New York City skyline and buildings viewed from above

TL;DR:

  • The bill: New York Senate Bill S1422 establishes a Biometric Privacy Act modeled on Illinois’s BIPA. It cleared the Senate Consumer Protection Committee and was recommitted to the Internet and Technology Committee on May 12, 2026. [1][2]
  • What it does: Requires written informed consent before collecting biometric data, bans the sale of biometric identifiers, mandates retention and destruction policies, and (critically) creates a private right of action with $1,000 per negligent violation and $5,000 per intentional violation, plus attorney fees. [1][3]
  • Why it matters: Illinois BIPA generated over $2 billion in settlements from companies like Meta ($650M), TikTok ($92M), and Google ($100M). New York has 20 million residents, more Fortune 500 headquarters than any other state, and vastly more biometric data collection. The litigation exposure would be enormous. [4]
  • Running in parallel: The Facial Recognition Technology Study Act (S3699) already passed the full Senate and awaits Assembly action. If both pass, New York gets a study commission AND an enforcement mechanism. [5]
  • The clock: The legislative session has a key deadline approaching. S1422 needs to clear the Internet and Technology Committee and reach the Senate floor before the session ends. [2]

What the Bill Actually Requires

S1422 would create Article 32-A of New York’s General Business Law. Here’s what it mandates for any private entity that collects biometric data:

  • Written consent: Companies must obtain written, informed consent before collecting any biometric identifier. Not buried-in-a-terms-of-service consent. Not implied consent. Written and informed. [1][3]
  • No selling biometric data: An absolute ban on selling, leasing, trading, or sharing biometric identifiers for profit. [3]
  • Retention limits: Companies must publish a written policy for how long they keep biometric data and must destroy it when the initial purpose is satisfied or within three years of the person’s last interaction, whichever comes first. [1][3]
  • Security standards: Biometric data must be protected using industry-standard security measures. [3]

The biometric identifiers covered: fingerprints, voiceprints, retina and iris scans, hand geometry, palm geometry, face geometry scans, and gait patterns. [3]

That last one, gait patterns, matters. Surveillance systems that identify people by how they walk are being deployed in airports and shopping centers. S1422 would cover them.

The Private Right of Action Is the Whole Game

Plenty of states have biometric privacy laws. Most of them are enforced exclusively by the attorney general. That means enforcement depends on one office’s priorities, resources, and political appetite.

S1422 copies BIPA’s most powerful feature: any individual can sue. The damages structure: [3]

  • Negligent violation: $1,000 in liquidated damages or actual damages, whichever is greater
  • Intentional or reckless violation: $5,000 in liquidated damages or actual damages, whichever is greater
  • Attorney fees: The losing company pays the plaintiff’s legal costs

That attorney-fee provision is what makes class actions viable. Lawyers take the cases because they know they’ll be compensated if they win. In Illinois, that mechanism produced a tidal wave of litigation: over 1,500 BIPA lawsuits since 2019. [4]

Now imagine that same mechanism in New York. More people. More companies. More biometric collection points. More lawyers.

What Illinois Produced, and What New York Could

Illinois BIPA was signed in 2008. It sat mostly unused until 2015, when the first major class actions were filed. Then it exploded. [4]

The numbers so far:

  • Meta/Facebook: $650 million (2020) for Tag Suggestions facial recognition, plus $1.4 billion to Texas under state law
  • TikTok/ByteDance: $92 million (2021)
  • Google: $100 million (2022) for Google Photos face grouping
  • Clearview AI: $51 million (pending)
  • Total BIPA litigation: Over 1,500 lawsuits since 2019, with billions in combined settlements [4]

Illinois has about 12.5 million residents. New York has 20 million. Illinois has 36 Fortune 500 companies. New York has 54. [6]

Every major tech company operates in New York. Every major retailer has stores there. Every major employer has offices there. The number of entities collecting biometric data from New Yorkers (through time clocks, security cameras, payment systems, building access, customer analytics) is staggering.

A BIPA-style law in New York wouldn’t just replicate Illinois’s litigation wave. It would amplify it.

