Bans the use of biometric data by any state agency, local agency, division of state police, police agency, police officer, peace officer or any employee thereof.
STATE OF NEW YORK
________________________________________________________________________
10036
IN ASSEMBLY
April 29, 2022
___________
Introduced by M. of A. GONZALEZ-ROJAS -- read once and referred to the
Committee on Governmental Operations
AN ACT to amend the executive law, in relation to banning the use of
biometric data by certain state agencies
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The executive law is amended by adding a new section 170-f
2 to read as follows:
3 § 170-f. Use of biometric recognition technology prohibited. 1. For
4 the purposes of this section, the following terms shall have the follow-
5 ing meanings:
6 (a) "Biometric data" shall mean any measurable physiological, biolog-
7 ical or behavioral characteristics that are attributable to a person,
8 including facial characteristics, fingerprint characteristics, hand
9 characteristics, eye characteristics, genetic characteristics, vocal
10 characteristics or thermal characteristics that can be used, either
11 singularly or in combination with each other or can be paired or
12 combined with other information, to establish individual identity.
13 (b) "Biometric recognition technology" shall mean either or both (i)
14 any automated or semi-automated process or processes by which a person
15 is identified or attempted to be identified based on their biometric
16 data, including identification of known or unknown individuals or
17 groups; and/or (ii) any automated or semi-automated process or processes
18 that generates or assists in generating, information about any individ-
19 ual based on their biometric data, including but not limited to emotion,
20 affect, or behavior detection.
21 (c) "Equity impact assessment" shall mean an audit and report address-
22 ing, at a minimum, the following:
23 (i) Evaluation of potential benefits, harms, and impacts on persons or
24 groups of persons who are protected from discrimination as set forth in
25 article fifteen of this chapter, including specific considerations based
26 on a person's ethnic and racial background. Such evaluation shall also
27 include, although not be limited to the disproportionate collection and
28 use of such technology on ethnic and racial minorities in New York
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD14858-01-2
A. 10036 2
1 state, the disproportionate use of such technology in locations where
2 ethnic and racial minorities reside, and the disproportionate represen-
3 tation of particular ethnic and racial minorities in any underlying
4 datasets used to develop and/or implement such technology;
5 (ii) Evaluation of the efficacy and accuracy of the biometric recogni-
6 tion technology, including the accuracy of such technology in identify-
7 ing persons who belong to a group or groups protected from discrimi-
8 nation as set forth in article fifteen of this chapter and a description
9 of the methodology of such evaluation, including whether such evaluation
10 involved a controlled or real-world study;
11 (iii) Steps taken or planned by the state or local agency to address
12 and to reduce any disparities or inaccuracies identified in subpara-
13 graphs (i) or (ii) of this paragraph, along with the state or local
14 agency's reasoning for continuing to use the biometric recognition tech-
15 nology despite the disparate impact or inaccuracy;
16 (iv) Procedures to address and challenge false results and protective
17 measures and preventative checks against such occurrences, and an
18 assessment of the adequacy of such procedures;
19 (v) What protections are put in place for due process, privacy, free
20 speech and association, and racial, gender, and religious equity;
21 (vi) Whether the state or local agency considered a less-intrusive
22 alternative prior to utilizing the technology, and if so, a description
23 of such an explanation for why such alternative was not ultimately used;
24 and
25 (vii) Costs associated with the use of the technology and storage of
26 relevant data, including any maintenance costs, administrative costs or
27 other costs incurred.
28 2. (a) Unless explicitly required by other provisions of state law, it
29 shall be unlawful for any state or local agency to:
30 (i) Acquire, access, or use any biometric recognition technology or
31 any biometric data; or
32 (ii) Direct the use of any biometric recognition technology or the
33 collection of any biometric data by a third party.
34 (b) To the extent that any state or local agency is currently using
35 any biometric recognition technology or collecting any biometric data
36 and such use or collection is not otherwise required by any other
37 provision of state law, such state or local agency shall immediately
38 stop using such technology or data.
