NY, US · AI law tracker

S4457 — NY, US

S4457 is an AI governance legislation from NY, currently committee. The bill would mandate written policies for biometric data retention and destruction by private entities [1]. AIGI tracks 2 primary-source updates on this bill; the most recent was published on 2023-02-09.

Status & timeline

Regulatory stage
committee
Bill status
In Assembly Committee
Authority / governing body
New York State Senate
Chamber
Senate
Document type
legislation

Next deadline: No fixed deadline; the bill is currently in committee.

Subscriber only

Full obligation matrix

ActorObligationDeadlineSource
deployerDevelop a written policy establishing a retention schedule for biometric identifiers and biometric information.
deployerDevelop a written policy establishing guidelines for permanently destroying biometric identifiers and biometric information.
deployerPermanently destroy biometric identifiers and biometric information when the initial purpose for collection has been satisfied.
deployerPermanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity, whichever occurs first.

Subscriber only

Enforcement risk score

25
/ 100

Announced regulation; enforcement footprint still forming.

Subscriber only

Role-based compliance checklist

  • compliance_officer Monitor the status of New York S4457, the proposed Biometric Privacy Act.
  • general_counsel Assess current biometric data handling practices against proposed retention and destruction requirements.
  • data_scientist Review existing biometric data sets to identify those that would fall under the proposed retention and destruction requirements.
  • product_manager Evaluate products/services that collect or process biometric data for alignment with potential future privacy obligations.

Subscriber only

Vendor impact assessment

Vendor risk class
high
Procurement categories
security_tooling, hr_tech, customer_service_ai, other

Vendors providing services involving biometric data will need to demonstrate clear policies and technical capabilities for data retention limits and secure, permanent destruction to comply with potential future regulations.

Sample vendor questions

  1. Does your solution collect, store, or process biometric identifiers or biometric information?
  2. What is your policy and practice for retaining and destroying biometric data?
  3. How do you ensure biometric data is permanently destroyed once its purpose is satisfied or after a specified period (e.g., three years)?
  4. Are your data retention schedules and destruction guidelines transparent and auditable?

Intelligence briefs (2)

legislation In Assembly Committee 2/9/2023

New York Biometric Privacy Act (S4457) Advances in Assembly Committee

New York S4457, establishing the Biometric Privacy Act, is now in the Assembly Committee on Consumer Affairs And Protection [1].

This development signals potential new data governance obligations for organizations handling biometric data in New York.

Deadline: No fixed deadline — effective upon enactment as drafted.

Primary source →

Frequently asked questions

What is S4457?
New York Senate Bill S4457 proposes a Biometric Privacy Act, obligating private entities holding biometric identifiers or information to create a written policy [1]. This policy must outline a retention schedule and guidelines for permanently destroying such data once its initial collection purpose is met, or within three years of the individual's last interaction with the entity, whichever occurs first [2]. Primary source →
Why does S4457 matter?
This development signals a potential new obligation for deployers of biometric AI systems in New York regarding data lifecycle management. Primary source →
Who does S4457 affect?
This legislation primarily affects private entities operating in New York State that collect, store, or process biometric identifiers or biometric information. Organizations utilizing AI systems for facial recognition, biometric identification, or other applications involving personal biometrics, such as for access control, workforce management, or customer verification, would be in scope. Compliance, legal, and privacy functions within these entities would typically be involved in developing the mandated written policies. Primary source →
What are the key dates for S4457?
No fixed deadline; the bill is currently in committee. Primary source →
What is the current status of S4457?
As of the last published update, S4457 is at the "committee" stage, with bill status "In Assembly Committee". Primary source →
Where can I find the primary source for S4457?
The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2023/S4457. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →

Stay informed

Get briefs on every AI law, every morning.

Start 14-day trial →