Bill Text: NY S01933 | 2021-2022 | General Assembly | Amended
Bill Title: Establishes the biometric privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs later.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2022-01-05 - REFERRED TO CONSUMER PROTECTION [S01933 Detail]
Download: New_York-2021-S01933-Amended.html
STATE OF NEW YORK ________________________________________________________________________ 1933--A 2021-2022 Regular Sessions IN SENATE January 16, 2021 ___________ Introduced by Sen. RITCHIE -- read twice and ordered printed, and when printed to be committed to the Committee on Consumer Protection -- committee discharged, bill amended, ordered reprinted as amended and recommitted to said committee AN ACT to amend the general business law, in relation to biometric privacy The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. The general business law is amended by adding a new article 2 32-A to read as follows: 3 ARTICLE 32-A 4 BIOMETRIC PRIVACY ACT 5 Section 676. Short title. 6 676-a. Definitions. 7 676-b. Retention; collection; disclosure; destruction. 8 676-c. Right of action. 9 676-d. Construction with other laws. 10 § 676. Short title. This article shall be known and may be cited as 11 the "biometric privacy act". 12 § 676-a. Definitions. As used in this article: 1. "Biometric identifi- 13 er" means a retina or iris scan, fingerprint, voiceprint, or scan of 14 hand or face geometry. Biometric identifiers shall not include writing 15 samples, written signatures, photographs, human biological samples used 16 for valid scientific testing or screening, demographic data, tattoo 17 descriptions, or physical descriptions such as height, weight, hair 18 color, or eye color. Biometric identifiers shall not include donated 19 body parts as defined in section forty-three hundred of the public 20 health law or blood or serum stored on behalf of recipients or potential 21 recipients of living or cadaveric transplants and obtained or stored by 22 a federally designated organ procurement agency. Biometric identifiers 23 do not include information captured from a patient in a health care EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD02422-04-1S. 1933--A 2 1 setting or information collected, used, or stored for health care treat- 2 ment, payment, or operations under the federal Health Insurance Porta- 3 bility and Accountability Act of 1996. Biometric identifiers do not 4 include an X-ray, roentgen process, computed tomography, magnetic reso- 5 nance imaging, positron-emission tomography scan, mammography, or other 6 image or film of the human anatomy used to diagnose, prognose, or treat 7 an illness or other medical condition or to further validate scientific 8 testing or screening. 9 2. "Biometric information" means any information, regardless of how it 10 is captured, converted, stored, or shared, based on an individual's 11 biometric identifier used to identify an individual. Biometric informa- 12 tion shall not include information derived from items or procedures 13 excluded under the definition of biometric identifiers. 14 3. "Confidential and sensitive information" means personal information 15 that can be used to uniquely identify an individual or an individual's 16 account or property which shall include, but shall not be limited to, a 17 genetic marker, genetic testing information, a unique identifier number 18 to locate an account or property, an account number, a personal iden- 19 tification number, a pass code, a driver's license number, or a social 20 security number. 21 4. "Private entity" means any individual, partnership, corporation, 22 limited liability company, association, or other group, however organ- 23 ized. A private entity shall not include a state or local government 24 agency or any court in the state, a clerk of the court, or a judge or 25 justice thereof. 26 5. "Written release" means informed written consent or, in the context 27 of employment, a release executed by an employee as a condition of 28 employment. 29 § 676-b. Retention; collection; disclosure; destruction. 1. A private 30 entity in possession of biometric identifiers or biometric information 31 must develop a written policy establishing a retention schedule and 32 guidelines for permanently destroying biometric identifiers and biome- 33 tric information when the initial purpose for collecting or obtaining 34 such identifiers or information has been satisfied or within three years 35 of the individual's last interaction with the private entity, whichever 36 occurs later. Absent a valid warrant or subpoena issued by a court of 37 competent jurisdiction, a private entity in possession of biometric 38 identifiers or biometric information must comply with its established 39 retention schedule and destruction guidelines. 