|
|
|
|
SB2400 Enrolled |
|
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| AN ACT concerning health.
|
| 2 |
| Be it enacted by the People of the State of Illinois,
|
| 3 |
| represented in the General Assembly:
|
| 4 |
| Section 1. Short title. This Act may be cited as the |
| 5 |
| Biometric Information Privacy Act.
|
| 6 |
| Section 5. Legislative findings; intent. The General |
| 7 |
| Assembly finds all of the following: |
| 8 |
| (a) The use of biometrics is growing in the business and |
| 9 |
| security screening sectors and appears to promise streamlined |
| 10 |
| financial transactions and security screenings. |
| 11 |
| (b) Major national corporations have selected the City of |
| 12 |
| Chicago and other locations in this State as pilot testing |
| 13 |
| sites for new applications of biometric-facilitated financial |
| 14 |
| transactions, including finger-scan technologies at grocery |
| 15 |
| stores, gas stations, and school cafeterias. |
| 16 |
| (c) Biometrics are unlike other unique identifiers that are |
| 17 |
| used to access finances or other sensitive information. For |
| 18 |
| example, social security numbers, when compromised, can be |
| 19 |
| changed. Biometrics, however, are biologically unique to the |
| 20 |
| individual; therefore, once compromised, the individual has no |
| 21 |
| recourse, is at heightened risk for identity theft, and is |
| 22 |
| likely to withdraw from biometric-facilitated transactions. |
| 23 |
| (d) An overwhelming majority of members of the public are |
|
|
|
SB2400 Enrolled |
- 2 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| weary of the use of biometrics when such information is tied to |
| 2 |
| finances and other personal information. |
| 3 |
| (e) Despite limited State law regulating the collection, |
| 4 |
| use, safeguarding, and storage of biometrics, many members of |
| 5 |
| the public are deterred from partaking in biometric |
| 6 |
| identifier-facilitated transactions. |
| 7 |
| (f) The full ramifications of biometric technology are not |
| 8 |
| fully known. |
| 9 |
| (g) The public welfare, security, and safety will be served |
| 10 |
| by regulating the collection, use, safeguarding, handling, |
| 11 |
| storage, retention, and destruction of biometric identifiers |
| 12 |
| and information.
|
| 13 |
| Section 10. Definitions. In this Act: |
| 14 |
| "Biometric identifier" means a retina or iris scan, |
| 15 |
| fingerprint, voiceprint, or scan of hand or face geometry. |
| 16 |
| Biometric identifiers do not include writing samples, written |
| 17 |
| signatures, photographs, human biological samples used for |
| 18 |
| valid scientific testing or screening, demographic data, |
| 19 |
| tattoo descriptions, or physical descriptions such as height, |
| 20 |
| weight, hair color, or eye color. Biometric identifiers do not |
| 21 |
| include donated organs, tissues, or parts as defined in the |
| 22 |
| Illinois Anatomical Gift Act or blood or serum stored on behalf |
| 23 |
| of recipients or potential recipients of living or cadaveric |
| 24 |
| transplants and obtained or stored by a federally designated |
| 25 |
| organ procurement agency. Biometric identifiers do not include |
|
|
|
SB2400 Enrolled |
- 3 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| biological materials regulated under the Genetic Information |
| 2 |
| Privacy Act. Biometric identifiers do not include information |
| 3 |
| captured from a patient in a health care setting or information |
| 4 |
| collected, used, or stored for health care treatment, payment, |
| 5 |
| or operations under the federal Health Insurance Portability |
| 6 |
| and Accountability Act of 1996. Biometric identifiers do not |
| 7 |
| include an X-ray, roentgen process, computed tomography, MRI, |
| 8 |
| PET scan, mammography, or other image or film of the human |
| 9 |
| anatomy used to diagnose, prognose, or treat an illness or |
| 10 |
| other medical condition or to further validate scientific |
| 11 |
| testing or screening. |
| 12 |
| "Biometric information" means any information, regardless |
| 13 |
| of how it is captured, converted, stored, or shared, based on |
| 14 |
| an individual's biometric identifier used to identify an |
| 15 |
| individual. Biometric information does not include information |
| 16 |
| derived from items or procedures excluded under the definition |
| 17 |
| of biometric identifiers. |
| 18 |
| "Confidential and sensitive information" means personal |
| 19 |
| information that can be used to uniquely identify an individual |
| 20 |
| or an individual's account or property. Examples of |
| 21 |
| confidential and sensitive information include, but are not |
| 22 |
| limited to, a genetic marker, genetic testing information, a |
| 23 |
| unique identifier number to locate an account or property, an |
| 24 |
| account number, a PIN number, a pass code, a driver's license |
| 25 |
| number, or a social security number. |
| 26 |
| "Private entity" means any individual, partnership, |
|
|
|
SB2400 Enrolled |
- 4 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| corporation, limited liability company, association, or other |
| 2 |
| group, however organized.
