95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008
SB2400


 
Introduced 2/14/2008, by Sen. Terry Link
 
SYNOPSIS AS INTRODUCED:
 		













New Act










    Creates the Biometric Information Privacy Act. Provides that a public agency or private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the public agency or private entity.  Provides that absent a valid warrant or subpoena, a public agency or private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines. Provides that no public agency or private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first satisfies certain conditions. Provides that these provisions do not apply to a public agency engaged in criminal investigations or prosecutions or a public agency acting pursuant to a valid warrant or subpoena. Provides that a public agency in possession of biometric identifiers or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the public agency stores, transmits, and protects other confidential and sensitive information. Provides that any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court. Preempts home rule. Contains other provisions.
















LRB095 19768 KBJ 46142 b

















FISCAL NOTE ACT MAY APPLY


HOME RULE NOTE ACT MAY APPLY
















 


 


A BILL FOR









 











SB2400

LRB095 19768 KBJ 46142 b






1
    AN ACT concerning health.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:


 
4
    Section 1. Short title. This Act may be cited as the 
5
Biometric Information Privacy Act.
 
6
    Section 5. Legislative findings; intent.   The General 
7
Assembly finds all of the following:
8
    (a) The use of biometrics is growing in the business and 
9
security screening sectors and appears to promise streamlined 
10
financial transactions and security screenings.
11
    (b)  Major national corporations have selected the City of 
12
Chicago and other locations in this State as pilot testing 
13
sites for new applications of biometric-facilitated financial 
14
transactions, including "Pay By Touch" at banks, grocery 
15
stores, gas stations, and school cafeterias.
16
    (c)  Biometrics are unlike other unique identifiers that are 
17
used to access finances or other sensitive information.  For 
18
example, social security numbers, when compromised, can be 
19
changed.  Biometrics, however, are biologically unique to the 
20
individual; therefore, once compromised, the individual has no 
21
recourse, is at heightened risk for identity theft, and is 
22
likely to withdraw from biometric-facilitated transactions.
23
    (d) An overwhelming majority of members of the public are 
 


 






SB2400
- 2 -
LRB095 19768 KBJ 46142 b




1
opposed to the use of biometrics when such information is tied 
2
to personal finances and other personal information.
3
    (e)  Despite limited State law regulating the collection, 
4
use, safeguarding, and storage of biometric information, many 
5
members of the public are deterred from partaking in biometric 
6
identifier-facilitated facility transactions.
7
    (f)  The public welfare, security, and safety will be served 
8
by regulating the collection, use, safeguarding, handling, 
9
storage, retention, and destruction of biometric identifiers 
10
and information.

 
11
    Section 10. Definitions. In this Act:
12
    "Biometric identifier" means any indelible personal 
13
physical characteristic which can be used to uniquely identify 
14
an individual or pinpoint an individual at a particular place 
15
at a particular time.  Examples of biometric identifiers 
16
include, but are not limited to iris or retinal scans, 
17
fingerprints, voiceprints, and records of hand or facial 
18
geometry.  Biometric identifiers do not include writing 
19
samples, written signature, and photographs.
20
    "Biometric information" means any information, regardless 
21
of how it is captured, converted, stored, or shared, based on 
22
an individual's biometric identifier used to identify an 
23
individual.
24
    "Confidential and sensitive information" means personal 
25
information that can be used to uniquely identify an individual 
 


 






SB2400
- 3 -
LRB095 19768 KBJ 46142 b




1
or an individual's account or property include, but are not 
2
limited to a genetic marker, genetic testing information, a 
3
unique identifier number to locate an account or property, an 
4
account number, a PIN number, a pass code, a driver's license 
5
number, or a social security number.

6
    "Legally effective written release" means informed written 
7
consent.
8
    "Private entity" means any individual, partnership, 
9
corporation, limited liability company, association, or other 
10
group, however organized.

11
    "Public agency" means the State of Illinois and its various 
12
subdivisions and agencies, and all units of local government, 
13
school districts, and other governmental entities.

 
14
    Section 15. Retention; collection; disclosure; 
15
destruction. 
16
    (a) A public agency or private entity in possession of 
17
biometric identifiers or biometric information must develop a 
18
written policy, made available to the public, establishing a 
19
retention schedule and guidelines for permanently destroying 
20
biometric identifiers and biometric information when the 
21
initial purpose for collecting or obtaining such identifiers or 
22
information has been satisfied or within 3 years of the 
23
individual's last interaction with the public agency or private 
24
entity.  Absent a valid warrant or subpoena issued by a court of 
25
competent jurisdiction, a public agency or private entity in 
 


 






SB2400
- 4 -
LRB095 19768 KBJ 46142 b




1
possession of biometric identifiers or biometric information 
2
must comply with its established retention schedule and 
3
destruction guidelines.
4
    (b) No public agency or private entity may collect, 
5
capture, purchase, receive through trade, or otherwise obtain a 
6
person's or a customer's biometric identifier or biometric 
7
information, unless it first:
8
        (1) informs the subject in writing that a biometric 
9
    identifier or biometric information is being collected or 
10
    stored;
11
        (2) informs the subject in writing of the specific 
12
    purpose and length of term for which a biometric identifier 
13
    or biometric information is being collected, stored, and 
14
    used; and
15
        (3) receives a legally effective written release 
16
    executed by the subject of the biometric identifier or 
17
    biometric information or the subject's legally authorized 
18
    representative.


