Public Act 095-0994
AN ACT concerning health.
Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
Section 1. Short title. This Act may be cited as the
Biometric Information Privacy Act.
Section 5. Legislative findings; intent. The General
Assembly finds all of the following:
(a) The use of biometrics is growing in the business and
security screening sectors and appears to promise streamlined
financial transactions and security screenings.
(b) Major national corporations have selected the City of
Chicago and other locations in this State as pilot testing
sites for new applications of biometric-facilitated financial
transactions, including finger-scan technologies at grocery
stores, gas stations, and school cafeterias.
(c) Biometrics are unlike other unique identifiers that are
used to access finances or other sensitive information. For
example, social security numbers, when compromised, can be
changed. Biometrics, however, are biologically unique to the
individual; therefore, once compromised, the individual has no
recourse, is at heightened risk for identity theft, and is
likely to withdraw from biometric-facilitated transactions.
(d) An overwhelming majority of members of the public are
weary of the use of biometrics when such information is tied to
finances and other personal information.
(e) Despite limited State law regulating the collection,
use, safeguarding, and storage of biometrics, many members of
the public are deterred from partaking in biometric
identifier-facilitated transactions.
(f) The full ramifications of biometric technology are not
fully known.
(g) The public welfare, security, and safety will be served
by regulating the collection, use, safeguarding, handling,
storage, retention, and destruction of biometric identifiers
and information.
Section 10. Definitions. In this Act:
"Biometric identifier" means a retina or iris scan,
fingerprint, voiceprint, or scan of hand or face geometry.
Biometric identifiers do not include writing samples, written
signatures, photographs, human biological samples used for
valid scientific testing or screening, demographic data,
tattoo descriptions, or physical descriptions such as height,
weight, hair color, or eye color. Biometric identifiers do not
include donated organs, tissues, or parts as defined in the
Illinois Anatomical Gift Act or blood or serum stored on behalf
of recipients or potential recipients of living or cadaveric
transplants and obtained or stored by a federally designated
organ procurement agency. Biometric identifiers do not include
biological materials regulated under the Genetic Information
Privacy Act. Biometric identifiers do not include information
captured from a patient in a health care setting or information
collected, used, or stored for health care treatment, payment,
or operations under the federal Health Insurance Portability
and Accountability Act of 1996. Biometric identifiers do not
include an X-ray, roentgen process, computed tomography, MRI,
PET scan, mammography, or other image or film of the human
anatomy used to diagnose, prognose, or treat an illness or
other medical condition or to further validate scientific
testing or screening.
"Biometric information" means any information, regardless
of how it is captured, converted, stored, or shared, based on
an individual's biometric identifier used to identify an
individual. Biometric information does not include information
derived from items or procedures excluded under the definition
of biometric identifiers.
"Confidential and sensitive information" means personal
information that can be used to uniquely identify an individual
or an individual's account or property. Examples of
confidential and sensitive information include, but are not
limited to, a genetic marker, genetic testing information, a
unique identifier number to locate an account or property, an
account number, a PIN number, a pass code, a driver's license
number, or a social security number.
"Private entity" means any individual, partnership,
corporation, limited liability company, association, or other
group, however organized. A private entity does not include a
State or local government agency. A private entity does not
include any court of Illinois, a clerk of the court, or a judge
or justice thereof.
"Written release" means informed written consent or, in the
context of employment, a release executed by an employee as a
condition of employment.
Section 15. Retention; collection; disclosure;
destruction.
(a) A private entity in possession of biometric identifiers
or biometric information must develop a written policy, made
available to the public, establishing a retention schedule and
guidelines for permanently destroying biometric identifiers
and biometric information when the initial purpose for
collecting or obtaining such identifiers or information has
been satisfied or within 3 years of the individual's last
interaction with the private entity, whichever occurs first.
Absent a valid warrant or subpoena issued by a court of
competent jurisdiction, a private entity in possession of
biometric identifiers or biometric information must comply
with its established retention schedule and destruction
guidelines.
(b) No private entity may collect, capture, purchase,
receive through trade, or otherwise obtain a person's or a
customer's biometric identifier or biometric information,
unless it first:
(1) informs the subject or the subject's legally
authorized representative in writing that a biometric
identifier or biometric information is being collected or
stored;
(2) informs the subject or the subject's legally
authorized representative in writing of the specific
purpose and length of term for which a biometric identifier
or biometric information is being collected, stored, and
used; and
(3) receives a written release executed by the subject
of the biometric identifier or biometric information or the
subject's legally authorized representative.
(c) No private entity in possession of a biometric
identifier or biometric information may sell, lease, trade, or
otherwise profit from a person's or a customer's biometric
identifier or biometric information.
