New York Biometric Privacy Laws: Collection, Consent & Penalties (2026)

New York has built a layered approach to biometric privacy protection. No single statute covers the full landscape. Instead, a combination of state law, city ordinance, financial regulation, and labor law creates overlapping obligations for businesses that collect fingerprints, facial geometry scans, retina images, or other biometric data.
For businesses operating in New York, understanding each layer is critical. A company in Manhattan faces different rules than one in Buffalo, and a bank faces stricter requirements than a retail store. This guide walks through every applicable law so you know exactly what applies to your situation.
The SHIELD Act: New York's Foundation for Biometric Data Protection
The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), signed into law on July 25, 2019, forms the backbone of New York's biometric data protections. Codified in General Business Law Sections 899-aa and 899-bb, the SHIELD Act expanded the state's existing breach notification law to bring biometric information under its umbrella.
What the SHIELD Act Covers
Before the SHIELD Act, New York's data breach notification law applied only to traditional personal identifiers like Social Security numbers and financial account numbers. The SHIELD Act added several new categories of protected data, including biometric information.
Under GBL 899-aa, "private information" now includes:
- Biometric information (fingerprints, voiceprints, retina or iris images, and other unique physical measurements)
- Social Security numbers
- Driver's license numbers
- Financial account numbers
- Username or email address combined with a password or security question
- Medical and health insurance information (added by the December 2024 amendment)
The 30-Day Breach Notification Rule
On December 24, 2024, Governor Kathy Hochul signed an amendment to GBL 899-aa that replaced the old "most expedient time possible" standard with a firm 30-day deadline. Businesses that experience a breach involving biometric data must now notify affected New York residents within 30 days of discovering the breach.
The amendment also requires notification to the New York Attorney General, the Department of State, and the State Police. Entities regulated by the New York Department of Financial Services must also notify DFS.
Reasonable Safeguards Requirement
GBL 899-bb requires any person or business that owns or licenses private information, including biometric data, to develop, implement, and maintain reasonable safeguards. These safeguards fall into three categories:
Administrative safeguards include designating one or more employees to coordinate the security program, identifying reasonably foreseeable internal and external risks, training employees on security practices, and vetting service providers.
Technical safeguards include assessing risks in network and software design, monitoring systems for unauthorized access, detecting and responding to attacks, and regularly testing system effectiveness.
Physical safeguards include assessing risks in data storage and disposal, preventing unauthorized physical access, and properly disposing of information so it cannot be read or reconstructed.
Small Business Accommodation
The SHIELD Act recognizes that smaller organizations have fewer resources. A business qualifies for the small business accommodation if it has fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets. Small businesses must still implement reasonable safeguards, but those safeguards are assessed based on the size and complexity of the business.
SHIELD Act Penalties
The New York Attorney General enforces the SHIELD Act. Penalties include:
- Up to $20 per failed notification, capped at $250,000
- Up to $5,000 per violation for failure to maintain reasonable safeguards
- Injunctive relief and restitution
The SHIELD Act does not create a private right of action. Only the Attorney General can bring enforcement actions.
NYC Local Law 3: Biometric Rules for Commercial Establishments
New York City enacted Local Law 3 of 2021, which took effect on July 9, 2021. This city-level ordinance goes significantly beyond the SHIELD Act by requiring affirmative notice to customers and creating a private right of action.
Who Must Comply
Local Law 3 applies to "commercial establishments" within New York City, defined as:
- Places of entertainment (theaters, arenas, concert venues, stadiums)
- Retail stores
- Food and drink establishments (restaurants, bars, cafes)
The law does not apply to government agencies or financial institutions regulated by state or federal law.
Definition of Biometric Identifier Information
Under Local Law 3, "biometric identifier information" means a physiological, biological, or behavioral characteristic used to identify or assist in identifying an individual. This includes:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Scans of hand, palm, or face geometry
- Gait or movement patterns
The Signage Requirement
Every commercial establishment that collects, retains, converts, stores, or shares biometric identifier information must post a clear and conspicuous sign near all customer entrances. The sign must be in plain, simple language notifying customers that biometric data is being collected.
