|
|
|
|
SB2400 Engrossed |
|
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| AN ACT concerning health.
|
| 2 |
| Be it enacted by the People of the State of Illinois,
|
| 3 |
| represented in the General Assembly:
|
| 4 |
| Section 1. Short title. This Act may be cited as the |
| 5 |
| Biometric Information Privacy Act.
|
| 6 |
| Section 5. Legislative findings; intent. The General |
| 7 |
| Assembly finds all of the following: |
| 8 |
| (a) The use of biometrics is growing in the business and |
| 9 |
| security screening sectors and appears to promise streamlined |
| 10 |
| financial transactions and security screenings. |
| 11 |
| (b) Major national corporations have selected the City of |
| 12 |
| Chicago and other locations in this State as pilot testing |
| 13 |
| sites for new applications of biometric-facilitated financial |
| 14 |
| transactions, including "Pay By Touch" at banks, grocery |
| 15 |
| stores, gas stations, and school cafeterias. |
| 16 |
| (c) Biometrics are unlike other unique identifiers that are |
| 17 |
| used to access finances or other sensitive information. For |
| 18 |
| example, social security numbers, when compromised, can be |
| 19 |
| changed. Biometrics, however, are biologically unique to the |
| 20 |
| individual; therefore, once compromised, the individual has no |
| 21 |
| recourse, is at heightened risk for identity theft, and is |
| 22 |
| likely to withdraw from biometric-facilitated transactions. |
| 23 |
| (d) An overwhelming majority of members of the public are |
|
|
|
SB2400 Engrossed |
- 2 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| opposed to the use of biometrics when such information is tied |
| 2 |
| to personal finances and other personal information. |
| 3 |
| (e) Despite limited State law regulating the collection, |
| 4 |
| use, safeguarding, and storage of biometric information, many |
| 5 |
| members of the public are deterred from partaking in biometric |
| 6 |
| identifier-facilitated facility transactions. |
| 7 |
| (f) The public welfare, security, and safety will be served |
| 8 |
| by regulating the collection, use, safeguarding, handling, |
| 9 |
| storage, retention, and destruction of biometric identifiers |
| 10 |
| and information.
|
| 11 |
| Section 10. Definitions. In this Act: |
| 12 |
| "Biometric identifier" means any indelible personal |
| 13 |
| physical characteristic which can be used to uniquely identify |
| 14 |
| an individual or pinpoint an individual at a particular place |
| 15 |
| at a particular time. Examples of biometric identifiers |
| 16 |
| include, but are not limited to iris or retinal scans, |
| 17 |
| fingerprints, voiceprints, and records or scans of hand |
| 18 |
| geometry, facial geometry, or facial recognition. Biometric |
| 19 |
| identifiers do not include writing samples, written |
| 20 |
| signatures, photographs, tattoo descriptions, physical |
| 21 |
| descriptions, or human biological samples used for valid |
| 22 |
| scientific testing or screening. Biometric identifiers do not |
| 23 |
| include donated organs, tissues, or parts as defined in the |
| 24 |
| Illinois Anatomical Gift Act or blood or serum stored on behalf |
| 25 |
| of recipients or potential recipients of living or cadaveric |
|
|
|
SB2400 Engrossed |
- 3 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| transplants and obtained or stored by a federally designated |
| 2 |
| organ procurement agency. Biometric identifiers do not include |
| 3 |
| biological materials regulated under the Genetic Information |
| 4 |
| Privacy Act. Biometric identifiers do not include information |
| 5 |
| captured from a patient in a health care setting or information |
| 6 |
| collected, used, or stored for health care treatment, payment, |
| 7 |
| or operations under the federal Health Insurance Portability |
| 8 |
| and Accountability Act of 1996. Biometric identifiers do not |
| 9 |
| include an X-ray, roentgen process, computed tomography, MRI, |
| 10 |
| PET scan, mammography, or other image or film of the human |
| 11 |
| anatomy used to diagnose, prognose, or treat an illness or |
| 12 |
