New York moved aggressively on two privacy fronts this week. The Senate passed S 1422, the Biometric Identifier Privacy Act — requiring opt-in consent before businesses can collect facial geometry, fingerprints, retina scans, or other biometric identifiers. Separately, the Assembly passed the AI Training Data Transparency Act, which would require companies to disclose what categories of personal data were used to train their AI systems.
Neither bill is law yet. Both need to pass the other chamber and be signed by the governor. But their simultaneous passage signals growing momentum in Albany for privacy protections that would make New York the country’s most aggressive state on biometric and AI data rights.
The Biometric Identifier Privacy Act (S 1422)
Illinois has had the Biometric Information Privacy Act — BIPA — since 2008, and it has generated over a billion dollars in settlements against companies including Facebook, Google, Snapchat, TikTok, and White Castle. The core of BIPA is simple: before you collect someone’s biometric data, you need their written consent. If you don’t get it, consumers can sue — and the statutory damages are significant enough to make the litigation viable.
New York’s S 1422 follows the BIPA model with some modifications for the current landscape.
What qualifies as biometric data. The bill covers facial geometry, fingerprints, palm prints, iris and retina scans, voiceprints, and any other unique physical or behavioral identifier. This is broader than some state laws, and importantly, it includes the underlying data generated by facial recognition systems — not just the captured image, but the geometric map derived from it.
Opt-in is the standard. Unlike weaker privacy frameworks that allow collection unless a consumer opts out, S 1422 requires affirmative opt-in consent before collection begins. You have to actively agree, not merely fail to disagree.
Private right of action. Consumers can sue. This is the provision that makes BIPA powerful and that makes industry groups nervous. Without a private right of action, biometric privacy laws depend on underfunded state agencies for enforcement. With it, the plaintiff’s bar becomes a parallel enforcement mechanism.
Damages. The bill establishes statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys’ fees. These numbers are intentionally designed to make class action litigation economically viable.
Why Biometric Data Deserves Special Protection
You can change your password. You cannot change your face.
Biometric identifiers are permanent. Once your facial geometry is mapped and stored in a database that gets breached, sold, or subpoenaed, there is no remediation available. You cannot opt out of having a face. The asymmetry between the collector’s convenience and the consumer’s exposure is stark.
The commercial deployment of facial recognition has accelerated dramatically. Retail stores are using it to identify known shoplifters — and making errors that result in wrongful detentions. Landlords have deployed it in apartment buildings. Employers use it for access control. Police departments run face searches against driver’s license databases and social media photos. In most states, there is no requirement to inform consumers this is happening, let alone to obtain their consent.
New York’s law, if passed, would change that calculus in the largest media market and financial center in the country. Companies that do business in New York — which is to say, most significant companies — would need to audit every biometric touchpoint and establish consent infrastructure.
The AI Training Data Transparency Act
The second bill addresses a different but related problem: the opacity of what personal data trains AI systems.
When you interact with a customer service chatbot, a content recommendation algorithm, a hiring screening tool, or a credit scoring model, you’re interacting with a system that was shaped by data. Whose data? What kind? Was it collected legally? Did the people whose data was used consent to it being used for AI training?
Currently, none of these questions have answers you’re entitled to. The AI Training Data Transparency Act would change that.
Required disclosures. Companies deploying covered AI systems would need to publish information about what categories of personal data were used in training — whether it included location data, health information, financial records, social media activity, biometric data, or other sensitive categories.
Consumer inquiry rights. Individuals could submit requests asking whether their data was used to train a specific AI system. Companies would have defined timelines for responding.
No requirement to delete. The bill does not create an automatic right to have your data removed from AI training sets — a technically complex proposition for data that has been used to shape model weights rather than stored discretely. But it creates the transparency foundation from which deletion rights might later be built.
Covered systems. The transparency requirements apply to AI systems used in consequential contexts: employment, housing, credit, education, and public services. Not every AI product everywhere — but the domains where AI-driven decisions have the highest stakes for individual consumers.
The Connection Between the Two Bills
Read together, S 1422 and the AI Training Data Transparency Act form a coherent privacy architecture for the AI era.
Biometric data is increasingly used to train AI systems — facial recognition models are trained on faces, voice systems on voice prints, emotion recognition systems on behavioral signals. The combination of these two bills would require consent before that biometric data is collected and disclosure when it’s used for AI training purposes.
That’s a genuinely meaningful protection. It doesn’t prevent the use of AI. It doesn’t ban biometric recognition technology. It creates a consent and transparency layer that allows consumers to make informed decisions and regulators to identify violations.
What Still Has to Happen
Both bills need to complete their respective chamber crossings. The Senate-passed biometric bill needs an Assembly vote. The Assembly-passed AI training transparency bill needs a Senate vote. Governor Hochul then has to sign them.
Governor Hochul has been cautious on tech regulation in the past, and significant lobbying pressure from the tech and financial services industries is expected on both bills. The biometric bill in particular draws opposition from retailers and employers who have invested in biometric access and security systems.
The legislative session clock is also a factor. New York’s legislature has a defined schedule, and bills that don’t complete passage before session ends typically need to restart the process in the next session.
The Broader Stakes
If both bills pass, New York becomes the most significant privacy jurisdiction in the United States for AI and biometric regulation — more protective than California, more comprehensive than Illinois on AI, and with enforcement mechanisms designed to work.
For companies, that means New York compliance becomes the de facto national standard for any organization that operates at scale. The cost of building New York-compliant biometric consent and AI disclosure systems is high. The cost of building different systems for different states is higher. Market pressure typically resolves in favor of the most protective standard when that standard comes from a market that can’t be ignored.
For consumers, it means that if you live in or interact with businesses that serve New York, your face — and the data that trained the AI making decisions about you — may finally be covered by meaningful legal protections.
That’s not nothing. It may be the beginning of something significant.
