103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB3199

 

Introduced 2/17/2023, by Rep. Jeff Keicher

 

SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/20
740 ILCS 14/21 new

    Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent". Allows written consent to be obtained by electronic means. Provides that a person aggrieved by a violation of the act may only commence an action after the aggrieved person provides a private entity 15 days' written notice identifying the specific provisions of the Act the aggrieved person alleges have been or are being violated. Provides that if, within the 15 days, the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement provided to the aggrieved person, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Removes language providing that a prevailing party may recover for each violation of the Act. Requires the Department of Labor to include reference to any employer requirements under the Act in materials that the Department is required by law to provide employers in the State. Makes conforming changes.


LRB103 30904 LNS 57449 b

 

 

A BILL FOR

 

HB3199LRB103 30904 LNS 57449 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10, 15, and 20 and by adding
6Section 21 as follows:
 
7    (740 ILCS 14/10)
8    Sec. 10. Definitions. In this Act:
9    "Biometric identifier" means a retina or iris scan,
10fingerprint, voiceprint, or scan of hand or face geometry.
11Biometric identifiers do not include writing samples, written
12signatures, photographs, human biological samples used for
13valid scientific testing or screening, demographic data,
14tattoo descriptions, or physical descriptions such as height,
15weight, hair color, or eye color. Biometric identifiers do not
16include donated organs, tissues, or parts as defined in the
17Illinois Anatomical Gift Act or blood or serum stored on
18behalf of recipients or potential recipients of living or
19cadaveric transplants and obtained or stored by a federally
20designated organ procurement agency. Biometric identifiers do
21not include biological materials regulated under the Genetic
22Information Privacy Act. Biometric identifiers do not include
23information captured from a patient in a health care setting

 

 

HB3199- 2 -LRB103 30904 LNS 57449 b

1or information collected, used, or stored for health care
2treatment, payment, or operations under the federal Health
3Insurance Portability and Accountability Act of 1996.
4Biometric identifiers do not include an X-ray, roentgen
5process, computed tomography, MRI, PET scan, mammography, or
6other image or film of the human anatomy used to diagnose,
7prognose, or treat an illness or other medical condition or to
8further validate scientific testing or screening.
9    "Biometric information" means any information, regardless
10of how it is captured, converted, stored, or shared, based on
11an individual's biometric identifier used to identify an
12individual. Biometric information does not include information
13derived from items or procedures excluded under the definition
14of biometric identifiers.
15    "Confidential and sensitive information" means personal
16information that can be used to uniquely identify an
17individual or an individual's account or property. Examples of
18confidential and sensitive information include, but are not
19limited to, a genetic marker, genetic testing information, a
20unique identifier number to locate an account or property, an
21account number, a PIN number, a pass code, a driver's license
22number, or a social security number.
23    "Private entity" means any individual, partnership,
24corporation, limited liability company, association, or other
25group, however organized. A private entity does not include a
26State or local government agency. A private entity does not

 

 

HB3199- 3 -LRB103 30904 LNS 57449 b

1include any court of Illinois, a clerk of the court, or a judge
2or justice thereof.
3    "Written consent release" means informed written consent
4or, in the context of employment, a release executed by an
5employee as a condition of employment.
6(Source: P.A. 95-994, eff. 10-3-08.)
 
7    (740 ILCS 14/15)
8    Sec. 15. Retention; collection; disclosure; destruction.
9    (a) A private entity in possession of biometric
10identifiers or biometric information must develop a written
11policy, made available to the public, establishing a retention
12schedule and guidelines for permanently destroying biometric
13identifiers and biometric information when the initial purpose
14for collecting or obtaining such identifiers or information
15has been satisfied or within 3 years of the individual's last
16interaction with the private entity, whichever occurs first.
17Absent a valid warrant or subpoena issued by a court of
18competent jurisdiction, a private entity in possession of
19biometric identifiers or biometric information must comply
20with its established retention schedule and destruction
21guidelines.
22    (b) No private entity may collect, capture, purchase,
23receive through trade, or otherwise obtain a person's or a
24customer's biometric identifier or biometric information,
25unless it first:

 

 

HB3199- 4 -LRB103 30904 LNS 57449 b

1        (1) informs the subject or the subject's legally
2    authorized representative in writing that a biometric
3    identifier or biometric information is being collected or
4    stored;
5        (2) informs the subject or the subject's legally
6    authorized representative in writing of the specific
7    purpose and length of term for which a biometric
8    identifier or biometric information is being collected,
9    stored, and used; and
10        (3) receives a written consent release executed by the
11    subject of the biometric identifier or biometric
12    information or the subject's legally authorized
13    representative.
14    Written consent may be obtained by electronic means.
15    (c) No private entity in possession of a biometric
16identifier or biometric information may sell, lease, trade, or
17otherwise profit from a person's or a customer's biometric
18identifier or biometric information.
19    (d) No private entity in possession of a biometric
20identifier or biometric information may disclose, redisclose,
21or otherwise disseminate a person's or a customer's biometric
22identifier or biometric information unless:
23        (1) the subject of the biometric identifier or
24    biometric information or the subject's legally authorized
25    representative provides written consent consents to the
26    disclosure or redisclosure;

 

 

HB3199- 5 -LRB103 30904 LNS 57449 b

1        (2) the disclosure or redisclosure completes a
2    financial transaction requested or authorized by the
3    subject of the biometric identifier or the biometric
4    information or the subject's legally authorized
5    representative;
6        (3) the disclosure or redisclosure is required by
7    State or federal law or municipal ordinance; or
8        (4) the disclosure is required pursuant to a valid
9    warrant or subpoena issued by a court of competent
10    jurisdiction.
11    (e) A private entity in possession of a biometric
12identifier or biometric information shall:
13        (1) store, transmit, and protect from disclosure all
14    biometric identifiers and biometric information using the
15    reasonable standard of care within the private entity's
16    industry; and
17        (2) store, transmit, and protect from disclosure all
18    biometric identifiers and biometric information in a
19    manner that is the same as or more protective than the
20    manner in which the private entity stores, transmits, and
21    protects other confidential and sensitive information.
22(Source: P.A. 95-994, eff. 10-3-08.)
 
23    (740 ILCS 14/20)
24    Sec. 20. Right of action. Any person aggrieved by a
25violation of this Act shall have a right of action in a State

 

 

HB3199- 6 -LRB103 30904 LNS 57449 b

1circuit court or as a supplemental claim in federal district
2court against an offending party, which shall be commenced
3only after the aggrieved person provides a private entity 15
4days' written notice identifying the specific provisions of
5this Act the aggrieved person alleges have been or are being
6violated. If, within the 15 days, the private entity actually
7cures the noticed violation and provides the aggrieved person
8an express written statement that the violation has been cured
9and that no further violations shall occur, no action for
10individual statutory damages or class-wide statutory damages
11may be initiated against the private entity. If a private
12entity continues to violate this Act in breach of the express
13written statement provided to the aggrieved person under this
14Section, the aggrieved person may initiate an action against
15the private entity to enforce the written statement and may
16pursue statutory damages for each breach of the express
17written statement and any other violation that postdates the
18written statement. A prevailing party in any such action may
19recover for each violation:
20        (1) against a private entity that negligently violates
21    a provision of this Act, liquidated damages of $1,000 or
22    actual damages, whichever is greater;
23        (2) against a private entity that intentionally or
24    recklessly violates a provision of this Act, liquidated
25    damages of $5,000 or actual damages, whichever is greater;
26        (3) reasonable attorneys' fees and costs, including

 

 

HB3199- 7 -LRB103 30904 LNS 57449 b

1    expert witness fees and other litigation expenses; and
2        (4) other relief, including an injunction, as the
3    State or federal court may deem appropriate.
4(Source: P.A. 95-994, eff. 10-3-08.)
 
5    (740 ILCS 14/21 new)
6    Sec. 21. Department of Labor requirement. The Department
7of Labor shall include reference to any employer requirements
8under this Act in materials, including handbooks, that the
9Department of Labor is required by law to provide employers in
10this State.