Sen. Bill Cunningham
Filed: 4/6/2018

10000SB3053sam002    LRB100 19520 HEP 38183 a

AMENDMENT TO SENATE BILL 3053

AMENDMENT NO. ______. Amend Senate Bill 3053 by replacing everything after the enacting clause with the following:

"Section 5. The Biometric Information Privacy Act is amended by changing Sections 10, 15, 20, and 25 and by adding Section 35 as follows:

(740 ILCS 14/10)

Sec. 10. Definitions. In this Act:

"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry that is linked by a private entity to the subject's confidential and sensitive information. Biometric identifiers do not include physical or digital photographs; video recordings; audio recordings; data generated from physical or digital photographs, video recordings, or audio recordings; writing samples; , written signatures; , photographs, human biological samples used for valid scientific testing or screening; , demographic data; , tattoo descriptions; , or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier that is linked by a private entity to the subject's confidential and sensitive information used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.

"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.

"Written release" means informed written consent or, in the context of employment, a release executed by an employee as a condition of employment.

(Source: P.A. 95-994, eff. 10-3-08.)

(740 ILCS 14/15)

Sec. 15. Retention; collection; disclosure; destruction.

(a) A private entity in possession of biometric identifiers or biometric information for more than 24 hours must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information and retain it for more than 24 hours, unless it first:

(1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored;

(2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative.

(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise exchange for financial consideration profit from a person's or a customer's biometric identifier or biometric information.

(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless:

(1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative;

(3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or

(4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(e) A private entity in possession of a biometric identifier or biometric information shall:

(1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and

(2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

(f) It is not unlawful under this Act for any user to collect, capture, otherwise obtain, or possess a biometric identifier or biometric information on a personal device, unless the biometric identifier or biometric information is used for the purpose of committing a criminal or tortious act. It is not unlawful under this Act for a private entity to create or make available a device, software, or other functionality that collects, captures, otherwise obtains, or possesses biometric identifiers or biometric information on a personal device. It is not unlawful under this Act for a cloud service provider to take any action at the direction of or on behalf of a user of the cloud service.

(Source: P.A. 95-994, eff. 10-3-08.)

(740 ILCS 14/20)

Sec. 20. Right of action. Any person aggrieved by a violation of this Act that occurs in this State shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation:

(1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater;

(2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;

(3) reasonable attorneys' fees and costs, including expert witness fees and other litigation expenses; and

(4) other relief, including an injunction, as the State or federal court may deem appropriate.

(Source: P.A. 95-994, eff. 10-3-08.)

(740 ILCS 14/25)

Sec. 25. Construction.

(a) Nothing in this Act shall be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person.

(b) Nothing in this Act shall be deemed to apply in any manner to a private entity that complies construed to conflict with the X-Ray Retention Act, the federal Health Insurance Portability and Accountability Act of 1996 as amended by the Health Information Technology for Economic and Clinical Health Act of 2009, the Personal Information Protection Act, and the rules promulgated under those Acts either Act.

(c) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.

(d) Nothing in this Act shall be construed to conflict with the Private Detective, Private Alarm, Private Security, Fingerprint Vendor, and Locksmith Act of 2004 and the rules promulgated thereunder.

(e) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(f) Nothing in this Act shall be deemed to apply to a private entity collecting, storing, or transmitting biometric information if:

(1) the biometric information is used exclusively for:

(A) employment, human resources, compliance, identification, or authentication purposes;

(B) preventing or investigating acts of terrorism, human trafficking, kidnapping, or violence; or

(C) safety, security, or fraud prevention purposes;

(2) the private entity does not sell, lease, or trade the biometric identifier or biometric information collected; and

(3) the private entity documents a process and time frame to delete any biometric information used for the purposes identified in paragraph (1).

(Source: P.A. 95-994, eff. 10-3-08.)

(740 ILCS 14/35 new)

Sec. 35. Department of Labor website. The Illinois Department of Labor shall provide on its website information for employers regarding the requirements of this Act.".