A private entity does not include a |
| 3 |
| State or local government agency. A private entity does not |
| 4 |
| include any court of Illinois, a clerk of the court, or a judge |
| 5 |
| or justice thereof. |
| 6 |
| "Written release" means informed written consent or, in the |
| 7 |
| context of employment, a release executed by an employee as a |
| 8 |
| condition of employment.
|
| 9 |
| Section 15. Retention; collection; disclosure; |
| 10 |
| destruction. |
| 11 |
| (a) A private entity in possession of biometric identifiers |
| 12 |
| or biometric information must develop a written policy, made |
| 13 |
| available to the public, establishing a retention schedule and |
| 14 |
| guidelines for permanently destroying biometric identifiers |
| 15 |
| and biometric information when the initial purpose for |
| 16 |
| collecting or obtaining such identifiers or information has |
| 17 |
| been satisfied or within 3 years of the individual's last |
| 18 |
| interaction with the private entity, whichever occurs first. |
| 19 |
| Absent a valid warrant or subpoena issued by a court of |
| 20 |
| competent jurisdiction, a private entity in possession of |
| 21 |
| biometric identifiers or biometric information must comply |
| 22 |
| with its established retention schedule and destruction |
| 23 |
| guidelines. |
| 24 |
| (b) No private entity may collect, capture, purchase, |
| 25 |
| receive through trade, or otherwise obtain a person's or a |
|
|
|
SB2400 Enrolled |
- 5 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| customer's biometric identifier or biometric information, |
| 2 |
| unless it first: |
| 3 |
| (1) informs the subject or the subject's legally |
| 4 |
| authorized representative in writing that a biometric |
| 5 |
| identifier or biometric information is being collected or |
| 6 |
| stored; |
| 7 |
| (2) informs the subject or the subject's legally |
| 8 |
| authorized representative in writing of the specific |
| 9 |
| purpose and length of term for which a biometric identifier |
| 10 |
| or biometric information is being collected, stored, and |
| 11 |
| used; and |
| 12 |
| (3) receives a written release executed by the subject |
| 13 |
| of the biometric identifier or biometric information or the |
| 14 |
| subject's legally authorized representative.
|
| 15 |
| (c) No private entity in possession of a biometric |
| 16 |
| identifier or biometric information may sell, lease, trade, or |
| 17 |
| otherwise profit from a person's or a customer's biometric |
| 18 |
| identifier or biometric information. |
| 19 |
| (d) No private entity in possession of a biometric |
| 20 |
| identifier or biometric information may disclose, redisclose, |
| 21 |
| or otherwise disseminate a person's or a customer's biometric |
| 22 |
| identifier or biometric information
unless: |
| 23 |
| (1) the subject of the biometric identifier or
|
| 24 |
| biometric information or the subject's legally authorized
|
| 25 |
| representative consents to the disclosure or redisclosure; |
| 26 |
| (2) the disclosure or redisclosure completes a |
|
|
|
SB2400 Enrolled |
- 6 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| financial transaction requested or authorized by the |
| 2 |
| subject of the biometric identifier or the biometric |
| 3 |
| information or the subject's legally authorized |
| 4 |
| representative; |
| 5 |
| (3) the disclosure or redisclosure is required by State |
| 6 |
| or federal law or municipal ordinance; or |
| 7 |
| (4) the disclosure is required pursuant to a valid |
| 8 |
| warrant or subpoena issued by a court of competent |
| 9 |
| jurisdiction.
