NY, US · AI law tracker
S4457 — NY, US
S4457 is an AI governance legislation from NY, currently committee. The bill would mandate written policies for biometric data retention and destruction by private entities [1]. AIGI tracks 2 primary-source updates on this bill; the most recent was published on 2023-02-09.
Status & timeline
- Regulatory stage
- committee
- Bill status
- In Assembly Committee
- Authority / governing body
- New York State Senate
- Chamber
- Senate
- Document type
- legislation
Next deadline: No fixed deadline; the bill is currently in committee.
Subscriber only
Full obligation matrix
| Actor | Obligation | Deadline | Source |
|---|---|---|---|
| deployer | Develop a written policy establishing a retention schedule for biometric identifiers and biometric information. | — | — |
| deployer | Develop a written policy establishing guidelines for permanently destroying biometric identifiers and biometric information. | — | — |
| deployer | Permanently destroy biometric identifiers and biometric information when the initial purpose for collection has been satisfied. | — | — |
| deployer | Permanently destroy biometric identifiers and biometric information within three years of the individual's last interaction with the private entity, whichever occurs first. | — | — |
Subscriber only
Enforcement risk score
Announced regulation; enforcement footprint still forming.
Subscriber only
Role-based compliance checklist
- compliance_officer Monitor the status of New York S4457, the proposed Biometric Privacy Act.
- general_counsel Assess current biometric data handling practices against proposed retention and destruction requirements.
- data_scientist Review existing biometric data sets to identify those that would fall under the proposed retention and destruction requirements.
- product_manager Evaluate products/services that collect or process biometric data for alignment with potential future privacy obligations.
Subscriber only
Vendor impact assessment
- Vendor risk class
- high
- Procurement categories
- security_tooling, hr_tech, customer_service_ai, other
Vendors providing services involving biometric data will need to demonstrate clear policies and technical capabilities for data retention limits and secure, permanent destruction to comply with potential future regulations.
Sample vendor questions
- Does your solution collect, store, or process biometric identifiers or biometric information?
- What is your policy and practice for retaining and destroying biometric data?
- How do you ensure biometric data is permanently destroyed once its purpose is satisfied or after a specified period (e.g., three years)?
- Are your data retention schedules and destruction guidelines transparent and auditable?
Intelligence briefs (2)
NY S4457: Biometric Privacy Act Mandates Data Retention & Destruction Policies
The bill would mandate written policies for biometric data retention and destruction by private entities [1].
This development signals a potential new obligation for deployers of biometric AI systems in New York regarding data lifecycle management.
Deadline: No fixed deadline; the bill is currently in committee.
Primary source →New York Biometric Privacy Act (S4457) Advances in Assembly Committee
New York S4457, establishing the Biometric Privacy Act, is now in the Assembly Committee on Consumer Affairs And Protection [1].
This development signals potential new data governance obligations for organizations handling biometric data in New York.
Deadline: No fixed deadline — effective upon enactment as drafted.
Primary source →Frequently asked questions
- What is S4457?
- New York Senate Bill S4457 proposes a Biometric Privacy Act, obligating private entities holding biometric identifiers or information to create a written policy [1]. This policy must outline a retention schedule and guidelines for permanently destroying such data once its initial collection purpose is met, or within three years of the individual's last interaction with the entity, whichever occurs first [2]. Primary source →
- Why does S4457 matter?
- This development signals a potential new obligation for deployers of biometric AI systems in New York regarding data lifecycle management. Primary source →
- Who does S4457 affect?
- This legislation primarily affects private entities operating in New York State that collect, store, or process biometric identifiers or biometric information. Organizations utilizing AI systems for facial recognition, biometric identification, or other applications involving personal biometrics, such as for access control, workforce management, or customer verification, would be in scope. Compliance, legal, and privacy functions within these entities would typically be involved in developing the mandated written policies. Primary source →
- What are the key dates for S4457?
- No fixed deadline; the bill is currently in committee. Primary source →
- What is the current status of S4457?
- As of the last published update, S4457 is at the "committee" stage, with bill status "In Assembly Committee". Primary source →
- Where can I find the primary source for S4457?
- The primary source for the most recent update is at https://legislation.nysenate.gov/bills/2023/S4457. AIGI publishes the full citation chain plus every approved brief on this bill. Primary source →
Related
Stay informed