Full Text of SB3782 102nd General Assembly
SB3782 102ND GENERAL ASSEMBLY
|
| | 102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB3782 Introduced 1/21/2022, by Sen. John Connor SYNOPSIS AS INTRODUCED:
|
| 740 ILCS 14/10 | | 740 ILCS 14/15 | |
|
Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.
|
| |
| | A BILL FOR |
|
| | | SB3782 | | LRB102 24507 LNS 33741 b |
|
| | 1 | | AN ACT concerning civil law.
| | 2 | | Be it enacted by the People of the State of Illinois,
| | 3 | | represented in the General Assembly:
| | 4 | | Section 5. The Biometric Information Privacy Act is | | 5 | | amended by changing Sections 10 and 15 as follows:
| | 6 | | (740 ILCS 14/10)
| | 7 | | Sec. 10. Definitions. In this Act: | | 8 | | "Biometric identifier" means a retina or iris scan, | | 9 | | fingerprint, voiceprint, or scan of hand or face geometry. | | 10 | | Biometric identifiers do not include writing samples, written | | 11 | | signatures, photographs, human biological samples used for | | 12 | | valid scientific testing or screening, demographic data, | | 13 | | tattoo descriptions, or physical descriptions such as height, | | 14 | | weight, hair color, or eye color. Biometric identifiers do not | | 15 | | include donated organs, tissues, or parts as defined in the | | 16 | | Illinois Anatomical Gift Act or blood or serum stored on | | 17 | | behalf of recipients or potential recipients of living or | | 18 | | cadaveric transplants and obtained or stored by a federally | | 19 | | designated organ procurement agency. Biometric identifiers do | | 20 | | not include biological materials regulated under the Genetic | | 21 | | Information Privacy Act. Biometric identifiers do not include | | 22 | | information captured from a patient in a health care setting | | 23 | | or information collected, used, or stored for health care |
| | | SB3782 | - 2 - | LRB102 24507 LNS 33741 b |
|
| | 1 | | treatment, payment, or operations under the federal Health | | 2 | | Insurance Portability and Accountability Act of 1996. | | 3 | | Biometric identifiers do not include an X-ray, roentgen | | 4 | | process, computed tomography, MRI, PET scan, mammography, or | | 5 | | other image or film of the human anatomy used to diagnose, | | 6 | | prognose, or treat an illness or other medical condition or to | | 7 | | further validate scientific testing or screening. | | 8 | | "Biometric information" means any information, regardless | | 9 | | of how it is captured, converted, stored, or shared, based on | | 10 | | an individual's biometric identifier used to identify an | | 11 | | individual. Biometric information does not include information | | 12 | | derived from items or procedures excluded under the definition | | 13 | | of biometric identifiers. | | 14 | | "Confidential and sensitive information" means personal | | 15 | | information that can be used to uniquely identify an | | 16 | | individual or an individual's account or property. Examples of | | 17 | | confidential and sensitive information include, but are not | | 18 | | limited to, a genetic marker, genetic testing information, a | | 19 | | unique identifier number to locate an account or property, an | | 20 | | account number, a PIN number, a pass code, a driver's license | | 21 | | number, or a social security number. | | 22 | | "Private entity" means any individual, partnership, | | 23 | | corporation, limited liability company, association, or other | | 24 | | group, however organized.
A private entity does not include a | | 25 | | State or local government agency. A private entity does not | | 26 | | include any court of Illinois, a clerk of the court, or a judge |
| | | SB3782 | - 3 - | LRB102 24507 LNS 33741 b |
|
| | 1 | | or justice thereof. | | 2 | | "Security purpose" means the purpose of preventing or | | 3 | | investigating retail theft, fraud, or any other | | 4 | | misappropriation or theft of a thing of value, including | | 5 | | protecting property from trespass, controlling access to | | 6 | | property, protecting any person from harm including stalking, | | 7 | | violence, or harassment, and assisting a law enforcement | | 8 | | investigation. | | 9 | | "Written release" means informed written consent or, in | | 10 | | the context of employment, a release executed by an employee | | 11 | | as a condition of employment.
| | 12 | | (Source: P.A. 95-994, eff. 10-3-08.)
