| ||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||
1 | AN ACT concerning civil law. | |||||||||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois, | |||||||||||||||||||||||||||
3 | represented in the General Assembly: | |||||||||||||||||||||||||||
4 | Section 5. The Biometric Information Privacy Act is | |||||||||||||||||||||||||||
5 | amended by changing Sections 5, 10, 15, 20, and 25 as follows: | |||||||||||||||||||||||||||
6 | (740 ILCS 14/5) | |||||||||||||||||||||||||||
7 | Sec. 5. Legislative findings; intent. The General Assembly | |||||||||||||||||||||||||||
8 | finds all of the following: | |||||||||||||||||||||||||||
9 | (a) The use of biometrics is growing in the business and | |||||||||||||||||||||||||||
10 | security screening sectors and appears to promise streamlined | |||||||||||||||||||||||||||
11 | financial transactions and security screenings. | |||||||||||||||||||||||||||
12 | (b) Major national corporations have selected the City of | |||||||||||||||||||||||||||
13 | Chicago and other locations in this State as pilot testing | |||||||||||||||||||||||||||
14 | sites for new applications of biometric-facilitated financial | |||||||||||||||||||||||||||
15 | transactions, including finger-scan technologies at grocery | |||||||||||||||||||||||||||
16 | stores, gas stations, and school cafeterias. | |||||||||||||||||||||||||||
17 | (c) Biometrics are unlike other unique identifiers that | |||||||||||||||||||||||||||
18 | are used to access finances or other sensitive information. | |||||||||||||||||||||||||||
19 | For example, social security numbers, when compromised, can be | |||||||||||||||||||||||||||
20 | changed. Biometrics, however, are biologically unique to the | |||||||||||||||||||||||||||
21 | individual; therefore, once compromised, the individual has no | |||||||||||||||||||||||||||
22 | recourse, is at heightened risk for identity theft, and is | |||||||||||||||||||||||||||
23 | likely to withdraw from biometric-facilitated transactions. |
| |||||||
| |||||||
1 | (d) An overwhelming majority of members of the public are | ||||||
2 | wary weary of the use of biometrics when such information is | ||||||
3 | tied to finances and other personal information. | ||||||
4 | (e) Despite limited State law regulating the collection, | ||||||
5 | use, safeguarding, and storage of biometrics, many members of | ||||||
6 | the public are deterred from partaking in biometric | ||||||
7 | identifier-facilitated transactions. | ||||||
8 | (f) The full ramifications of biometric technology are not | ||||||
9 | fully known. | ||||||
10 | (g) The public welfare, security, and safety will be | ||||||
11 | served by regulating the collection, use, safeguarding, | ||||||
12 | handling, storage, retention, and destruction of biometric | ||||||
13 | identifiers and information. | ||||||
14 | (Source: P.A. 95-994, eff. 10-3-08.) | ||||||
15 | (740 ILCS 14/10) | ||||||
16 | Sec. 10. Definitions. In this Act: | ||||||
17 | "Biometric identifier" means a retina or iris scan, | ||||||
18 | fingerprint, voiceprint, or scan of hand or face geometry. | ||||||
19 | Biometric identifiers do not include writing samples, written | ||||||
20 | signatures, photographs, human biological samples used for | ||||||
21 | valid scientific testing or screening, demographic data, | ||||||
22 | tattoo descriptions, or physical descriptions such as height, | ||||||
23 | weight, hair color, or eye color. Biometric identifiers do not | ||||||
24 | include donated organs, tissues, or parts as defined in the | ||||||
25 | Illinois Anatomical Gift Act or blood or serum stored on |
| |||||||
| |||||||
1 | behalf of recipients or potential recipients of living or | ||||||
2 | cadaveric transplants and obtained or stored by a federally | ||||||
3 | designated organ procurement agency. Biometric identifiers do | ||||||
4 | not include biological materials regulated under the Genetic | ||||||
5 | Information Privacy Act. Biometric identifiers do not include | ||||||
6 | information captured from a patient in a health care setting | ||||||
7 | or information collected, used, or stored for health care | ||||||
8 | treatment, payment, or operations under the federal Health | ||||||
9 | Insurance Portability and Accountability Act of 1996. | ||||||
10 | Biometric identifiers do not include an X-ray, roentgen | ||||||
11 | process, computed tomography, MRI, PET scan, mammography, or | ||||||
12 | other image or film of the human anatomy used to diagnose, | ||||||
13 | prognose, or treat an illness or other medical condition or to | ||||||
14 | further validate scientific testing or screening. | ||||||
15 | "Biometric information" means any information, regardless | ||||||
16 | of how it is captured, converted, stored, or shared, based on | ||||||
17 | an individual's biometric identifier used to identify an | ||||||
18 | individual. Biometric information does not include information | ||||||
19 | derived from items or procedures excluded under the definition | ||||||
