At the close of 2020, New York enacted a new law prohibiting the use and purchase of biometric identifying technology in all elementary and secondary schools, both public and private. The ban, effective December 22, 2020, is in place until the later of July 1, 2022, or when the Commissioner of Education issues a report facilitating the creation of a statewide regulatory system governing the use of such technology.
Hailed by many as a much-needed facial recognition ban, State Technology Law § 106-b was a response to concerns raised about student and employee privacy; the high rates of misidentification for women, young people, and minorities; and the safety and security of the biometric data collected by schools.
While its aims may be admirable, the law’s potential scope is far broader than the legislature likely intended, creating a compliance quagmire for schools.
Definition of Biometric Information and Biometric Identification Technology
Under the law, “biometric information” encompasses a wide array of biometric features beyond just facial scans, including fingerprints, hand and eye characteristics, vocal sounds, gait, and any other physical, physiological, or behavioral characteristic that may be used to identify a person. “Biometric identifying technology” is any tool that uses an automated or semi-automated process to verify a person’s identity based on biometric information.
Whether schools use it or not, biometric identifying technology is a common feature in almost every type of modern IT equipment schools have, including tablets and computer operating systems.
The use of biometric technology is also integrated into many school processes to help reduce administrative headaches, such as using facial recognition rather than passwords to unlock tablets and fingerprints rather than PIN codes to track cafeteria purchases.
The law may also impact the use of voice recognition software for special needs students and fitness trackers for after-school activities. A broad interpretation of the law could even make sharing a student’s photograph on Facebook or other social media sites illegal, as such sites may utilize facial recognition on uploaded photographs to automatically identify and tag an individual in a photo.
Key Issues Left Unanswered
The law does not clearly answer whether schools can continue using IT equipment capable of collecting biometric data so long as the features are turned off. It does not address the use of such technology in special needs cases. It also does not address whether schools are required to delete any biometric data collected prior to the law’s enactment.
Another problematic aspect of the law is that the Commissioner of the State Education Department is now required to approve purchases of biometric technology made by all institutions — including private schools whose budgets and administration have traditionally been bifurcated from state oversight. It remains to be seen whether the state will actually exert such regulatory supervision on private schools.
The law requires the Commissioner to hold public hearings to seek feedback from teachers, school administrators, parents, and individuals with expertise in school safety, data privacy, and civil liberties before issuing the final report and recommendations.
As of the date of this alert, the Commissioner has not yet announced the exact time and nature of these hearings. While schools struggle to align their practices with the law, stakeholders are likely to raise more questions regarding how to implement it while avoiding unintended negative consequences for students and school staff.
Our Privacy, Cybersecurity, and Data Management team will continue to monitor this law and other data privacy developments impacting the education industry across the country.