2023 Will Continue the Trend of Creative Use of Existing Law to Plug Privacy Law Holes

In December 2022, several New York and New Jersey lawyers were removed in separate incidents from Radio City Music Hall and Madison Square Garden after being identified as part of routine use of facial recognition technology onsite. Madison Square Garden Entertainment (“MSGE”), the owner and operator of Madison Square Garden and Radio City Music Hall, among others, notified law firms involved in disputes against MSGE and its facilities that they were not welcome on site, and that MSGE would employ facial recognition at its venues to identify any visitors who were involved with any law firm litigating against MGSE. Since the purported ban went into effect in June, lawyers and employees of law firms have been removed from Rockettes performances, Knicks games and concerts. Law firms have filed at least three law suits in New York state court, challenging MSGE’s use of facial recognition to exclude visitors who work for entities adverse to MSGE.

Use of biometric identifiers and facial recognition is legal in New York, so long as companies that use the technology post notices in “simple language” to consumers regarding the use. Specifically, the law requires that a “commercial establishment,” post “clear and conspicuous signs” at customer entrances notifying customers that technologies are in use that can identify individuals by voice, eye, fingerprint, hand, face or other “identifying characteristic.”  “Commercial establishments” include places for public entertainment, retail stores, or food or drink establishments. New York only prohibits those covered commercial establishments from selling, leasing or trading biometric data in exchange for anything of value, or to profit from the transaction of biometric information.  

Because facial recognition is legal in New York, the plaintiff law firms must therefore maneuver around the statute. New York legislators are exploring a regulatory solution—disciplinary action against MSU as it relates to liquor license. The New York State Liquor Authority recently advised MSG that its premises must remain “open to the public” as a condition of its license, and that it cannot exclude groups or individuals “on the basis of criteria that are not directly related to [its] duties under [its liquor] license.”  

Whether intended or not, New York’s Liquor Authority appears to be following in the footsteps of other regulatory and law enforcement agencies around the country using other statutes and regulations to attempt to enforce consumer privacy. In November, for example, a group of state Attorneys General entered into a historic $395 million settlement with Google to resolve allegations that Google tracked user locations even when users believed they disabled location tracking. The Attorneys General used consumer protection statutes to argue that Google deceptively confused users about the scope of its location tracking technology. 

Similarly, consumer organizations and plaintiffs’ lawyers have cited HIPAA and the federal Video Protection Act to challenge Meta’s embedded Facebook Pixel tool that tracks a user's viewing of videos online. Two proposed class action lawsuits filed in the Northern District of California alleged that Meta, Facebook’s parent company, and major US hospitals violated HIPAA by sending private patient information over Pixel without consumers’ consent.

Until (and unless?) the federal government passes comprehensive federal privacy laws, we should expect state and other federal agencies to continue exploring how to use existing laws to enforce privacy. What will they think of next?