Full Text of SB3782 102nd General Assembly
SB3782 102ND GENERAL ASSEMBLY |
| | 102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022 SB3782 Introduced 1/21/2022, by Sen. John Connor SYNOPSIS AS INTRODUCED: |
| 740 ILCS 14/10 | | 740 ILCS 14/15 | |
|
Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.
|
| |
| | A BILL FOR |
|
| | | SB3782 | | LRB102 24507 LNS 33741 b |
|
| 1 | | AN ACT concerning civil law.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Biometric Information Privacy Act is | 5 | | amended by changing Sections 10 and 15 as follows: | 6 | | (740 ILCS 14/10)
| 7 | | Sec. 10. Definitions. In this Act: | 8 | | "Biometric identifier" means a retina or iris scan, | 9 | | fingerprint, voiceprint, or scan of hand or face geometry. | 10 | | Biometric identifiers do not include writing samples, written | 11 | | signatures, photographs, human biological samples used for | 12 | | valid scientific testing or screening, demographic data, | 13 | | tattoo descriptions, or physical descriptions such as height, | 14 | | weight, hair color, or eye color. Biometric identifiers do not | 15 | | include donated organs, tissues, or parts as defined in the | 16 | | Illinois Anatomical Gift Act or blood or serum stored on | 17 | | behalf of recipients or potential recipients of living or | 18 | | cadaveric transplants and obtained or stored by a federally | 19 | | designated organ procurement agency. Biometric identifiers do | 20 | | not include biological materials regulated under the Genetic | 21 | | Information Privacy Act. Biometric identifiers do not include | 22 | | information captured from a patient in a health care setting | 23 | | or information collected, used, or stored for health care |
| | | SB3782 | - 2 - | LRB102 24507 LNS 33741 b |
|
| 1 | | treatment, payment, or operations under the federal Health | 2 | | Insurance Portability and Accountability Act of 1996. | 3 | | Biometric identifiers do not include an X-ray, roentgen | 4 | | process, computed tomography, MRI, PET scan, mammography, or | 5 | | other image or film of the human anatomy used to diagnose, | 6 | | prognose, or treat an illness or other medical condition or to | 7 | | further validate scientific testing or screening. | 8 | | "Biometric information" means any information, regardless | 9 | | of how it is captured, converted, stored, or shared, based on | 10 | | an individual's biometric identifier used to identify an | 11 | | individual. Biometric information does not include information | 12 | | derived from items or procedures excluded under the definition | 13 | | of biometric identifiers. | 14 | | "Confidential and sensitive information" means personal | 15 | | information that can be used to uniquely identify an | 16 | | individual or an individual's account or property. Examples of | 17 | | confidential and sensitive information include, but are not | 18 | | limited to, a genetic marker, genetic testing information, a | 19 | | unique identifier number to locate an account or property, an | 20 | | account number, a PIN number, a pass code, a driver's license | 21 | | number, or a social security number. | 22 | | "Private entity" means any individual, partnership, | 23 | | corporation, limited liability company, association, or other | 24 | | group, however organized.
A private entity does not include a | 25 | | State or local government agency. A private entity does not | 26 | | include any court of Illinois, a clerk of the court, or a judge |
| | | SB3782 | - 3 - | LRB102 24507 LNS 33741 b |
|
| 1 | | or justice thereof. | 2 | | "Security purpose" means the purpose of preventing or | 3 | | investigating retail theft, fraud, or any other | 4 | | misappropriation or theft of a thing of value, including | 5 | | protecting property from trespass, controlling access to | 6 | | property, protecting any person from harm including stalking, | 7 | | violence, or harassment, and assisting a law enforcement | 8 | | investigation. | 9 | | "Written release" means informed written consent or, in | 10 | | the context of employment, a release executed by an employee | 11 | | as a condition of employment.