(d) No private entity in possession of a biometric
identifier or biometric information may disclose, redisclose,
or otherwise disseminate a person's or a customer's biometric
identifier or biometric information unless:
(1) the subject of the biometric identifier or
biometric information or the subject's legally authorized
representative consents to the disclosure or redisclosure;
(2) the disclosure or redisclosure completes a
financial transaction requested or authorized by the
subject of the biometric identifier or the biometric
information or the subject's legally authorized
representative;
(3) the disclosure or redisclosure is required by State
or federal law or municipal ordinance; or
(4) the disclosure is required pursuant to a valid
warrant or subpoena issued by a court of competent
jurisdiction.
(e) A private entity in possession of a biometric
identifier or biometric information shall:
(1) store, transmit, and protect from disclosure all
biometric identifiers and biometric information using the
reasonable standard of care within the private entity's
industry; and
(2) store, transmit, and protect from disclosure all
biometric identifiers and biometric information in a
manner that is the same as or more protective than the
manner in which the private entity stores, transmits, and
protects other confidential and sensitive information.
Section 20. Right of action. Any person aggrieved by a
violation of this Act shall have a right of action in a State
circuit court or as a supplemental claim in federal district
court against an offending party. A prevailing party may
recover for each violation:
(1) against a private entity that negligently violates
a provision of this Act, liquidated damages of $1,000 or
actual damages, whichever is greater;
(2) against a private entity that intentionally or
recklessly violates a provision of this Act, liquidated
damages of $5,000 or actual damages, whichever is greater;
(3) reasonable attorneys' fees and costs, including
expert witness fees and other litigation expenses; and
(4) other relief, including an injunction, as the State
or federal court may deem appropriate.
Section 25. Construction.
(a) Nothing in this Act shall be construed to impact the
admission or discovery of biometric identifiers and biometric
information in any action of any kind in any court, or before
any tribunal, board, agency, or person.
(b) Nothing in this Act shall be construed to conflict with
the X-Ray Retention Act, the federal Health Insurance
Portability and Accountability Act of 1996 and the rules
promulgated under either Act.
(c) Nothing in this Act shall be deemed to apply in any
manner to a financial institution or an affiliate of a
financial institution that is subject to Title V of the federal
Gramm-Leach-Bliley Act of 1999 and the rules promulgated
thereunder.
(d) Nothing in this Act shall be construed to conflict with
the Private Detective, Private Alarm, Private Security,
Fingerprint Vendor, and Locksmith Act of 2004 and the rules
promulgated thereunder.
(e) Nothing in this Act shall be construed to apply to a
contractor, subcontractor, or agent of a State agency or local
unit of government when working for that State agency or local
unit of government.
Section 30. Biometric Information Privacy Study Committee.
(a) The Department of Human Services, in conjunction with
Central Management Services, subject to appropriation or other
funds made available for this purpose, shall create the
Biometric Information Privacy Study Committee, hereafter
referred to as the Committee. The Department of Human Services,
in conjunction with Central Management Services, shall provide
staff and administrative support to the Committee. The
Committee shall examine (i) current policies, procedures, and
practices used by State and local governments to protect an
individual against unauthorized disclosure of his or her
biometric identifiers and biometric information when State or
local government requires the individual to provide his or her
biometric identifiers to an officer or agency of the State or
local government; (ii) issues related to the collection,
destruction, security, and ramifications of biometric
identifiers, biometric information, and biometric technology;
and (iii) technical and procedural changes necessary in order
to implement and enforce reasonable, uniform biometric
safeguards by State and local government agencies.
(b) The Committee shall hold such public hearings as it
deems necessary and present a report of its findings and
recommendations to the General Assembly before January 1, 2009.
The Committee may begin to conduct business upon appointment of
a majority of its members. All appointments shall be completed
by 4 months prior to the release of the Committee's final
report. The Committee shall meet at least twice and at other
times at the call of the chair and may conduct meetings by
telecommunication, where possible, in order to minimize travel
expenses. The Committee shall consist of 27 members appointed
as follows:
(1) 2 members appointed by the President of the Senate;
(2) 2 members appointed by the Minority Leader of the
Senate;
(3) 2 members appointed by the Speaker of the House of
Representatives;
(4) 2 members appointed by the Minority Leader of the
House of Representatives;
(5) One member representing the Office of the Governor,
appointed by the Governor;
(6) One member, who shall serve as the chairperson of
the Committee, representing the Office of the Attorney
General, appointed by the Attorney General;
(7) One member representing the Office of the Secretary
of the State, appointed by the Secretary of State;
(8) One member from each of the following State
agencies appointed by their respective heads: Department
of Corrections, Department of Public Health, Department of
Human Services, Central Management Services, Illinois
Commerce Commission, Illinois State Police, Department of
Revenue;
(9) One member appointed by the chairperson of the
Committee, representing the interests of the City of
Chicago;
(10) 2 members appointed by the chairperson of the
Committee, representing the interests of other
municipalities;
(11) 2 members appointed by the chairperson of the
Committee, representing the interests of public hospitals;
and
(12) 4 public members appointed by the chairperson of
the Committee, representing the interests of the civil
liberties community, the electronic privacy community, and
government employees.
(c) This Section is repealed January 1, 2009.
Section 99. Effective date. This Act takes effect upon
becoming law.