Businesses that use biometric data are in the crosshairs of local Erie County government. On Tuesday, May 26, Erie County Executive Mark C. Poloncarz signed the Biometric Transparency and Privacy Act (BTPA) into law. The BTPA bars any commercial establishment from collecting and retaining biometric data.
Biometric Data
The federal government defines biometric as “the automated recognition of individuals based on their biological and behavioral characteristics from which distinguishing, repeatable biometric features can be extracted for the purpose of biometric recognition.”
Put more simply, biometric data includes things like fingerprints, voiceprints, iris scans, and facial recognition systems. The idea from businesses who use it is it’s a digital identity verification process. For example, how Apple has Face ID to login to your iPhone.
What the New Local Law Says
The Erie County Biometrics Transparency and Privacy Act makes it illegal for commercial establishments to collect, store, or sell customer biometric data, including facial recognition, fingerprints, voice recognition, and iris (eye) scans and gestures. Unlike some other States that have legislation, it appears as though Erie County’s law has a zero-tolerance policy.
In a press release, the County Executive’s office stated:
Any establishment that already collects and stores any type of biometric data must disclose that to Erie County’s Division of Consumer Protection and explain how they plan to permanently erase/delete/destroy all biometric information, afterwards an affidavit must be issued within 30 days stating that all biometric data was permanently deleted or destroyed.
States such as Illinois, Colorado, Texas, and Washington have similar legislation. However, the big difference is that each of those States allows for businesses to have – and store – biometric data with consumer consent.
As of now, Erie County’s makes no mention of consent. It appears, then, the law is zero-tolerance.
New York attempted to join those other States last year with a similar proposed law, but it didn’t make it through the Legislature.
How the BTPA Works
The County Executive defined the companies the law applies to as “all businesses and organizations that provide goods and services to the public and [it] applies to both for-profit and nonprofit entities.” This means that governments and their agencies, including public schools and police departments, are exempt.
In terms of location, it appears as though their jurisdiction is limited to for-profit and non-profit companies located in Erie County, because that’s the reach of county government.
How To Comply with the BTPA
Companies, including non-profits, that violate the BTPA will be notified of any violations and given 30 days to take corrective action. If the company fails to correct its wrongdoing, it may be hit with penalties of $1,000 per day.
Likewise, if a company fails to destroy biometric data it already possesses, it may be fined up to $5,000 per day.
To comply with the BTPA, companies in possession of biometric information have 30 days from the effective date of the BTPA, which was Tuesday, May 26, 2026, to provide written notice to the Director of the Erie County Division of Consumer Protection. They can do so here. They also then must file an affidavit with the Erie County Director of Consumer Protection certifying the permanent deletion or destruction of all biometric information in their possession. They can do so here.
Companies are well-advised to work with legal counsel before making disclosures and filings
Why Erie County Enacted the BTPA
“This law creates a safer community for all by protecting a person’s most basic and unique features: their face and biometric data,” said County Executive Poloncarz. “I again thank County Legislator Lawrence Dupre for sponsoring the bill and also thank the members of the Democratic Caucus who voted in favor of the legislation.”
Republican lawmakers opposed the BTPA in favor of something less burdensome. They called it “the largest county mandate imposed on businesses since the COVID-19 pandemic.”
While it’s unclear how aggressively the BTPA will be enforced, the County appears steadfast in its goal of protecting local consumers from businesses owning and sharing their data.
“This started with a simple question: does a store have the right to scan your face, keep it in a database and sell it for profit” said Erie County Legislator Lawrence Dupre. “The answer today in Erie County is that no one can take your biometrics without permission, and no one can sell them. Your body is not a data point for a corporation to collect and sell. A sign on the door was never enough protection. You can reset a password. You can cancel a credit card. You cannot reset your face. As of today, in Erie County, no corporation can own a piece of you. That is the law.”
Practice Pointers
If your business or non-profit serves the public in Erie County, don’t assume this law doesn’t apply to you.
It might.
Start by asking a simple question: are we collecting, using, storing, or benefiting from biometric data in any way? That means more than facial recognition. It may include fingerprints, voice recognition, eye scans, gesture recognition, security systems, customer-identification tools, visitor-management systems, or vendor software that collects biometric information in the background.
Next, check your vendors.
Many organizations don’t collect biometric data directly. But their vendors might. That includes security companies, timekeeping vendors, point-of-sale systems, membership platforms, access-control systems, and surveillance providers. Ask the question directly: does this system collect, process, store, compare, or retain biometric information?
Get the answer in writing.
Also, don’t assume consent solves the problem. Erie County’s law doesn’t appear to work like some other biometric privacy laws. At least for now, this looks more like a prohibition – what we called zero-tolerance above – than a notice-and-consent law.
If your organization already has biometric data, don’t ignore it. The law requires notice to the Erie County Division of Consumer Protection and certification that the biometric information has been permanently deleted or destroyed. That’s not something to handle casually. You’ll want to preserve proof of compliance without continuing to keep the data the law says must be destroyed.
Finally, train the people who need to know.
This isn’t just an IT issue. HR, front desk staff, security, facilities, membership teams, managers, and anyone dealing with the public should know that biometric data now creates legal risk in Erie County. The bottom line is simple: if you’re using biometric technology in Erie County, stop and get advice before you keep going.
This law is new. Enforcement may evolve. But the risk is real, and the penalties are meaningful.
Call us with questions and to help you navigate this new duty.
We’re here to help.