What New York Already Has (and Why It’s Not Enough)

New York isn’t starting from zero. It has a patchwork of biometric protections that, collectively, leave enormous gaps:

  • SHIELD Act: Requires breach notification within 30 days and “reasonable” security measures. But enforcement is AG-only: no private right of action. [3]
  • NYC Local Law 3 (2021): Requires commercial establishments to post signs when collecting biometric data and bans selling it. Has a private right of action ($500 per negligent violation, $5,000 per intentional) but only applies to commercial establishments in New York City. [3]
  • Labor Law Section 201-a: Limits employer fingerprinting but doesn’t cover facial recognition or other biometrics. [3]

The gap: NYC Local Law 3 only covers commercial establishments in the city. A facial recognition system at a Buffalo grocery store? Not covered. A voiceprint collected by a call center in Syracuse? Not covered. A gait-recognition system at a Long Island mall? Not covered.

S1422 would extend biometric privacy protections statewide, to all private entities, with real enforcement teeth.

The Study Commission Running Alongside

While S1422 works through committee, a companion measure has already passed the full Senate.

The Facial Recognition Technology Study Act (S3699), sponsored by Senator James Sanders Jr., creates a task force to study how facial recognition is deployed across New York and recommend regulatory frameworks. Members would be appointed by the governor, Senate president, Assembly speaker, and the Office of Information Technology Services. They’d have one year to produce findings and recommendations. [5]

S3699 now awaits Assembly action. It doesn’t ban anything, restrict anything, or create any new rights. It’s a study commission.

But if S3699 and S1422 both pass, New York gets a rare combination: a study commission mapping the problem AND an enforcement law with teeth to address it. Most states get one or the other. Usually just the study.

What Companies Are Doing

The business community is watching S1422 closely. Illinois BIPA taught them what a private right of action means for their bottom line.

After Illinois passed BIPA, companies responded in predictable ways:

  • Meta disabled Tag Suggestions in Illinois (but kept it everywhere else)
  • Google restricted Google Photos face grouping in Illinois (but kept it everywhere else)
  • Clearview AI stopped selling to private companies (but kept selling to law enforcement)

If New York passes S1422, companies can’t just carve out one more state. At some point, the compliance cost of maintaining different biometric practices in different states exceeds the cost of just getting consent everywhere. BIPA forced that calculation in Illinois. A New York equivalent would accelerate it nationally.

The 2024 BIPA amendment (which limited damages to one claim per biometric collection method rather than per-scan) has already reduced filing volumes from 300+ class actions per year to roughly 150 in 2025. [4] Companies will lobby hard for similar language in S1422. Whether New York’s legislature weakens the bill before passage is the key question.

What Happens Next

S1422 is in the Senate Internet and Technology Committee. From there, it needs to:

  1. Clear the Internet and Technology Committee
  2. Pass the full Senate
  3. Pass the Assembly (where a companion bill, A6031, has been introduced)
  4. Be signed by the governor

Each step is a kill zone. The bill could be amended into irrelevance, stuck in committee indefinitely, or passed in one chamber and ignored by the other. We’ve seen how easily privacy bills die.

But S1422 has momentum that similar bills in previous sessions lacked. The nationwide wave of biometric privacy litigation, from Disney’s facial recognition lawsuits to the Texas AG’s investigation into Meta glasses, is creating pressure on legislators who don’t want their state left behind.

What You Can Do

  • If you’re in New York: Contact your state senator and Assembly member. Tell them to support S1422 without weakening the private right of action. The bill number is S1422 in the Senate, A6031 in the Assembly
  • If you’re in NYC: Local Law 3 already gives you rights. If a store or restaurant is collecting your biometric data without posting a sign, you can sue for $500-$5,000 per violation
  • If you’re an employer: Start auditing your biometric data practices now. If you use fingerprint time clocks, facial recognition access systems, or voiceprint authentication, S1422 would require written consent and published retention policies
  • Track the bill: S1422 on the NY Senate website shows real-time committee status
  • If your state has no biometric privacy law: Use S1422 as a model. The ACLU, EPIC, and EFF can help connect you with advocacy organizations in your state

Sources

  1. FastDemocracy: New York S 1422 Bill Tracking (2025-2026 Session)
  2. NY State Senate: S1422: Establishes the Biometric Privacy Act
  3. RecordingLaw: New York Biometric Privacy Laws: Collection, Consent & Penalties (2026)
  4. Epstein Becker Green: Biometric Backlash: The Rising Wave of Litigation Under BIPA and Beyond
  5. NY State Senate: Passage of Facial Recognition Technology Study Act
  6. Fortune 500 Company Rankings