New York’s Biometric Ban:

Why New York's Biometric Ban Matters for School IT Directors

New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law marks a major shift in educational technology privacy. For K-12 IT directors, understanding this law is critical.

Key Takeaways:

• Facial recognition is permanently banned in all New York schools.
• Other biometrics (fingerprint, voice) require local review and parental input.
• Fingerprinting for employee background checks is still permitted.
• Schools must inventory all tech and remove non-compliant systems.
• Secure data destruction is required for all collected biometric information.

The law's journey began in 2020 after the Lockport City School District's controversial purchase of a facial recognition system sparked outrage from parents and civil liberties groups over privacy and discrimination concerns.

In response, New York enacted State Technology Law Section 106-b in 2021, placing a moratorium on biometric technology in schools pending a state review. In September 2023, Commissioner Betty A. Rosa issued a final determination: a permanent ban on facial recognition, with a structured approval process for other biometric tools.

The law's broad definition of "biometric identifying technology" impacts many common school systems, including lunch payment, attendance tracking, and device authentication. For IT directors, this presents both a compliance challenge and an opportunity to reinforce student data protection.

What is New York's Biometric Technology Law?

New York passed State Technology Law Section 106-b in 2021 in direct response to growing concerns about student privacy and surveillance. The law initially halted all biometric technology use in K-12 schools—public, private, and charter—until a thorough study could be completed by the Office of Information Technology Services (ITS) and the New York State Education Department.

That study concluded on September 27, 2023, when Commissioner Betty A. Rosa delivered her final determination. The decision was unequivocal on one point: facial recognition technology is permanently banned in all New York schools. No exceptions are permitted.

For other types of biometric technology, such as fingerprint scanners or voice recognition, schools can still use them, but only after a careful local review. This process requires schools to assess privacy concerns, consider civil rights impacts, prove the technology's effectiveness, and get meaningful input from parents. The biometrics report that informed this decision provides the framework for this local review process.

The Catalyst: The Lockport City School District Case

Every major law has a backstory, and this one begins with the Lockport City School District. In 2020, the district activated a $2.75 million facial recognition system funded by New York's Smart Schools Bond Act. The use of taxpayer money for a widespread surveillance system drew immediate criticism from parents and civil rights groups like the New York Civil Liberties Union (NYCLU).

Concerns were not just about privacy but also about accuracy. Research showed that facial recognition systems often misidentify students of color and female students, raising serious discrimination issues. The Lockport case highlighted the risks of adopting controversial technology without sufficient community input or risk analysis, prompting state lawmakers to take decisive action.

Defining "Biometric Identifying Technology"

New York's law is challenging for administrators because it defines "biometric identifying technology" very broadly.

This definition covers a wide range of technologies:

• Facial characteristics and geometry
• Fingerprint scanners used for lunch payments or attendance
• Hand geometry readers
• Iris scanners
• Voice recognition systems

The law is comprehensive enough to include less common technologies like DNA sequencing and gait analysis. For school IT directors, the key takeaway is that any technology identifying students by their physical characteristics likely falls under this law and requires careful compliance review.

The Law's Ripple Effect on School Operations

New York's biometric ban has created ripple effects across school districts, impacting everyday operations in unexpected ways. The law's broad definition of biometric identifying technology means administrators must scrutinize systems far beyond security cameras. This comprehensive review underscores why strong Cybersecurity for Educational Institutions is more critical than ever.

What Schools Need to Know About the 2021 K–12 Data Law and Everyday Tech

New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law affects many routine school activities:

• School lunch payments: Fingerprint scanners used in cafeterias now require the mandated local review process.
• Special education services: Assistive technologies using voice or facial analysis must be evaluated under the new law, even if they provide clear benefits.
• Attendance tracking: Systems using fingerprint or palm scanners are subject to the same rigorous review.
• Device authentication: Built-in features like fingerprint readers or facial recognition on school-issued devices fall under the law's scope.
• Temperature screening: Thermal cameras combined with facial recognition for identity verification during the pandemic now raise serious compliance issues.

An important amendment in January 2022 clarified that fingerprinting for employee background checks is exempt, preventing major disruptions to school hiring.

Ambiguities for Technology Providers and Administrators

The law's broad scope creates challenges for vendors and school administrators. A key question is whether devices with built-in but disabled biometric features are compliant. Standard features like iOS Face ID, Windows Hello, and Android face open up are now under scrutiny.

The law's language suggests that even the capability for biometric identification could be problematic. This uncertainty puts pressure on technology providers to offer clear ways to disable these features and clarify their data handling practices.

School administrators must now engage in detailed discussions with vendors about data collection, storage, and destruction policies. This requires a new level of technical and legal expertise, as highlighted in our guidance on AI in the Classroom: Balancing Innovation with Cybersecurity. Schools are ultimately responsible for ensuring their vendor contracts meet the state's strict privacy requirements.

A Compliance Roadmap for New York Schools

Navigating New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law requires a clear compliance plan. The goal is not just to avoid penalties but to genuinely protect student privacy, a core component of K-12 Cybersecurity: Protecting Schools from Evolving Threats.

Here is a simple roadmap:

1. Conduct a Technology Inventory: Identify every piece of technology that could potentially collect, store, or process biometric data. This includes security systems, payment kiosks, and student devices.
2. Engage with Vendors: Ask technology providers specific questions about their data practices. Can biometric features be disabled? How is data stored, accessed, and destroyed?
3. Clarify Ambiguities: When in doubt about a device's compliance, seek explicit guidance from NYSED or legal counsel.
4. Update Policies: Revise student handbooks and acceptable use policies to reflect the ban on facial recognition and the review process for other biometrics.
5. Develop a Discontinuation Plan: For non-compliant technology, create a plan that includes the secure deletion or destruction of any previously collected biometric data.

