101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB3593
 
Introduced 2/14/2020, by Sen. Jason A. Barickman
 
SYNOPSIS AS INTRODUCED:
 

 
740 ILCS 14/5
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/20
740 ILCS 14/25

     Amends the Biometric Information Privacy Act. Changes the term of "written release" to "written consent". Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the Act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes.
  


LRB101 19663 LNS 69153 b

 
 
A BILL FOR
 

  
SB3593LRB101 19663 LNS 69153 b


  
1    AN ACT concerning civil law.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 5. The Biometric Information Privacy Act is amended  
5by changing Sections 5, 10, 15, 20, and 25 as follows:
 
6    (740 ILCS 14/5)

7    Sec. 5. Legislative findings; intent.   The General Assembly 
8finds all of the following:
9    (a) The use of biometrics is growing in the business and 
10security screening sectors and appears to promise streamlined 
11financial transactions and security screenings.
12    (b)  Major national corporations have selected the City of 
13Chicago and other locations in this State as pilot testing 
14sites for new applications of biometric-facilitated financial 
15transactions, including finger-scan technologies at grocery 
16stores, gas stations, and school cafeterias.
17    (c)  Biometrics are unlike other unique identifiers that are 
18used to access finances or other sensitive information.  For 
19example, social security numbers, when compromised, can be 
20changed.  Biometrics, however, are biologically unique to the 
21individual; therefore, once compromised, the individual has no 
22recourse, is at heightened risk for identity theft, and is 
23likely to withdraw from biometric-facilitated transactions.
 
 
SB3593- 2 -LRB101 19663 LNS 69153 b

1    (d) An overwhelming majority of members of the public are 
2wary weary of the use of biometrics when such information is 
3tied to finances and other personal information.
4    (e)  Despite limited State law regulating the collection, 
5use, safeguarding, and storage of biometrics, many members of 
6the public are deterred from partaking in biometric 
7identifier-facilitated transactions.
8    (f)  The full ramifications of biometric technology are not 
9fully known.
10    (g)  The public welfare, security, and safety will be served 
11by regulating the collection, use, safeguarding, handling, 
12storage, retention, and destruction of biometric identifiers 
13and information.


14(Source: P.A. 95-994, eff. 10-3-08.)
 
15    (740 ILCS 14/10)

16    Sec. 10. Definitions. In this Act:
17    "Biometric identifier" means a retina or iris scan, 
18fingerprint, voiceprint, or scan of hand or face geometry. 
19Biometric identifiers do not include writing samples, written 
20signatures, photographs, human biological samples used for 
21valid scientific testing or screening, demographic data, 
22tattoo descriptions, or physical descriptions such as height, 
23weight, hair color, or eye color. Biometric identifiers do not 
24include donated organs, tissues, or parts as defined in the 
25Illinois Anatomical Gift Act or blood or serum stored on behalf 
 
 
SB3593- 3 -LRB101 19663 LNS 69153 b

1of recipients or potential recipients of living or cadaveric 
2transplants and obtained or stored by a federally designated 
3organ procurement agency. Biometric identifiers do not include 
4biological materials regulated under the Genetic Information 
5Privacy Act. Biometric identifiers do not include information 
6captured from a patient in a health care setting or information 
7collected, used, or stored for health care treatment, payment, 
8or operations under the federal Health Insurance Portability 
9and Accountability Act of 1996. Biometric identifiers do not 
10include an X-ray, roentgen process, computed tomography, MRI, 
11PET scan, mammography, or other image or film of the human 
12anatomy used to diagnose, prognose, or treat an illness or 
13other medical condition or to further validate scientific 
14testing or screening.
15    "Biometric information" means any information, regardless 
16of how it is captured, converted, stored, or shared, based on 
17an individual's biometric identifier used to identify an 
18individual. Biometric information does not include information 
19derived from items or procedures excluded under the definition 
20of biometric identifiers, including information derived from 
21biometric information that cannot be used to recreate the 
22original biometric identifier.
23    "Confidential and sensitive information" means personal 
24information that can be used to uniquely identify an individual 
25or an individual's account or property. Examples of 
26confidential and sensitive information include, but are not 
 
 
SB3593- 4 -LRB101 19663 LNS 69153 b

1limited to, a genetic marker, genetic testing information, a 
2unique identifier number to locate an account or property, an 
3account number, a PIN number, a pass code, a driver's license 
4number, or a social security number.
5    "Private entity" means any individual, partnership, 
6corporation, limited liability company, association, or other 
7group, however organized.
A private entity does not include a 
8State or local government agency.  A private entity does not 
9include any court of Illinois, a clerk of the court, or a judge 
10or justice thereof.
11    "Written consent release" means informed written consent 
12or, in the context of employment, a release executed by an 
13employee as a condition of employment.

14(Source: P.A. 95-994, eff. 10-3-08.)
 
15    (740 ILCS 14/15)

16    Sec. 15. Retention; collection; disclosure; destruction. 
17    (a) A private entity in possession of biometric identifiers 
18or biometric information must develop a written policy, made 
19available to the person from whom biometric information is to 
20be collected or was collected public, establishing a retention 
21schedule and guidelines for permanently destroying biometric 
22identifiers and biometric information when the initial purpose 
23for collecting or obtaining such identifiers or information has 
24been satisfied or within 3 years of the individual's last 
25interaction with the private entity, whichever occurs first.  
 
