BILL
S.2539-A (Myrie)
SUBJECT
Requires Retailers to Post Biometric Warning Signs
DATE
Oppose
The Business Council opposes S.2539-A (Myrie), which would require retailers to post conspicuous warning signs at each entrance when they track customers through electronic devices or collect biometric identifier information. The bill as currently drafted contains several significant drafting deficiencies that would produce unintended and harmful consequences.
The Prohibition on Sharing Biometric Data Should Be Qualified to Permit Consent-Based and Service-Driven Uses
Section 2(b) categorically prohibits retailers from selling, leasing, trading, sharing, or otherwise profiting from the transfer of biometric identifier information, with no exception for situations in which a consumer has consented to such sharing or in which the sharing is necessary to provide a product or service the consumer has requested. To better focus the scope of the bill, we believe Section 2(b) should be qualified to include “without consent” of the consumer to permit the sharing of biometric data to the extent necessary to provide a product or service the consumer has requested.
Section 2(b) categorically prohibits retailers from selling, leasing, trading, sharing, or otherwise profiting from the transfer of biometric identifier information, with no exception for situations in which a consumer has consented to such sharing or in which the sharing is necessary to provide a product or service the consumer has requested. To better focus the scope of the bill, we believe Section 2(b) should be qualified to include “without consent” of the consumer to permit the sharing of biometric data to the extent necessary to provide a product or service the consumer has requested.
The Security Exemption Should Be Broadened to Cover Theft Prevention and Consumer-Requested Services
Section 4 exempts from the bill’s requirements cameras and other technology “solely intended for video surveillance to ensure the security of a store.” This exemption is too narrow in two respects.
Section 4 exempts from the bill’s requirements cameras and other technology “solely intended for video surveillance to ensure the security of a store.” This exemption is too narrow in two respects.
First, the exemption’s reference to “security” does not expressly encompass theft prevention, investigation, or prosecution of unlawful acts — all of which are legitimate purposes that the exemption should cover. We recommend expanding the exemption to read “to ensure the safety and security of a store, including the prevention, investigation, or prosecution of theft or other unlawful acts.”
Second, Section 4 contains no exemption for technologies deployed to provide services or products that a consumer has requested. Retailers can use advanced technologies — including biometric-adjacent tools — to process payments or verify identification, for example, and otherwise fulfill consumer requests. Section 4 should be broadened to exempt these products and services.
The Definition of “Tracking” Is Overbroad and Should Be Narrowed
Section 5(d) defines “tracking” to include, without limitation, situations where retailers track a person’s movement throughout the establishment “for purposes of storing or selling” such information. The inclusion of “storing” as an independent trigger for the definition is overly broad and could capture entirely routine and beneficial consumer interactions.
Section 5(d) defines “tracking” to include, without limitation, situations where retailers track a person’s movement throughout the establishment “for purposes of storing or selling” such information. The inclusion of “storing” as an independent trigger for the definition is overly broad and could capture entirely routine and beneficial consumer interactions.
For example, a consumer who uses their cell phone to access a retailer’s mobile application while in-store to redeem coupons or access a loyalty program could arguably be subject to location data storage by the retailer’s app during that interaction. Under the current definition, that routine use could constitute “tracking,” triggering the bill’s warning sign requirements — even though the consumer has chosen to use the app and the data storage is incidental to the service.
Subsection (iv) of the “Biometric Identifier Information” Definition Is Ambiguous and Departs from Spirit of the Bill
Section 5(e) defines “biometric identifier information” as a physiological or biological characteristic used to identify an individual and provides a non-exhaustive list of examples: retina or iris scans, fingerprints or voiceprints, scans of hand or face geometry, and “any other identifying characteristic.”
Section 5(e) defines “biometric identifier information” as a physiological or biological characteristic used to identify an individual and provides a non-exhaustive list of examples: retina or iris scans, fingerprints or voiceprints, scans of hand or face geometry, and “any other identifying characteristic.”
This catch-all reference to “any other identifying characteristic” is ambiguous to the point of rendering the definition meaningless as a limiting principle. Read broadly, it could encompass virtually any data point that could be used to identify an individual — including a customer’s name, email address, loyalty card number, or purchasing history. This result is plainly not within the spirit of a bill focused on biometric data, and it would expose retailers to compliance obligations and enforcement risk with respect to data that bears no resemblance to the biometric identifiers enumerated elsewhere in the definition.
The Enforcement Provision Should Expressly Preclude a Private Right of Action
Section 3 establishes a civil penalty framework enforced by municipal consumer affairs offices, town attorneys, city corporation counsel, and other municipal designees. However, the bill is silent as to whether it creates — or forecloses — a private right of action by individual consumers. Given the bill’s silence, we believe it is not the intent of the sponsor to create a new private right of action, and therefore, recommend including express language clarifying that this section does not create, and shall not be construed to create, a private right of action under this section or any other law.
Section 3 establishes a civil penalty framework enforced by municipal consumer affairs offices, town attorneys, city corporation counsel, and other municipal designees. However, the bill is silent as to whether it creates — or forecloses — a private right of action by individual consumers. Given the bill’s silence, we believe it is not the intent of the sponsor to create a new private right of action, and therefore, recommend including express language clarifying that this section does not create, and shall not be construed to create, a private right of action under this section or any other law.
Additional Suggestions
We strongly suggest that the bill contains explicit pre-emption language recognizing that compliance with NYC Local Law 3 constitutes compliance with provisions of this proposed law (S.2593-A). New York businesses are too often subject to similar or duplicative laws and regulations at federal, state, and local levels.
We strongly suggest that the bill contains explicit pre-emption language recognizing that compliance with NYC Local Law 3 constitutes compliance with provisions of this proposed law (S.2593-A). New York businesses are too often subject to similar or duplicative laws and regulations at federal, state, and local levels.
Further, as this bill applies to businesses, big and small, we further recommend that the bill contains a 30-day right to cure provision to allow businesses to fix signage issues before facing a lawsuit or fine.
Conclusion
As currently drafted, this legislation contains drafting deficiencies that would produce unintended consequences — prohibiting consumer-driven and service-driven data uses, chilling beneficial technological innovation, and sweeping in data and conduct well beyond the bill’s apparent intent. For these reasons, The Business Council opposes S.2539-A (Myrie) and urges the Legislature to reject its passage.
As currently drafted, this legislation contains drafting deficiencies that would produce unintended consequences — prohibiting consumer-driven and service-driven data uses, chilling beneficial technological innovation, and sweeping in data and conduct well beyond the bill’s apparent intent. For these reasons, The Business Council opposes S.2539-A (Myrie) and urges the Legislature to reject its passage.