New York Assembly Bill A27 (2021-2022) seeks to establish a biometric privacy act [1]. The proposed legislation mandates private entities possessing biometric identifiers or information to develop a written policy. This policy must include a retention schedule and guidelines for the permanent destruction of such data [1]. Destruction is required either when the initial collection purpose is satisfied or within three years of an individual's last interaction, whichever occurs first [1].

This proposed legislation affects private entities operating within New York State that collect, possess, or process biometric identifiers or information. This includes organizations utilizing facial recognition for security, fingerprint scanning for access control, or voice biometrics for authentication purposes. Business functions such as human resources, physical security, customer service, and product development, particularly those employing AI-powered biometric systems, could be within scope.

What is the current status of A27?

As of the last published update, A27 is at the "committee" stage, with bill status "In Assembly Committee".

Where can I find the primary source for A27?

The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2021/A27. AIGI publishes the full citation chain plus every approved brief on this bill.

NY, US · AI law tracker

A27 — NY, US

A27 is an AI governance legislation from NY, currently committee. New York Assembly Bill A27 introduces requirements for private entities regarding biometric data retention and destruction policies [1]. AIGI tracks 1 primary-source update on this bill; the most recent was published on 2020-12-22.

Status & timeline

Regulatory stage: committee
Bill status: In Assembly Committee
Authority / governing body: New York State Senate
Chamber: Assembly
Document type: legislation

Next deadline: No fixed deadline — currently in Assembly Committee (Consumer Affairs And Protection).

Subscriber only

Full obligation matrix

Actor	Obligation	Deadline	Source
private_entity	Develop a written policy establishing a retention schedule for biometric identifiers and biometric information.	Upon enactment (implied)	—
private_entity	Develop written guidelines for permanently destroying biometric identifiers and biometric information.	Upon enactment (implied)	—
private_entity	Permanently destroy biometric identifiers and biometric information when the initial purpose for collection has been satisfied.	Whichever occurs first (purpose satisfied or 3 years)	—
private_entity	Permanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity.	Whichever occurs first (purpose satisfied or 3 years)	—

Subscriber only

Enforcement risk score

/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

compliance_officer Track the status of NY A27 through the legislative process.
general_counsel Assess potential legal implications for the organization if NY A27 is enacted, particularly regarding biometric data handling.
data_scientist Identify all systems and processes that collect, store, or process biometric identifiers or information.
privacy_officer Begin drafting a conceptual data retention and destruction policy for biometric data, anticipating requirements for specific schedules and destruction guidelines.

Subscriber only

Vendor impact assessment

Vendor risk class: medium
Procurement categories: security_tooling, hr_tech, other

Vendors providing services that involve biometric data (e.g., timekeeping systems, access control, identity verification) will need to demonstrate capabilities for granular data retention and destruction in line with proposed New York requirements.

Sample vendor questions

Does your service collect, store, or process biometric identifiers or information from individuals in New York?
How do you assist us in complying with biometric data retention schedules and destruction requirements?
Do you have a clear policy for the permanent destruction of biometric data once its purpose is fulfilled or a specified retention period expires?
What contractual provisions do you offer to indemnify us against liabilities arising from non-compliance with biometric privacy laws?

Intelligence briefs (1)

legislation In Assembly Committee 12/22/2020

New York A27 Proposes Biometric Data Privacy Act Requirements

New York Assembly Bill A27 introduces requirements for private entities regarding biometric data retention and destruction policies [1].

This development bears on the expanding scope of state-level biometric data governance and deployer obligations for AI systems utilizing such data.

Deadline: No fixed deadline — currently in Assembly Committee (Consumer Affairs And Protection).

Primary source →

Frequently asked questions

What is A27?: New York Assembly Bill A27 (2021-2022) seeks to establish a biometric privacy act [1]. The proposed legislation mandates private entities possessing biometric identifiers or information to develop a written policy. This policy must include a retention schedule and guidelines for the permanent destruction of such data [1]. Destruction is required either when the initial collection purpose is satisfied or within three years of an individual's last interaction, whichever occurs first [1]. Primary source →
Why does A27 matter?: This development bears on the expanding scope of state-level biometric data governance and deployer obligations for AI systems utilizing such data. Primary source →
Who does A27 affect?: This proposed legislation affects private entities operating within New York State that collect, possess, or process biometric identifiers or information. This includes organizations utilizing facial recognition for security, fingerprint scanning for access control, or voice biometrics for authentication purposes. Business functions such as human resources, physical security, customer service, and product development, particularly those employing AI-powered biometric systems, could be within scope. Primary source →
What are the key dates for A27?: No fixed deadline — currently in Assembly Committee (Consumer Affairs And Protection). Primary source →
What is the current status of A27?: As of the last published update, A27 is at the "committee" stage, with bill status "In Assembly Committee". Primary source →
Where can I find the primary source for A27?: The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2021/A27. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →

Important — about this brief

This brief is published by AIGI as a regulatory intelligence service. It contains general information about AI laws, regulations, enforcement actions, and policy signals across jurisdictions. It is not legal, compliance, audit, or risk-management advice; it does not establish an attorney-client, advisory, or fiduciary relationship; and it should not be relied upon as a substitute for professional counsel applied to specific facts and circumstances. Where the brief identifies “Issues for Review,” those are observations of questions a reader in a particular role might raise with their own legal, compliance, or risk function — not recommendations to act. AIGI expressly disclaims liability for actions taken or not taken in reliance on this brief. Subscribers in regulated industries should consult licensed professionals authorized to practice in their jurisdiction.

Full disclosures →

Status & timeline

Intelligence briefs (1)

New York A27 Proposes Biometric Data Privacy Act Requirements

Frequently asked questions

Related

Get briefs on every AI law, every morning.