| other medical condition or to further valid scientific testing |
| 13 |
| or screening. |
| 14 |
| "Biometric information" means any information, regardless |
| 15 |
| of how it is captured, converted, stored, or shared, based on |
| 16 |
| an individual's biometric identifier used to identify an |
| 17 |
| individual. Biometric information does not include information |
| 18 |
| derived from items or procedures excluded under the definition |
| 19 |
| of biometric identifiers. Biometric information does not |
| 20 |
| include information captured from a patient in a health care |
| 21 |
| setting or information collected, used, or stored for health |
| 22 |
| care treatment, payment, or operations under the federal Health |
| 23 |
| Insurance Portability and Accountability Act of 1996. |
| 24 |
| "Confidential and sensitive information" means personal |
| 25 |
| information that can be used to uniquely identify an individual |
| 26 |
| or an individual's account or property. Examples of |
|
|
|
SB2400 Engrossed |
- 4 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| confidential and sensitive information include, but are not |
| 2 |
| limited to, a genetic marker, genetic testing information, a |
| 3 |
| unique identifier number to locate an account or property, an |
| 4 |
| account number, a PIN number, a pass code, a driver's license |
| 5 |
| number, or a social security number. |
| 6 |
| "Legally effective written release" means informed written |
| 7 |
| consent or a release executed by an employee as a condition of |
| 8 |
| employment. |
| 9 |
| "Private entity" means any individual, partnership, |
| 10 |
| corporation, limited liability company, association, or other |
| 11 |
| group, however organized.
A private entity does not include a |
| 12 |
| public agency. A private entity does not include any court of |
| 13 |
| Illinois, a clerk of the court, or a judge or justice thereof. |
| 14 |
| "Public agency" means the State of Illinois and its various |
| 15 |
| subdivisions and agencies, and all units of local government, |
| 16 |
| school districts, and other governmental entities.
A public |
| 17 |
| agency does not include any court of Illinois, a clerk of the |
| 18 |
| court, or a judge or justice thereof.
|
| 19 |
| Section 15. Retention; collection; disclosure; |
| 20 |
| destruction. |
| 21 |
| (a) A public agency or private entity in possession of |
| 22 |
| biometric identifiers or biometric information must develop a |
| 23 |
| written policy, made available to the public, establishing a |
| 24 |
| retention schedule and guidelines for permanently destroying |
| 25 |
| biometric identifiers and biometric information when the |
|
|
|
SB2400 Engrossed |
- 5 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| initial purpose for collecting or obtaining such identifiers or |
| 2 |
| information has been satisfied or within 3 years of the |
| 3 |
| individual's last interaction with the public agency or private |
| 4 |
| entity, whichever occurs first. Absent a valid warrant or |
| 5 |
| subpoena issued by a court of competent jurisdiction, a public |
| 6 |
| agency or private entity in possession of biometric identifiers |
| 7 |
| or biometric information must comply with its established |
| 8 |
| retention schedule and destruction guidelines. |
| 9 |
| (b) No public agency or private entity may collect, |
| 10 |
| capture, purchase, receive through trade, or otherwise obtain a |
| 11 |
| person's or a customer's biometric identifier or biometric |
| 12 |
| information, unless it first: |
| 13 |
| (1) informs the subject in writing that a biometric |
| 14 |
| identifier or biometric information is being collected or |
| 15 |
| stored; |
| 16 |
| (2) informs the subject in writing of the specific |
| 17 |
| purpose and length of term for which a biometric identifier |
| 18 |
| or biometric information is being collected, stored, and |
| 19 |
| used; and |
| 20 |
| (3) receives a legally effective written release |
| 21 |
| executed by the subject of the biometric identifier or |
| 22 |
| biometric information or the subject's legally authorized |
| 23 |
| representative.
