102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB3874

 

Introduced 1/21/2022, by Sen. Bill Cunningham

 

SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/25
740 ILCS 14/35 new
820 ILCS 305/5  from Ch. 48, par. 138.5

    Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and "written release". Defines "biometric lock", "biometric time clock", "electronic signature", "in writing", and "security purpose". Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the Act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Requires the Department of Labor to provide information for employers regarding the requirements of the Act on its website. Amends the Workers' Compensation Act. Provides that nothing in the Act limits, prevents, or preempts a recovery by an employee under the Biometric Information Privacy Act. Effective immediately.


LRB102 24575 LNS 33809 b

 

 

A BILL FOR

 

SB3874LRB102 24575 LNS 33809 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10, 15, and 25 and by adding
6Section 35 as follows:
 
7    (740 ILCS 14/10)
8    Sec. 10. Definitions. In this Act:
9    "Biometric identifier" means a retina or iris scan,
10fingerprint, voiceprint, or scan of hand or face geometry.
11Biometric identifiers do not include writing samples, written
12signatures, photographs, human biological samples used for
13valid scientific testing or screening, demographic data,
14tattoo descriptions, or physical descriptions such as height,
15weight, hair color, or eye color. Biometric identifiers do not
16include donated organs, tissues, or parts as defined in the
17Illinois Anatomical Gift Act or blood or serum stored on
18behalf of recipients or potential recipients of living or
19cadaveric transplants and obtained or stored by a federally
20designated organ procurement agency. Biometric identifiers do
21not include biological materials regulated under the Genetic
22Information Privacy Act. Biometric identifiers do not include
23information captured from a patient in a health care setting

 

 

SB3874- 2 -LRB102 24575 LNS 33809 b

1or information collected, used, or stored for health care
2treatment, payment, or operations under the federal Health
3Insurance Portability and Accountability Act of 1996.
4Biometric identifiers do not include an X-ray, roentgen
5process, computed tomography, MRI, PET scan, mammography, or
6other image or film of the human anatomy used to diagnose,
7prognose, or treat an illness or other medical condition or to
8further validate scientific testing or screening. Biometric
9identifiers do not include information captured and converted
10to a mathematical representation, including, but not limited
11to, a numeric string or similar method that cannot be used to
12recreate the biometric identifier.
13    "Biometric information" means any information, regardless
14of how it is captured, converted, stored, or shared, based on
15an individual's biometric identifier used to identify an
16individual. Biometric information does not include information
17derived from items or procedures excluded under the definition
18of biometric identifiers.
19    "Biometric lock" means a device that is used to grant
20access to a person and converts the person's biometric
21identifier or biometric information to a mathematical
22representation, including, but not limited to, a numeric
23string or similar method that cannot be used to recreate the
24person's biometric identifier.
25    "Biometric time clock" means a device that is used for
26time management and converts a person's biometric identifier

 

 

SB3874- 3 -LRB102 24575 LNS 33809 b

1or biometric information to a mathematical representation,
2including, but not limited to, a numeric string or similar
3method that cannot be used to recreate the person's biometric
4identifier.
5    "Confidential and sensitive information" means personal
6information that can be used to uniquely identify an
7individual or an individual's account or property. Examples of
8confidential and sensitive information include, but are not
9limited to, a genetic marker, genetic testing information, a
10unique identifier number to locate an account or property, an
11account number, a PIN number, a pass code, a driver's license
12number, or a social security number.
13    "Electronic signature" means a signature in electronic
14form attached to or logically associated with an electronic
15record.
16    "In writing" includes, but is not limited to, electronic
17communications or notices.
18    "Private entity" means any individual, partnership,
19corporation, limited liability company, association, or other
20group, however organized. A private entity does not include a
21State or local government agency. A private entity does not
22include any court of Illinois, a clerk of the court, or a judge
23or justice thereof.
24    "Security purpose" means for the purpose of preventing or
25investigating retail theft, fraud, or any other
26misappropriation or theft of a thing of value. "Security

