A Model for Consumer-Facing Rules
Syracuse's Common Council voted 8-0 on May 18, 2026 to ban businesses open to the public — retailers, gyms, event venues — from collecting facial, fingerprint, iris/retina, voice, or gait biometric data through surveillance systems, carving out banks for robbery-prevention reasons. Enforcement runs through private civil suits rather than a regulator: anyone illegally scanned can sue for at least $1,000 per incident. Syracuse becomes the second New York municipality after Erie County to pass such a ban, and its council voted unanimously to ask Albany to adopt one statewide law rather than leave a "patchwork" of local ordinances — a push that followed Wegmans' January disclosure that it was collecting biometric data at some New York City stores.
The strongest case for a rule like this is straightforward: biometric identifiers are the one credential a person can never reissue. Councilor Corey Williams put it plainly — lose a credit card, get a new one; lose your faceprint, and it's compromised for life. A civil-suit model, instead of a criminal ban or a slow-moving new regulator, also lets a single city move without waiting for a state privacy authority to act. That's a defensible, proportionate design for a narrow, bounded problem: unregulated retail-sector biometric collection.
India's Larger, Unaddressed Version of the Same Problem
India's live biometric-surveillance debate isn't about supermarkets scanning shoppers — it's about the state's own deployment of facial recognition at police and national-security scale, with less legal scaffolding than New York's uncoordinated municipal patchwork.
The National Crime Records Bureau's Automated Facial Recognition System (AFRS), approved by the Home Ministry in 2020, is meant to build a searchable national database matching CCTV and crime-scene images against government photo records, at an estimated cost of ₹308 crore. A case-study review by the digital-rights research group Panoptic finds "no anchoring legislation which allows for and regulates the use of AFRS," no independent body imposing procedural safeguards on the underlying tender, and a revised requirements document that swapped a defined list of source databases for open-ended "dynamic police databases" — a textbook description of function creep.
Panoptic's review also flags a narrower proportionality problem: the AFRS tender was revised to drop a requirement for CCTV integration, yet it still lists "scene of crime" images as a data source — a category that can capture anyone present near a crime, not just identified suspects. Treating bystanders as searchable biometric subjects by default is exactly the kind of over-broad collection the Supreme Court's proportionality test was designed to catch — if a case testing AFRS directly had ever reached the Court, which it has not.
That gap matters because India's Supreme Court has already told the state what a lawful biometric program looks like. In its September 2018 Aadhaar verdict, the Court upheld the government's biometric identity scheme only after subjecting it to a proportionality test: restrictions on privacy must be backed by law, serve a legitimate aim, and go no further than necessary. AFRS, deployed by executive tender rather than statute, has never been tested against that standard — because there is no statute to test it against.
Parliament has had a fix sitting on the table since 2023: the Facial Recognition Technology (Regulation of Police Powers) Bill would require magistrate authorization before police could deploy FRT, and would bind its use to defined investigation categories. It's a private member's bill, and it has gone nowhere. Meanwhile, the Digital Personal Data Protection Act, 2023 — India's first general privacy statute — classifies facial and biometric data as sensitive personal data, but its Section 17 lets the central government exempt any agency from most of the Act's obligations for "security of the state" or "prevention of offences," with no independent authorization requirement comparable to the UK's Investigatory Powers Act judicial-warrant model. PRS Legislative Research flags this as the law's central unresolved tension: broad government carve-outs sitting beside consent rules that bind private companies tightly.
The Right Comparison Isn't Ban vs. No Ban
Syracuse's law and India's gap aren't the same instrument aimed at different scales — they're answers to different failure modes. Syracuse solved a private-sector transparency problem with a narrow ban plus a private right of action, an appropriately light-touch tool for a bounded harm. India's problem runs the other way: a state surveillance system operating in a legal vacuum, where even the Supreme Court's own proportionality doctrine has no statute to attach to.
The pro-innovation answer isn't to import Syracuse's blanket ban, which would needlessly foreclose legitimate uses — AFRS traces its origin to a 2018 Delhi Police pilot that used facial matching to help locate thousands of missing children, and that kind of application remains a real public good. The answer is to pass what is already drafted: bind police use of FRT to the pending bill's magistrate-authorization model, close the DPDPA's undefined national-security carve-out with the proportionality test the Supreme Court has already articulated, and give AFRS the "anchoring legislation" Panoptic says it still lacks. A biometric database that can identify any citizen from a CCTV frame is either constrained by law or it constrains everyone else. India has spent six years building the former without writing the latter.