|
| 10 |
| (e) A private entity in possession of a biometric |
| 11 |
| identifier or biometric information shall: |
| 12 |
| (1) store, transmit, and protect from disclosure all |
| 13 |
| biometric identifiers and biometric information using the |
| 14 |
| reasonable standard of care within the private entity's |
| 15 |
| industry; and
|
| 16 |
| (2) store, transmit, and protect from disclosure all |
| 17 |
| biometric identifiers and biometric information in a |
| 18 |
| manner that is the same as or more protective than the |
| 19 |
| manner in which the private entity stores, transmits, and |
| 20 |
| protects other confidential and sensitive information.
|
| 21 |
| Section 20. Right of action. Any person aggrieved by a |
| 22 |
| violation of this Act shall have a right of action in a State |
| 23 |
| circuit court or as a supplemental claim in federal district |
| 24 |
| court against an offending party. A prevailing party may |
| 25 |
| recover for each violation: |
|
|
|
SB2400 Enrolled |
- 7 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| (1) against a private entity that negligently violates |
| 2 |
| a provision of this Act, liquidated damages of $1,000 or |
| 3 |
| actual damages, whichever is greater; |
| 4 |
| (2) against a private entity that intentionally or |
| 5 |
| recklessly violates a provision of this Act, liquidated |
| 6 |
| damages of $5,000 or actual damages, whichever is greater; |
| 7 |
| (3) reasonable attorneys' fees and costs, including |
| 8 |
| expert witness fees and other litigation expenses; and |
| 9 |
| (4) other relief, including an injunction, as the State |
| 10 |
| or federal court may deem appropriate.
|
| 11 |
| Section 25. Construction. |
| 12 |
| (a) Nothing in this Act shall be construed to impact the |
| 13 |
| admission or discovery of biometric identifiers and biometric |
| 14 |
| information in any action of any kind in any court, or before |
| 15 |
| any tribunal, board, agency, or person. |
| 16 |
| (b) Nothing in this Act shall be construed to conflict with |
| 17 |
| the X-Ray Retention Act, the federal Health Insurance |
| 18 |
| Portability and Accountability Act of 1996 and the rules |
| 19 |
| promulgated under either Act. |
| 20 |
| (c) Nothing in this Act shall be deemed to apply in any |
| 21 |
| manner to a financial institution or an affiliate of a |
| 22 |
| financial institution that is subject to Title V of the federal |
| 23 |
| Gramm-Leach-Bliley Act of 1999 and the rules promulgated |
| 24 |
| thereunder. |
| 25 |
| (d) Nothing in this Act shall be construed to conflict with |
|
|
|
SB2400 Enrolled |
- 8 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| the Private Detective, Private Alarm, Private Security, |
| 2 |
| Fingerprint Vendor, and Locksmith Act of 2004 and the rules |
| 3 |
| promulgated thereunder. |
| 4 |
| (e) Nothing in this Act shall be construed to apply to a |
| 5 |
| contractor, subcontractor, or agent of a State agency or local |
| 6 |
| unit of government when working for that State agency or local |
| 7 |
| unit of government.
