held that this type of profit was too “attenuated” to violate 22-1202(b), much like in the MSG case.[26] Amazon has closed three Amazon Go stores, citing a lack of profitability in the face of rising rent and did not comment on the role the pending litigation played.[27]

 

In light of these cases, it remains unclear what kind of transactions involving biometric data is prohibited under the “otherwise profits” prong of § 22-1202(b), as there is no concrete example of what would constitute a profit that is not “too attenuated.” From a policy perspective, the recommendation from the Magistrate Judge seems sounder than Judge Kaplan’s ruling. Judge Kaplan’s interpretation of the “otherwise profits” prong to mean “profit from the transaction itself”[28] gives it the same meaning as the “exchange for value” prong, essentially folding the two definitions into one. Holding that “reducing litigation costs” counts as “otherwise profits” is more in line with the intention of the legislature to protect biometric data from being “sold, shared, or used in ways that the consumer does not understand or consent to.”[29]

 

Regardless, businesses must still avoid directly paying for the collection of biometric information as this would likely violate § 22-1202(b) under the “exchange for…. value” prong.[30] This prevents the accumulation of biometric databases that are then sold for profit, like Clearview AI, but not contracting for a third party to process biometric information using their own database. Thus, there is significant wiggle room for third-party biometrics providers to sell their services. However, for all allowed uses, there must still be appropriate signage at all entrances under § 22-1202(a).[31]

 

---

[1] In Big Win, Settlement Ensures Clearview AI Complies With Groundbreaking Illinois Biometric Privacy Law, ACLU (May 9, 2022), https://www.aclu.org/press-releases/big-win-settlement-ensures-clearview-ai-complies-with-groundbreaking-illinois [https://perma.cc/P2CF-W47T].

[2] Cesar Cadenas, Google adds biometric verification to Play Store to keep your in-store wallet safe, Techradar (Apr. 16, 2024),https://www.techradar.com/computing/software/google-adds-biometric-verification-to-play-store-to-keep-your-in-store-wallet-safe [https://perma.cc/S4JJ-27QZ].

[3] Apple Platform Security, Apple, https://help.apple.com/pdf/security/en_GB/apple-platform-security-guide-b.pdf [https://perma.cc/573X-7Q5B] (last visited Nov. 13, 2024).

[4] Caitlin Mullen, JPMorgan to launch biometric checkout next year, Payments Dive (Mar. 11, 2024), https://www.paymentsdive.com/news/jpmorgan-payments-biometrics-checkout-face-palm-pay-popid/709844/ [https://perma.cc/SW4Q-QELC].

[5] Id.

[6] Evie Kim Sing, OBIM spokesperson gives rare comment on biometric identification as the baseline for cyber security, IdentityWeek (Nov. 11, 2024),https://identityweek.net/obim-spokesperson-gives-rare-comment-on-biometric-identification-as-the-baseline-for-cyber-security/ [https://perma.cc/JDB4-K8GM].

[7] FTC Warns About Misuses of Biometric Information and Harm to Consumers, FTC (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers [https://perma.cc/RY69-LR82].

[8] Id.

[9] See 740 Ill. Comp. Stat. 14/1 (2008) (also known as the “Biometric Information Privacy Act”).

[10] N.Y.C. Admin. Code § 22-1202(b).

[11] N.Y.C. Admin. Code § 22-1202(a).

[12] Rich Calder, Judge greenlights NYC suit alleging MSG, James Dolan used tech to ban enemies, NY Post (Jan. 13, 2024), https://nypost.com/2024/01/13/metro/judge-oks-nyc-suit-over-msg-james-dolan-using-tech-to-ban-enemies/ [https://perma.cc/CS42-HUQE].

[13] Gross v. Madison Square Garden Ent. Corp., No. 23CV3380LAKJLC, 2024 WL 103235 (S.D.N.Y. Jan. 9, 2024), report and recommendation adopted in part, rejected in part, No. 23-CV-3380 (LAK) (JLC), 2024 WL 2055343 (S.D.N.Y. May 7, 2024) [hereinafter MSG Magistrate Opinion].

[14] Id.

[15] Gross v. Madison Square Garden Ent. Corp., No. 23-CV-3380 (LAK) (JLC), 2024 WL 2055343, at *1 (S.D.N.Y. May 7, 2024) (rejecting the recommendation by the Magistrate Judge that reducing litigation costs should fulfill the otherwise profits prong of the statute on the grounds that it would be too broad of an interpretation) [hereinafter MSG Kaplan Opinion].

[16] N.Y.C. Admin. Code § 22-1202(a).

[17] MSG Kaplan Opinion, 2024 WL 2055343, at *2.

[18] Mallouk v. Amazon.com, Inc., No. C23-852-RSM, 2024 WL 3511015 (W.D. Wash. July 23, 2024)

[19] Id. at *4-5.

[20] Starbucks, Starbucks Pickup and Amazon Go Collaborate to Launch New Store Concept in New York City

https://about.starbucks.com/press/2021/starbucks-pickup-and-amazon-go-collaborate-to-launch-new-store-concept-in-new-york-city/ (Nov. 13, 2024).

[21] Id. at *6.

[22] Id. at *9.

[23] Id. at *10.

[24] Mallouk, 2024 WL 3511015, at *13.

[25] Id. at *14.

[26] Id. at *15 citing MSG Kaplan Opinion, 2024 WL 2055343, at *1.

[27] Jessica Loder, Amazon Go closes 3 NYC stores, Retail Dive(Oct. 9, 2024), https://www.retaildive.com/news/3-amazon-go-stores-close-new-york/729336/ [https://perma.cc/W3TE-LPFX].

[28] MSG Kaplan Opinion, 2024 WL 2055343, at *1.

[29] MSG Magistrate Opinion, 2024 WL 103235, at *5 (quoting Committee Report at 12).

[30] N.Y.C. Admin. Code § 22-1202(b).

[31] N.Y.C. Admin. Code § 22-1202(a).