Establishes the biometric identifier privacy act; requires private entities in possession of biometric identifiers or biometric information to develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within three years of the individual's last interaction with the private entity, whichever occurs first.
STATE OF NEW YORK
________________________________________________________________________
1422--A
2025-2026 Regular Sessions
IN SENATE
January 9, 2025
___________
Introduced by Sen. LIU -- read twice and ordered printed, and when
printed to be committed to the Committee on Consumer Protection --
recommitted to the Committee on Consumer Protection in accordance with
Senate Rule 6, sec. 8 -- reported favorably from said committee and
committed to the Committee on Internet and Technology -- committee
discharged, bill amended, ordered reprinted as amended and recommitted
to said committee
AN ACT to amend the general business law, in relation to biometric identifier privacy
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
Section 1. The general business law is amended by adding a new article 32-A to read as follows:
ARTICLE 32-A
BIOMETRIC IDENTIFIER PRIVACY ACT
Section 676. Short title.
676-a. Definitions.
676-b. Retention; collection; disclosure; destruction.
676-c. Regulatory authority and enforcement.
676-d. Construction with other laws.
676-e. Severability.
§ 676. Short title. This article shall be known and may be cited as the "biometric identifier privacy act".
§ 676-a. Definitions. As used in this article:
1. "Biometric identifier" means the data generated by measurements or other analysis of an individual's biological or behavioral characteristics such as a faceprint, fingerprint, voiceprint, gait, retina or iris image, DNA, or any other biological characteristic that can be used for automated recognition of a known or unknown individual. "Biometric identifier" does not include:
(a) a writing sample of written signature;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD04356-02-6
(b) a photograph or video, except "biometric identifier" includes data generated, captured, or collected from the biological characteristics of a person depicted in a photograph or video;
(c) a human biological sample used for valid scientific testing or screening;
(d) demographic data;
(e) a physical description, including height, weight, hair color, eye color, or a tattoo description;
(f) any donated portion of a human body stored on behalf of a recipient or potential recipient of a living cadaveric transplant and obtained or stored by a federally designated organ procurement agency, including an organ, tissue, an eye, a bone, an artery, blood, and any other fluid or serum;
(g) information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996;
(h) any image or film of the human anatomy used to diagnose, provide a prognosis for, or treat an illness or other medical condition or to further validate scientific testing or screening including an x-ray, a roentgen process, computed tomography, a magnetic resonance imaging image, a positron emission tomography scan, and mammography; or
(i) information collected, used, or disclosed for human subject research that is conducted in accordance with the federal policy for the protection of human subjects, 45 C.F.R. Part 46, or other similar research ethics laws, or with the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use.
2. "Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information shall not include information derived from items or procedures excluded under the definition of biometric identifiers.
3. "Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property which shall include, but shall not be limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a personal identification number, a pass code, a driver's license number, or a social security number.
4. "Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity shall not include a state or local government agency or any court in the state, a clerk of the court, or a judge or justice thereof.
5. "Written release" means:
(a) in any context other than employment: informed written consent, including written consent provided by electronic means. A valid written release may not be secured through a general release or user agreement.
(b) in the context of employment: a release executed by an employee as a condition of employment, provided that the private entity has first determined, and documented in writing, that the collection, storage, or use of the employee's biometric identifier or biometric information is strictly necessary to:
(i) accomplish essential functions of the employee's position that cannot reasonably be accomplished by non-biometric means;
(ii) enable business operations of the private entity that cannot reasonably be accomplished by non-biometric means; or
(iii) protect the health, safety, or security of employees, the physical security of the employer's facilities, or the security of the employer's software or computer networks.
§ 676-b. Retention; collection; disclosure; destruction.
1. A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information within a reasonable time, but in no event later than sixty days, after it is no longer necessary to maintain for the permissible purpose or purposes identified in the notice or for which the individual provided valid authorization or within one year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
2. No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:
(a) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;
(b) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
(c) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.
3. No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
4. No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:
(a) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;
(b) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;
(c) the disclosure or redisclosure is required by federal, state or local law or municipal ordinance; or
(d) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
5. A private entity in possession of a biometric identifier or biometric information shall:
(a) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and
(b) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
6. A private entity may not:
(a) condition the provision of a good or service on the collection, use, disclosure, transfer, sale, retention, or processing of biometric identifiers unless biometric identifiers are strictly necessary to provide the good or service; or
(b) charge different prices or rates for goods or services or provide a different level of quality of a good or service to any individual who exercises the individual's rights under this subtitle.
§ 676-c. Regulatory authority and enforcement.
1.(a) The attorney general is authorized and empowered to adopt, promulgate, amend and rescind suitable rules and regulations to carry out the provisions of this article, including rules governing the form and content of any disclosures or communications required by this article.