20 | of biometric identifiers , including information derived from | ||||||
21 | biometric information that cannot be used to recreate the | ||||||
22 | original biometric identifier . | ||||||
23 | "Confidential and sensitive information" means personal | ||||||
24 | information that can be used to uniquely identify an | ||||||
25 | individual or an individual's account or property. Examples of | ||||||
26 | confidential and sensitive information include, but are not |
| |||||||
| |||||||
1 | limited to, a genetic marker, genetic testing information, a | ||||||
2 | unique identifier number to locate an account or property, an | ||||||
3 | account number, a PIN number, a pass code, a driver's license | ||||||
4 | number, or a social security number. | ||||||
5 | "Private entity" means any individual, partnership, | ||||||
6 | corporation, limited liability company, association, or other | ||||||
7 | group, however organized. A private entity does not include a | ||||||
8 | State or local government agency. A private entity does not | ||||||
9 | include any court of Illinois, a clerk of the court, or a judge | ||||||
10 | or justice thereof. | ||||||
11 | "Written consent release " means informed written consent | ||||||
12 | or, in the context of employment, a release executed by an | ||||||
13 | employee as a condition of employment . | ||||||
14 | (Source: P.A. 95-994, eff. 10-3-08.) | ||||||
15 | (740 ILCS 14/15) | ||||||
16 | Sec. 15. Retention; collection; disclosure; destruction. | ||||||
17 | (a) A private entity in possession of biometric | ||||||
18 | identifiers or biometric information must develop a written | ||||||
19 | policy, made available to the person from whom biometric | ||||||
20 | information is to be collected or was collected public , | ||||||
21 | establishing a retention schedule and guidelines for | ||||||
22 | permanently destroying biometric identifiers and biometric | ||||||
23 | information when the initial purpose for collecting or | ||||||
24 | obtaining such identifiers or information has been satisfied | ||||||
25 | or within 3 years of the individual's last interaction with |
| |||||||
| |||||||
1 | the private entity, whichever occurs first. Absent a valid | ||||||
2 | order, warrant , or subpoena issued by a court of competent | ||||||
3 | jurisdiction or a local or federal governmental agency , a | ||||||
4 | private entity in possession of biometric identifiers or | ||||||
5 | biometric information must comply with its established | ||||||
6 | retention schedule and destruction guidelines. | ||||||
7 | (b) No private entity may collect, capture, purchase, | ||||||
8 | receive through trade, or otherwise obtain a person's or a | ||||||
9 | customer's biometric identifier or biometric information, | ||||||
10 | unless it first: | ||||||
11 | (1) informs the subject or the subject's legally | ||||||
12 | authorized representative in writing that a biometric | ||||||
13 | identifier or biometric information is being collected or | ||||||
14 | stored; | ||||||
15 | (2) informs the subject or the subject's legally | ||||||
16 | authorized representative in writing of the specific | ||||||
17 | purpose and length of term for which a biometric | ||||||
18 | identifier or biometric information is being collected, | ||||||
19 | stored, and used; and | ||||||
20 | (3) receives a written consent release executed by the | ||||||
21 | subject of the biometric identifier or biometric | ||||||
22 | information or the subject's legally authorized | ||||||
23 | representative. | ||||||
24 | Written consent may be obtained by electronic means. | ||||||
25 | (c) No private entity in possession of a biometric | ||||||
26 | identifier or biometric information may sell, lease, trade, or |
| |||||||
| |||||||
1 | otherwise profit from a person's or a customer's biometric | ||||||
2 | identifier or biometric information. | ||||||
3 | (d) No private entity in possession of a biometric | ||||||
4 | identifier or biometric information may disclose, redisclose, | ||||||
5 | or otherwise disseminate a person's or a customer's biometric | ||||||
6 | identifier or biometric information unless: | ||||||
7 | (1) the subject of the biometric identifier or | ||||||
8 | biometric information or the subject's legally authorized | ||||||
9 | representative provides written consent consents to the | ||||||
10 | disclosure or redisclosure; | ||||||
11 | (2) the disclosure or redisclosure completes a | ||||||
12 | financial transaction requested or authorized by the | ||||||
13 | subject of the biometric identifier or the biometric | ||||||
14 | information or the subject's legally authorized | ||||||
15 | representative; | ||||||
16 | (3) the disclosure or redisclosure is required by | ||||||
17 | State or federal law or municipal ordinance; or | ||||||
18 | (4) the disclosure is required pursuant to a valid | ||||||
19 | warrant or subpoena issued by a court of competent | ||||||
20 | jurisdiction. | ||||||
21 | (e) A private entity in possession of a biometric | ||||||