40 2. No private entity may collect, capture, purchase, receive through 41 trade, or otherwise obtain a person's or a customer's biometric identi- 42 fier or biometric information, unless it first: 43 (a) informs the subject or the subject's legally authorized represen- 44 tative in writing that a biometric identifier or biometric information 45 is being collected or stored; 46 (b) informs the subject or the subject's legally authorized represen- 47 tative in writing of the specific purpose and length of term for which a 48 biometric identifier or biometric information is being collected, 49 stored, and used; and 50 (c) receives a written release executed by the subject of the biome- 51 tric identifier or biometric information or the subject's legally 52 authorized representative. 53 (d) The provisions of this subdivision shall not apply to a private 54 entity which obtained informed written consent to collect or store a 55 person or customer's biometric identifier or biometric information prior 56 to the effective date of this article, provided such consent wasS. 1933--A 3 1 obtained from the person or customer in a manner that would otherwise 2 satisfy the requirements set forth in paragraphs (a), (b) and (c) of 3 this subdivision. 4 3. No private entity in possession of a biometric identifier or biome- 5 tric information may sell, lease, trade, or otherwise profit from a 6 person's or a customer's biometric identifier or biometric information. 7 4. No private entity in possession of a biometric identifier or biome- 8 tric information may disclose, redisclose, or otherwise disseminate a 9 person's or a customer's biometric identifier or biometric information 10 unless: 11 (a) the subject of the biometric identifier or biometric information 12 or the subject's legally authorized representative consents to the 13 disclosure or redisclosure; 14 (b) the disclosure or redisclsoure completes a financial transaction 15 requested or authorized by the subject of the biometric identifier or 16 the biometric information or the subject's legally authorized represen- 17 tative; 18 (c) the disclosure or redisclosure is required by federal, state or 19 local law or municipal ordinance; or 20 (d) the disclosure is required pursuant to a valid warrant or subpoena 21 issued by a court of competent jurisdiction. 22 5. A private entity in possession of a biometric identifier or biome- 23 tric information shall: 24 (a) store, transmit, and protect from disclosure all biometric identi- 25 fiers and biometric information using the reasonable standard of care 26 within the private entity's industry; and 27 (b) store, transmit, and protect from disclosure all biometric identi- 28 fiers and biometric information in a manner that is the same as or more 29 protective than the manner in which the private entity stores, trans- 30 mits, and protects other confidential and sensitive information. 31 § 676-c. Right of action. Any person aggrieved by a violation of this 32 article who has sustained actual damages as a result of such violation 33 shall have a right of action in supreme court against an offending 34 party. A prevailing party may recover for each violation: 35 1. against a private entity that negligently violates a provision of 36 this article, liquidated damages of one thousand dollars or actual 37 damages, whichever is greater; 38 2. against a private entity that intentionally or recklessly violates 39 a provision of this article, liquidated damages of five thousand dollars 40 or actual damages, whichever is greater; 41 3. reasonable attorneys' fees and costs, including expert witness fees 42 and other litigation expenses; and 43 4. other relief, including an injunction, as the court may deem appro- 44 priate. 45 § 676-d. Construction with other laws. 1. Nothing in this article 46 shall be construed to impact the admission or discovery of biometric 47 identifiers and biometric information in any action of any kind in any 48 court, or before any tribunal, board, agency, or person. 49 2. Nothing in this article shall be construed to conflict with the 50 federal Health Insurance Portability and Accountability Act of 1996. 51 3. Nothing in the article shall be deemed to apply in any manner to a 52 financial institution or an affiliate of a financial institution that is 53 subject to Title V of the federal Gramm-Leach-Bliley Act of 1999. 54 4. Nothing in this article shall be construed to apply to a contrac- 55 tor, subcontractor, or agent of a state agency of local government when 56 working for that state agency of local government.S. 1933--A 4 1 5. Nothing in this article shall be construed to conflict with any 2 federal law, rule, regulation, or licensing requirement to the contrary. 3 § 2. This act shall take effect on the ninetieth day after it shall 4 have become a law.