39 (c) Nothing in this subdivision shall be construed to prevent a state
40 or local agency or an employee of a state or local agency from:
41 (i) Obtaining or possessing any device equipped with biometric recog-
42 nition technology, provided such device is being held as evidence and
43 the state or local agency or the employee of such agency does not access
44 or use the biometric recognition technology of such device;
45 (ii) Acquiring, accessing, or using any biometric recognition technol-
46 ogy on a device owned by the state or local agency or an employee of
47 such agency, for the sole purpose of user authentication of agency
48 employees provided that the agency does not access or use such biometric
49 recognition technology for any other purpose other than user authentica-
50 tion and provided that no biometric data of individuals not employed by
51 such agency are intentionally entered, retained, or processed by such
52 technology;
53 (iii) Accessing or using a technology or service not owned by the
54 state or local agency or an employee of such agency but which is oper-
55 ated by a third party, provided that the agency or an employee of the
56 agency does not process, use, request, or retain any information created
A. 10036 3
1 by the biometric recognition technology and that no biometric data of
2 individuals not employed by such agency are intentionally entered, or
3 processed by such technology; or
4 (iv) Acquiring, accessing, or using an automated or semi-automated
5 process for the purpose of redacting a recording for release or disclo-
6 sure outside the state or local agency to protect the privacy of a
7 subject depicted in the recording, provided that the process does not
8 generate or result in the retention of any biometric data.
9 (d) Nothing in this subdivision shall be construed to prevent a public
10 health or public education agency from acquiring, accessing, or using
11 biometric recognition technology or biometric data for purposes related
12 to public health, research, or education, provided that such biometric
13 recognition technologies or biometric data are not shared with a law
14 enforcement agency.
15 (e) Nothing in this subdivision shall be construed to prevent a state
16 or local agency from:
17 (i) Collecting a genetic or fingerprint sample or samples that are
18 abandoned at the scene of an alleged criminal offense and is not
19 collected from the person of a criminal suspect; or
20 (ii) Collecting genetic samples from an individual who is alleged to
21 be the victim of a crime and who consents to such collection.
22 3. On or before May first, two thousand twenty-two, and annually ther-
23 eafter, any state or local agency using or acquiring for use biometric
24 recognition technology or biometric data as explicitly required by any
25 other provision of state law shall:
26 (a) Transmit a report to the governor, the temporary president of the
27 senate, the speaker of the assembly, the minority leader of the senate,
28 and the minority leader of the assembly detailing each biometric recog-
29 nition technology or type of biometric data it intends to acquire,
30 access, use, collect or analyze. Each state or local agency required to
31 file a report shall also publish such report on the state or local agen-
32 cy's website. Such report shall also include, but not be limited to, the
33 following:
34 (i) The type of biometric data;
35 (ii) The type and vendor of biometric recognition technology;
36 (iii) The state law that, in the state or local agency's view, explic-
37 itly requires such acquisition, access, use, collection, or analysis or
38 biometric recognition technology or biometric data;
39 (iv) The time period, if any, that the biometric data will be retained
40 and the reasons the specific biometric data will be retained for during
41 the designated time period;
42 (v) Whether any biometric data will be shared with another individual
43 or entity and if so, with what individuals or entities it will be
44 shared, and whether explicit authorization exists for such data to be
45 shared;
46 (vi) The risk of an unauthorized access to or breach of retained biom-
47 etric data, safeguards or security measures designed to mitigate any
48 such risk, and appropriate consequences for failure to adhere to such
49 safeguards or security measures in the event of unauthorized access or a
50 breach; and
51 (vii) Related to any unauthorized breaches of retained biometric data
52 since May first of the previous year, a description of: (1) any such
53 breaches; (2) the results of any completed investigations of any such
54 breaches; (3) any attempts to notify anyone impacted by any such breach
55 or whose biometric data may have been unlawfully accessed; and
A. 10036 4
1 (4) any actions the state or local agency has taken to address any
2 breaches.