|
| 8 |
| Section 30. Biometric Information Privacy Study Committee. |
| 9 |
| (a) The Department of Human Services, in conjunction with |
| 10 |
| Central Management Services, subject to appropriation or other |
| 11 |
| funds made available for this purpose, shall create the |
| 12 |
| Biometric Information Privacy Study Committee, hereafter |
| 13 |
| referred to as the Committee. The Department of Human Services, |
| 14 |
| in conjunction with Central Management Services, shall provide |
| 15 |
| staff and administrative support to the Committee. The |
| 16 |
| Committee shall examine (i) current policies, procedures, and |
| 17 |
| practices used by State and local governments to protect an |
| 18 |
| individual against unauthorized disclosure of his or her |
| 19 |
| biometric identifiers and biometric information when State or |
| 20 |
| local government requires the individual to provide his or her |
| 21 |
| biometric identifiers to an officer or agency of the State or |
| 22 |
| local government; (ii) issues related to the collection, |
| 23 |
| destruction, security, and ramifications of biometric |
| 24 |
| identifiers, biometric information, and biometric technology; |
| 25 |
| and (iii) technical and procedural changes necessary in order |
|
|
|
SB2400 Enrolled |
- 9 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| to implement and enforce reasonable, uniform biometric |
| 2 |
| safeguards by State and local government agencies. |
| 3 |
| (b) The Committee shall hold such public hearings as it |
| 4 |
| deems necessary and present a report of its findings and |
| 5 |
| recommendations to the General Assembly before January 1, 2009. |
| 6 |
| The Committee may begin to conduct business upon appointment of |
| 7 |
| a majority of its members. All appointments shall be completed |
| 8 |
| by 4 months prior to the release of the Committee's final |
| 9 |
| report. The Committee shall meet at least twice and at other |
| 10 |
| times at the call of the chair and may conduct meetings by |
| 11 |
| telecommunication, where possible, in order to minimize travel |
| 12 |
| expenses. The Committee shall consist of 27 members appointed |
| 13 |
| as follows: |
| 14 |
| (1) 2 members appointed by the President of the Senate; |
| 15 |
| (2) 2 members appointed by the Minority Leader of the |
| 16 |
| Senate; |
| 17 |
| (3) 2 members appointed by the Speaker of the House of |
| 18 |
| Representatives; |
| 19 |
| (4) 2 members appointed by the Minority Leader of the |
| 20 |
| House of Representatives; |
| 21 |
| (5) One member representing the Office of the Governor, |
| 22 |
| appointed by the Governor; |
| 23 |
| (6) One member, who shall serve as the chairperson of |
| 24 |
| the Committee, representing the Office of the Attorney |
| 25 |
| General, appointed by the Attorney General; |
| 26 |
| (7) One member representing the Office of the Secretary |
|
|
|
SB2400 Enrolled |
- 10 - |
LRB095 19768 KBJ 46142 b |
|
|
| 1 |
| of the State, appointed by the Secretary of State; |
| 2 |
| (8) One member from each of the following State |
| 3 |
| agencies appointed by their respective heads: Department |
| 4 |
| of Corrections, Department of Public Health, Department of |
| 5 |
| Human Services, Central Management Services, Illinois |
| 6 |
| Commerce Commission, Illinois State Police, Department of |
| 7 |
| Revenue; |
| 8 |
| (9) One member appointed by the chairperson of the |
| 9 |
| Committee, representing the interests of the City of |
| 10 |
| Chicago; |
| 11 |
| (10) 2 members appointed by the chairperson of the |
| 12 |
| Committee, representing the interests of other |
| 13 |
| municipalities; |
| 14 |
| (11) 2 members appointed by the chairperson of the |
| 15 |
| Committee, representing the interests of public hospitals; |
| 16 |
| and |
| 17 |
| (12) 4 public members appointed by the chairperson of |
| 18 |
| the Committee, representing the interests of the civil |
| 19 |
| liberties community, the electronic privacy community, and |
| 20 |
| government employees. |
| 21 |
| (c) This Section is repealed January 1, 2009.
|
| 22 |
| Section 99. Effective date. This Act takes effect upon |
| 23 |
| becoming law. |