Public Act 095-0994

SB2400 Enrolled LRB095 19768 KBJ 46142 b

AN ACT concerning health.

Be it enacted by the People of the State of Illinois,

represented in the General Assembly:

Section 1. Short title. This Act may be cited as the

Biometric Information Privacy Act.

Section 5. Legislative findings; intent. The General

Assembly finds all of the following:

(a) The use of biometrics is growing in the business and

security screening sectors and appears to promise streamlined

financial transactions and security screenings.

(b) Major national corporations have selected the City of

Chicago and other locations in this State as pilot testing

sites for new applications of biometric-facilitated financial

transactions, including finger-scan technologies at grocery

stores, gas stations, and school cafeterias.

(c) Biometrics are unlike other unique identifiers that are

used to access finances or other sensitive information. For

example, social security numbers, when compromised, can be

changed. Biometrics, however, are biologically unique to the

individual; therefore, once compromised, the individual has no

recourse, is at heightened risk for identity theft, and is

likely to withdraw from biometric-facilitated transactions.

(d) An overwhelming majority of members of the public are

weary of the use of biometrics when such information is tied to

finances and other personal information.

(e) Despite limited State law regulating the collection,

use, safeguarding, and storage of biometrics, many members of

the public are deterred from partaking in biometric

identifier-facilitated transactions.

(f) The full ramifications of biometric technology are not

fully known.

(g) The public welfare, security, and safety will be served

by regulating the collection, use, safeguarding, handling,

storage, retention, and destruction of biometric identifiers

and information.

Section 10. Definitions. In this Act:

"Biometric identifier" means a retina or iris scan,

fingerprint, voiceprint, or scan of hand or face geometry.

Biometric identifiers do not include writing samples, written

signatures, photographs, human biological samples used for

valid scientific testing or screening, demographic data,

tattoo descriptions, or physical descriptions such as height,

weight, hair color, or eye color. Biometric identifiers do not

include donated organs, tissues, or parts as defined in the

Illinois Anatomical Gift Act or blood or serum stored on behalf

of recipients or potential recipients of living or cadaveric

transplants and obtained or stored by a federally designated

organ procurement agency. Biometric identifiers do not include

biological materials regulated under the Genetic Information

Privacy Act. Biometric identifiers do not include information

captured from a patient in a health care setting or information

collected, used, or stored for health care treatment, payment,

or operations under the federal Health Insurance Portability

and Accountability Act of 1996. Biometric identifiers do not

include an X-ray, roentgen process, computed tomography, MRI,

PET scan, mammography, or other image or film of the human

anatomy used to diagnose, prognose, or treat an illness or

other medical condition or to further validate scientific

testing or screening.

"Biometric information" means any information, regardless

of how it is captured, converted, stored, or shared, based on

an individual's biometric identifier used to identify an

individual. Biometric information does not include information

derived from items or procedures excluded under the definition

of biometric identifiers.

"Confidential and sensitive information" means personal

information that can be used to uniquely identify an individual

or an individual's account or property. Examples of

confidential and sensitive information include, but are not

limited to, a genetic marker, genetic testing information, a

unique identifier number to locate an account or property, an

account number, a PIN number, a pass code, a driver's license

number, or a social security number.

"Private entity" means any individual, partnership,

corporation, limited liability company, association, or other

group, however organized. A private entity does not include a

State or local government agency. A private entity does not

include any court of Illinois, a clerk of the court, or a judge

or justice thereof.

"Written release" means informed written consent or, in the

context of employment, a release executed by an employee as a

condition of employment.

Section 15. Retention; collection; disclosure;

destruction.

(a) A private entity in possession of biometric identifiers

or biometric information must develop a written policy, made

available to the public, establishing a retention schedule and

guidelines for permanently destroying biometric identifiers

and biometric information when the initial purpose for

collecting or obtaining such identifiers or information has

been satisfied or within 3 years of the individual's last

interaction with the private entity, whichever occurs first.

Absent a valid warrant or subpoena issued by a court of

competent jurisdiction, a private entity in possession of

biometric identifiers or biometric information must comply

with its established retention schedule and destruction

guidelines.

(b) No private entity may collect, capture, purchase,

receive through trade, or otherwise obtain a person's or a

customer's biometric identifier or biometric information,

unless it first:

(1) informs the subject or the subject's legally

authorized representative in writing that a biometric

identifier or biometric information is being collected or

stored;

(2) informs the subject or the subject's legally

authorized representative in writing of the specific

purpose and length of term for which a biometric identifier

or biometric information is being collected, stored, and

used; and

(3) receives a written release executed by the subject

of the biometric identifier or biometric information or the

subject's legally authorized representative.

(c) No private entity in possession of a biometric

identifier or biometric information may sell, lease, trade, or

otherwise profit from a person's or a customer's biometric

identifier or biometric information.

