SB3856 104TH GENERAL ASSEMBLY

104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026
SB3856

Introduced 2/6/2026, by Sen. John F. Curran

SYNOPSIS AS INTRODUCED:

`740 ILCS 14/10`
`740 ILCS 14/15`

Amends the Biometric Information Privacy Act. Defines "security purpose" to mean for the purpose of preventing or investigating retail theft, fraud, or any other misappropriation or theft of a thing of value. Provides that security purpose includes protecting property from trespass, controlling access to property, or protecting any person from harm, including stalking, violence, or harassment, and includes assisting a law enforcement investigation. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Effective immediately.

LRB104 17142 JRC 30561 b

A BILL FOR

SB3856

LRB104 17142 JRC 30561 b

1 AN ACT concerning civil law.

2 Be it enacted by the People of the State of Illinois,

3 represented in the General Assembly:

4 Section 5. The Biometric Information Privacy Act is

5 amended by changing Sections 10 and 15 as follows:

6 (740 ILCS 14/10)

7 Sec. 10. Definitions. In this Act:

8 "Biometric identifier" means a retina or iris scan,

9 fingerprint, voiceprint, or scan of hand or face geometry.

10 Biometric identifiers do not include writing samples, written

11 signatures, photographs, human biological samples used for

12 valid scientific testing or screening, demographic data,

13 tattoo descriptions, or physical descriptions such as height,

14 weight, hair color, or eye color. Biometric identifiers do not

15 include donated organs, tissues, or parts as defined in the

16 Illinois Anatomical Gift Act or blood or serum stored on

17 behalf of recipients or potential recipients of living or

18 cadaveric transplants and obtained or stored by a federally

19 designated organ procurement agency. Biometric identifiers do

20 not include biological materials regulated under the Genetic

21 Information Privacy Act. Biometric identifiers do not include

22 information captured from a patient in a health care setting

23 or information collected, used, or stored for health care

SB3856

- 2 -

LRB104 17142 JRC 30561 b

1 treatment, payment, or operations under the federal Health

2 Insurance Portability and Accountability Act of 1996.

3 Biometric identifiers do not include an X-ray, roentgen

4 process, computed tomography, MRI, PET scan, mammography, or

5 other image or film of the human anatomy used to diagnose,

6 prognose, or treat an illness or other medical condition or to

7 further validate scientific testing or screening.

8 "Biometric information" means any information, regardless

9 of how it is captured, converted, stored, or shared, based on

10 an individual's biometric identifier used to identify an

11 individual. Biometric information does not include information

12 derived from items or procedures excluded under the definition

13 of biometric identifiers.

14 "Confidential and sensitive information" means personal

15 information that can be used to uniquely identify an

16 individual or an individual's account or property. Examples of

17 confidential and sensitive information include, but are not

18 limited to, a genetic marker, genetic testing information, a

19 unique identifier number to locate an account or property, an

20 account number, a PIN number, a pass code, a driver's license

21 number, or a social security number.

22 "Electronic signature" means an electronic sound, symbol,

23 or process attached to or logically associated with a record

24 and executed or adopted by a person with the intent to sign the

25 record.

26 "Private entity" means any individual, partnership,

SB3856

- 3 -

LRB104 17142 JRC 30561 b

1 corporation, limited liability company, association, or other

2 group, however organized. A private entity does not include a

3 State or local government agency. A private entity does not

4 include any court of Illinois, a clerk of the court, or a judge

5 or justice thereof.

6 "Security purpose" means for the purpose of preventing or

7 investigating retail theft, fraud, or any other

8 misappropriation or theft of a thing of value. "Security

9 purpose" includes protecting property from trespass,

10 controlling access to property, or protecting any person from

11 harm, including stalking, violence, or harassment, and

12 includes assisting a law enforcement investigation.

13 "Written release" means informed written consent,

14 electronic signature, or, in the context of employment, a

15 release executed by an employee as a condition of employment.

16 (Source: P.A. 103-769, eff. 8-2-24.)

17 (740 ILCS 14/15)

18 Sec. 15. Retention; collection; disclosure; destruction.

19 (a) A private entity in possession of biometric

20 identifiers or biometric information must develop a written

21 policy, made available to the public, establishing a retention

22 schedule and guidelines for permanently destroying biometric

23 identifiers and biometric information when the initial purpose

24 for collecting or obtaining such identifiers or information

25 has been satisfied or within 3 years of the individual's last

SB3856

- 4 -

LRB104 17142 JRC 30561 b

1 interaction with the private entity, whichever occurs first.

2 Absent a valid warrant or subpoena issued by a court of

3 competent jurisdiction, a private entity in possession of

4 biometric identifiers or biometric information must comply

5 with its established retention schedule and destruction

6 guidelines.

7 (b) No private entity may collect, capture, purchase,

8 receive through trade, or otherwise obtain a person's or a

9 customer's biometric identifier or biometric information,

10 unless it first:

11 (1) informs the subject or the subject's legally

12 authorized representative in writing that a biometric

13 identifier or biometric information is being collected or

14 stored;

15 (2) informs the subject or the subject's legally

16 authorized representative in writing of the specific

17 purpose and length of term for which a biometric

18 identifier or biometric information is being collected,

19 stored, and used; and

20 (3) receives a written release executed by the subject

21 of the biometric identifier or biometric information or

22 the subject's legally authorized representative.

23 (b-5) A private entity may collect, capture, or otherwise

24 obtain a person's or a customer's biometric identifier or

25 biometric information without satisfying the requirements of

26 subsection (b) if:

SB3856

- 5 -

LRB104 17142 JRC 30561 b

1 (1) the private entity collects, captures, or

2 otherwise obtains a person's or a customer's biometric

3 identifier or biometric information for a security

4 purpose;

5 (2) the private entity uses the biometric identifier

6 or biometric information only for a security purpose;

7 (3) the private entity retains the biometric

8 identifier or biometric information no longer than is

9 reasonably necessary to satisfy a security purpose; and

10 (4) the private entity documents a process and time

11 frame to delete any biometric information used for the

12 purposes identified in this subsection.

13 (c) No private entity in possession of a biometric

14 identifier or biometric information may sell, lease, trade, or

15 otherwise profit from a person's or a customer's biometric

16 identifier or biometric information.

17 (d) No private entity in possession of a biometric

18 identifier or biometric information may disclose, redisclose,

19 or otherwise disseminate a person's or a customer's biometric

20 identifier or biometric information unless:

21 (1) the subject of the biometric identifier or

22 biometric information or the subject's legally authorized

23 representative consents to the disclosure or redisclosure;

24 (2) the disclosure or redisclosure completes a

25 financial transaction requested or authorized by the

26 subject of the biometric identifier or the biometric

SB3856

- 6 -

LRB104 17142 JRC 30561 b

1 information or the subject's legally authorized

2 representative;

3 (3) the disclosure or redisclosure is required by

4 State or federal law or municipal ordinance; or

5 (4) the disclosure is required pursuant to a valid

6 warrant or subpoena issued by a court of competent

7 jurisdiction.

8 (e) A private entity in possession of a biometric

9 identifier or biometric information shall:

10 (1) store, transmit, and protect from disclosure all

11 biometric identifiers and biometric information using the

12 reasonable standard of care within the private entity's

13 industry; and

14 (2) store, transmit, and protect from disclosure all

15 biometric identifiers and biometric information in a

16 manner that is the same as or more protective than the

17 manner in which the private entity stores, transmits, and

18 protects other confidential and sensitive information.

19 (Source: P.A. 95-994, eff. 10-3-08.)

20 Section 99. Effective date. This Act takes effect upon

21 becoming law.