AN ACT concerning civil law.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Biometric Information Privacy Act is amended by changing Sections 10 and 15 as follows:

(740 ILCS 14/10)

Sec. 10. Definitions. In this Act:

"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.

"Security purpose" means the purpose of preventing or investigating retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm including stalking, violence, or harassment, and assisting a law enforcement investigation.

"Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.

(Source: P.A. 95-994, eff. 10-3-08.)

(740 ILCS 14/15)

Sec. 15. Retention; collection; disclosure; destruction.

(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

(b-5) A private entity may collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying the requirements of subsection (b) if:

(1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose;

(2) the private entity uses the biometric identifier or biometric information only for a security purpose;

(3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and

(4) the private entity documents a process and time frame to delete any biometric identifier or biometric information used for the purposes identified in this subsection.

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:

(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;

(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or

(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(e) A private entity in possession of a biometric identifier or biometric information shall:

(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and

(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

(Source: P.A. 95-994, eff. 10-3-08.)