A-06031
NY · State · USA
Status: Pending
Proposed Effective Date: 2025-05-26
New York Assembly Bill 6031 — An Act to amend the general business law, in relation to biometric privacy (Biometric Privacy Act)
Summary

Establishes the Biometric Privacy Act in New York, imposing obligations on private entities that possess biometric identifiers or biometric information. Covered entities must develop and publish a written retention and destruction policy, provide written notice and obtain written consent before collecting biometric identifiers, and are prohibited from selling or profiting from biometric data. Disclosure to third parties is restricted to narrow exceptions (consent, financial transactions, legal process). Biometric data must be stored and protected at a standard at least as protective as other confidential information. Enforcement is exclusively through the Attorney General, with civil penalties of up to $20,000 per violation and no private right of action. Financial institutions subject to the Gramm-Leach-Bliley Act and government contractors acting on behalf of government agencies are exempt.

Enforcement & Penalties
Enforcement Authority
Attorney General enforcement only. The Attorney General is authorized to bring actions or special proceedings upon complaint or otherwise to enjoin violations, obtain restitution, disgorgement, civil penalties, and other relief. The Attorney General has subpoena power and may compel compliance through the Supreme Court. No private right of action is created. Six-year statute of limitations running from the date the Attorney General became aware of the violation.
Penalties
Civil penalties of up to $20,000 per violation. Each instance of unlawful processing counts as a separate violation; unlawful processing of more than one consumer's data counts as a separate violation as to each consumer; each provision violated counts as a separate violation. Restitution of moneys or property obtained by the violation. Disgorgement of profits obtained by the violation. Injunctive relief including preliminary relief. Up to $1,000 per day civil penalty for noncompliance with an Attorney General subpoena. Court considers nature and seriousness of misconduct, number of violations, persistence, duration, willfulness, and financial condition when assessing penalties.
Who Is Covered
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity shall not include a state or local government agency or any court in the state, a clerk of the court, or a judge or justice thereof.
Compliance Obligations (5 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Gen. Bus. Law § 676-b(2)(a)-(c)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any biometric identifier or biometric information from an individual, a private entity must: (1) provide written notice that biometric data is being collected or stored, (2) provide written notice of the specific purpose and duration of the collection, storage, and use, and (3) obtain a written release from the individual or their legally authorized representative. In the employment context, the written release may be executed as a condition of employment. All three steps must be completed before any collection occurs — retroactive notice and consent is insufficient.
Statutory Text
2. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (a) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (b) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (c) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Gen. Bus. Law § 676-b(1)
Plain Language
Any private entity possessing biometric identifiers or biometric information must develop and make publicly available a written policy setting a retention schedule and destruction guidelines. Biometric data must be permanently destroyed within a reasonable time — and no later than 60 days — after the earlier of (a) the data is no longer necessary for the purpose identified in the original notice or authorization, or (b) three years from the individual's last interaction with the entity. The entity must comply with its own published schedule and destruction guidelines unless compelled by a valid warrant or subpoena. This is both a documentation obligation (create and publish the policy) and a substantive data minimization obligation (actually destroy the data on schedule).
Statutory Text
1. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information within a reasonable time, but in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization or within three years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
Other · Biometrics
Gen. Bus. Law § 676-b(3)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from any person's biometric identifiers or biometric information. This is an absolute prohibition with no exceptions — there is no consent mechanism or opt-in that would permit commercialization of biometric data. This goes beyond typical data minimization requirements by entirely barring monetization of biometric data.
Statutory Text
3. No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
Other · Biometrics
Gen. Bus. Law § 676-b(4)(a)-(d)
Plain Language
Private entities may not disclose, re-disclose, or disseminate biometric identifiers or biometric information except in four narrow circumstances: (1) the individual or their authorized representative consents, (2) the disclosure completes a financial transaction the individual requested or authorized, (3) the disclosure is required by law, or (4) the disclosure is required by a valid warrant or subpoena. Outside these four exceptions, sharing biometric data with any third party is prohibited. Note that unlike the collection consent requirement in § 676-b(2), this provision does not require that consent be in writing — though best practice would be to obtain written consent for evidentiary purposes.
Statutory Text
4. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (a) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (b) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (c) the disclosure or redisclosure is required by federal, state or local law or municipal ordinance; or (d) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Biometrics
Gen. Bus. Law § 676-b(5)(a)-(b)
Plain Language
Private entities must protect biometric identifiers and biometric information in storage and transit using two cumulative security standards: (1) the reasonable standard of care within the entity's industry, and (2) at least the same level of protection the entity applies to other confidential and sensitive information such as Social Security numbers, account numbers, and genetic data. The practical effect is that biometric data must receive the higher of industry-standard protection or the entity's own internal standard for its most sensitive data categories. Both storage and transmission are covered.
Statutory Text
5. A private entity in possession of a biometric identifier or biometric information shall: (a) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (b) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.