3 (b) Transmit an equity impact assessment as defined in subdivision one
4 of this section to the governor, the temporary president of the senate,
5 the speaker of the assembly, the minority leader of the senate, and the
6 minority leader of the assembly as well as publishing such assessment to
7 the state agency, police agency, or the state police's own web page.
8 (c) Transmit an equity impact assessment as defined in subdivision one
9 of this section to the civil rights bureau of the office of the attorney
10 general, which shall review such assessment and make recommendations or
11 take other action as may be appropriate with respect to any disparity or
12 inaccuracy identified in such assessment.
13 § 2. The executive law is amended by adding a new section 235 to read
14 as follows:
15 § 235. Use of biometric recognition technology prohibited. 1. For the
16 purposes of this section the following terms shall have the following
17 meanings:
18 (a) "Biometric data" shall mean any measurable physiological, biolog-
19 ical or behavioral characteristics that are attributable to a person,
20 including facial characteristics, fingerprint characteristics, hand
21 characteristics, eye characteristics, genetic characteristics, vocal
22 characteristics, thermal characteristics that can be used, either singu-
23 larly or in combination with each other or can be paired or combined
24 with other information, to establish individual identity.
25 (b) "Biometric recognition technology" shall mean either or both (i)
26 any automated or semi-automated process or processes by which a person
27 is identified or attempted to be identified based on their biometric
28 data, including identification of known or unknown individuals or
29 groups; and/or (ii) any automated or semi-automated process or processes
30 that generates or assists in generating, information about any individ-
31 ual based on their biometric data, including but not limited to emotion,
32 affect, or behavior detection.
33 (c) "Equity impact assessment" shall mean an audit and report address-
34 ing, at a minimum, the following:
35 (i) Evaluation of potential benefits, harms, and impacts on persons or
36 groups of persons who are protected from discrimination as set forth in
37 article fifteen of this chapter, including specific considerations based
38 on a person's ethnic and racial background. Such evaluation shall also
39 include, although not be limited to the disproportionate collection and
40 use of such technology on ethnic and racial minorities in New York
41 state, the disproportionate use of such technology in locations where
42 ethnic and racial minorities reside, and the disproportionate represen-
43 tation of particular ethnic and racial minorities in any underlying
44 datasets used to develop and/or implement such technology;
45 (ii) Evaluation of the efficacy and accuracy of the biometric recogni-
46 tion technology, including the accuracy of such technology in identify-
47 ing persons who belong to a group or groups protected from discrimi-
48 nation as set forth in article fifteen of this chapter, and a
49 description of the methodology of such evaluation, including whether
50 such evaluation involved a controlled or real-world study;
51 (iii) Steps taken or planned by the division of state police to
52 address and to reduce any disparities or inaccuracies identified in
53 subparagraphs (i) or (ii) of this paragraph, along with the agency's
54 reasoning for continuing to use the biometric recognition technology
55 despite the disparate impact or inaccuracy;
A. 10036 5
1 (iv) Procedures to address and challenge false results and protective
2 measures and preventative checks against such occurrences, and an
3 assessment of the adequacy of such procedures;
4 (v) What protections are put in place for due process, privacy, free
5 speech and association, and racial, gender, and religious equity;
6 (vi) Whether the division of state police considered a less-intrusive
7 alternative prior to utilizing the technology, and if so, a description
8 of such an explanation for why such alternative was not ultimately used;
9 and
10 (vii) Costs associated with the use of the technology and storage of
11 relevant data, including any maintenance costs, administrative costs or
12 other costs incurred.
13 2. (a) Unless explicitly required by other provisions of state law, it
14 shall be unlawful for any member of the division of state police to:
15 (i) Acquire, access, or use any biometric recognition technology or
16 any biometric data; or
17 (ii) Direct the use of any biometric recognition technology or the
18 collection of any biometric data by a third party.
19 (b) To the extent that the division of state police is currently using
20 any biometric recognition technology or collecting any biometric data
21 and such use or collection is not otherwise required by any other
22 provision of state law, the division of state police shall immediately
23 stop using such technology or data.