 

 

SB3874- 4 -LRB102 24575 LNS 33809 b

1purpose" includes protecting property from trespass,
2controlling access to property, or protecting any person from
3harm, including stalking, violence, or harassment, and
4includes assisting a law enforcement investigation.
5    "Written release" means informed written consent or, in
6the context of employment, a release executed by an employee
7as a condition of employment. Written release includes
8electronic communications, and such a release or communication
9by electronic signature of the employee as provided under
10Section 5-120 of the Electronic Commerce Security Act.
11(Source: P.A. 95-994, eff. 10-3-08.)
 
12    (740 ILCS 14/15)
13    Sec. 15. Retention; collection; disclosure; destruction.
14    (a) A private entity in possession of biometric
15identifiers or biometric information must develop a written
16policy, made available to the public, establishing a retention
17schedule and guidelines for permanently destroying biometric
18identifiers and biometric information when the initial purpose
19for collecting or obtaining such identifiers or information
20has been satisfied or within 3 years of the individual's last
21interaction with the private entity, whichever occurs first.
22Absent a valid warrant or subpoena issued by a court of
23competent jurisdiction, a private entity in possession of
24biometric identifiers or biometric information must comply
25with its established retention schedule and destruction

 

 

SB3874- 5 -LRB102 24575 LNS 33809 b

1guidelines.
2    (b) No private entity may collect, capture, purchase,
3receive through trade, or otherwise obtain a person's or a
4customer's biometric identifier or biometric information,
5unless it first:
6        (1) informs the subject or the subject's legally
7    authorized representative in writing that a biometric
8    identifier or biometric information is being collected or
9    stored;
10        (2) informs the subject or the subject's legally
11    authorized representative in writing of the specific
12    purpose and length of term for which a biometric
13    identifier or biometric information is being collected,
14    stored, and used; and
15        (3) receives a written release executed by the subject
16    of the biometric identifier or biometric information or
17    the subject's legally authorized representative.
18    (b-5) If the biometric identifier or biometric information
19is collected or captured for the same repeated process, the
20private entity is only required to inform the subject or
21receive consent pursuant paragraphs (1), (2), and (3) of
22subsection (b) during the initial collection.
23    (b-10) A private entity may collect, capture, or otherwise
24obtain a person's or a customer's biometric identifier or
25biometric information without satisfying the requirements of
26subsection (b) if:

 

 

SB3874- 6 -LRB102 24575 LNS 33809 b

1        (1) the private entity collects, captures, or
2    otherwise obtains a person's or a customer's biometric
3    identifier or biometric information for a security
4    purpose;
5        (2) the private entity uses the biometric identifier
6    or biometric information only for a security purpose;
7        (3) the private entity retains the biometric
8    identifier or biometric information no longer than is
9    reasonably necessary to satisfy a security purpose; and
10        (4) the private entity documents a process and time
11    frame to delete any biometric information used for the
12    purposes identified in this subsection.
13    (c) No private entity in possession of a biometric
14identifier or biometric information may sell, lease, trade, or
15otherwise profit from a person's or a customer's biometric
16identifier or biometric information.
17    (d) No private entity in possession of a biometric
18identifier or biometric information may disclose, redisclose,
19or otherwise disseminate a person's or a customer's biometric
20identifier or biometric information unless:
21        (1) the subject of the biometric identifier or
22    biometric information or the subject's legally authorized
23    representative consents to the disclosure or redisclosure;
24        (2) the disclosure or redisclosure completes a
25    financial transaction requested or authorized by the
26    subject of the biometric identifier or the biometric

 

 