 
SB3593- 5 -LRB101 19663 LNS 69153 b

1Absent a valid order, warrant, or subpoena issued by a court of 
2competent jurisdiction or a local or federal governmental 
3agency, a private entity in possession of biometric identifiers 
4or biometric information must comply with its established 
5retention schedule and destruction guidelines.
6    (b) No private entity may collect, capture, purchase, 
7receive through trade, or otherwise obtain a person's or a 
8customer's biometric identifier or biometric information, 
9unless it first:
10        (1) informs the subject or the subject's legally 
11    authorized representative in writing that a biometric 
12    identifier or biometric information is being collected or 
13    stored;
14        (2) informs the subject or the subject's legally 
15    authorized representative in writing of the specific 
16    purpose and length of term for which a biometric identifier 
17    or biometric information is being collected, stored, and 
18    used; and
19        (3) receives a written consent release executed by the 
20    subject of the biometric identifier or biometric 
21    information or the subject's legally authorized 
22    representative.


23    Written consent may be obtained by electronic means.
24    (c) No private entity in possession of a biometric 
25identifier or biometric information may sell, lease, trade, or 
26otherwise profit from a person's or a customer's biometric 
 
 
SB3593- 6 -LRB101 19663 LNS 69153 b

1identifier or biometric information.
2    (d) No private entity in possession of a biometric 
3identifier or biometric information may disclose, redisclose, 
4or otherwise disseminate a person's or a customer's biometric 
5identifier or biometric information
unless:
6        (1) the subject of the biometric identifier or

7    biometric information or the subject's legally authorized

8    representative provides written consent consents to the 
9    disclosure or redisclosure;
10        (2) the disclosure or redisclosure completes a 
11    financial transaction requested or authorized by the 
12    subject of the biometric identifier or the biometric 
13    information or the subject's legally authorized 
14    representative;
15        (3) the disclosure or redisclosure is required by State 
16    or federal law or municipal ordinance; or
17        (4) the disclosure is required pursuant to a valid 
18    warrant or subpoena issued by a court of competent 
19    jurisdiction.

20    (e) A private entity in possession of a biometric 
21identifier or biometric information shall:
22        (1) store, transmit, and protect from disclosure all 
23    biometric identifiers and biometric information using the 
24    reasonable standard of care within the private entity's 
25    industry; and

26        (2)  store, transmit, and protect from disclosure all 
 
 
SB3593- 7 -LRB101 19663 LNS 69153 b

1    biometric identifiers and biometric information in a 
2    manner that is the same as or more protective than the 
3    manner in which the private entity stores, transmits, and 
4    protects other confidential and sensitive information.



5(Source: P.A. 95-994, eff. 10-3-08.)
 
6    (740 ILCS 14/20)

7    Sec. 20. Right of action. Any person aggrieved by a 
8violation of this Act shall have a right of action in a State 
9circuit court or as a supplemental claim in federal district 
10court against an offending party, which shall be commenced 
11within one year after the cause of action accrued if, prior to 
12initiating any action against a private entity, the aggrieved 
13person provides a private entity 30 days' written notice 
14identifying the specific provisions of this Act the aggrieved 
15person alleges have been or are being violated. If, within the 
1630 days, the private entity actually cures the noticed 
17violation and provides the aggrieved person an express written 
18statement that the violation has been cured and that no further 
19violations shall occur, no action for individual statutory 
20damages or class-wide statutory damages may be initiated 
21against the private entity. If a private entity continues to 
22violate this Act in breach of the express written statement 
23provided to the aggrieved person under this Section, the 
24aggrieved person may initiate an action against the private 
25entity to enforce the written statement and may pursue 
 
 
SB3593- 8 -LRB101 19663 LNS 69153 b

1statutory damages for each breach of the express written 
2statement and any other violation that postdates the written 
3statement.  A prevailing party in any such action may recover 
4for each violation:
5        (1) against a private entity that negligently violates 
6    a provision of this Act, liquidated damages of $1,000 or 
7    actual damages, whichever is greater;
8        (2) against a private entity that willfully 
9    intentionally or recklessly violates a provision of this 
10    Act, actual damages plus liquidated damages up to the 
11    amount of actual damages of $5,000 or actual damages, 
12    whichever is greater;
13        (3) reasonable attorneys' fees and costs, including 
14    expert witness fees and other litigation expenses; and
15        (4) other relief, including an injunction, as the State 
16    or federal court may deem appropriate.

17(Source: P.A. 95-994, eff. 10-3-08.)
 
18    (740 ILCS 14/25)

19    Sec. 25. Construction. 
20    (a) Nothing in this Act shall be construed to impact the 
21admission or discovery of biometric identifiers and biometric 
22information in any action of any kind in any court, or before 
23any tribunal, board, agency, or person.
24    (b) Nothing in this Act shall be construed to conflict with 
25the X-Ray Retention Act, the federal Health Insurance 
 
 
SB3593- 9 -LRB101 19663 LNS 69153 b

1Portability and Accountability Act of 1996 and the rules 
2promulgated under either Act.
3    (c) Nothing in this Act shall be deemed to apply in any 
4manner to a financial institution or an affiliate of a 
5financial institution that is subject to Title V of the federal 
6Gramm-Leach-Bliley Act of 1999 and the rules promulgated 
7thereunder.
8    (d) Nothing in this Act shall be construed to conflict with 
9the Private Detective, Private Alarm, Private Security, 
10Fingerprint Vendor, and Locksmith Act of 2004 and the rules 
11promulgated thereunder.
12    (e) Nothing in this Act shall be construed to apply to a 
13contractor, subcontractor, or agent of a State or federal 
14agency or local unit of government when working for that State 
15or federal agency or local unit of government.

16    (f)   Nothing in this Act shall be construed to apply to a 
17private entity if the private entity's employees are covered by 
18a collective bargaining agreement that provides for different 
19policies regarding the retention, collection, disclosure, and 
20destruction of biometric information. 
21(Source: P.A. 95-994, eff. 10-3-08.)