|
| 24 |
| (c) Subsections (a) and (b) of this Section do not apply to |
| 25 |
| a public agency: |
| 26 |
| (1) engaged in criminal investigations, arrests, |
|
|
|
SB2400 Engrossed |
- 6 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| prosecutions, or law enforcement; |
| 2 |
| (2) overseeing pretrial detention, post-trial |
| 3 |
| commitment, corrections or incarceration, civil |
| 4 |
| commitment, probation services, or parole services; |
| 5 |
| (3) serving as the State central repository of |
| 6 |
| biometrics for criminal identification and investigation |
| 7 |
| purposes; |
| 8 |
| (4) furnishing biometric identifiers or biometric |
| 9 |
| information to a State or federal repository of biometrics |
| 10 |
| pursuant to State or federal law or municipal ordinance; |
| 11 |
| (5) receiving biometric identifiers or biometric |
| 12 |
| information pursuant to State or federal law or municipal |
| 13 |
| ordinance; |
| 14 |
| (6) acting pursuant to a valid warrant or subpoena |
| 15 |
| issued by a court of competent jurisdiction; |
| 16 |
| (7) issuing driver's licenses, driver's permits, |
| 17 |
| identification cards issued pursuant to the Illinois |
| 18 |
| Identification Card Act, or occupational licenses; or |
| 19 |
| (8) performing employee background checks in |
| 20 |
| accordance with the public agency's hiring policies or |
| 21 |
| statutory obligations. |
| 22 |
| Nothing in subsections (a) and (b) of this Section shall be |
| 23 |
| construed to conflict with the retention and collection |
| 24 |
| practices for fingerprints, other biometric identifiers, or |
| 25 |
| biometric information under the Criminal Identification Act, |
| 26 |
| the Illinois Uniform Conviction Information Act, or the federal |
|
|
|
SB2400 Engrossed |
- 7 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| National Crime Prevention and Privacy Compact. Subsection (a) |
| 2 |
| of this Section does not apply to school districts; however, a |
| 3 |
| school district that collects biometric identifiers or |
| 4 |
| biometric information must adopt retention schedules and |
| 5 |
| destruction policies in accordance with the School Code. |
| 6 |
| Subsection (a) of this Section does not apply to a fingerprint |
| 7 |
| vendor or fingerprint vendor agency; however, a fingerprint |
| 8 |
| vendor or fingerprint vendor agency must adopt retention |
| 9 |
| schedules and destruction policies in accordance with the |
| 10 |
| Private Detective, Private Alarm, Private Security, |
| 11 |
| Fingerprint Vendor, and Locksmith Act of 2004. |
| 12 |
| (d) No public agency or private entity in possession of a |
| 13 |
| biometric identifier or biometric information may sell, lease, |
| 14 |
| trade, or otherwise profit from a person's or a customer's |
| 15 |
| biometric identifier or biometric information. |
| 16 |
| (e) No public agency or private entity in possession of a |
| 17 |
| biometric identifier or biometric information may disclose, |
| 18 |
| redisclose, or otherwise disseminate a person's or a customer's |
| 19 |
| biometric identifier or biometric information
unless: |
| 20 |
| (1) the subject of the biometric identifier or
|
| 21 |
| biometric information or the subject's legally authorized
|
| 22 |
| representative consents to the disclosure or redisclosure; |
| 23 |
| (2) the disclosure or redisclosure completes a |
| 24 |
| financial transaction requested or authorized by the |
| 25 |
| subject of the biometric identifier or the biometric |
| 26 |
| information; |
|
|
|
SB2400 Engrossed |
- 8 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| (3) the disclosure or redisclosure is required by State |
| 2 |
| or federal law or municipal ordinance; or |
| 3 |
| (4) the disclosure is required pursuant to a valid |
| 4 |
| warrant or subpoena issued by a court of competent |
| 5 |
| jurisdiction.
