Full Text of SB2400 95th General Assembly
95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008
SB2400

Introduced 2/14/2008, by Sen. Terry Link

SYNOPSIS AS INTRODUCED:

Creates the Biometric Information Privacy Act. Provides that a public agency or private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the public agency or private entity. Provides that absent a valid warrant or subpoena, a public agency or private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines. Provides that no public agency or private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first satisfies certain conditions. Provides that these provisions do not apply to a public agency engaged in criminal investigations or prosecutions or a public agency acting pursuant to a valid warrant or subpoena. Provides that a public agency in possession of biometric identifiers or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the public agency stores, transmits, and protects other confidential and sensitive information. Provides that any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court. Preempts home rule. Contains other provisions.

FISCAL NOTE ACT MAY APPLY
HOME RULE NOTE ACT MAY APPLY

A BILL FOR

SB2400
LRB095 19768 KBJ 46142 b

AN ACT concerning health.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Biometric Information Privacy Act.

Section 5. Legislative findings; intent. The General Assembly finds all of the following:

(a) The use of biometrics is growing in the business and security screening sectors and appears to promise streamlined financial transactions and security screenings.

(b) Major national corporations have selected the City of Chicago and other locations in this State as pilot testing sites for new applications of biometric-facilitated financial transactions, including "Pay By Touch" at banks, grocery stores, gas stations, and school cafeterias.

(c) Biometrics are unlike other unique identifiers that are used to access finances or other sensitive information. For example, social security numbers, when compromised, can be changed. Biometrics, however, are biologically unique to the individual; therefore, once compromised, the individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from biometric-facilitated transactions.

(d) An overwhelming majority of members of the public are opposed to the use of biometrics when such information is tied to personal finances and other personal information.

(e) Despite limited State law regulating the collection, use, safeguarding, and storage of biometric information, many members of the public are deterred from partaking in biometric identifier-facilitated facility transactions.

(f) The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.

Section 10. Definitions. In this Act:

"Biometric identifier" means any indelible personal physical characteristic which can be used to uniquely identify an individual or pinpoint an individual at a particular place at a particular time. Examples of biometric identifiers include, but are not limited to iris or retinal scans, fingerprints, voiceprints, and records of hand or facial geometry. Biometric identifiers do not include writing samples, written signature, and photographs.

"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual.

"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property include, but are not limited to a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.

"Legally effective written release" means informed written consent.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.

"Public agency" means the State of Illinois and its various subdivisions and agencies, and all units of local government, school districts, and other governmental entities.

Section 15. Retention; collection; disclosure; destruction.

(a) A public agency or private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the public agency or private entity. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a public agency or private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

(b) No public agency or private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first:

(1) informs the subject in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a legally effective written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

(c) Subsections (a) and (b) of this Section do not apply to a public agency engaged in criminal investigations or prosecutions. Subsections (a) and (b) of this Section do not apply to a public agency acting pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(d) No public agency or private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

(e) Nothing in subsection (d) of this Section shall be construed to prohibit or inhibit a public agency engaged in criminal investigations or prosecutions from:

(1) sharing biometric identifiers or biometric information with another public agency engaged in criminal investigations or prosecutions to further such criminal investigations or prosecutions;

(2) sharing biometric identifiers or biometric information pursuant to federal law or regulation; or

(3) sharing biometric identifiers or biometric information pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(f) No public agency, private entity, or person in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information, unless:

(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information;

(3) the disclosure or redisclosure is required under federal law; and

(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(g) A public agency in possession of biometric identifiers or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the public agency stores, transmits, and protects other confidential and sensitive information.

(h) A private entity in possession of a biometric identifier or biometric information shall:

(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and

(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

(i) All information and records held by a public agency pertaining to biometric identifiers and biometric information shall be confidential and exempt from copying and inspection under the Freedom of Information Act to all except to the subject of the biometric identifier or biometric information. The subject of the biometric identifier or biometric information held by a public agency shall be permitted to copy and inspect only their own biometric identifiers and biometric information.

Section 20. Right of action.

(a) Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation:

(1) against any public agency or private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;

(2) against any public agency or private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;

(3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and

(4) other relief, including an injunction, as the State or federal court may deem appropriate.

(b) For the purpose of this Act, "prevailing party" includes any party:
(i) who obtains some of his or her requested relief through a judicial judgment in his or her favor;
(ii) who obtains some of his or her requested relief through any settlement agreement approved by the court; or
(iii) whose pursuit of a non-frivolous claim was a catalyst for a unilateral change in position by the opposing party relative to the relief sought.

Section 25. Home rule. The corporate authorities of a municipality or other unit of local government may enact ordinances, standards, rules, or regulations that protect biometric identifiers and biometric information in a manner or to an extent equal to or greater than the protection provided in this Act. This Section is a limitation on the concurrent exercise of home rule power under subsection (i) of Section 6 of Article VII of the Illinois Constitution.