24 (c) Nothing in this subdivision shall be construed to prevent the
25 state police or a member of the state police from:
26 (i) Obtaining or possessing any device equipped with biometric recog-
27 nition technology, provided such device is being held as evidence and
28 the division of state police or the employee of the division of state
29 police does not access or use the biometric recognition technology of
30 such device;
31 (ii) Acquiring, accessing, or using any biometric recognition technol-
32 ogy on a device owned by the division of state police or an employee of
33 the division of state police, for the sole purpose of user authentica-
34 tion of agency employees provided that the division of state police does
35 not access or use such biometric recognition technology for any other
36 purpose other than user authentication and provided that no biometric
37 data of individuals not employed by the division of state police are
38 intentionally entered, retained, or processed by such technology;
39 (iii) Accessing or using a technology or service not owned by the
40 division of state police or an employee of the division of state police
41 but which is operated by a third party, provided that the division of
42 state police or an employee of the division of state police does not
43 process, use, request, or retain any information created by the biome-
44 tric recognition technology and that no biometric data of individuals
45 not employed by the division of state police are intentionally entered,
46 or processed by such technology; or
47 (iv) Acquiring, accessing, or using an automated or semi-automated
48 process for the purpose of redacting a recording for release or disclo-
49 sure outside the division of state police to protect the privacy of a
50 subject depicted in the recording, provided that the process does not
51 generate or result in the retention of any biometric data.
52 (d) Nothing in this subdivision shall be construed to prevent the
53 division of state police or members of the division of state police
54 from:
A. 10036 6
1 (i) Collecting a genetic or fingerprint sample or samples that are
2 abandoned at the scene of an alleged criminal offense and is not
3 collected from the person of a criminal suspect; or
4 (ii) Collecting genetic samples from an individual who is alleged to
5 be the victim of a crime and who consents to such collection.
6 3. On or before May first, two thousand twenty-two and annually there-
7 after, any division of state police using or acquiring for use biometric
8 recognition technology or biometric data as explicitly required by any
9 other provision of state law shall:
10 (a) Transmit a report to the governor, the temporary president of the
11 senate, the speaker of the assembly, the minority leader of the senate,
12 and the minority leader of the assembly detailing each biometric recog-
13 nition technology or type of biometric data it intends to acquire,
14 access, use, collect or analyze. Each division of state police required
15 to file a report shall also publish such report on the division of state
16 police's website. Such report shall also include, but not be limited to,
17 the following:
18 (i) The type of biometric data;
19 (ii) The type and vendor of biometric recognition technology;
20 (iii) The state law that, in the division of state police's view,
21 explicitly requires such acquisition, access, use, collection, or analy-
22 sis or biometric recognition technology or biometric data;
23 (iv) The time period, if any, that the biometric data will be retained
24 and the reasons the specific biometric data will be retained for during
25 the designated time period;
26 (v) Whether any biometric data will be shared with another individual
27 or entity and if so, with what individuals or entities it will be
28 shared, and whether explicit authorization exists for such data to be
29 shared;
30 (vi) The risk of an unauthorized access to or breach of retained biom-
31 etric data, safeguards or security measures designed to mitigate any
32 such risk, and appropriate consequences for failure to adhere to such
33 safeguards or security measures in the event of unauthorized access or a
34 breach; and
35 (vii) Related to any unauthorized breaches of retained biometric data
36 since May first of the previous year, a description of: (1) any such
37 breaches; (2) the results of any completed investigations of any such
38 breaches; (3) any attempts to notify anyone impacted by any such breach
39 or whose biometric data may have been unlawfully accessed; and (4) any
40 actions the agency has taken to address any breaches.
41 (b) Transmit an equity impact assessment as defined in subdivision one
42 of this section to the governor, the temporary president of the senate,
43 the speaker of the assembly, the minority leader of the senate, and the
44 minority leader of the assembly as well as publishing such assessment to
45 the state agency, police agency, or the division of state police's own
46 web page.