19
    (c) Subsections (a) and (b) of this Section do not apply to 
20
a public agency engaged in criminal investigations or 
21
prosecutions.  Subsections (a) and (b) of this Section do not 
22
apply to a public agency acting pursuant to a valid warrant or 
23
subpoena issued by a court of competent jurisdiction.
24
    (d) No public agency or private entity in possession of a 
25
biometric identifier or biometric information may sell, lease, 
26
trade, or otherwise profit from a person's or a customer's 
 


 






SB2400
- 5 -
LRB095 19768 KBJ 46142 b




1
biometric identifier or biometric information.


2
    (e) Nothing in subsection (d) of this Section shall be 
3
construed to prohibit or inhibit a public agency engaged in 
4
criminal investigations or prosecutions from:

5
        (1) sharing biometric identifiers or biometric 
6
    information with another public agency engaged in criminal 
7
    investigations or prosecutions to further such criminal 
8
    investigations or prosecutions;

9
        (2) sharing biometric identifiers or biometric 
10
    information pursuant to federal law or regulation; or

11
        (3) sharing biometric identifiers or biometric 
12
    information pursuant to a valid warrant or subpoena issued 
13
    by a court of competent jurisdiction.


14
    (f) No public agency, private entity, or person in 
15
possession of a biometric identifier or biometric information 
16
may disclose, redisclose, or otherwise disseminate a person's 
17
or a customer's biometric identifier or biometric information, 
18
unless:
19
        (1)  the subject of the biometric identifier or 
20
    biometric information or the subject's legally authorized 
21
    representative consents to the disclosure or redisclosure;
22
        (2)  the disclosure or redisclosure completes a 
23
    financial transaction requested or authorized by the 
24
    subject of the biometric identifier or the biometric 
25
    information;
26
        (3)  the disclosure or redisclosure is required under 
 


 






SB2400
- 6 -
LRB095 19768 KBJ 46142 b




1
    federal law; and
2
        (4)  the disclosure is required pursuant to a valid 
3
    warrant or subpoena issued by a court of competent 
4
    jurisdiction.


5
    (g) A public agency in possession of biometric identifiers 
6
or biometric information shall store, transmit, and protect 
7
from disclosure all biometric identifiers and biometric 
8
information in a manner that is the same as or more protective 
9
than the manner in which the public agency stores, transmits, 
10
and protects other confidential and sensitive information.


11
    (h) A private entity in possession of a biometric 
12
identifier or biometric information shall:
13
        
(1) store, transmit, and protect from disclosure all 
14
    biometric identifiers and biometric information using the 
15
    reasonable standard of care within the private entity's 
16
    industry; and

17
        (2)  store, transmit, and protect from disclosure all 
18
    biometric identifiers and biometric information in a 
19
    manner that is the same as or more protective than the 
20
    manner in which the private entity stores, transmits, and 
21
    protects other confidential and sensitive information.


22
    (i) All information and records held by a public agency 
23
pertaining to biometric identifiers and biometric information 
24
shall be confidential and exempt from copying and inspection 
25
under the Freedom of Information Act to all except to the 
26
subject of the biometric identifier or biometric information.  
 


 






SB2400
- 7 -
LRB095 19768 KBJ 46142 b




1
The subject of the biometric identifier or biometric 
2
information held by a public agency shall be permitted to copy 
3
and inspect only their own biometric identifiers and biometric 
4
information.


 
5
    Section 20. Right of action. 
6
    (a) Any person aggrieved by a violation of this Act shall 
7
have a right of action in a State circuit court or as a 
8
supplemental claim in federal district court against an 
9
offending party.  A prevailing party may recover for each 
10
violation:
11
        (1) against any public agency or private entity that 
12
    negligently violates a provision of this Act, liquidated 
13
    damages of $1,000 or actual damages, whichever is greater;
14
        (2) against any public agency or private entity that 
15
    intentionally or recklessly violates a provision of this 
16
    Act, liquidated damages of $5,000 or actual damages, 
17
    whichever is greater;
18
        (3) reasonable attorneys' fees and costs, including 
19
    expert witness fees and other litigation expenses; and
        
20
        (4) other relief, including an injunction, as the State 
21
    or federal court may deem appropriate.

22
    (b) For the purpose of this Act, "prevailing party" 
23
includes any party:
(i) who obtains some of his or her 
24
requested relief through a judicial judgment in his or her 
25
favor;
(ii) who obtains some of his or her requested relief 
 


 






SB2400
- 8 -
LRB095 19768 KBJ 46142 b




1
through any settlement agreement approved by the court; or

2
(iii) whose pursuit of a non-frivolous claim was a catalyst for 
3
a unilateral change in position by the  opposing party relative 
4
to the relief sought.



 
5
    Section 25. Home rule. The corporate authorities of a 
6
municipality or other unit of local government may enact 
7
ordinances, standards, rules, or regulations that protect 
8
biometric identifiers and biometric information in a manner or 
9
to an extent equal to or greater than the protection provided 
10
in this Act. This Section is a limitation on the concurrent 
11
exercise of home rule power under subsection (i) of Section 6 
12
of Article VII of the Illinois Constitution.