Rule status: Adopted
Effective date: January 15, 2022
Adopted rule summary:
The Department of Consumer and Worker Protection (“DCWP” or “Department”) is adding a new rule to implement Local Law 3 of 2021 (“LL 3”). This new law requires, among other things, certain businesses to notify customers of the use of biometric identifier information and prohibits the sale of such information. LL 3 directs the Commissioner of DCWP to prescribe the form and manner of the sign to be used by businesses to notify customers that biometric identifier information is being collected, retained, converted, stored, or shared. This new rule mandates that covered commercial establishments post a custom sign or a sign provided by the Department on its website in a particular size and manner to comply with LL 3.
Online comments: 2
The New York Civil Liberties Union (“NYCLU”) respectfully submits the following testimony regarding the new rules to implement Local Law 3 of 2021. The NYCLU, the New York affiliate of the American Civil Liberties Union, is a not-for-profit, non-partisan organization with eight offices throughout the state and more than 180,000 members and supporters. The NYCLU’s mission is to defend and promote the fundamental principles, rights, and values embodied in the Bill of Rights, the U.S. Constitution, and the Constitution of the State of New York. The NYCLU works to expand the right to privacy, increase the control individuals have over their personal information, and ensure civil liberties are enhanced rather than compromised by technological innovation.
Biometric surveillance technologies, which include face, voice, and gait recognition, enable the invasive power to track who we are, where we go, and who we meet. But they are also highly flawed and rely on racially-biased systems. The widespread use of these technologies presents a clear danger to all New Yorkers’ civil liberties and threatens to erode our fundamental rights to privacy, protest, and equal treatment under the law.
In recognition of these harms, the New York City Council enacted Local Law 3 of 2021 (“LL 3”) as a first step to diagnose the spread and use of these surveillance technologies in businesses. The law, which came into effect on July 9, 2021, takes a rudimentary approach to biometric surveillance technology, requiring certain “commercial establishments” that collect, use, or retain “biometric identifier information” from their customers to post notices at all customer entrances in a form prescribed by the New York City Department of Consumer and Worker Protection (“DCWP” or “Department”). In order for this law to not just be a mere rubber stamp on the use of biometric surveillance, it is incumbent on the Department to promulgate rules that, at the very least, give the public basic information about the technologies in use and any privacy policies that govern them.
Unfortunately, the proposed rules by the DCWP fall far short of that goal. The rules as drafted would not disclose any meaningful information and fail to notify customers in plain and simple language about the use and implications of biometric surveillance technologies.
The DCWP published a Biometric Identifier Information Disclosure sign template on its website, which businesses simply have to add their names to and post at every entrance to fulfill the notice requirement. The 35-word notice is so ambiguous that it actively obscures any information value whatsoever from the disclosure. It lacks any specificity about the type of biometric data collection occurring, and does not include privacy policies covering the use, access, retention, deletion, sharing, and security measures governing that data – or where to find them. Further, the sign template lists only two examples of biometric identifier information: eye scans and voiceprints. Notably absent is any mention of facial recognition, which is the most prominent and newsworthy type of biometric data collection – and was the primary target of the Council in passing the underlying legislation. This focus on facial recognition can be seen in the legislative history, including in LL3/Intro. 1170-2018’s summary, Committee reports, and minutes of the Council’s Stated Meeting. Deliberately excluding the most widely known type of biometric identifier thwarts transparency and weakens the notice’s potential impact.
It’s also critical that businesses clearly disclose the specific types of biometric data collection they deploy, particularly as these technologies are notoriously inaccurate and racially biased. Numerous studies have shown that face surveillance technologies are particularly inaccurate for women and people of color. And misidentifications have led to harassments, removals from establishments, arrests, and jail time.
It has been practically impossible to find out whether businesses deploy biometric recognition technologies. In 2018, the ACLU asked some of the biggest retailers whether they use facial recognition: of nineteen retailers, only two answered. In contrast to this, people clearly want transparency and control over their data: a recent survey shows that 69% of Americans believe that stores should inform customers about the use of facial recognition and 65% would want to have the choice to opt-out. This becomes ever-more important as corporate and retail surveillance expand and allow for further data collection, correlation, and analysis, e.g. by combining someone’s biometric data with other information such as their credit card, smartphone (through WiFi, Bluetooth, or other identifiers), customer loyalty card, other NFC-enabled devices, or even online activities.
The mere collection and storage of biometric information can also be harmful and lead to unforeseen consequences. Any database of sensitive information is vulnerable to hacking and misuse. Unlike a password or credit card number, biometric data cannot be changed if there is a security breach. And what we have witnessed so far should inspire little confidence in many companies’ ability to adequately guard against misuse. Disclosing data policies and creating appropriate security mechanisms should be the baseline for anyone handling biometric data.
