On June 5, 2026, New York State’s first such county-level “ban” on collection, storage, use or sale of biometric information went into effect.1 The law, also known as the Biometrics Transparency and Privacy Act (BTPA), applies to certain businesses in Erie County that process physical, biological or behavioral information.2 Businesses that may be subject to the BTPA, should be prepared to comply with its disclosure and deletion requirements as described in this alert.
While some comprehensive privacy laws, such as the California Consumer Privacy Act and the New York Stop Hacks and Improve Electronic Data Security Act, may govern biometric information, several jurisdictions have enacted standalone biometric laws. These include Illinois’s Biometric Information Privacy Act (BIPA), Texas’s Capture or Use of Biometric Identifier Act (CUBI), Washington’s Biometric Identifiers Law (RCW 19.375), and New York City’s Biometric Identifier Information Law of 2021 (Local Law 3). Given the sensitive nature of biometric information, these laws typically require, in varying combinations, advance notice and/or affirmative consent requirements, restrictions on third-party sharing, and prohibitions on monetization of such information, among other requirements. Violations of these laws may result in significant regulatory fines, reputational damage and class action damages from private litigants.
In many ways, Erie County’s BTPA is more restrictive than other biometric laws as it states, “Commercial Establishments are prohibited from Collecting, storing, procuring, Using, and Selling or otherwise monetizing a Customer’s Biometric Identifier Information in Commercial Settings.”3
The BTPA governs “Biometric Identifier Information” or “Biometric Information,” defined as “data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body regardless of how it is captured, converted, stored, or Shared.”4 These may include “depictions, images, descriptions, or recordings of an individual’s facial features, iris or retina, finger or handprints, voice, genetics, or characteristic movements or gestures (e.g., gait or typing pattern).”5
The BTPA’s definition of biometric information is generally broader than those found in other standalone biometric laws. Unlike Illinois’ BIPA and Texas’ CUBI, which focus on identifiers such as hand and face geometry and do not extend to derived data, the BTPA also encompasses information generated from or derived from biometric characteristics if it can be reasonably used to identify an individual.6 In addition, while Illinois’ BIPA excludes photographs and Washington’s RCW 19.375 excludes physical or digital photographs, videos or audio recordings, the BTPA expressly includes these types of materials within its purview.7
The law applies to any “Commercial Establishment,” defined as any person, firm, partnership, company, organization or other entity operating a place of business, within Erie County that offers goods or services to the public, whether for profit or not-for-profit. However, it excludes government agencies and certain types of institutions, bona fide clubs, private residences and other places that are “distinctly private in nature.”8
BTPA thus applies more broadly than the neighboring New York City’s Local Law 3, which narrowly applies to biometric information processing by places of entertainment, retail stores, or food or drink establishments.9
In addition to exemptions for certain types of establishments, BTPA also exempts certain types of biometric information processing, such as the collection to the extent necessary to comply with federal, state or local laws, user verification to access personal or employer-issued communication and electronic devices, automatic face detection services in social media applications, and other circumstances.10
Any Commercial Establishment that already possesses customer Biometric Information must, among other things:11
(a) Provide written notice within 30 days from the effective date to the Director of the Erie County Department of Public Advocacy Division of Consumer Protection (“Director”) with information regarding Biometric Identifier Information in its possession and its plan for permanent destruction of such information. The notice must be made publicly available, including through conspicuous in store posting and website publication, and may be submitted via the County’s webform or written submission process.
(b) Establish a destruction policy that meets the minimum requirements set forth in the law.
(c) Protect and prevent transmission of such information to third parties.
(d) Submit an affidavit to the Director certifying permanent deletion of such information within 30 days of providing the above-referenced notice, with destruction rendering the information irrecoverable.
The Director may issue notices of noncompliance, after which the commercial establishment is provided with a cure period of 30 days to take corrective action.12 Failure to comply after the cure period may result in a civil penalty of $1,000 per day, with such penalties accruing only after the expiration of the cure period. Violations of the law’s pre-effective date obligations (i.e., failures to provide required notice or delete biometric information already in a business’ possession) may be subject to a higher penalty of $5,000 per day. Meanwhile, other standalone biometric laws impose penalties per violation, not per day, in amounts between $1,000 and $25,000. Illinois’ BIPA and New York City’s Local Law 3 ($1,000-$5,000 and $500-$5,000 per violation, respectively) reflect this framework.13
The Director may also refer violations to the Erie County Attorney or the New York State Attorney General’s Office, which may commence court proceedings to recover monetary penalties or seek other relief to enforce the law. Crucially, unlike Illinois’ BIPA, which affirmatively grants an aggrieved person a private right of action, the BTPA expressly preserves a customer’s right to commence a separate civil action for damages, injunctive relief and other appropriate relief in law or equity against a commercial establishment that violates the BTPA’s provisions.
Given the pre-effective date obligations, organizations should not delay in determining whether the law applies to them and what, if anything, they must do to comply.
Phillips Lytle Summer Associate Pilar Julia Pascual contributed significantly to the research and drafting of this client alert.
Additional Assistance
For more information, please contact a member of our Data Privacy and Cybersecurity Industry Team or the Phillips Lytle attorney with whom you have a relationship.
Receive firm communications, legal news and industry alerts delivered to your inbox.
Subscribe Now