Erie County Becomes First County in New York State to Ban Collection of Biometric Data
May 1, 2026
By: Jessica L. Copeland Courtney Ryan
On April 30, 2026, Erie County enacted a new privacy law, the Biometrics Transparency and Privacy Act (the Act), which significantly restricts how commercial establishments may collect and use biometric data. Concerned about the rapid spread of biometric technologies in commercial settings, particularly in light of the uniquely sensitive nature of this type of data, Erie County is the first county in New York State to impose such a ban. The law shall take effect immediately upon filing with the New York Secretary of State.
Scope of Prohibition
The Act prohibits commercial establishments located in Erie County from collecting, storing, procuring, using, and selling or otherwise monetizing customer biometric identifier information. Biometric identifier information includes a broad range of data, including images or recordings of facial features, iris or retina scans, fingerprints or handprints, voice, genetics, and other characteristic movements or gestures (for example, gait or typing patterns). The law applies to any business operating in a commercial setting within the county, whether for profit or non-profit and regardless of industry.
Importantly, the law does not ban the use of ordinary security cameras where recordings are not analyzed by applications that identify individuals based on physiological or biological characteristics, and the recordings are not shared with third parties. The Act further provides exceptions for financial institutions, government agencies, disclosure pursuant to a valid warrant or subpoena, social media facial detection, and user verification purposes to access one’s own personal or employer-issued device.
Additionally, the law should not impact the collection or use of employee biometric data, even in commercial settings, as the ban is limited to customer biometric identifiers, with “customer” defined as “a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a Commercial Establishment in a Commercial Setting.” For example, many businesses utilize biometric fingerprint time clocks. The use of these and other similar tools which collect or use employee biometric information should remain unchanged by the Act.
Retroactive Impact
Notably, commercial establishments currently in possession of customer biometric information must provide written notice to the Director of the Erie County Department of Public Advocacy Division of Consumer Protection that they are in possession of such information no later than 30 days from the effective date of the Act, and must certify that such data has been permanently deleted or destroyed within 30 days of providing such notice. Notice must also be made available to the public, and clearly and conspicuously posted within the establishment. In addition, such businesses must establish a destruction policy that details the method and timing for permanent deletion or destruction of all previously collected biometric data.
Enforcement and Penalties
The Act provides a 30-day cure period for violating businesses to come into compliance. Beyond the cure period, civil penalties may be imposed - $1,000 per day for ongoing violations and $5,000 per day for failure to destroy biometric data already collected prior to the law’s effective date. The Director of the Erie County Department of Public Advocacy Division of Consumer Protection is granted enforcement power.
Key Takeaways for Businesses
Due to the Act’s broad scope, commercial enterprises of all sizes and in all industries must carefully evaluate their practices to ensure compliance with the Act.
- Review security systems and other technologies to determine whether such tools utilize, collect, store, or process biometric information. If you are uncertain whether a tool uses biometric data, contact the vendor directly and request written clarification.
- Disable or remove technology features that collect or process biometric data within the 30-day cure period.
- Review and update vendor contracts, if applicable, to ensure that all agreements require compliance with the Act and limit potential liability.
- Train staff and continuously monitor compliance, updating internal practices and policies as needed.
- If your business previously collected customer biometric information prior to the Act’s effective date, ensure that such data is destroyed in compliance with the law.
- For businesses that collect or use employee biometric data, such collection and use currently remains unaffected by the Act. However, it is important to continuously monitor updates to the law, as this may change in the future.
Bond, Schoeneck, & King provides a full range of legal services for businesses across all sectors. Our cybersecurity & data privacy team is available to assist with compliance reviews, risk assessments, and development of internal policies tailored to this new law. If you have any questions about this update, please contact Jessica Copeland, Courtney Ryan, or any Bond attorney with whom you work regularly.
