S-01422
NY · State · USA
Status: Pending
Proposed Effective Date: 2025-04-09
New York Senate Bill 1422 — An Act to amend the general business law, in relation to biometric privacy (Biometric Privacy Act)
Summary

Establishes the Biometric Privacy Act as a new article 32-A of the New York General Business Law, imposing obligations on private entities that possess, collect, or handle biometric identifiers or biometric information. Requires written notice, disclosure of purpose and retention period, and written consent before collecting biometric identifiers. Prohibits sale, lease, or trade of biometric data and restricts disclosure except in narrow circumstances (consent, financial transaction completion, legal requirement, or valid warrant). Mandates a publicly available written retention and destruction policy with a maximum retention period of three years from the individual's last interaction. Enforced exclusively by the Attorney General with civil penalties of up to $20,000 per violation, restitution, disgorgement, and injunctive relief. Exempts government agencies, HIPAA-covered health care data, and financial institutions subject to the Gramm-Leach-Bliley Act.

Enforcement & Penalties
Enforcement Authority
Attorney General enforcement. The AG may bring an action or special proceeding upon complaint or otherwise when it appears that any person has engaged in or is about to engage in unlawful acts under this article. The AG has rulemaking authority, subpoena power, and investigatory authority. No private right of action is created. Six-year statute of limitations from the date the AG became aware of the violation.
Penalties
Civil penalties of up to $20,000 per violation. Each instance of unlawful processing is a separate violation; unlawful processing of the personal data of more than one consumer counts as a separate violation as to each consumer; each provision violated counts as a separate violation. The AG may also obtain injunctive relief (including preliminary relief), restitution of moneys or property obtained by the violation, disgorgement of profits obtained by the violation, and any other relief the court deems proper. Failure to comply with an AG subpoena may result in an additional civil penalty of up to $1,000 per day of noncompliance. Court must consider nature and seriousness of misconduct, number of violations, persistence, duration, willfulness, and financial condition when assessing penalties.
Who Is Covered
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity shall not include a state or local government agency or any court in the state, a clerk of the court, or a judge or justice thereof.
Compliance Obligations (5 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Gen. Bus. Law § 676-b(2)(a)-(c)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any person's biometric identifier or biometric information, a private entity must: (1) provide written notice that biometric data is being collected or stored; (2) provide written notice of the specific purpose and the length of the retention period; and (3) obtain a written release from the individual or their legally authorized representative. All three steps must be completed before any collection occurs. In the employment context, a written release executed as a condition of employment satisfies the consent requirement. This is an affirmative opt-in consent regime — no collection may proceed without prior written notice and consent.
Statutory Text
2. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (a) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (b) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (c) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Gen. Bus. Law § 676-b(1)
Plain Language
Any private entity that possesses biometric identifiers or biometric information must create and publicly make available a written policy that establishes a retention schedule and guidelines for permanent destruction of that data. The data must be destroyed within a reasonable time — no later than 60 days — after the earlier of: (a) the data is no longer needed for the purpose identified in the notice or authorized by the individual, or (b) three years from the individual's last interaction with the entity. The entity must actually comply with its own retention schedule and destruction guidelines unless subject to a valid warrant or subpoena. This is a data minimization and lifecycle management obligation — entities must both publish the policy and adhere to it.
Statutory Text
1. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information within a reasonable time, but in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization or within three years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
Gen. Bus. Law § 676-b(3)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from any person's biometric identifier or biometric information. There are no exceptions to this prohibition — even with consent, monetization of biometric data is barred. This goes beyond a typical consent requirement and imposes an absolute ban on commercial exploitation of biometric data.
Statutory Text
3. No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
D-01 Automated Processing Rights & Data Controls · Deployer · Biometrics
Gen. Bus. Law § 676-b(4)(a)-(d)
Plain Language
Private entities may not disclose, redisclose, or disseminate biometric identifiers or biometric information to third parties unless one of four narrow exceptions applies: (1) consent from the individual or their authorized representative, (2) completing a financial transaction the individual requested or authorized, (3) the disclosure is required by law, or (4) pursuant to a valid warrant or subpoena. This effectively creates a closed set of permissible disclosure scenarios — any disclosure not falling within one of these four categories is unlawful.
Statutory Text
4. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (a) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (b) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (c) the disclosure or redisclosure is required by federal, state or local law or municipal ordinance; or (d) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Biometrics
Gen. Bus. Law § 676-b(5)(a)-(b)
Plain Language
Private entities must protect biometric identifiers and biometric information during storage and transmission using at least the reasonable standard of care in their industry. Additionally, biometric data must be protected at a level equal to or greater than the entity's protections for other confidential and sensitive information (such as SSNs, account numbers, and genetic data). This establishes a dual-floor data security obligation: the industry standard of care and internal parity with other sensitive data, whichever is higher.
Statutory Text
5. A private entity in possession of a biometric identifier or biometric information shall: (a) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (b) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.