Bill > A06031

This bill establishes the Biometric Privacy Act, which creates comprehensive regulations for how private entities can collect, use, store, and destroy biometric identifiers and information. The law requires private businesses to develop a written public policy that outlines how they will handle biometric data, including a retention schedule that mandates destroying such data within 60 days after it is no longer necessary or within three years of a person's last interaction with the company, whichever comes first. Companies must obtain written consent before collecting biometric data, explicitly inform individuals about the purpose and duration of data collection, and are prohibited from selling, leasing, or trading biometric information. The bill defines biometric identifiers as retina or iris scans, fingerprints, voiceprints, and hand or face geometry, while specifically excluding certain types of data like photographs and medical imaging. The Attorney General is empowered to enforce the law, with the ability to bring actions against violators and impose civil penalties of up to $20,000 per violation. The law includes provisions protecting certain types of institutions like financial institutions and healthcare providers, and ensures that each instance of improper data handling can be considered a separate violation, giving the Attorney General significant enforcement capabilities.

Business and Industry

https://www.nysenate.gov/legislation/bills/2025/A6031