Illinois General Assembly - Full Text of SB3053
Illinois General Assembly

Previous General Assemblies

Full Text of SB3053  100th General Assembly

SB3053sam002 100TH GENERAL ASSEMBLY

Sen. Bill Cunningham

Filed: 4/6/2018

 

 


 

 


 
10000SB3053sam002LRB100 19520 HEP 38183 a

1
AMENDMENT TO SENATE BILL 3053

2    AMENDMENT NO. ______. Amend Senate Bill 3053 by replacing
3everything after the enacting clause with the following:
 
4    "Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10, 15, 20, and 25 and by adding
6Section 35 as follows:
 
7    (740 ILCS 14/10)
8    Sec. 10. Definitions. In this Act:
9    "Biometric identifier" means a retina or iris scan,
10fingerprint, voiceprint, or scan of hand or face geometry that
11is linked by a private entity to the subject's confidential and
12sensitive information. Biometric identifiers do not include
13physical or digital photographs; video recordings; audio
14recordings; data generated from physical or digital
15photographs, video recordings, or audio recordings; writing
16samples; , written signatures; , photographs, human biological

 

 

10000SB3053sam002- 2 -LRB100 19520 HEP 38183 a

1samples used for valid scientific testing or screening; ,
2demographic data; , tattoo descriptions; , or physical
3descriptions such as height, weight, hair color, or eye color.
4Biometric identifiers do not include donated organs, tissues,
5or parts as defined in the Illinois Anatomical Gift Act or
6blood or serum stored on behalf of recipients or potential
7recipients of living or cadaveric transplants and obtained or
8stored by a federally designated organ procurement agency.
9Biometric identifiers do not include biological materials
10regulated under the Genetic Information Privacy Act. Biometric
11identifiers do not include information captured from a patient
12in a health care setting or information collected, used, or
13stored for health care treatment, payment, or operations under
14the federal Health Insurance Portability and Accountability
15Act of 1996. Biometric identifiers do not include an X-ray,
16roentgen process, computed tomography, MRI, PET scan,
17mammography, or other image or film of the human anatomy used
18to diagnose, prognose, or treat an illness or other medical
19condition or to further validate scientific testing or
20screening.
21    "Biometric information" means any information, regardless
22of how it is captured, converted, stored, or shared, based on
23an individual's biometric identifier that is linked by a
24private entity to the subject's confidential and sensitive
25information used to identify an individual. Biometric
26information does not include information derived from items or

 

 

10000SB3053sam002- 3 -LRB100 19520 HEP 38183 a

1procedures excluded under the definition of biometric
2identifiers.
3    "Confidential and sensitive information" means personal
4information that can be used to uniquely identify an individual
5or an individual's account or property. Examples of
6confidential and sensitive information include, but are not
7limited to, a genetic marker, genetic testing information, a
8unique identifier number to locate an account or property, an
9account number, a PIN number, a pass code, a driver's license
10number, or a social security number.
11    "Private entity" means any individual, partnership,
12corporation, limited liability company, association, or other
13group, however organized. A private entity does not include a
14State or local government agency. A private entity does not
15include any court of Illinois, a clerk of the court, or a judge
16or justice thereof.
17    "Written release" means informed written consent or, in the
18context of employment, a release executed by an employee as a
19condition of employment.
20(Source: P.A. 95-994, eff. 10-3-08.)
 
21    (740 ILCS 14/15)
22    Sec. 15. Retention; collection; disclosure; destruction.
23    (a) A private entity in possession of biometric identifiers
24or biometric information for more than 24 hours must develop a
25written policy, made available to the public, establishing a

 

 

10000SB3053sam002- 4 -LRB100 19520 HEP 38183 a

1retention schedule and guidelines for permanently destroying
2biometric identifiers and biometric information when the
3initial purpose for collecting or obtaining such identifiers or
4information has been satisfied or within 3 years of the
5individual's last interaction with the private entity,
6whichever occurs first. Absent a valid warrant or subpoena
7issued by a court of competent jurisdiction, a private entity
8in possession of biometric identifiers or biometric
9information must comply with its established retention
10schedule and destruction guidelines.
11    (b) No private entity may collect, capture, purchase,
12receive through trade, or otherwise obtain a person's or a
13customer's biometric identifier or biometric information and
14retain it for more than 24 hours, unless it first:
15        (1) informs the subject or the subject's legally
16    authorized representative in writing that a biometric
17    identifier or biometric information is being collected or
18    stored;
19        (2) informs the subject or the subject's legally
20    authorized representative in writing of the specific
21    purpose and length of term for which a biometric identifier
22    or biometric information is being collected, stored, and
23    used; and
24        (3) receives a written release executed by the subject
25    of the biometric identifier or biometric information or the
26    subject's legally authorized representative.