(b) Whenever it appears to the attorney general, either upon complaint or otherwise, that any person or persons has engaged in or is about to engage in any of the acts or practices stated to be unlawful under this article, the attorney general may bring an action or special proceeding in the name and on behalf of the people of the state of New York to enjoin any violation of this article, to obtain restitution of any moneys or property obtained directly or indirectly by any such violation, to obtain disgorgement of any profits obtained directly or indirectly by any such violation, to obtain civil penalties of not more than twenty thousand dollars per violation, and to obtain any such other and further relief as the court may deem proper, including preliminary relief.
(c) Each instance of unlawful processing counts as a separate violation. Unlawful processing of the personal data of more than one consumer counts as a separate violation as to each consumer. Each provision of this article that is violated counts as a separate violation.
(d) In assessing the amount of penalties, the court must consider any one or more of the relevant circumstances presented by any of the parties, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the violator's misconduct, and the violator's financial condition.
2. Any action or special proceeding brought by the attorney general pursuant to this section must be commenced within six years of the date on which the attorney general became aware of the violation.
3. In connection with any proposed action or special proceeding under this section, the attorney general is authorized to take proof and make a determination of the relevant facts, and to issue subpoenas in accordance with the civil practice law and rules. The attorney general may also require such other data and information as the attorney general may deem relevant and may require written responses to questions under oath. Such power of subpoena and examination shall not abate or terminate by reason of any action or special proceeding brought by the attorney general under this article.
4. Any person, within or outside the state, who the attorney general believes may be in possession, custody, or control of any books, papers, or other things, or may have information, relevant to acts or practices stated to be unlawful in this article is subject to the service of a subpoena issued by the attorney general pursuant to this section. Service may be made in any manner that is authorized for service of a subpoena or a summons by the state in which service is made.
5.(a) Failure to comply with a subpoena issued pursuant to this section without reasonable cause tolls the applicable statutes of limitations in any action or special proceeding brought by the attorney general against the noncompliant person that arises out of the attorney general's investigation.
(b) If a person fails to comply with a subpoena issued pursuant to this section, the attorney general may move in the supreme court to compel compliance. If the court finds that the subpoena was authorized, it shall order compliance and may impose a civil penalty of up to one thousand dollars per day of noncompliance.
(c) Such tolling and civil penalty shall be in addition to any other penalties or remedies provided by law for noncompliance with a subpoena.
6. This section shall apply to all acts declared to be unlawful under this article, whether or not subject to any other law of this state, and shall not supersede, amend or repeal any other law of this state under which the attorney general is authorized to take any action or conduct any inquiry.
7. An individual alleging a violation of this subtitle may bring a civil action against the offending private entity in a court of competent jurisdiction. A prevailing plaintiff may recover for each violation:
(a) against a private entity that negligently violates a provision of this article, liquidated damages of one thousand dollars or actual damages, whichever is greater;
(b) against a private entity that intentionally or recklessly violates a provision of this article, liquidated damages of five thousand dollars or actual damages, whichever is greater;
(c) reasonable attorneys' fees and costs: the court shall assess reasonable attorneys' fees and other litigation costs reasonably incurred by such person in any case under the provisions of this section, including expert witness fees and other litigation expenses, in which such person has prevailed; and
(d) such other relief, including an injunction or declaration, as the court may deem appropriate.
8. One or more persons aggrieved by a violation of this article may bring a class action on behalf of all similarly situated persons pursuant to article nine of the civil practice law and rules. For purposes of class certification under article nine, violations of this article arising from a private entity's common policy or practice of collecting, storing, using, or disclosing biometric identifiers or biometric information without a valid written release shall be presumed to present common questions of law or fact. Nothing in this subdivision shall be construed to limit any procedural right otherwise available to a class or its members under the civil practice law and rules.
9. For purposes of this article, the negligent recapturing of the identical biometric identifier from the identical subject for the identical use as a prior capturing and use of a biometric identifier does not constitute a separate and distinct violation of this article.
§ 676-d. Construction with other laws.
1. Nothing in this article shall be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.
2. Nothing in this article shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996.
3. Nothing in the article shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999.
4. Nothing in this article shall be construed to apply to a contractor, subcontractor, or agent of a state agency of local government when working for that state agency of local government.
§ 676-e. Severability. If any provision of this article, or any application of any provision of this article, is held to be invalid, that shall not affect the validity or effectiveness of any other provision of this article, or of any other application of any provision of this article, which can be given effect without that provision or application; and to that end, the provisions and applications of this article are severable.
§ 2. This act shall take effect on the ninetieth day after it shall have become a law.