(d) No private entity in possession of a biometric

identifier or biometric information may disclose, redisclose,

or otherwise disseminate a person's or a customer's biometric

identifier or biometric information unless:

(1) the subject of the biometric identifier or

biometric information or the subject's legally authorized

representative consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a

financial transaction requested or authorized by the

subject of the biometric identifier or the biometric

information or the subject's legally authorized

representative;

(3) the disclosure or redisclosure is required by State

or federal law or municipal ordinance; or

(4) the disclosure is required pursuant to a valid

warrant or subpoena issued by a court of competent

jurisdiction.

(e) A private entity in possession of a biometric

identifier or biometric information shall:

(1) store, transmit, and protect from disclosure all

biometric identifiers and biometric information using the

reasonable standard of care within the private entity's

industry; and

(2) store, transmit, and protect from disclosure all

biometric identifiers and biometric information in a

manner that is the same as or more protective than the

manner in which the private entity stores, transmits, and

protects other confidential and sensitive information.

Section 20. Right of action. Any person aggrieved by a

violation of this Act shall have a right of action in a State

circuit court or as a supplemental claim in federal district

court against an offending party. A prevailing party may

recover for each violation:

(1) against a private entity that negligently violates

a provision of this Act, liquidated damages of $1,000 or

actual damages, whichever is greater;

(2) against a private entity that intentionally or

recklessly violates a provision of this Act, liquidated

damages of $5,000 or actual damages, whichever is greater;

(3) reasonable attorneys' fees and costs, including

expert witness fees and other litigation expenses; and

(4) other relief, including an injunction, as the State

or federal court may deem appropriate.

Section 25. Construction.

(a) Nothing in this Act shall be construed to impact the

admission or discovery of biometric identifiers and biometric

information in any action of any kind in any court, or before

any tribunal, board, agency, or person.

(b) Nothing in this Act shall be construed to conflict with

the X-Ray Retention Act, the federal Health Insurance

Portability and Accountability Act of 1996 and the rules

promulgated under either Act.

(c) Nothing in this Act shall be deemed to apply in any

manner to a financial institution or an affiliate of a

financial institution that is subject to Title V of the federal

Gramm-Leach-Bliley Act of 1999 and the rules promulgated

thereunder.

(d) Nothing in this Act shall be construed to conflict with

the Private Detective, Private Alarm, Private Security,

Fingerprint Vendor, and Locksmith Act of 2004 and the rules

promulgated thereunder.

(e) Nothing in this Act shall be construed to apply to a

contractor, subcontractor, or agent of a State agency or local

unit of government when working for that State agency or local

unit of government.

Section 30. Biometric Information Privacy Study Committee.

(a) The Department of Human Services, in conjunction with

Central Management Services, subject to appropriation or other

funds made available for this purpose, shall create the

Biometric Information Privacy Study Committee, hereafter

referred to as the Committee. The Department of Human Services,

in conjunction with Central Management Services, shall provide

staff and administrative support to the Committee. The

Committee shall examine (i) current policies, procedures, and

practices used by State and local governments to protect an

individual against unauthorized disclosure of his or her

biometric identifiers and biometric information when State or

local government requires the individual to provide his or her

biometric identifiers to an officer or agency of the State or

local government; (ii) issues related to the collection,

destruction, security, and ramifications of biometric

identifiers, biometric information, and biometric technology;

and (iii) technical and procedural changes necessary in order

to implement and enforce reasonable, uniform biometric

safeguards by State and local government agencies.

(b) The Committee shall hold such public hearings as it

deems necessary and present a report of its findings and

recommendations to the General Assembly before January 1, 2009.

The Committee may begin to conduct business upon appointment of

a majority of its members. All appointments shall be completed

by 4 months prior to the release of the Committee's final

report. The Committee shall meet at least twice and at other

times at the call of the chair and may conduct meetings by

telecommunication, where possible, in order to minimize travel

expenses. The Committee shall consist of 27 members appointed

as follows:

(1) 2 members appointed by the President of the Senate;

(2) 2 members appointed by the Minority Leader of the

Senate;

(3) 2 members appointed by the Speaker of the House of

Representatives;

(4) 2 members appointed by the Minority Leader of the

House of Representatives;

(5) One member representing the Office of the Governor,

appointed by the Governor;

(6) One member, who shall serve as the chairperson of

the Committee, representing the Office of the Attorney

General, appointed by the Attorney General;

(7) One member representing the Office of the Secretary

of the State, appointed by the Secretary of State;

(8) One member from each of the following State

agencies appointed by their respective heads: Department

of Corrections, Department of Public Health, Department of

Human Services, Central Management Services, Illinois

Commerce Commission, Illinois State Police, Department of

Revenue;

(9) One member appointed by the chairperson of the

Committee, representing the interests of the City of

Chicago;

(10) 2 members appointed by the chairperson of the

Committee, representing the interests of other

municipalities;

(11) 2 members appointed by the chairperson of the

Committee, representing the interests of public hospitals;

and

(12) 4 public members appointed by the chairperson of

the Committee, representing the interests of the civil

liberties community, the electronic privacy community, and

government employees.

(c) This Section is repealed January 1, 2009.

Section 99. Effective date. This Act takes effect upon

becoming law.