New York Assembly Bill A6031 proposes the Biometric Privacy Act, mandating that private entities possessing biometric identifiers or information implement a written policy [1]. This policy must outline a retention schedule and procedures for permanent destruction of such data once its initial collection purpose is fulfilled or within three years of an individual's last interaction, whichever occurs first [1]. The bill is currently in the Assembly Committee on Consumer Affairs and Protection.

Who does A6031 affect?

Private entities operating within New York State that collect, store, or process biometric identifiers or information are within scope. This includes organizations deploying AI systems for identity verification, access control, timekeeping, or other functions reliant on biometric data, necessitating formalized data retention and destruction protocols.

What is the current status of A6031?

As of the last published update, A6031 is at the "committee" stage, with bill status "In Assembly Committee".

Where can I find the primary source for A6031?

The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2025/A6031. AIGI publishes the full citation chain plus every approved brief on this bill.

NY, US · AI law tracker

A6031 — NY, US

A6031 is an AI governance legislation from NY, currently committee. New York A6031 proposes establishing a Biometric Privacy Act requiring private entities to develop data policies [1]. AIGI tracks 1 primary-source update on this bill; the most recent was published on 2025-02-25.

Status & timeline

Regulatory stage: committee
Bill status: In Assembly Committee
Authority / governing body: New York State Senate
Chamber: Assembly
Document type: legislation

Next deadline: No fixed deadline — currently under legislative review.

Subscriber only

Full obligation matrix

Actor	Obligation	Deadline	Source
private entities	Develop a written policy establishing a retention schedule for biometric identifiers and biometric information.	—	—
private entities	Develop a written policy establishing guidelines for permanently destroying biometric identifiers and biometric information.	—	—
private entities	Permanently destroy biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied.	When purpose satisfied	—
private entities	Permanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity, whichever occurs first.	P3Y (from last interaction)	—

Subscriber only

Enforcement risk score

/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

compliance_officer Monitor the status of New York Assembly Bill A6031 in the state legislature.
general_counsel Assess current practices for collecting, retaining, and destroying biometric identifiers and information within the organization.
compliance_officer Begin drafting a comprehensive written biometric data retention and destruction policy, if one is not already in place.
cto Develop and implement technical processes and systems to ensure the permanent destruction of biometric data according to the drafted policy.

Subscriber only

Vendor impact assessment

Vendor risk class: high
Procurement categories: hr_tech, security_tooling, other

Vendors providing services that involve the collection, processing, or storage of biometric data will need to demonstrate robust policies and technical capabilities for data retention and permanent destruction in line with this act's proposed requirements. Organizations should conduct thorough due diligence.

Sample vendor questions

Does your system collect, process, or store biometric identifiers or information?
What is your documented policy and process for the retention and permanent destruction of biometric data?
How do you ensure biometric data is destroyed when its initial purpose is satisfied or within three years of an individual's last interaction?
Can you provide evidence or documentation of your biometric data retention schedule and destruction guidelines to ensure compliance with this act?

Intelligence briefs (1)

legislation In Assembly Committee 2/25/2025

New York A6031: Proposed Biometric Privacy Act Mandates Data Policy

New York A6031 proposes establishing a Biometric Privacy Act requiring private entities to develop data policies [1].

This proposal aligns with evolving state-level biometric data governance, shaping deployer obligations for AI systems utilizing such data.

Deadline: No fixed deadline — currently under legislative review.

Primary source →

Frequently asked questions

What is A6031?: New York Assembly Bill A6031 proposes the Biometric Privacy Act, mandating that private entities possessing biometric identifiers or information implement a written policy [1]. This policy must outline a retention schedule and procedures for permanent destruction of such data once its initial collection purpose is fulfilled or within three years of an individual's last interaction, whichever occurs first [1]. The bill is currently in the Assembly Committee on Consumer Affairs and Protection. Primary source →
Why does A6031 matter?: This proposal aligns with evolving state-level biometric data governance, shaping deployer obligations for AI systems utilizing such data. Primary source →
Who does A6031 affect?: Private entities operating within New York State that collect, store, or process biometric identifiers or information are within scope. This includes organizations deploying AI systems for identity verification, access control, timekeeping, or other functions reliant on biometric data, necessitating formalized data retention and destruction protocols. Primary source →
What are the key dates for A6031?: No fixed deadline — currently under legislative review. Primary source →
What is the current status of A6031?: As of the last published update, A6031 is at the "committee" stage, with bill status "In Assembly Committee". Primary source →
Where can I find the primary source for A6031?: The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2025/A6031. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →

Important — about this brief

This brief is published by AIGI as a regulatory intelligence service. It contains general information about AI laws, regulations, enforcement actions, and policy signals across jurisdictions. It is not legal, compliance, audit, or risk-management advice; it does not establish an attorney-client, advisory, or fiduciary relationship; and it should not be relied upon as a substitute for professional counsel applied to specific facts and circumstances. Where the brief identifies “Issues for Review,” those are observations of questions a reader in a particular role might raise with their own legal, compliance, or risk function — not recommendations to act. AIGI expressly disclaims liability for actions taken or not taken in reliance on this brief. Subscribers in regulated industries should consult licensed professionals authorized to practice in their jurisdiction.

Full disclosures →

Status & timeline

Intelligence briefs (1)

New York A6031: Proposed Biometric Privacy Act Mandates Data Policy

Frequently asked questions

Related

Get briefs on every AI law, every morning.