 

 

10000SB3053sam002- 5 -LRB100 19520 HEP 38183 a

1    (c) No private entity in possession of a biometric
2identifier or biometric information may sell, lease, trade, or
3otherwise exchange for financial consideration profit from a
4person's or a customer's biometric identifier or biometric
5information.
6    (d) No private entity in possession of a biometric
7identifier or biometric information may disclose, redisclose,
8or otherwise disseminate a person's or a customer's biometric
9identifier or biometric information unless:
10        (1) the subject of the biometric identifier or
11    biometric information or the subject's legally authorized
12    representative consents to the disclosure or redisclosure;
13        (2) the disclosure or redisclosure completes a
14    financial transaction requested or authorized by the
15    subject of the biometric identifier or the biometric
16    information or the subject's legally authorized
17    representative;
18        (3) the disclosure or redisclosure is required by State
19    or federal law or municipal ordinance; or
20        (4) the disclosure is required pursuant to a valid
21    warrant or subpoena issued by a court of competent
22    jurisdiction.
23    (e) A private entity in possession of a biometric
24identifier or biometric information shall:
25        (1) store, transmit, and protect from disclosure all
26    biometric identifiers and biometric information using the

 

 

10000SB3053sam002- 6 -LRB100 19520 HEP 38183 a

1    reasonable standard of care within the private entity's
2    industry; and
3        (2) store, transmit, and protect from disclosure all
4    biometric identifiers and biometric information in a
5    manner that is the same as or more protective than the
6    manner in which the private entity stores, transmits, and
7    protects other confidential and sensitive information.
8    (f) It is not unlawful under this Act for any user to
9collect, capture, otherwise obtain, or possess a biometric
10identifier or biometric information on a personal device,
11unless the biometric identifier or biometric information is
12used for the purpose of committing a criminal or tortious act.
13It is not unlawful under this Act for a private entity to
14create or make available a device, software, or other
15functionality that collects, captures, otherwise obtains, or
16possesses biometric identifiers or biometric information on a
17personal device. It is not unlawful under this Act for a cloud
18service provider to take any action at the direction of or on
19behalf of a user of the cloud service.
20(Source: P.A. 95-994, eff. 10-3-08.)
 
21    (740 ILCS 14/20)
22    Sec. 20. Right of action. Any person aggrieved by a
23violation of this Act that occurs in this State shall have a
24right of action in a State circuit court or as a supplemental
25claim in federal district court against an offending party. A

 

 

10000SB3053sam002- 7 -LRB100 19520 HEP 38183 a

1prevailing party may recover for each violation:
2        (1) against a private entity that negligently violates
3    a provision of this Act, liquidated damages of $1,000 or
4    actual damages, whichever is greater;
5        (2) against a private entity that intentionally or
6    recklessly violates a provision of this Act, liquidated
7    damages of $5,000 or actual damages, whichever is greater;
8        (3) reasonable attorneys' fees and costs, including
9    expert witness fees and other litigation expenses; and
10        (4) other relief, including an injunction, as the State
11    or federal court may deem appropriate.
12(Source: P.A. 95-994, eff. 10-3-08.)
 
13    (740 ILCS 14/25)
14    Sec. 25. Construction.
15    (a) Nothing in this Act shall be construed to impact the
16admission or discovery of biometric identifiers and biometric
17information in any action of any kind in any court, or before
18any tribunal, board, agency, or person.
19    (b) Nothing in this Act shall be deemed to apply in any
20manner to a private entity that complies construed to conflict
21with the X-Ray Retention Act, the federal Health Insurance
22Portability and Accountability Act of 1996 as amended by the
23Health Information Technology for Economic and Clinical Health
24Act of 2009, the Personal Information Protection Act, and the
25rules promulgated under those Acts either Act.

 

 

10000SB3053sam002- 8 -LRB100 19520 HEP 38183 a

1    (c) Nothing in this Act shall be deemed to apply in any
2manner to a financial institution or an affiliate of a
3financial institution that is subject to Title V of the federal
4Gramm-Leach-Bliley Act of 1999 and the rules promulgated
5thereunder.
6    (d) Nothing in this Act shall be construed to conflict with
7the Private Detective, Private Alarm, Private Security,
8Fingerprint Vendor, and Locksmith Act of 2004 and the rules
9promulgated thereunder.
10    (e) Nothing in this Act shall be construed to apply to a
11contractor, subcontractor, or agent of a State agency or local
12unit of government when working for that State agency or local
13unit of government.
14    (f) Nothing in this Act shall be deemed to apply to a
15private entity collecting, storing, or transmitting biometric
16information if:
17        (1) the biometric information is used exclusively for:
18            (A) employment, human resources, compliance,
19        identification, or authentication purposes;
20            (B) preventing or investigating acts of terrorism,
21        human trafficking, kidnapping, or violence; or
22            (C) safety, security, or fraud prevention
23        purposes;
24        (2) the private entity does not sell, lease, or trade
25    the biometric identifier or biometric information
26    collected; and

 

 

10000SB3053sam002- 9 -LRB100 19520 HEP 38183 a

1        (3) the private entity documents a process and time
2    frame to delete any biometric information used for the
3    purposes identified in paragraph (1).
4(Source: P.A. 95-994, eff. 10-3-08.)
 
5    (740 ILCS 14/35 new)
6    Sec. 35. Department of Labor website. The Illinois
7Department of Labor shall provide on its website information
8for employers regarding the requirements of this Act.".