New York Bill S1933, titled the "Biometric Privacy Act," has been introduced to establish regulations for biometric data. It proposes that private entities in possession of biometric identifiers or information must develop a written policy. This policy would detail a retention schedule and guidelines for permanently destroying such data once its initial collection purpose is satisfied, or within three years of an individual's last interaction, whichever is later [1].

Who does S1933 affect?

This proposed legislation targets private entities operating within New York State that collect, store, or process biometric identifiers or biometric information. This includes organizations utilizing technologies such as facial recognition for access control, timekeeping systems employing fingerprint scans, or voice recognition for customer service. Businesses in sectors like retail, healthcare, financial services, and hospitality are typically within scope due to their frequent interaction with individuals' biometric data.

What is the current status of S1933?

As of the last published update, S1933 is at the "committee" stage.

Where can I find the primary source for S1933?

The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2021/S1933. AIGI publishes the full citation chain plus every approved brief on this bill.

NY, US · AI law tracker

S1933 — NY, US

S1933 is an AI governance legislation from NY, currently committee. New York Bill S1933 proposes establishing a Biometric Privacy Act, mandating private entities create written biometric data retention and destruction policies [1]. AIGI tracks 2 primary-source updates on this bill; the most recent was published on 2021-01-16.

Status & timeline

Regulatory stage: committee
Authority / governing body: New York State Senate
Chamber: Senate
Document type: legislation

Next deadline: No fixed deadline — bill is currently in Senate Committee.

Subscriber only

Full obligation matrix

Actor	Obligation	Deadline	Source
deployer	Develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information.	Upon effective date of the act (if enacted)	—
deployer	Permanently destroy biometric identifiers and biometric information.	When the initial purpose for collection is satisfied or within three years of the individual's last interaction with the private entity, whichever occurs later.	—

Subscriber only

Enforcement risk score

/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

compliance_officer Monitor the legislative progress of NY S1933, especially if it advances out of committee.
compliance_officer Begin preliminary assessment of current biometric data handling practices against proposed requirements for retention and destruction policies.
general_counsel Evaluate the potential legal implications of the proposed Biometric Privacy Act for the organization's operations in New York.

Subscriber only

Vendor impact assessment

Vendor risk class: high
Procurement categories: hr_tech, security_tooling, customer_service_ai

Vendors handling biometric data for New York-based entities will need to demonstrate clear policies and technical capabilities for data retention and permanent destruction in line with this proposed act. This applies to HR systems, physical access controls, and customer-facing biometric authentication.

Sample vendor questions

What biometric data, if any, do you collect, store, or process on our behalf?
Do you have a written policy for biometric data retention and destruction that aligns with proposed NY state requirements?
How do you ensure the permanent destruction of biometric data according to specified retention schedules?
What contractual assurances can you provide regarding compliance with biometric privacy regulations?

Intelligence briefs (2)

legislation 1/16/2021

NY S1933: Biometric Privacy Act Mandates Data Retention Policies

New York Bill S1933 proposes establishing a Biometric Privacy Act, mandating private entities create written biometric data retention and destruction policies [1].

This development bears on the scope of biometric data governance and deployer obligations, aligning with emerging US state privacy frameworks.

Deadline: No fixed deadline — bill is currently in Senate Committee.

Primary source →

legislation 1/16/2021

NY Bill S1933: Biometric Privacy Act Introduces Data Retention, Destruction Rules

The proposed bill mandates written policies for biometric data retention and destruction by private entities [1].

This introduces a state-level biometric data governance framework in New York, affecting data lifecycle management and privacy compliance.

Deadline: No fixed deadline — currently in Senate Committee.

Primary source →

Frequently asked questions

What is S1933?: New York Bill S1933, titled the "Biometric Privacy Act," has been introduced to establish regulations for biometric data. It proposes that private entities in possession of biometric identifiers or information must develop a written policy. This policy would detail a retention schedule and guidelines for permanently destroying such data once its initial collection purpose is satisfied, or within three years of an individual's last interaction, whichever is later [1]. Primary source →
Why does S1933 matter?: This development bears on the scope of biometric data governance and deployer obligations, aligning with emerging US state privacy frameworks. Primary source →
Who does S1933 affect?: This proposed legislation targets private entities operating within New York State that collect, store, or process biometric identifiers or biometric information. This includes organizations utilizing technologies such as facial recognition for access control, timekeeping systems employing fingerprint scans, or voice recognition for customer service. Businesses in sectors like retail, healthcare, financial services, and hospitality are typically within scope due to their frequent interaction with individuals' biometric data. Primary source →
What are the key dates for S1933?: No fixed deadline — bill is currently in Senate Committee. Primary source →
What is the current status of S1933?: As of the last published update, S1933 is at the "committee" stage. Primary source →
Where can I find the primary source for S1933?: The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2021/S1933. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →

Important — about this brief

This brief is published by AIGI as a regulatory intelligence service. It contains general information about AI laws, regulations, enforcement actions, and policy signals across jurisdictions. It is not legal, compliance, audit, or risk-management advice; it does not establish an attorney-client, advisory, or fiduciary relationship; and it should not be relied upon as a substitute for professional counsel applied to specific facts and circumstances. Where the brief identifies “Issues for Review,” those are observations of questions a reader in a particular role might raise with their own legal, compliance, or risk function — not recommendations to act. AIGI expressly disclaims liability for actions taken or not taken in reliance on this brief. Subscribers in regulated industries should consult licensed professionals authorized to practice in their jurisdiction.

Full disclosures →

Status & timeline

Intelligence briefs (2)

NY S1933: Biometric Privacy Act Mandates Data Retention Policies

NY Bill S1933: Biometric Privacy Act Introduces Data Retention, Destruction Rules

Frequently asked questions

Related

Get briefs on every AI law, every morning.