SB3874- 7 -LRB102 24575 LNS 33809 b

1    information or the subject's legally authorized
2    representative;
3        (3) the disclosure or redisclosure is required by
4    State or federal law or municipal ordinance; or
5        (4) the disclosure is required pursuant to a valid
6    warrant or subpoena issued by a court of competent
7    jurisdiction.
8    (e) A private entity in possession of a biometric
9identifier or biometric information shall:
10        (1) store, transmit, and protect from disclosure all
11    biometric identifiers and biometric information using the
12    reasonable standard of care within the private entity's
13    industry; and
14        (2) store, transmit, and protect from disclosure all
15    biometric identifiers and biometric information in a
16    manner that is the same as or more protective than the
17    manner in which the private entity stores, transmits, and
18    protects other confidential and sensitive information.
19(Source: P.A. 95-994, eff. 10-3-08.)
 
20    (740 ILCS 14/25)
21    Sec. 25. Construction.
22    (a) Nothing in this Act shall be construed to impact the
23admission or discovery of biometric identifiers and biometric
24information in any action of any kind in any court, or before
25any tribunal, board, agency, or person.

 

 

SB3874- 8 -LRB102 24575 LNS 33809 b

1    (b) Nothing in this Act shall be construed to conflict
2with the X-Ray Retention Act, the federal Health Insurance
3Portability and Accountability Act of 1996 and the rules
4promulgated under either Act.
5    (c) Nothing in this Act shall be deemed to apply in any
6manner to a financial institution or an affiliate of a
7financial institution that is subject to Title V of the
8federal Gramm-Leach-Bliley Act of 1999 and the rules
9promulgated thereunder.
10    (d) Nothing in this Act shall be construed to conflict
11with the Private Detective, Private Alarm, Private Security,
12Fingerprint Vendor, and Locksmith Act of 2004 and the rules
13promulgated thereunder or information captured by an alarm
14system as defined by that Act installed by a person licensed
15under that Act and the rules adopted thereunder.
16    (e) Nothing in this Act shall be construed to apply to a
17contractor, subcontractor, or agent of a State agency or local
18unit of government when working for that State agency or local
19unit of government.
20    (f) Nothing in this Act shall be construed to apply to
21information captured by a biometric time clock or biometric
22lock that converts a person's biometric identifier or
23biometric information to a mathematical representation,
24including, but not limited to, a numeric string or similar
25method that cannot be used to recreate the person's biometric
26identifier or biometric information.

 

 

SB3874- 9 -LRB102 24575 LNS 33809 b

1(Source: P.A. 95-994, eff. 10-3-08.)
 
2    (740 ILCS 14/35 new)
3    Sec. 35. Department of Labor website. The Department of
4Labor shall provide on its website information for employers
5regarding the requirements of this Act.
 
6    Section 10. The Workers' Compensation Act is amended by
7changing Section 5 as follows:
 
8    (820 ILCS 305/5)  (from Ch. 48, par. 138.5)
9    Sec. 5. Damages; minors; third-party liability.
10    (a) Except as provided in Section 1.2, no common law or
11statutory right to recover damages from the employer, his
12insurer, his broker, any service organization that is wholly
13owned by the employer, his insurer or his broker and that
14provides safety service, advice or recommendations for the
15employer or the agents or employees of any of them for injury
16or death sustained by any employee while engaged in the line of
17his duty as such employee, other than the compensation herein
18provided, is available to any employee who is covered by the
19provisions of this Act, to any one wholly or partially
20dependent upon him, the legal representatives of his estate,
21or any one otherwise entitled to recover damages for such
22injury.
23    However, in any action now pending or hereafter begun to

 

 

