|
| | 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB2259 Introduced 2/14/2023, by Rep. Dan Ugaste SYNOPSIS AS INTRODUCED:
|
| 740 ILCS 14/10 | | 740 ILCS 14/15 | |
|
Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.
|
| |
| | A BILL FOR |
|
|
| | HB2259 | | LRB103 30733 LNS 57209 b |
|
|
| 1 | | AN ACT concerning civil law.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Biometric Information Privacy Act is |
| 5 | | amended by changing Sections 10 and 15 as follows:
|
| 6 | | (740 ILCS 14/10)
|
| 7 | | Sec. 10. Definitions. In this Act: |
| 8 | | "Biometric identifier" means a retina or iris scan, |
| 9 | | fingerprint, voiceprint, or scan of hand or face geometry. |
| 10 | | Biometric identifiers do not include writing samples, written |
| 11 | | signatures, photographs, human biological samples used for |
| 12 | | valid scientific testing or screening, demographic data, |
| 13 | | tattoo descriptions, or physical descriptions such as height, |
| 14 | | weight, hair color, or eye color. Biometric identifiers do not |
| 15 | | include donated organs, tissues, or parts as defined in the |
| 16 | | Illinois Anatomical Gift Act or blood or serum stored on |
| 17 | | behalf of recipients or potential recipients of living or |
| 18 | | cadaveric transplants and obtained or stored by a federally |
| 19 | | designated organ procurement agency. Biometric identifiers do |
| 20 | | not include biological materials regulated under the Genetic |
| 21 | | Information Privacy Act. Biometric identifiers do not include |
| 22 | | information captured from a patient in a health care setting |
| 23 | | or information collected, used, or stored for health care |
|
| | HB2259 | - 2 - | LRB103 30733 LNS 57209 b |
|
|
| 1 | | treatment, payment, or operations under the federal Health |
| 2 | | Insurance Portability and Accountability Act of 1996. |
| 3 | | Biometric identifiers do not include an X-ray, roentgen |
| 4 | | process, computed tomography, MRI, PET scan, mammography, or |
| 5 | | other image or film of the human anatomy used to diagnose, |
| 6 | | prognose, or treat an illness or other medical condition or to |
| 7 | | further validate scientific testing or screening. |
| 8 | | "Biometric information" means any information, regardless |
| 9 | | of how it is captured, converted, stored, or shared, based on |
| 10 | | an individual's biometric identifier used to identify an |
| 11 | | individual. Biometric information does not include information |
| 12 | | derived from items or procedures excluded under the definition |
| 13 | | of biometric identifiers. |
| 14 | | "Confidential and sensitive information" means personal |
| 15 | | information that can be used to uniquely identify an |
| 16 | | individual or an individual's account or property. Examples of |
| 17 | | confidential and sensitive information include, but are not |
| 18 | | limited to, a genetic marker, genetic testing information, a |
| 19 | | unique identifier number to locate an account or property, an |
| 20 | | account number, a PIN number, a pass code, a driver's license |
| 21 | | number, or a social security number. |
| 22 | | "Private entity" means any individual, partnership, |
| 23 | | corporation, limited liability company, association, or other |
| 24 | | group, however organized.
A private entity does not include a |
| 25 | | State or local government agency. A private entity does not |
| 26 | | include any court of Illinois, a clerk of the court, or a judge |
|
| | HB2259 | - 3 - | LRB103 30733 LNS 57209 b |
|
|
| 1 | | or justice thereof. |
| 2 | | "Security purpose" means the purpose of preventing or |
| 3 | | investigating retail theft, fraud, or any other |
| 4 | | misappropriation or theft of a thing of value, including |
| 5 | | protecting property from trespass, controlling access to |
| 6 | | property, protecting any person from harm including stalking, |
| 7 | | violence, or harassment, and assisting a law enforcement |
| 8 | | investigation. |
| 9 | | "Written release" means informed written consent or, in |
| 10 | | the context of employment, a release executed by an employee |
| 11 | | as a condition of employment.
|
| 12 | | (Source: P.A. 95-994, eff. 10-3-08.)