47 (c) Transmit an equity impact assessment as defined in subdivision one
48 of this section to the civil rights bureau of the office of the attorney
49 general, which shall review such assessment and make recommendations or
50 take other action as may be appropriate with respect to any disparity or
51 inaccuracy identified in such assessment.
52 § 3. The executive law is amended by adding a new section 837-x to
53 read as follows:
54 § 837-x. Use of biometric recognition technology prohibited. 1. For
55 the purposes of this section the following terms shall have the follow-
56 ing meanings:
A. 10036 7
1 (a) "Biometric data" shall mean any measurable physiological, biolog-
2 ical or behavioral characteristics that are attributable to a person,
3 including facial characteristics, fingerprint characteristics, hand
4 characteristics, eye characteristics, genetic characteristics, vocal
5 characteristics, thermal characteristics that can be used, either singu-
6 larly or in combination with each other or can be paired or combined
7 with other information, to establish individual identity.
8 (b) "Biometric recognition technology" shall mean either or both (i)
9 any automated or semi-automated process or processes by which a person
10 is identified or attempted to be identified based on their biometric
11 data, including identification of known or unknown individuals or
12 groups; and/or (ii) any automated or semi-automated process or processes
13 that generates or assists in generating, information about any individ-
14 ual based on their biometric data, including but not limited to emotion,
15 affect, or behavior detection.
16 (c) "Equity impact assessment" shall mean an audit and report address-
17 ing, at a minimum, the following:
18 (i) Evaluation of potential benefits, harms, and impacts on persons or
19 groups of persons who are protected from discrimination as set forth in
20 article fifteen of this chapter, including specific considerations based
21 on a person's ethnic and racial background. Such evaluation shall also
22 include, although not be limited to the disproportionate collection and
23 use of such technology on ethnic and racial minorities in New York
24 state, the disproportionate use of such technology in locations where
25 ethnic and racial minorities reside, and the disproportionate represen-
26 tation of particular ethnic and racial minorities in any underlying
27 datasets used to develop and/or implement such technology;
28 (ii) Evaluation of the efficacy and accuracy of the biometric recogni-
29 tion technology, including the accuracy of such technology in identify-
30 ing persons who belong to a group or groups protected from discrimi-
31 nation as set forth in article fifteen of this chapter, and a
32 description of the methodology of such evaluation, including whether
33 such evaluation involved a controlled or real-world study;
34 (iii) Steps taken or planned by the agency to address and to reduce
35 any disparities or inaccuracies identified in subparagraphs (i) or (ii)
36 of this paragraph, along with the police agency, police officer or peace
37 officer's reasoning for continuing to use the biometric recognition
38 technology despite the disparate impact or inaccuracy;
39 (iv) Procedures to address and challenge false results and protective
40 measures and preventative checks against such occurrences, and an
41 assessment of the adequacy of such procedures;
42 (v) What protections are put in place for due process, privacy, free
43 speech and association, and racial, gender, and religious equity;
44 (vi) Whether the police agency, police officer or peace officer
45 considered a less-intrusive alternative prior to utilizing the technolo-
46 gy, and if so, a description of such an explanation for why such alter-
47 native was not ultimately used; and
48 (vii) Costs associated with the use of the technology and storage of
49 relevant data, including any maintenance costs, administrative costs or
50 other costs incurred.
51 2. (a) Unless explicitly required by other provisions of state law, it
52 shall be unlawful for any police agency, police officer or peace officer
53 to:
54 (i) Acquire, access, or use any biometric recognition technology or
55 any biometric data; or
A. 10036 8
1 (ii) Direct the use of any biometric recognition technology or the
2 collection of any biometric data by a third party.
3 (b) To the extent that any police agency, police officer or peace
4 officer is currently using any biometric recognition technology or
5 collecting any biometric data and such use or collection is not other-
6 wise required by any other provision of state law, such police agency,
7 police officer or peace officer shall immediately stop using such tech-
8 nology or data.