Reporting Requirements and NYSED Guidance

The state's biometrics report and Commissioner Rosa's determination provide a clear framework. Before implementing any non-facial recognition biometric technology, schools must address four critical areas:

• Privacy implications: How will the technology impact the privacy of students, staff, and visitors?
• Civil rights impact: Could the technology disproportionately affect certain groups or lead to discrimination?
• Effectiveness: Does the technology reliably solve the problem it is intended to address?
• Parental input: Has the school actively sought and incorporated feedback from parents and guardians?

Schools retain local decision-making authority for most biometric tech, but only after thoroughly documenting this review process. A January 2022 amendment fixed a technical error, ensuring schools can continue using fingerprints for employee background checks.

What Schools Need to Know About the 2021 K–12 Data Law and Data Security

Biometric data is uniquely sensitive; unlike a password, it cannot be changed if stolen. This makes robust data security practices, as outlined in our Data Security and Privacy Plan, essential.

Key practices include data minimization (collecting only what's necessary), secure storage and access (strong encryption and access controls), and clear data destruction policies. Vendor agreements must also comply with state laws like Education Law 2-d, which mandates specific data protection provisions. The NIST Cybersecurity Framework offers a valuable model for managing these risks. Schools are ultimately responsible for safeguarding student data, even when it is handled by third-party vendors.

The Core Concerns: Student Privacy, Civil Rights, and Data Security

The push for New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law stemmed from fundamental concerns over student rights. Biometric data is unlike other information schools handle. As detailed in our Sensitive Data Definition and Types guide, it is permanent and unchangeable. A data breach involving biometric information creates lifelong risks for students, including identity theft.

Algorithmic Bias and Student Civil Rights

A primary driver of the ban was the documented accuracy problems and biases in facial recognition technology. Studies show these systems often struggle with inaccuracies and biases, particularly when identifying students of color, girls, and younger children.

For example, research shows facial recognition software misidentifies Black women at alarmingly high rates. In New York, where over half the students are people of color, these error rates pose a significant civil rights threat. The problem often originates from biased training datasets, which can perpetuate and amplify existing societal inequalities.

Beyond misidentification, critics worried about creating a "surveillance environment" that could stifle student expression and trust. The potential for school biometric data to be linked with law enforcement or immigration databases also raised serious concerns. The discrimination these systems can cause is contrary to the mission of creating safe and equitable learning environments.

Comparing New York's Law to Other States

New York's approach—a full ban on facial recognition with local review for other biometrics—is a national leader in protecting student privacy.

• Illinois has the Biometric Information Privacy Act (BIPA), one of the nation's strongest privacy laws, which requires consent before private entities collect biometric data.
• Florida has also passed laws restricting biometric data collection in schools.
• New York City has its own code requiring businesses to disclose the use of biometric technology.

Currently, there is no comprehensive federal law specifically addressing biometrics in schools, leaving a patchwork of state and local regulations. New York's law stands out for its specific focus on the K-12 environment, setting a potential model for other states to follow.

Frequently Asked Questions about NY's K-12 Biometric Law

Here are answers to common questions about New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law.

What specific technology is banned in NY schools?

Facial recognition technology is completely banned for purchase or use in all New York K-12 schools (public, private, and charter). The state determined that the privacy and civil rights risks are too great.

Other biometric technologies like fingerprint scanners or voice identification are not banned outright. However, schools must first conduct a thorough local review that assesses privacy implications, civil rights impact, effectiveness, and incorporates meaningful parental input before they can be used.

Does this law affect how schools conduct background checks on new employees?

No. A January 2022 amendment to the law created a specific exception for this purpose. Schools can continue to use fingerprinting for prospective employee background checks as required by Education Law.

What should our school do with existing technology that has biometric features?

First, conduct a technology inventory to identify all systems with biometric capabilities. For any facial recognition systems, you must discontinue their use immediately and securely destroy all data collected.

For other biometric features (e.g., fingerprint readers on laptops), contact the vendor to see if the feature can be permanently disabled. If so, you must implement and enforce a policy prohibiting its use. If a system cannot be made compliant, it must be replaced, and any associated sensitive data must be securely destroyed. Because biometric data is permanent, its proper destruction is critical to protecting students and staff.

Conclusion: Securing the Future of Education in New York

New York's Biometric Ban: What Schools Need to Know About the 2021 K–12 Data Law is a landmark regulation that redefines the intersection of technology and student privacy. It sends a clear message: facial recognition has no place in schools, and any other use of biometrics must be carefully vetted with community input. This law is a roadmap for building more trustworthy learning environments.

For school administrators, this is an opportunity to build trust with parents and students by demonstrating a commitment to protecting their most sensitive data. This commitment is a cornerstone of a modern cybersecurity strategy. The EdTech landscape is constantly evolving, but as we note in Schools are Prime Targets for Cyber Attacks: The Urgent Need for Stronger Cybersecurity, so are the threats.

Student safety and data protection depend on cybersecurity awareness. Your staff and students are a critical line of defense, but they need the right training to recognize threats like phishing. Building this human firewall requires more than a one-time seminar; it needs ongoing, engaging education.

CyberNut provides specialized cybersecurity training for K-12 institutions, using automated, gamified micro-trainings that are effective and easy to manage. Our approach is custom to the unique challenges schools face.

Ready to strengthen your school's cybersecurity posture? Get a free phishing audit for your school today to identify your vulnerabilities. Then explore our resources to learn more about building a comprehensive cybersecurity culture.