US-New York

What biometric data protections exist in New York?

SHIELD Act effective date: 2023
Breach notice deadline: 10 days
Biometric data classification: Private info
Max civil penalty per violation: $5,000

The Short Answer

New York does not have a comprehensive biometric privacy law like Illinois’ BIPA, but it regulates biometric data through the SHIELD Act and proposed legislation; biometric data is classified as 'private information' requiring reasonable safeguards.

What the Law Says

New York’s primary protection for biometric data comes from the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which amended the state’s data breach and information security laws. Under the SHIELD Act, biometric data — such as fingerprints, voiceprints, and retina scans — is explicitly defined as 'private information' when linked to an individual, triggering legal obligations for data holders.

The SHIELD Act requires any person or business owning or licensing computerized data that includes New York residents’ private information to implement and maintain 'reasonable safeguards' to protect the security, confidentiality, and integrity of that information.

If a breach occurs involving biometric data, businesses must notify affected New York residents without unreasonable delay — and in no case later than 10 days after determining the breach occurred and that private information was accessed or acquired by an unauthorized person.

Failure to comply with the SHIELD Act’s data security requirements can result in civil penalties of up to $5,000 per violation, enforced by the New York Attorney General.

Statutory Text

‘Private information’ means: (i) any information concerning a person’s medical history or diagnosis; (ii) social security number; (iii) driver’s license number or non-driver identification card number; (iv) account number, credit or debit card number, in combination with any required security code, access code, password or other authentication information that would permit access to a person’s financial account; or (v) biometric information, including but not limited to, fingerprints, voice prints, retina or iris images, or other unique physical representations.

N.Y. Gen. Bus. Law § 899-aa(1)(b) — Definitions

Statutory Text

Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information...

N.Y. Gen. Bus. Law § 899-bb(2)(a) — Reasonable Safeguards

What to Do

1. Identify whether your organization collects or stores biometric data (e.g., fingerprint time clocks, facial recognition systems, voice authentication).

2. Implement administrative, technical, and physical safeguards aligned with SHIELD Act guidance — e.g., encryption, access controls, employee training, and written security policies.

3. Maintain documentation of your data security program and update it regularly.

4. If a breach involving biometric data occurs, assess within 24–48 hours whether notification is required and send notices to affected individuals and the NY Attorney General within 10 days.

5. Monitor legislative developments — especially Senate Bill S6924-A (2024), which would impose consent, retention, and disclosure requirements similar to Illinois’ BIPA.

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.