New York proposes purpose limitation bill on collecting and handling biometric data

New York state legislators have proposed a new bill setting out how private companies must handle biometric data.

The New York Assembly Bill 27 aims to amend the law in relation to biometric privacy. It was introduced today and referred to the Committee of Consumer Affairs and Protection.

If passed, the bill would require private companies collecting and handling biometric identifiers or information to publish a written policy that establishes how long biometric information will be held. They would also have to produce guidelines on how that data will be destroyed after the initial purpose for collecting the information has been satisfied, or within three years of the user’s last interaction with the company, whichever occurs first.

In order to legally obtain biometric data a private company must inform the subject in writing of the collection and storage of their data, the purpose of the collection, and how long it will be collected, stored and used.

The draft bill also suggests the individual’s “right to action,” which enables any person “aggrieved by a violation” of their protections, “a right of action in supreme court against an offending party.” Individuals who experience a breach may receive liquidated damages of up to five thousand dollars or actual damages, whichever is greater.

Currently, no federal biometric privacy laws are in place to protect the collection and handling of biometric data. In 2008, Illinois enacted its own national regulation of the collection and handling of biometric data, known as Biometric Information Privacy Act (BIPA). Texas followed in 2009, and Washington enacted its own protections in 2017.

Earlier this year, the National Biometric Information Privacy Act (NBIPA) was introduced by Senators Bernie Sanders and Jeff Merkley to broaden the protection of biometric data across the US.

“We can’t let companies scoop up or profit from people’s faces and fingerprints without their consent,” Senator Merkley said when NBIPA was introduced in August this year. “We have to fight against a ‘big brother’ surveillance state that eradicates our privacy and our controller of our own information, be it a threat from the government or from private companies.”

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox


The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.