Newsletter

2021-08-25
Updates on Biometrics in the Workplace: Scanning the Legal Landscape in New York and Beyond
As businesses find useful new ways to harness the evolving technology that captures and analyzes human biometric data, legal regulation of such technology’s usage is also developing, responding to concerns about personal privacy and control over personally identifying information. With a few states—notably, Illinois, Texas, and Washington—having taken the lead on protecting individual rights and restricting the collection and use of biometric information by requiring notice and consent, New York City has also recently enacted new rules that limit the collection, storage, and dissemination of such personal data.

This Epstein Becker Green Insight discusses New York City’s new biometric ordinance, as well as proposed statewide legislation now under consideration in Albany. Further, placing these New York developments in context for employers, this Insight also reviews trends in other states’ legislation—including their enforcement mechanisms—and comments on some of the case law that has begun to emerge. As biometric technology takes on an increasingly prominent role in business and in the workplace, including for security purposes, it is imperative that companies and employers monitor this developing area of the law.

New York City Ordinance Now in Force
New York City recently passed the Biometric Identifier Information Ordinance (“Ordinance”) regulating the notification and sale of biometric information by certain commercial establishments.[1] New York City now joins California, Illinois, Texas, and Washington in prescribing notification requirements involving biometric identifying data, while New York State considers a more robust statewide biometric privacy regulation that would additionally mandate consent, as Illinois, Washington, and Texas do. Employers and businesses must be mindful of the patchwork of privacy and cybersecurity laws that affect their collection and use of biometric and other personal information, as part of their ongoing compliance efforts.

Effective July 9, 2021, the Ordinance requires certain commercial establishments with physical locations within New York City to notify customers about their use of biometric technology by posting signage near all customer entrances if the commercial establishments collect, share, or maintain biometric identifying information.[2] This signage, which is required to be “in a form and manner prescribed by the commissioner of consumer and worker protection by rule,” must provide notice that the customers’ biometric identifying information is being collected or otherwise processed and should convey this information with “simple language” in a “clear and conspicuous” manner.[3] Although the Ordinance does not require covered businesses to obtain advance written consent before collecting biometric identifying information (in comparison to, e.g., Illinois’s Biometric Information Privacy Act (“BIPA”)), it does broadly prohibit covered businesses from any selling, trading, leasing, or sharing “in exchange for anything of value” or otherwise profiting from transacting the information collected. Thus, the sale and other use-for-profit prohibitions apparently reach all individual biometric information, including that of employees, contractors, or other non-customers, and apply independent of the notice requirement.[4] The Ordinance was intended to “address[] the increased collection and use of biometric identifier information, such as the use of facial recognition technology, by commercial establishments to track consumer activity” and “prohibits the sale of biometric identifier information.”

Significantly, the Ordinance provides a private right of action, with remedies that may include damages of $500 per violation for violations of the signage requirements, damages of $500 for each negligent sale or other profiting from the transaction of biometric identifying information, and damages of $5,000 for each intentional or reckless sale or other profiting. Prevailing parties in such actions may also recover reasonable attorneys’ fees and costs, including expert witness fees. With respect to notice violations only, the Ordinance requires that an aggrieved party notify the business of its violation in writing prior to commencing any action thereupon to provide an opportunity to cure (similar to the current version of the California Consumer Privacy Act). A covered business has 30 days from receipt of such notice to cure the violation and inform the customer, in writing, that (i) it cured the violation, and (ii) the violation will not occur again. There is no notice requirement or cure period for an action based upon an allegation that a business has sold or traded biometric data for monetary or other profit.

New York State Proposes a Broader Biometrics Law Requiring Advance Consent
In January 2021, Assembly Bill 27 (“AB27”), known as the Biometric Privacy Act, was introduced in the New York State Legislature. Under this proposed law, any “private entity,”[5] such as a business, would be required to notify individuals[6] in writing and acquire a written release before it collects, obtains, or purchases a biometric identifier or biometric information.[7] Such notice must disclose the specific purpose for obtaining such data and provide the length of time anticipated for the data to be collected, stored, and/or utilized. The notice and consent requirements would apply within the employment context under the terms of the statute. Specifically, to the extent that businesses obtain a biometric identifier or biometric information from an employee, they would be required to obtain an executed written release from the employee as a condition of employment.

As with the Ordinance, AB27 would broadly prohibit the sale, lease, trade, or profit from a person’s or customer’s biometric identifier or biometric information. With few exceptions, if a business seeks to share a person’s or customer’s biometric identifier or information with a third party, it would be required to obtain consent for the sharing from the identified person, regardless of whether the individual is a customer or employee, or from the individual’s legally authorized representative. Furthermore, AB27 would require that businesses safeguard the biometric information using the reasonable standard of care within the particular industry and using safeguards that are “the same as or more protective than” the manner in which the business protects other confidential and sensitive information. The New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) already requires businesses to adopt an information security program to protect biometric information and other private information, as our previous articles have highlighted. AB27, if passed, would effectively contextualize and heighten certain cybersecurity requirements under the organization’s information security program.

If passed, AB27 would also require businesses to develop and make public a written policy that outlines a retention schedule and establishes guidelines on how they intend to destroy permanently such information at the proper time. The proposed New York State law’s mandate that businesses publish their retention schedule and practices is similar to the publication requirements of the California Privacy Rights Act, which is set to become effective January 1, 2023, as our previous articles discuss. Businesses would be expected, under AB27, to destroy the biometric identifiers and information once the initial purpose for obtaining the data “has been satisfied,” or within three years of the individual’s last interaction with the business—whichever occurs first. This mandated time frame for data destruction would apply to both customers and employees under the proposed legislation.

Following along the lines of Illinois’s BIPA, AB27 has the potential in the United States to become the second state-level biometric privacy law that would permit a private right of action and award a successful party’s reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses, for failure to obtain written consent. The proposed law would grant liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violations, and the greater of $5,000 or actual damages for reckless or intentional violations. AB27 currently awaits further review in the Assembly Committee. If enacted, New York will join Illinois, as well as Texas and Washington, as a state that enforces biometric privacy laws requiring both transparency and consent for biometric data collection.

The Larger Legal Landscape on Biometrics
As discussed above, both states and cities have continued to propose or enact legislation regulating the collection of biometric data. Although some of the requirements do not currently pertain to the employment relationship, more and more are beginning to do so. As a result, as with some other topics, such as sick time and the use of criminal history (so-called “ban-the-box” laws), states and localities have created differing obligations about which multi-jurisdictional employers must be mindful. Indeed, employers will need to continue to be vigilant when collecting, using, disclosing, and destroying biometric data.

Illinois enacted BIPA, the nation’s first biometric state statute, in 2008.[8] BIPA codified safeguards against the unlawful collection and storage of biometric information by private entities, including most employers. Under BIPA, customers and employees alike are entitled to notice regarding the collection of their biometric identifiers and information (as defined to exclude certain data) and must provide an informed written consent before businesses may collect, store, or use such identifiers and information. Employees are required to execute a written release as a condition of employment and, along with consumers, are entitled to a private right of action for any harm caused by an employer’s BIPA violations.

In 2009, Texas enacted its Capture or Use of Biometric Identifier Act (“CUBI”), which applies only to biometric identifiers captured for commercial purposes, although it does not apply to voiceprint data that financial institutions or their affiliates maintain. Similar to requirements under BIPA, customers and employees of covered entities must receive notification and give consent, prior to the collection of their biometric data. Moreover, CUBI contains certain requirements related to the disclosure of such data. CUBI also provides that a company’s justification for collecting an employee’s biometric data for security purposes is generally presumed to expire immediately upon the termination of the employment. Employers should follow sound data minimization principles and destroy employee biometric information when the employment relationship has ended or when the information is no longer needed for the identified purpose. In contrast to Illinois’s BIPA, employees and customers in Texas are not entitled to a private right of action if a CUBI violation occurs. Rather, in Texas, the state attorney general enforces the statute.

Washington’s Biometric Identifiers Law (“H.B. 1493”) was enacted in 2017. Under H.B. 1493, “providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose” is required for customers and employees before including a biometric identifier in a database for commercial purposes; however, the statute provides that the notice and consent “required to achieve compliance” can vary by context. The Washington statute generally prohibits commercial use of biometric data without an individual’s consent but provides for exceptions, including, but not limited to, disclosure related to certain financial transactions or other products or services authorized, subscribed to, or requested by the individual. In addition, the Washington law requires covered persons to use “reasonable care” to protect “against unauthorized access to and acquisition of biometric identifiers” and limits the retention of such data. The Washington law does not provide a private right of action, leaving its enforcement to the state attorney general.

More recently, in 2020, Maryland enacted H.B. 1202, which restricts employers from using specific kinds of facial recognition technology in interviews without the applicant’s written consent. This law, which does not provide any mechanism for enforcement, became effective October 1, 2020.

Litigation Trends: “Injury in Fact”
One topic that has been the subject of biometrics-related litigation is whether a plaintiff needs to have suffered actual harm to bring a claim under the applicable law. In 2019, deciding Rosenbach v. Six Flags Entertainment Corp.,[9] the Supreme Court of Illinois held that a person need not have sustained actual damage beyond the violation of the person’s rights under Illinois’s BIPA in order to bring an action.

Although the Rosenbach case did not revolve around an employment relationship, courts within the Seventh Circuit have cited to it in deciding a string of cases related to employers’ collection and use of biometric data and alleged violations of BIPA. Against this backdrop, the Seventh Circuit heard Fox v. Dakkota Integrated Systems, LLC.[10] In that case, the employee alleged, among other things, that the employer unlawfully retained biometric data after the employment relationship had concluded. The Seventh Circuit held that a failure to adhere to restrictions on biometric data retention imparts as concrete an injury to a person as does a violation of restrictions on biometric data collection, again causing the “injury in fact” required for standing to bring a federal action on claims based in state law.

Looking Forward
Lawsuits against employers that violate these laws are on the rise, but given the developing legal landscape and evolving changes in biometric technology and usage, relevant jurisprudence is still unfolding. As more employers begin to use this relatively new and evolving technology in the workplace, including in connection with hiring, cybersecurity, and timekeeping, they should not overlook the rules surrounding its use and the collection, storage, transaction, disclosure, and destruction of biometric information and identifiers.

What Employers Should Do Now
New York City employers should determine whether they qualify as a “commercial establishment” (as defined in the Ordinance) and, if so, adhere to the Ordinance’s prohibition on selling, trading, leasing, or otherwise profiting from the transaction of any biometric information collected on their staff.

In addition, to the extent that staff can purchase goods or services, New York City employers should ensure that they are meeting the notice requirement for all their customers (including any employees).

Employers and businesses throughout New York State should continue to monitor the results of AB27, especially if they currently collect or utilize biometric information, or intend to do so.

Employers within New York State should also be cognizant of the prohibitions of New York Labor Law Section 201-a, prohibiting employers (with certain exceptions, e.g., hospitals, and except as otherwise provided by law) from fingerprinting employees as a condition of employment, and determine whether the prohibitions apply to any contemplated employee finger scanning.

Given the trends in legislation and court cases, employers with multiple offices nationwide—specifically in regions that have yet to weigh in on the matter—should continue monitoring the legal landscape of biometrics laws, especially when making decisions on the use or collection of such data.

Employers in California, Illinois, Texas, and Washington should ensure that their biometric data notification, collection, and use practices comply with current and anticipated requirements in their states.

All employers and businesses should take care regarding data security and prevent unauthorized access, transmission, distribution, sharing, trading, or selling, or any unlawful commoditizing, of biometric data, including conducting a risk analysis and adopting a written information security program containing reasonable safeguards.

For more information about this Insight, please contact:

Susan Gross Sholinsky
New York
212-351-4789
sgross@ebglaw.com

Shawndra G. Jones
New York
212-351-4663
sjones@ebglaw.com

Brian G. Cesaratto
New York
212-351-4921
bcesaratto@ebglaw.com

America Garza, a Summer Associate (not admitted to the practice of law) in Epstein Becker Green’s New York office, also contributed to the preparation of this Insight.

2021-08-25
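The Importance of Sexual Harassment Prevention Training
“My expressions of affection or humor were misunderstood.”
“In my own mind, I have never crossed the line. I just did not realize how much the place where that line is drawn had changed. There have been generational and cultural shifts, and I did not fully understand them.”
Do these statements sound familiar?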

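These are the words of New York Governor Cuomo, who recently announced his resignation. Governor Cuomo was suspected of having sexually harassed multiple state government employees, and an investigation had been under way; ultimately, the New York State Attorney General released a report concluding that he had engaged in sexual harassment. Following the release of the report, President Biden also expressed the view that Governor Cuomo should resign, demonstrating a firm stance that sexual harassment will not be tolerated.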

What happened between Governor Cuomo and the state employees who say they were harassed? The contents of the report are also available on The New York Times website.
https://www.nytimes.com/interactive/2021/08/03/nyregion/cuomo-sexual-harassment-report.html

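Governor Cuomo denies having engaged in sexual harassment, but the report contains detailed descriptions of situations in which victims were subjected to sexual remarks or touched inappropriately, and some of you may have already read it. Some people also seem to have come away from the series of events reported by the media wondering whether this kind of sexual harassment really still happens in this day and age.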

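Sexual harassment is absolutely unacceptable in any era and in any form. Still, because the conduct that stands out here is the kind that many people think of as a textbook example of sexual harassment, it is understandable that such views arise, and I think more than a few people thought that they themselves would never make such a mistake.
So does that mean that a person who says “I would never commit sexual harassment” will never actually become a perpetrator? Not necessarily.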

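The resolve never to commit sexual harassment is of course important, but one must first understand that what counts as such conduct differs greatly from the perception in Japan. I expect that most readers of this newsletter have also worked in Japan, and if you try to act based on the Japanese perception of sexual harassment, unexpected pitfalls almost certainly await you.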

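I myself had worked in Japan, and I remember being surprised, when I first received training in the United States, by how broad the range of conduct that constitutes sexual harassment is and by the difference in perception.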

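Feedback from people who have actually taken our sexual harassment prevention training includes comments such as:
“My perception of what constitutes sexual harassment changed significantly.”
“It prompted me to rethink my casual everyday communication.”
These reflect a change in the perception of sexual harassment itself.

“I work from home, so I thought sexual harassment was unlikely to occur.”
This reflects a change in the perception of the situations and places in which sexual harassment can occur.
“I learned about the points to be careful of precisely because this is an era in which diversity is recognized.”
Others shared impressions like this one about who can become a victim of sexual harassment.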

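Even if statements like Governor Cuomo’s at the beginning of this article, that “my expressions were misunderstood” and “I did not fully understand that there had been generational and cultural shifts,” are true, as long as there are victims, “I didn’t know” is no excuse.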

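In states where sexual harassment prevention training is already mandatory, training must also be conducted from a legal standpoint. Some employers may therefore be conducting training for reasons such as “because we don’t want to pay fines” or “because we don’t want to be sued by employees.” That is of course important.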

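However, we believe the true purpose of training should be for all employees to share a common understanding of sexual harassment and to create an environment in which everyone can concentrate on their work comfortably. The fact that no problems have occurred for many years never means that things will be fine going forward; it may even be that harm is occurring right now, but the victim is putting up with it so as not to spoil the atmosphere at work. Over the past several years, particularly through the MeToo Movement that began in 2017 with a social media post by Alyssa Milano, an environment has been developing in which those who are being harmed find it easier to speak up.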

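Some people liken the way companies change through repeated renewal to a living organism, and here in the United States in particular, where many people change jobs, it frequently happens that the current workforce differs greatly from the employees who were working there one or two years ago. For that reason too, employers are expected to conduct training regularly so as to keep the overall understanding of sexual harassment and the company’s stance always up to date.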

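This may just be a matter of how I personally take the words, but in Japan serious situations are sometimes expressed with abbreviations such as sekuhara (sexual harassment), pawahara (power harassment), and matahara (maternity harassment), and I feel that the sound of these words takes away from the seriousness of the offense. Sexual harassment is an act of discrimination based on sex, and perpetrators are severely punished. The trend toward mandatory training and stronger penalties for violators has been accelerating every year, mainly in states such as New York, California, and Illinois, and even in Texas, which had until now been untouched by this trend, moves to tighten sexual harassment-related laws are under way, and one can imagine this spreading across the United States.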

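The most important thing is first to prevent sexual harassment from occurring within the company by conducting appropriate training regularly. However, establishing a reporting system for immediately reporting the situation to the company in the unlikely event that it does occur, and creating a policy that sets out the company’s stance and the discipline of violators, are also among the protective measures an employer can take to protect its employees.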

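“I know what has to be done, but I don’t know where to start.”
Some of you may feel this way. In that case, our sales representative for your region will support you, so please feel free to contact us.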

New York representative: 成瀬寛美
E-mail: hnaruse@actus-usa.com / Tel: 917-653-4427
New Jersey, Michigan, and California representative: 菱沼誉支
E-mail: thishinuma@actus-usa.com / Tel: 267-984-0642
Illinois and Texas representative: 山田明宏
E-mail: ayamada@actus-usa.com / Tel: 214-930-1237