SB3874- 10 -LRB102 24575 LNS 33809 b

1enforce a common law or statutory right to recover damages for
2negligently causing the injury or death of any employee it is
3not necessary to allege in the complaint that either the
4employee or the employer or both were not governed by the
5provisions of this Act or of any similar Act in force in this
6or any other State. Moreover, nothing in this Act limits,
7prevents, or preempts a recovery by an employee under the
8Biometric Information Privacy Act.
9    Any illegally employed minor or his legal representatives
10shall, except as hereinafter provided, have the right within 6
11months after the time of injury or death, or within 6 months
12after the appointment of a legal representative, whichever
13shall be later, to file with the Commission a rejection of his
14right to the benefits under this Act, in which case such
15illegally employed minor or his legal representatives shall
16have the right to pursue his or their common law or statutory
17remedies to recover damages for such injury or death.
18    No payment of compensation under this Act shall be made to
19an illegally employed minor, or his legal representatives,
20unless such payment and the waiver of his right to reject the
21benefits of this Act has first been approved by the Commission
22or any member thereof, and if such payment and the waiver of
23his right of rejection has been so approved such payment is a
24bar to a subsequent rejection of the provisions of this Act.
25    (b) Where the injury or death for which compensation is
26payable under this Act was caused under circumstances creating

 

 

SB3874- 11 -LRB102 24575 LNS 33809 b

1a legal liability for damages on the part of some person other
2than his employer to pay damages, then legal proceedings may
3be taken against such other person to recover damages
4notwithstanding such employer's payment of or liability to pay
5compensation under this Act. In such case, however, if the
6action against such other person is brought by the injured
7employee or his personal representative and judgment is
8obtained and paid, or settlement is made with such other
9person, either with or without suit, then from the amount
10received by such employee or personal representative there
11shall be paid to the employer the amount of compensation paid
12or to be paid by him to such employee or personal
13representative including amounts paid or to be paid pursuant
14to paragraph (a) of Section 8 of this Act.
15    Out of any reimbursement received by the employer pursuant
16to this Section the employer shall pay his pro rata share of
17all costs and reasonably necessary expenses in connection with
18such third-party claim, action or suit and where the services
19of an attorney at law of the employee or dependents have
20resulted in or substantially contributed to the procurement by
21suit, settlement or otherwise of the proceeds out of which the
22employer is reimbursed, then, in the absence of other
23agreement, the employer shall pay such attorney 25% of the
24gross amount of such reimbursement.
25    If the injured employee or his personal representative
26agrees to receive compensation from the employer or accept

 

 

SB3874- 12 -LRB102 24575 LNS 33809 b

1from the employer any payment on account of such compensation,
2or to institute proceedings to recover the same, the employer
3may have or claim a lien upon any award, judgment or fund out
4of which such employee might be compensated from such third
5party.
6    In such actions brought by the employee or his personal
7representative, he shall forthwith notify his employer by
8personal service or registered mail, of such fact and of the
9name of the court in which the suit is brought, filing proof
10thereof in the action. The employer may, at any time
11thereafter join in the action upon his motion so that all
12orders of court after hearing and judgment shall be made for
13his protection. No release or settlement of claim for damages
14by reason of such injury or death, and no satisfaction of
15judgment in such proceedings shall be valid without the
16written consent of both employer and employee or his personal
17representative, except in the case of the employers, such
18consent is not required where the employer has been fully
19indemnified or protected by Court order.
20    In the event the employee or his personal representative
21fails to institute a proceeding against such third person at
22any time prior to 3 months before such action would be barred,
23the employer may in his own name or in the name of the
24employee, or his personal representative, commence a
25proceeding against such other person for the recovery of
26damages on account of such injury or death to the employee, and

 

 

SB3874- 13 -LRB102 24575 LNS 33809 b

1out of any amount recovered the employer shall pay over to the
2injured employee or his personal representatives all sums
3collected from such other person by judgment or otherwise in
4excess of the amount of such compensation paid or to be paid
5under this Act, including amounts paid or to be paid pursuant
6to paragraph (a) of Section 8 of this Act, and costs,
7attorney's fees and reasonable expenses as may be incurred by
8such employer in making such collection or in enforcing such
9liability.
10(Source: P.A. 101-6, eff. 5-17-19.)
 
11    Section 99. Effective date. This Act takes effect upon
12becoming law.