New York Senate Bill S4457 proposes the Biometric Privacy Act, mandating private entities holding biometric data to establish written policies [1]. These policies must detail retention schedules and permanent destruction guidelines, either when the initial collection purpose is fulfilled or within three years of the individual's last interaction, whichever occurs first [1].

Who does S4457 affect?

Private entities operating in New York that collect, obtain, or possess biometric identifiers or information are within scope. This includes organizations deploying AI systems for use cases such as facial recognition, employee authentication, access control, or customer identification. Relevant business functions encompass legal, compliance, privacy, risk management, and product development teams responsible for data handling and AI system design.

What is the current status of S4457?

As of the last published update, S4457 is at the "committee" stage, with bill status "In Assembly Committee".

Where can I find the primary source for S4457?

The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2023/S4457. AIGI publishes the full citation chain plus every approved brief on this bill.

NY, US · AI law tracker

S4457 — NY, US

S4457 is an AI governance legislation from NY, currently committee. This bill introduces a new requirement for private entities to develop a written policy governing biometric data lifecycle management [1]. AIGI tracks 1 primary-source update on this bill; the most recent was published on 2023-02-09.

Status & timeline

Regulatory stage: committee
Bill status: In Assembly Committee
Authority / governing body: New York State Senate
Chamber: Senate
Document type: legislation

Next deadline: No fixed deadline, as the bill is currently under review in the Assembly Committee on Consumer Affairs And Protection.

Subscriber only

Full obligation matrix

Actor	Obligation	Deadline	Source
deployer	Develop a written policy establishing a retention schedule for biometric identifiers and biometric information.	—	—
deployer	Develop a written policy establishing guidelines for permanently destroying biometric identifiers and biometric information.	—	—
deployer	Permanently destroy biometric identifiers and biometric information when the initial purpose for collection has been satisfied.	—	—
deployer	Permanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity, whichever occurs first.	—	—

Subscriber only

Enforcement risk score

/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

compliance_officer Monitor the status of New York S4457, the proposed Biometric Privacy Act.
general_counsel Assess current biometric data handling practices against proposed retention and destruction requirements.
data_scientist Review existing biometric data sets to identify those that would fall under the proposed retention and destruction requirements.
product_manager Evaluate products/services that collect or process biometric data for alignment with potential future privacy obligations.

Subscriber only

Vendor impact assessment

Vendor risk class: high
Procurement categories: security_tooling, hr_tech, customer_service_ai, other

Vendors providing services involving biometric data will need to demonstrate clear policies and technical capabilities for data retention limits and secure, permanent destruction to comply with potential future regulations.

Sample vendor questions

Does your solution collect, store, or process biometric identifiers or biometric information?
What is your policy and practice for retaining and destroying biometric data?
How do you ensure biometric data is permanently destroyed once its purpose is satisfied or after a specified period (e.g., three years)?
Are your data retention schedules and destruction guidelines transparent and auditable?

Intelligence briefs (1)

legislation In Assembly Committee 2/9/2023

NY S4457: Biometric Data Retention and Destruction Policy Mandate

This bill introduces a new requirement for private entities to develop a written policy governing biometric data lifecycle management [1].

This establishes specific data lifecycle obligations for AI systems processing biometric data, broadening privacy compliance requirements.

Deadline: No fixed deadline, as the bill is currently under review in the Assembly Committee on Consumer Affairs And Protection.

Primary source →

Frequently asked questions

What is S4457?: New York Senate Bill S4457 proposes the Biometric Privacy Act, mandating private entities holding biometric data to establish written policies [1]. These policies must detail retention schedules and permanent destruction guidelines, either when the initial collection purpose is fulfilled or within three years of the individual's last interaction, whichever occurs first [1]. Primary source →
Why does S4457 matter?: This establishes specific data lifecycle obligations for AI systems processing biometric data, broadening privacy compliance requirements. Primary source →
Who does S4457 affect?: Private entities operating in New York that collect, obtain, or possess biometric identifiers or information are within scope. This includes organizations deploying AI systems for use cases such as facial recognition, employee authentication, access control, or customer identification. Relevant business functions encompass legal, compliance, privacy, risk management, and product development teams responsible for data handling and AI system design. Primary source →
What are the key dates for S4457?: No fixed deadline, as the bill is currently under review in the Assembly Committee on Consumer Affairs And Protection. Primary source →
What is the current status of S4457?: As of the last published update, S4457 is at the "committee" stage, with bill status "In Assembly Committee". Primary source →
Where can I find the primary source for S4457?: The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2023/S4457. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →

Important — about this brief

This brief is published by AIGI as a regulatory intelligence service. It contains general information about AI laws, regulations, enforcement actions, and policy signals across jurisdictions. It is not legal, compliance, audit, or risk-management advice; it does not establish an attorney-client, advisory, or fiduciary relationship; and it should not be relied upon as a substitute for professional counsel applied to specific facts and circumstances. Where the brief identifies “Issues for Review,” those are observations of questions a reader in a particular role might raise with their own legal, compliance, or risk function — not recommendations to act. AIGI expressly disclaims liability for actions taken or not taken in reliance on this brief. Subscribers in regulated industries should consult licensed professionals authorized to practice in their jurisdiction.

Full disclosures →

Status & timeline

Intelligence briefs (1)

NY S4457: Biometric Data Retention and Destruction Policy Mandate

Frequently asked questions

Related

Get briefs on every AI law, every morning.