The DCWP proposed rules also give more leeway to businesses for the place of posting the sign than, for example, restaurants have for the posting of letter grade cards. Restaurants are required to post letter grade cards in a “conspicuous place where it is visible to passersby […] on the front window, door or exterior wall […] within five feet of the front door or other opening to the establishment where customers enter from the street, at a vertical height no less than four feet and no more than six feet from the ground or floor.” Additionally, letter grade cards have a much higher visibility and recognizability, given their colorful, conspicuous, large design elements; all qualities lacking in the Biometric Identifier Disclosure template sign, which is likely to not attract much attention and is designed to blend in.
Let’s be clear; a sign is not a sufficient tool to rein in facial recognition and other biometric surveillance tools by businesses. There’s no substitute for individual, informed opt-in consent. But in the absence of other protections at the local, state, and federal level, the rules for the implementation of LL3 need to be tailored towards giving people the information they need to make an informed choice about the stores they frequent.
In conclusion, the NYCLU thanks the Department of Consumer and Worker Protection for the opportunity to provide testimony. The Department’s rulemaking is instrumental in ensuring a productive implementation of Local Law 3. We urge the Department to amend and strengthen the proposed rules to require businesses to disclose the types of biometric recognition technologies and their privacy policies – and do so in a way that will be clearly noticeable and recognizable by passersby. Without meaningful levels of detail and specificity, the rules risk desensitizing people to the sign and normalizing pernicious data collection in the everyday lives of New Yorkers.
Good morning, my name is Mahima Arya, and I am a Computer Science Fellow at the Surveillance Technology Oversight Project (“S.T.O.P.”), a New York-based privacy and civil rights group. Thank you for the opportunity to testify today about DCWP’s proposed rule in furtherance of Local Law 3 of 2021 (the “Proposed Rule”). While I commend the Department for moving forward with this process under trying conditions, the current draft of the Proposed Rule is manifestly incompatible with the purpose and intended impact of Local Law 3.
The New York City Council and Mayor enacted Local Law 3 in the hopes of addressing the unprecedented privacy and safety risks posed by biometric tracking tools. Systems like facial recognition, iris scans, and gait detection can transform our own bodies into tracking devices for store owners. Even worse, these biased systems often are more error-prone for Black and Latinx New Yorkers, putting them at heightened risk of profiling by stores and even false arrest by police.
Store owners increasingly rely on automated surveillance systems to alert police to suspected shoplifters and other customers who are barred from the premises. Biometric tracking puts BIPOC New Yorkers at risk, fueling dangerous police encounters that are sparked simply by the color of a customer’s face. Not only can these systems facilitate segregation of places of public accommodation (in violation of New York City Human Rights Laws), not only do they violate customers’ privacy, but they can increase the risks of police violence.
In passing Local Law 3, the New York City Council sought to provide public notice on a scale commensurate with biometric tracking’s risk. While S.T.O.P. urges the Council and DCWP to go further, banning all biometric surveillance in stores, we recognize that public notice is an important first step to an eventual ban on the technology. Sadly, rather than enabling Local Law 3, the Proposed Rule would eviscerate its intended impact, making compliance an empty gesture that is all but guaranteed to hide (not show) how customers’ bodies are being tracked.
A. DCWP’s Proposed Design Will Make Meaningful Implementation Impossible
When New Yorkers enter a store, they are faced with an array of ads, merchandise, and government-mandated signage, all competing for their attention. In this visually crowded space, which can include information on everything from health codes, energy usage, COVID-19 protocols, and more, the Proposed Rule would add a single sheet of white letter-sized paper with black text posted in a “clear and conspicuous manner.” To be frank, there is perhaps no form of signage that could be more inconspicuous.
Such small signage and typography are all-but-guaranteed to let this sign fade into the visual background. Rather than serving as a crucial, first-in-the-country effort to educate the public about biometric tracking, the sign would become a formality that goes completely unobserved to all but the most eagle-eyed inspector. Even worse, the model warning provided by the Department uses single-spaced Arial, a sans-serif font that will be even less attention-grabbing than a wide array of freely available alternatives.
At a minimum, the size of the warning poster must be increased to at least 11 inches by 17 inches, although a full poster size of 24 inches by 36 inches would be even better aligned with the legislative intent of Local Law 3. The poster must include the word “warning” in red text, against a white background, in no less than 100-point font on the poster’s top line. We also suggest incorporating a yellow caution sign as part of the design as well. The body of the poster should be in at least 36-point font. Lastly, the Department should provide stock images for store owners to use in representing each type of biometric tracking, including facial recognition, iris scans, and fingerprint readers. Adding a graphical representation of each tracking system is not only indispensable as a way to draw customers’ attention to the sign, but it’s also an essential accessibility measure for staff and customers who do not readily communicate in English.
DCWP has a tremendous opportunity to inform, empower, and protect New York’s customers and workers, but only if you act. If the Department updates the Proposed Rule to incorporate basic design and communications principles and ensure that New Yorkers receive proper notice about biometric tracking, you will help transform New York City into a leader in biometric transparency. Alarmingly, if the Department finalizes the Proposed Rule as currently drafted, you will undermine the City Council’s intent and further help normalize biometric surveillance technology, directly undermining the goal you were tasked with accomplishing. I hope that you will adjust course in light of this feedback and do what is needed to protect New Yorkers.