| | 13 | | (740 ILCS 14/15)
| | 14 | | Sec. 15. Retention; collection; disclosure; destruction. | | 15 | | (a) A private entity in possession of biometric | | 16 | | identifiers or biometric information must develop a written | | 17 | | policy, made available to the public, establishing a retention | | 18 | | schedule and guidelines for permanently destroying biometric | | 19 | | identifiers and biometric information when the initial purpose | | 20 | | for collecting or obtaining such identifiers or information | | 21 | | has been satisfied or within 3 years of the individual's last | | 22 | | interaction with the private entity, whichever occurs first. | | 23 | | Absent a valid warrant or subpoena issued by a court of | | 24 | | competent jurisdiction, a private entity in possession of | | 25 | | biometric identifiers or biometric information must comply |
| | | SB3782 | - 4 - | LRB102 24507 LNS 33741 b |
|
| | 1 | | with its established retention schedule and destruction | | 2 | | guidelines. | | 3 | | (b) No private entity may collect, capture, purchase, | | 4 | | receive through trade, or otherwise obtain a person's or a | | 5 | | customer's biometric identifier or biometric information, | | 6 | | unless it first: | | 7 | | (1) informs the subject or the subject's legally | | 8 | | authorized representative in writing that a biometric | | 9 | | identifier or biometric information is being collected or | | 10 | | stored; | | 11 | | (2) informs the subject or the subject's legally | | 12 | | authorized representative in writing of the specific | | 13 | | purpose and length of term for which a biometric | | 14 | | identifier or biometric information is being collected, | | 15 | | stored, and used; and | | 16 | | (3) receives a written release executed by the subject | | 17 | | of the biometric identifier or biometric information or | | 18 | | the subject's legally authorized representative.
| | 19 | | (b-5) A private entity may collect, capture, or | | 20 | | otherwise obtain a person's or customer's biometric | | 21 | | identifier or biometric information without satisfying the | | 22 | | requirements of subsection (b) if: | | 23 | | (1) the private entity collects, captures, or | | 24 | | otherwise obtains a person's or customer's biometric | | 25 | | identifier or biometric information for a security | | 26 | | purpose; |
| | | SB3782 | - 5 - | LRB102 24507 LNS 33741 b |
|
| | 1 | | (2) the private entity uses the biometric | | 2 | | identifier or biometric information only for a | | 3 | | security purpose; | | 4 | | (3) the private entity retains the biometric | | 5 | | identifier or biometric information no longer than is | | 6 | | reasonably necessary to satisfy a security purpose; | | 7 | | and | | 8 | | (4) the private entity documents a process and | | 9 | | time frame to delete any biometric identifier or | | 10 | | biometric information used for the purposes identified | | 11 | | in this subsection. | | 12 | | (c) No private entity in possession of a biometric | | 13 | | identifier or biometric information may sell, lease, trade, or | | 14 | | otherwise profit from a person's or a customer's biometric | | 15 | | identifier or biometric information. | | 16 | | (d) No private entity in possession of a biometric | | 17 | | identifier or biometric information may disclose, redisclose, | | 18 | | or otherwise disseminate a person's or a customer's biometric | | 19 | | identifier or biometric information
unless: | | 20 | | (1) the subject of the biometric identifier or
| | 21 | | biometric information or the subject's legally authorized
| | 22 | | representative consents to the disclosure or redisclosure; | | 23 | | (2) the disclosure or redisclosure completes a | | 24 | | financial transaction requested or authorized by the | | 25 | | subject of the biometric identifier or the biometric | | 26 | | information or the subject's legally authorized |
| | | SB3782 | - 6 - | LRB102 24507 LNS 33741 b |
|
| | 1 | | representative; | | 2 | | (3) the disclosure or redisclosure is required by | | 3 | | State or federal law or municipal ordinance; or | | 4 | | (4) the disclosure is required pursuant to a valid | | 5 | | warrant or subpoena issued by a court of competent | | 6 | | jurisdiction.
| | 7 | | (e) A private entity in possession of a biometric | | 8 | | identifier or biometric information shall: | | 9 | | (1) store, transmit, and protect from disclosure all | | 10 | | biometric identifiers and biometric information using the | | 11 | | reasonable standard of care within the private entity's | | 12 | | industry; and
| | 13 | | (2) store, transmit, and protect from disclosure all | | 14 | | biometric identifiers and biometric information in a | | 15 | | manner that is the same as or more protective than the | | 16 | | manner in which the private entity stores, transmits, and | | 17 | | protects other confidential and sensitive information.
| | 18 | | (Source: P.A. 95-994, eff. 10-3-08.)
|
|
Translate