The NYC Department of Consumer and Worker Protection (DCWP) provides a standardized disclosure sign that businesses can download and display.
Prohibition on Sale of Biometric Data
Local Law 3 makes it unlawful for any commercial establishment to sell, lease, trade, or share biometric identifier information in exchange for anything of value. This is an absolute prohibition with no exceptions.
Private Right of Action and Damages
Unlike the SHIELD Act, Local Law 3 gives individuals the right to sue. Damages include:
- Failure to post signage: $500 per violation (with a 30-day cure period after written notice)
- Negligent sale or sharing of biometric data: $500 per violation
- Intentional or reckless sale or sharing: $5,000 per violation
- Attorney fees and costs are recoverable in all cases
For signage violations, the business gets 30 days to fix the problem after receiving written notice. If the business corrects the violation within that window, no lawsuit can proceed. For violations of the sales prohibition, there is no cure period, and individuals can file suit immediately.
Enforcement in Practice
Local Law 3 has generated notable litigation. In one high-profile case, a concert attendee sued Madison Square Garden over its use of facial recognition technology to screen patrons. The case tested the boundaries of what constitutes a "commercial establishment" and how the law applies to security-related biometric scanning at entertainment venues.
The Pending NY Biometric Privacy Act (S1422/A6031)
The most significant proposed change to New York's biometric privacy landscape is the NY Biometric Privacy Act, introduced in the 2025-2026 legislative session as Senate Bill S1422 (sponsored by Senator Liu) and Assembly Bill A6031. The bill is modeled closely on the Illinois Biometric Information Privacy Act (BIPA), which has produced billions of dollars in settlements since its passage.
Current Status
As of March 2026, S1422 sits in the Senate Consumer Protection Committee. A6031 was referred to the Assembly Committee on Consumer Affairs and Protection on February 25, 2025. The bill has not yet advanced to a floor vote in either chamber.
New York legislators have introduced versions of this bill in multiple prior sessions (including S4457 in 2023 and A27 in 2021) without passage, but growing national attention to biometric privacy and the success of Illinois BIPA litigation continue to build momentum.
What the Bill Would Require
If enacted, the NY Biometric Privacy Act would create Article 32-A of the General Business Law and impose the following requirements on private entities:
Written retention and destruction policy. Every private entity possessing biometric identifiers or biometric information must develop a written policy, made publicly available, establishing a retention schedule and guidelines for permanent destruction. Destruction must occur when the initial collection purpose has been satisfied or within three years of the individual's last interaction with the entity, whichever comes first.
Written consent before collection. No entity may collect, capture, purchase, or trade an individual's biometric data unless the entity first informs the person in writing and receives written consent.
Prohibition on sale. Entities cannot sell, lease, trade, or otherwise profit from biometric identifiers or biometric information.
Security standards. Entities must store, transmit, and protect biometric data using the reasonable standard of care within their industry. Protections must be at least as strong as those used for other confidential and sensitive information.
Definitions Under the Bill
The bill defines "biometric identifier" as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.
Excluded from this definition are writing samples, written signatures, photographs, demographic data, tattoo descriptions, physical descriptions, donated organs and tissues, blood and serum stored for transplant purposes, and medical imaging and healthcare information.
"Biometric information" is defined as any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.
Private Right of Action and Damages
The bill would create a private right of action allowing individuals to sue directly in Supreme Court. A prevailing party could recover:
- Negligent violations: Liquidated damages of $1,000 or actual damages, whichever is greater
- Intentional or reckless violations: Liquidated damages of $5,000 or actual damages, whichever is greater
- Attorney fees and costs, including expert witness fees
- Injunctive relief as the court deems appropriate
This private right of action is what distinguishes the proposed bill from the existing SHIELD Act and would make New York one of only a few states allowing individuals to sue over biometric privacy violations.
New York Labor Law Section 201-a: Employee Fingerprinting
New York Labor Law Section 201-a predates modern biometric privacy concerns but remains directly relevant. The statute provides a straightforward rule: no person, as a condition of securing employment or continuing employment, shall be required to be fingerprinted.