|
| 6 |
| (f) Nothing in subsections (d) or (e) of this Section shall |
| 7 |
| be construed to prohibit or inhibit a public agency (i) engaged |
| 8 |
| in criminal investigations, arrests, prosecutions, or law |
| 9 |
| enforcement, (ii) overseeing pretrial detention, post-trial |
| 10 |
| commitment, corrections or incarceration, civil commitment, |
| 11 |
| probation services, or parole services, (iii) serving as the |
| 12 |
| State central repository of biometrics for criminal |
| 13 |
| identification and investigation purposes, (iv) furnishing |
| 14 |
| biometric identifiers or biometric information to a State or |
| 15 |
| federal repository of biometrics pursuant to State or federal |
| 16 |
| law, or (v) issuing driver's licenses, driver's permits, or |
| 17 |
| identification cards pursuant to the Illinois Identification |
| 18 |
| Card Act from:
|
| 19 |
| (1) sharing biometric identifiers or biometric |
| 20 |
| information with another public agency engaged in criminal |
| 21 |
| investigations, arrests, prosecutions, or law enforcement |
| 22 |
| to further such criminal investigations, arrests, |
| 23 |
| prosecutions, or law enforcement;
|
| 24 |
| (2) sharing biometric identifiers or biometric |
| 25 |
| information with another public agency overseeing pretrial |
| 26 |
| detention, post-trial commitment, corrections or |
|
|
|
SB2400 Engrossed |
- 9 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| incarceration, civil commitment, probation services, or |
| 2 |
| parole services; |
| 3 |
| (3) sharing biometric identifiers or biometric |
| 4 |
| information pursuant to, or required by, State or federal |
| 5 |
| law; or
|
| 6 |
| (4) sharing biometric identifiers or biometric |
| 7 |
| information pursuant to a valid warrant or subpoena issued |
| 8 |
| by a court of competent jurisdiction.
|
| 9 |
| (g) Nothing in subsections (d) or (e) of this Section shall |
| 10 |
| be construed to conflict with the reporting and sharing |
| 11 |
| practices for fingerprints, other biometric identifiers, or |
| 12 |
| biometric information under the Criminal Identification Act, |
| 13 |
| the Illinois Uniform Conviction Information Act, and the |
| 14 |
| federal National Crime Prevention and Privacy Compact. Nothing |
| 15 |
| in subsection (d) of this Section shall be construed to |
| 16 |
| conflict with the reporting and sharing practices of a |
| 17 |
| fingerprint vendor or fingerprint vendor agency under the |
| 18 |
| Private Detective, Private Alarm, Private Security, |
| 19 |
| Fingerprint Vendor, and Locksmith Act of 2004. |
| 20 |
| (h) Nothing in subsections (d) or (e) of this Section shall |
| 21 |
| be construed to prohibit or inhibit a public agency that issues |
| 22 |
| occupational licenses from: |
| 23 |
| (1) sharing biometric identifiers or biometric |
| 24 |
| information pursuant to or when required by State or |
| 25 |
| federal law; or |
| 26 |
| (2) sharing biometric identifiers or biometric |
|
|
|
SB2400 Engrossed |
- 10 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| information pursuant to a valid warrant or subpoena issued |
| 2 |
| by a court of competent jurisdiction. |
| 3 |
| (i) Nothing in subsections (d) or (e) of this Section shall |
| 4 |
| be construed to prohibit a public agency from performing |
| 5 |
| employee background checks in accordance with the public |
| 6 |
| agency's hiring policies or statutory obligations. |
| 7 |
| (j) A public agency in possession of biometric identifiers |
| 8 |
| or biometric information shall store, transmit, and protect |
| 9 |
| from disclosure all biometric identifiers and biometric |
| 10 |
| information in a reasonable manner that is the same as or more |
| 11 |
| protective than the manner in which the public agency stores, |
| 12 |
| transmits, and protects other similar confidential and |
| 13 |
| sensitive information specific to that public agency.