| 12 | | (Source: P.A. 95-994, eff. 10-3-08.) | 13 | | (740 ILCS 14/15)
| 14 | | Sec. 15. Retention; collection; disclosure; destruction. | 15 | | (a) A private entity in possession of biometric | 16 | | identifiers or biometric information must develop a written | 17 | | policy, made available to the public, establishing a retention | 18 | | schedule and guidelines for permanently destroying biometric | 19 | | identifiers and biometric information when the initial purpose | 20 | | for collecting or obtaining such identifiers or information | 21 | | has been satisfied or within 3 years of the individual's last | 22 | | interaction with the private entity, whichever occurs first. | 23 | | Absent a valid warrant or subpoena issued by a court of | 24 | | competent jurisdiction, a private entity in possession of | 25 | | biometric identifiers or biometric information must comply |
| | | SB3782 | - 4 - | LRB102 24507 LNS 33741 b |
|
| 1 | | with its established retention schedule and destruction | 2 | | guidelines. | 3 | | (b) No private entity may collect, capture, purchase, | 4 | | receive through trade, or otherwise obtain a person's or a | 5 | | customer's biometric identifier or biometric information, | 6 | | unless it first: | 7 | | (1) informs the subject or the subject's legally | 8 | | authorized representative in writing that a biometric | 9 | | identifier or biometric information is being collected or | 10 | | stored; | 11 | | (2) informs the subject or the subject's legally | 12 | | authorized representative in writing of the specific | 13 | | purpose and length of term for which a biometric | 14 | | identifier or biometric information is being collected, | 15 | | stored, and used; and | 16 | | (3) receives a written release executed by the subject | 17 | | of the biometric identifier or biometric information or | 18 | | the subject's legally authorized representative.
| 19 | | (b-5) A private entity may collect, capture, or | 20 | | otherwise obtain a person's or customer's biometric | 21 | | identifier or biometric information without satisfying the | 22 | | requirements of subsection (b) if: | 23 | | (1) the private entity collects, captures, or | 24 | | otherwise obtains a person's or customer's biometric | 25 | | identifier or biometric information for a security | 26 | | purpose; |
| | | SB3782 | - 5 - | LRB102 24507 LNS 33741 b |
|
| 1 | | (2) the private entity uses the biometric | 2 | | identifier or biometric information only for a | 3 | | security purpose; | 4 | | (3) the private entity retains the biometric | 5 | | identifier or biometric information no longer than is | 6 | | reasonably necessary to satisfy a security purpose; | 7 | | and | 8 | | (4) the private entity documents a process and | 9 | | time frame to delete any biometric identifier or | 10 | | biometric information used for the purposes identified | 11 | | in this subsection. | 12 | | (c) No private entity in possession of a biometric | 13 | | identifier or biometric information may sell, lease, trade, or | 14 | | otherwise profit from a person's or a customer's biometric | 15 | | identifier or biometric information. | 16 | | (d) No private entity in possession of a biometric | 17 | | identifier or biometric information may disclose, redisclose, | 18 | | or otherwise disseminate a person's or a customer's biometric | 19 | | identifier or biometric information
unless: | 20 | | (1) the subject of the biometric identifier or
| 21 | | biometric information or the subject's legally authorized
| 22 | | representative consents to the disclosure or redisclosure; | 23 | | (2) the disclosure or redisclosure completes a | 24 | | financial transaction requested or authorized by the | 25 | | subject of the biometric identifier or the biometric | 26 | | information or the subject's legally authorized |
| | | SB3782 | - 6 - | LRB102 24507 LNS 33741 b |
|
| 1 | | representative; | 2 | | (3) the disclosure or redisclosure is required by | 3 | | State or federal law or municipal ordinance; or | 4 | | (4) the disclosure is required pursuant to a valid | 5 | | warrant or subpoena issued by a court of competent | 6 | | jurisdiction.
| 7 | | (e) A private entity in possession of a biometric | 8 | | identifier or biometric information shall: | 9 | | (1) store, transmit, and protect from disclosure all | 10 | | biometric identifiers and biometric information using the | 11 | | reasonable standard of care within the private entity's | 12 | | industry; and
| 13 | | (2) store, transmit, and protect from disclosure all | 14 | | biometric identifiers and biometric information in a | 15 | | manner that is the same as or more protective than the | 16 | | manner in which the private entity stores, transmits, and | 17 | | protects other confidential and sensitive information.
| 18 | | (Source: P.A. 95-994, eff. 10-3-08.)
|
|