Limited Exceptions
The prohibition applies "except as otherwise provided by law." This means fingerprinting is permitted only where another state or federal law specifically requires it. Common exceptions include:
- Law enforcement officers
- Employees of certain financial institutions (under federal banking regulations)
- Healthcare workers in specific settings
- Childcare workers (under the Social Services Law)
- School employees (under the Education Law)
- Security guards (under the General Business Law)
Practical Impact for Employers
This law means that most New York employers cannot require fingerprint-based timekeeping systems as a mandatory condition of employment. Employers may offer fingerprint scanning on a voluntary basis, and some have turned to hand geometry scanning (which measures the shape and dimensions of the hand without capturing a fingerprint) as an alternative that falls outside the statute's scope.
NYDFS Cybersecurity Regulation (23 NYCRR 500)
The New York Department of Financial Services Cybersecurity Regulation applies to banks, insurance companies, and other financial services entities licensed in New York. Under 23 NYCRR 500, biometric records fall within the definition of "nonpublic information" that covered entities must protect.
Key Requirements for Biometric Data
Financial institutions must maintain a cybersecurity program that protects the confidentiality, integrity, and availability of their information systems, including those that store biometric records.
As of November 1, 2025, covered entities can no longer transmit unencrypted nonpublic information (including biometric data) over external networks. All biometric data in transit must be encrypted.
DFS-regulated entities must also designate a Chief Information Security Officer, conduct regular penetration testing and vulnerability assessments, maintain audit trails, and implement access controls that limit who can view biometric records.
Penalties
DFS can impose civil monetary penalties for violations of 23 NYCRR 500. In serious cases, DFS has the authority to revoke or suspend a company's license to operate in New York.
Employer Obligations: A Practical Checklist
New York employers face requirements from multiple overlapping laws. Here is what you need to do depending on your location and industry:
All New York Employers
- Comply with the SHIELD Act by implementing reasonable administrative, technical, and physical safeguards for any biometric data you hold.
- Notify affected individuals within 30 days if biometric data is compromised in a breach, and report the breach to the Attorney General, Department of State, and State Police.
- Do not require fingerprinting as a condition of employment unless a specific law authorizes it (Labor Law 201-a).
New York City Employers Operating Commercial Establishments
- Post the required biometric identifier disclosure sign at all customer entrances if you collect any biometric data from customers.
- Never sell, lease, trade, or share customer biometric data in exchange for anything of value.
Financial Services Companies
- Comply with 23 NYCRR 500 by encrypting biometric data in transit, maintaining audit trails, and conducting regular security assessments.
- Designate a CISO responsible for overseeing biometric data protections.
All Employers Using Biometric Timekeeping
- Offer non-biometric alternatives for employees who decline to use fingerprint or hand-scan systems.
- Develop a written data retention and destruction policy for biometric records.
- Do not share biometric data with third-party timekeeping vendors without clear employee notice and consent.
More New York Laws
- New York Data Privacy Laws
- New York Whistleblower Laws
- New York Recording Laws
For a broader look at data privacy protections in New York, see the parent guide on New York Data Privacy Laws.
This article provides general legal information about New York biometric privacy laws and is current as of March 2026. It is not legal advice. Consult a licensed New York attorney for guidance on your specific situation.
Sources and References
- SHIELD Act overview and requirements (ag.ny.gov)
- GBL Section 899-aa breach notification law (nysenate.gov)
- GBL Section 899-bb data security safeguards (nysenate.gov)
- NYC Local Law 3 of 2021 biometric identifier information (legistar.council.nyc.gov)
- NYC DCWP biometric identifier disclosure sign (nyc.gov)
- NY Biometric Privacy Act (S1422) (nysenate.gov)
- NY Biometric Privacy Act (A6031 Assembly companion) (nysenate.gov)
- NY Labor Law Section 201-a employee fingerprinting prohibition (nysenate.gov)
- NYDFS Cybersecurity Resource Center (dfs.ny.gov)
- 23 NYCRR 500 amended cybersecurity regulation text (dfs.ny.gov)
- NYC DCWP new laws and rules (nyc.gov)