The |
| 14 |
| storage, transmittal, and protection from disclosure standards |
| 15 |
| under this subsection (j) are solely the choice of the public |
| 16 |
| agency to adopt in accordance with this Act, other applicable |
| 17 |
| State or federal law, evolving advances in technology, budget |
| 18 |
| constraints, and comparable practices specific to that public |
| 19 |
| agency. |
| 20 |
| (k) A private entity in possession of a biometric |
| 21 |
| identifier or biometric information shall: |
| 22 |
| (1) store, transmit, and protect from disclosure all |
| 23 |
| biometric identifiers and biometric information using the |
| 24 |
| reasonable standard of care within the private entity's |
| 25 |
| industry; and
|
| 26 |
| (2) store, transmit, and protect from disclosure all |
|
|
|
SB2400 Engrossed |
- 11 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| biometric identifiers and biometric information in a |
| 2 |
| manner that is the same as or more protective than the |
| 3 |
| manner in which the private entity stores, transmits, and |
| 4 |
| protects other confidential and sensitive information.
|
| 5 |
| (l) All information and records held by a public agency |
| 6 |
| pertaining to biometric identifiers and biometric information |
| 7 |
| shall be confidential and exempt from copying and inspection |
| 8 |
| under the Freedom of Information Act to all except to the |
| 9 |
| subject of the biometric identifier or biometric information. |
| 10 |
| The subject of the biometric identifier or biometric |
| 11 |
| information held by a public agency shall be permitted to copy |
| 12 |
| and inspect only their own biometric identifiers and biometric |
| 13 |
| information.
|
| 14 |
| Section 20. Right of action. Any person aggrieved by a |
| 15 |
| violation of this Act shall have a right of action in a State |
| 16 |
| circuit court or as a supplemental claim in federal district |
| 17 |
| court against an offending party. A prevailing party may |
| 18 |
| recover for each violation: |
| 19 |
| (1) against any public agency or private entity that |
| 20 |
| negligently violates a provision of this Act, liquidated |
| 21 |
| damages of $1,000 or actual damages, whichever is greater; |
| 22 |
| (2) against any public agency or private entity that |
| 23 |
| intentionally or recklessly violates a provision of this |
| 24 |
| Act, liquidated damages of $5,000 or actual damages, |
| 25 |
| whichever is greater; |
|
|
|
SB2400 Engrossed |
- 12 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| (3) reasonable attorneys' fees and costs, including |
| 2 |
| expert witness fees and other litigation expenses; and |
| 3 |
| (4) other relief, including an injunction, as the State |
| 4 |
| or federal court may deem appropriate.
|
| 5 |
| Section 25. Construction. Nothing in this Act shall be |
| 6 |
| construed to impact the admission or discovery of biometric |
| 7 |
| identifiers and biometric information in any action of any kind |
| 8 |
| in any court, or before any tribunal, board, agency, or person. |
| 9 |
| Nothing in this Act shall be construed to conflict with the |
| 10 |
| X-Ray Retention Act or the federal Health Insurance Portability |
| 11 |
| and Accountability Act of 1996. Subcontractors or agents of a |
| 12 |
| public agency must comply with this Act to the extent and |
| 13 |
| manner this Act applies to that public agency.
|
| 14 |
| Section 30. Home rule. Any home rule unit of local |
| 15 |
| government, any non-home rule municipality, or any non-home |
| 16 |
| rule county within the unincorporated territory of the county |
| 17 |
| may enact ordinances, standards, rules, or regulations that |
| 18 |
| protect biometric identifiers and biometric information in a |
| 19 |
| manner or to an extent equal to or greater than the protection |
| 20 |
| provided in this Act. This Section is a limitation on the |
| 21 |
| concurrent exercise of home rule power under subsection (i) of |
| 22 |
| Section 6 of Article VII of the Illinois Constitution.
|
| 23 |
| Section 95. Applicability. This Act applies to private |