|
| 13 | | (740 ILCS 14/15)
|
| 14 | | Sec. 15. Retention; collection; disclosure; destruction. |
| 15 | | (a) A private entity in possession of biometric |
| 16 | | identifiers or biometric information must develop a written |
| 17 | | policy, made available to the public, establishing a retention |
| 18 | | schedule and guidelines for permanently destroying biometric |
| 19 | | identifiers and biometric information when the initial purpose |
| 20 | | for collecting or obtaining such identifiers or information |
| 21 | | has been satisfied or within 3 years of the individual's last |
| 22 | | interaction with the private entity, whichever occurs first. |
| 23 | | Absent a valid warrant or subpoena issued by a court of |
| 24 | | competent jurisdiction, a private entity in possession of |
| 25 | | biometric identifiers or biometric information must comply |
|
| | HB2259 | - 4 - | LRB103 30733 LNS 57209 b |
|
|
| 1 | | with its established retention schedule and destruction |
| 2 | | guidelines. |
| 3 | | (b) No private entity may collect, capture, purchase, |
| 4 | | receive through trade, or otherwise obtain a person's or a |
| 5 | | customer's biometric identifier or biometric information, |
| 6 | | unless it first: |
| 7 | | (1) informs the subject or the subject's legally |
| 8 | | authorized representative in writing that a biometric |
| 9 | | identifier or biometric information is being collected or |
| 10 | | stored; |
| 11 | | (2) informs the subject or the subject's legally |
| 12 | | authorized representative in writing of the specific |
| 13 | | purpose and length of term for which a biometric |
| 14 | | identifier or biometric information is being collected, |
| 15 | | stored, and used; and |
| 16 | | (3) receives a written release executed by the subject |
| 17 | | of the biometric identifier or biometric information or |
| 18 | | the subject's legally authorized representative.
|
| 19 | | (b-5) A private entity may collect, capture, or otherwise |
| 20 | | obtain a person's or customer's biometric identifier or |
| 21 | | biometric information without satisfying the requirements of |
| 22 | | subsection (b) if: |
| 23 | | (1) the private entity collects, captures, or |
| 24 | | otherwise obtains a person's or customer's biometric |
| 25 | | identifier or biometric information for a security |
| 26 | | purpose; |
|
| | HB2259 | - 5 - | LRB103 30733 LNS 57209 b |
|
|
| 1 | | (2) the private entity uses the biometric identifier |
| 2 | | or biometric information only for a security purpose; |
| 3 | | (3) the private entity retains the biometric |
| 4 | | identifier or biometric information no longer than is |
| 5 | | reasonably necessary to satisfy a security purpose; and |
| 6 | | (4) the private entity documents a process and time |
| 7 | | frame to delete any biometric identifier or biometric |
| 8 | | information used for the purposes identified in this |
| 9 | | subsection. |
| 10 | | (c) No private entity in possession of a biometric |
| 11 | | identifier or biometric information may sell, lease, trade, or |
| 12 | | otherwise profit from a person's or a customer's biometric |
| 13 | | identifier or biometric information. |
| 14 | | (d) No private entity in possession of a biometric |
| 15 | | identifier or biometric information may disclose, redisclose, |
| 16 | | or otherwise disseminate a person's or a customer's biometric |
| 17 | | identifier or biometric information
unless: |
| 18 | | (1) the subject of the biometric identifier or
|
| 19 | | biometric information or the subject's legally authorized
|
| 20 | | representative consents to the disclosure or redisclosure; |
| 21 | | (2) the disclosure or redisclosure completes a |
| 22 | | financial transaction requested or authorized by the |
| 23 | | subject of the biometric identifier or the biometric |
| 24 | | information or the subject's legally authorized |
| 25 | | representative; |
| 26 | | (3) the disclosure or redisclosure is required by |
|
| | HB2259 | - 6 - | LRB103 30733 LNS 57209 b |
|
|
| 1 | | State or federal law or municipal ordinance; or |
| 2 | | (4) the disclosure is required pursuant to a valid |
| 3 | | warrant or subpoena issued by a court of competent |
| 4 | | jurisdiction.
|
| 5 | | (e) A private entity in possession of a biometric |
| 6 | | identifier or biometric information shall: |
| 7 | | (1) store, transmit, and protect from disclosure all |
| 8 | | biometric identifiers and biometric information using the |
| 9 | | reasonable standard of care within the private entity's |
| 10 | | industry; and
|
| 11 | | (2) store, transmit, and protect from disclosure all |
| 12 | | biometric identifiers and biometric information in a |
| 13 | | manner that is the same as or more protective than the |
| 14 | | manner in which the private entity stores, transmits, and |
| 15 | | protects other confidential and sensitive information.
|
| 16 | | (Source: P.A. 95-994, eff. 10-3-08.)
|