9 (c) Nothing in this subdivision shall be construed to prevent a police
10 agency, police officer or peace officer from:
11 (i) Obtaining or possessing any device equipped with biometric recog-
12 nition technology, provided such device is being held as evidence and
13 the police agency, police officer or peace officer does not access or
14 use the biometric recognition technology of such device; or
15 (ii) Acquiring, accessing, or using any biometric recognition technol-
16 ogy on a device owned by the police agency, police officer or peace
17 officer for the sole purpose of user authentication of police agency
18 employees, police officers or peace officers provided that the police
19 agency does not access or use such biometric recognition technology for
20 any other purpose other than user authentication and provided that no
21 biometric data of individuals not employed by the police agency are
22 intentionally entered, retained, or processed by such technology; or
23 (iii) Accessing or using a technology or service not owned by the
24 police agency, police officer or peace officer but which is operated by
25 a third party, provided that the police agency, police officer or peace
26 officer does not process, use, request, or retain any information
27 created by the biometric recognition technology and that no data of
28 individuals not employed by the police agency are intentionally entered,
29 or processed by such technology; or
30 (iv) Acquiring, accessing, or using an automated or semi-automated
31 process for the purpose of redacting a recording for release or disclo-
32 sure outside the police agency to protect the privacy of a subject
33 depicted in the recording, provided that the process does not generate
34 or result in the retention of any biometric data.
35 (d) Nothing in this subdivision shall be construed to prevent a police
36 agency, police officer or peace officer from:
37 (i) Collecting a genetic or fingerprint sample or samples that are
38 abandoned at the scene of an alleged criminal offense and is not
39 collected from the person of a criminal suspect; or
40 (ii) Collecting genetic samples from an individual who is alleged to
41 be the victim of a crime and who consents to such collection.
42 3. On or before May first, two thousand twenty-two and annually there-
43 after, any police agency using or acquiring for use biometric recogni-
44 tion technology or biometric data as explicitly required by any other
45 provision of state law shall:
46 (a) Transmit a report to the governor, the temporary president of the
47 senate, the speaker of the assembly, the minority leader of the senate,
48 and the minority leader of the assembly detailing each biometric recog-
49 nition technology or type of biometric data it intends to acquire,
50 access, use, collect or analyze. Each police agency required to file a
51 report shall also publish such report on the police agency's website.
52 Such report shall also include, but not be limited to, the following:
53 (i) The type of biometric data;
54 (ii) The type and vendor of biometric recognition technology;
A. 10036 9
1 (iii) The state law that, in the police agency's view, explicitly
2 requires such acquisition, access, use, collection, or analysis or biom-
3 etric recognition technology or biometric data;
4 (iv) The time period, if any, that the biometric data will be retained
5 and the reasons the specific biometric data will be retained for during
6 the designated time period;
7 (v) Whether any biometric data will be shared with another individual
8 or entity and if so, with what individuals or entities it will be
9 shared, and whether explicit authorization exists for such data to be
10 shared;
11 (vi) The risk of an unauthorized access to or breach of retained biom-
12 etric data, safeguards or security measures designed to mitigate any
13 such risk, and appropriate consequences for failure to adhere to such
14 safeguards or security measures in the event of unauthorized access or a
15 breach; and
16 (vii) Related to any unauthorized breaches of retained biometric data
17 since May first of the previous year, a description of: (1) any such
18 breaches; (2) the results of any completed investigations of any such
19 breaches; (3) any attempts to notify anyone impacted by any such breach
20 or whose biometric data may have been unlawfully accessed; and (4) any
21 actions the agency has taken to address any breaches.
22 (b) Transmit an equity impact assessment as defined in subdivision one
23 of this section to the governor, the temporary president of the senate,
24 the speaker of the assembly, the minority leader of the senate, and the
25 minority leader of the assembly as well as publishing such assessment to
26 the state agency, police agency, or the state police's own web page.
27 (c) Transmit an equity impact assessment as defined in subdivision one
28 of this section to the civil rights bureau of the office of the attorney
29 general, which shall review such assessment and make recommendations or
30 take other action as may be appropriate with respect to any disparity or
31 inaccuracy identified in such assessment.
32 § 4. This act shall take effect immediately.