22 | identifier or biometric information shall: | ||||||
23 | (1) store, transmit, and protect from disclosure all | ||||||
24 | biometric identifiers and biometric information using the | ||||||
25 | reasonable standard of care within the private entity's | ||||||
26 | industry; and |
| |||||||
| |||||||
1 | (2) store, transmit, and protect from disclosure all | ||||||
2 | biometric identifiers and biometric information in a | ||||||
3 | manner that is the same as or more protective than the | ||||||
4 | manner in which the private entity stores, transmits, and | ||||||
5 | protects other confidential and sensitive information. | ||||||
6 | (Source: P.A. 95-994, eff. 10-3-08.) | ||||||
7 | (740 ILCS 14/20) | ||||||
8 | Sec. 20. Right of action. Any person aggrieved by a | ||||||
9 | violation of this Act shall have a right of action in a State | ||||||
10 | circuit court or as a supplemental claim in federal district | ||||||
11 | court against an offending party , which shall be commenced | ||||||
12 | within one year after the cause of action accrued if, prior to | ||||||
13 | initiating any action against a private entity, the aggrieved | ||||||
14 | person provides a private entity 30 days' written notice | ||||||
15 | identifying the specific provisions of this Act the aggrieved | ||||||
16 | person alleges have been or are being violated. If, within the | ||||||
17 | 30 days, the private entity actually cures the noticed | ||||||
18 | violation and provides the aggrieved person an express written | ||||||
19 | statement that the violation has been cured and that no | ||||||
20 | further violations shall occur, no action for individual | ||||||
21 | statutory damages or class-wide statutory damages may be | ||||||
22 | initiated against the private entity. If a private entity | ||||||
23 | continues to violate this Act in breach of the express written | ||||||
24 | statement provided to the aggrieved person under this Section, | ||||||
25 | the aggrieved person may initiate an action against the |
| |||||||
| |||||||
1 | private entity to enforce the written statement and may pursue | ||||||
2 | statutory damages for each breach of the express written | ||||||
3 | statement and any other violation that postdates the written | ||||||
4 | statement . A prevailing party in any such action may recover | ||||||
5 | for each violation : | ||||||
6 | (1) against a private entity that negligently violates | ||||||
7 | a provision of this Act, liquidated damages of $1,000 or | ||||||
8 | actual damages , whichever is greater ; | ||||||
9 | (2) against a private entity that willfully | ||||||
10 | intentionally or recklessly violates a provision of this | ||||||
11 | Act, actual damages plus liquidated damages up to the | ||||||
12 | amount of actual damages of $5,000 or actual damages, | ||||||
13 | whichever is greater ; | ||||||
14 | (3) reasonable attorneys' fees and costs, including | ||||||
15 | expert witness fees and other litigation expenses; and | ||||||
16 | (4) other relief, including an injunction, as the | ||||||
17 | State or federal court may deem appropriate. | ||||||
18 | (Source: P.A. 95-994, eff. 10-3-08.) | ||||||
19 | (740 ILCS 14/25) | ||||||
20 | Sec. 25. Construction. | ||||||
21 | (a) Nothing in this Act shall be construed to impact the | ||||||
22 | admission or discovery of biometric identifiers and biometric | ||||||
23 | information in any action of any kind in any court, or before | ||||||
24 | any tribunal, board, agency, or person. | ||||||
25 | (b) Nothing in this Act shall be construed to conflict |
| |||||||
| |||||||
1 | with the X-Ray Retention Act, the federal Health Insurance | ||||||
2 | Portability and Accountability Act of 1996 and the rules | ||||||
3 | promulgated under either Act. | ||||||
4 | (c) Nothing in this Act shall be deemed to apply in any | ||||||
5 | manner to a financial institution or an affiliate of a | ||||||
6 | financial institution that is subject to Title V of the | ||||||
7 | federal Gramm-Leach-Bliley Act of 1999 and the rules | ||||||
8 | promulgated thereunder. | ||||||
9 | (d) Nothing in this Act shall be construed to conflict | ||||||
10 | with the Private Detective, Private Alarm, Private Security, | ||||||
11 | Fingerprint Vendor, and Locksmith Act of 2004 and the rules | ||||||
12 | promulgated thereunder. | ||||||
13 | (e) Nothing in this Act shall be construed to apply to a | ||||||
14 | contractor, subcontractor, or agent of a State or federal | ||||||
15 | agency or local unit of government when working for that State | ||||||
16 | or federal agency or local unit of government. | ||||||
17 | (f) Nothing in this Act shall be construed to apply to a | ||||||
18 | private entity if the private entity's employees are covered | ||||||
19 | by a collective bargaining agreement that provides for | ||||||
20 | different policies regarding the retention, collection, | ||||||
21 | disclosure, and destruction of biometric information. | ||||||
22 | (Source: P.A. 95-994, eff. 10-3-08.) |