102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB0602
 
Introduced 2/24/2021, by Sen. Bill Cunningham
 
SYNOPSIS AS INTRODUCED:
 

 
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/25
740 ILCS 14/35 new

     Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and "written release". Defines "biometric lock", "biometric time clock", "electronic signature", "in writing", and "security purpose". Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the Act shall be construed to: conflict with information captured by an alarm system installed by a licensed person; and apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier to a mathematical representation. Provides that the Department of Labor shall provide on its website information for employers regarding the requirements of the Act. Effective immediately.
  


LRB102 11317 LNS 16650 b

 
 
A BILL FOR
 

  
SB0602LRB102 11317 LNS 16650 b


  
1    AN ACT concerning civil law.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 5. The Biometric Information Privacy Act is 
5amended  by changing Sections 10, 15, and 25 and  by adding 
6Section 35 as follows:
 
7    (740 ILCS 14/10)

8    Sec. 10. Definitions. In this Act:
9    "Biometric identifier" means a retina or iris scan, 
10fingerprint, voiceprint, or scan of hand or face geometry. 
11Biometric identifiers do not include writing samples, written 
12signatures, photographs, human biological samples used for 
13valid scientific testing or screening, demographic data, 
14tattoo descriptions, or physical descriptions such as height, 
15weight, hair color, or eye color. Biometric identifiers do not 
16include donated organs, tissues, or parts as defined in the 
17Illinois Anatomical Gift Act or blood or serum stored on 
18behalf of recipients or potential recipients of living or 
19cadaveric transplants and obtained or stored by a federally 
20designated organ procurement agency. Biometric identifiers do 
21not include biological materials regulated under the Genetic 
22Information Privacy Act. Biometric identifiers do not include 
23information captured from a patient in a health care setting 
 
 
SB0602- 2 -LRB102 11317 LNS 16650 b

1or information collected, used, or stored for health care 
2treatment, payment, or operations under the federal Health 
3Insurance Portability and Accountability Act of 1996. 
4Biometric identifiers do not include an X-ray, roentgen 
5process, computed tomography, MRI, PET scan, mammography, or 
6other image or film of the human anatomy used to diagnose, 
7prognose, or treat an illness or other medical condition or to 
8further validate scientific testing or screening. Biometric 
9identifiers do not include information captured and converted 
10to a mathematical representation, including, but not limited 
11to, a numeric string or similar method that cannot be used to 
12recreate the biometric identifier. 
13    "Biometric information" means any information, regardless 
14of how it is captured, converted, stored, or shared, based on 
15an individual's biometric identifier used to identify an 
16individual. Biometric information does not include information 
17derived from items or procedures excluded under the definition 
18of biometric identifiers.
19    "Biometric lock" means a device that is used to grant 
20access to a person and converts the person's biometric 
21identifier or biometric information to a mathematical 
22representation, including, but not limited to, a numeric 
23string or similar method that cannot be used to recreate the 
24person's biometric identifier.
25    "Biometric time clock" means a device that is used for 
26time management and converts a person's biometric identifier 
 
 
SB0602- 3 -LRB102 11317 LNS 16650 b

1or biometric information to a mathematical representation, 
2including, but not limited to, a numeric string or similar 
3method that cannot be used to recreate the person's biometric 
4identifier. 
5    "Confidential and sensitive information" means personal 
6information that can be used to uniquely identify an 
7individual or an individual's account or property. Examples of 
8confidential and sensitive information include, but are not 
9limited to, a genetic marker, genetic testing information, a 
10unique identifier number to locate an account or property, an 
11account number, a PIN number, a pass code, a driver's license 
12number, or a social security number.
13    "Electronic signature" means a signature in electronic 
14form attached to or logically associated with an electronic 
15record.
16    "In writing" includes, but is not limited to, electronic 
17communications or notices. 
18    "Private entity" means any individual, partnership, 
19corporation, limited liability company, association, or other 
20group, however organized.
A private entity does not include a 
21State or local government agency.  A private entity does not 
22include any court of Illinois, a clerk of the court, or a judge 
23or justice thereof.
24    "Security purpose" means for the purpose of preventing 
25retail theft, fraud, or any other misappropriation or theft of 
26a thing of value, including protecting property from trespass, 
 
 
SB0602- 4 -LRB102 11317 LNS 16650 b

1controlling access to property, or protecting any person from 
2stalking, violence, or harassment, and including assisting a 
3law enforcement investigation. 
4    "Written release" means informed written consent or, in 
5the context of employment, a release executed by an employee 
6as a condition of employment. Written release includes 
7electronic communications, and such a release or communication 
8by electronic signature of the employee as provided under 
9Section 5-120 of the Electronic Commerce Security Act. 

10(Source: P.A. 95-994, eff. 10-3-08.)
 
11    (740 ILCS 14/15)

12    Sec. 15. Retention; collection; disclosure; destruction. 
13    (a) A private entity in possession of biometric 
14identifiers or biometric information must develop a written 
15policy, made available to the public, establishing a retention 
16schedule and guidelines for permanently destroying biometric 
17identifiers and biometric information when the initial purpose 
18for collecting or obtaining such identifiers or information 
19has been satisfied or within 3 years of the individual's last 
20interaction with the private entity, whichever occurs first.  
21Absent a valid warrant or subpoena issued by a court of 
22competent jurisdiction, a private entity in possession of 
23biometric identifiers or biometric information must comply 
24with its established retention schedule and destruction 
25guidelines.
 
 
SB0602- 5 -LRB102 11317 LNS 16650 b

1    (b) No private entity may collect, capture, purchase, 
2receive through trade, or otherwise obtain a person's or a 
3customer's biometric identifier or biometric information, 
4unless it first:
5        (1) informs the subject or the subject's legally 
6    authorized representative in writing that a biometric 
7    identifier or biometric information is being collected or 
8    stored;
9        (2) informs the subject or the subject's legally 
10    authorized representative in writing of the specific 
11    purpose and length of term for which a biometric 
12    identifier or biometric information is being collected, 
13    stored, and used; and
14        (3) receives a written release executed by the subject 
15    of the biometric identifier or biometric information or 
16    the subject's legally authorized representative.


17    (b-5) If the biometric identifier or biometric information 
18is collected or captured for the same repeated process, the 
19private entity is only required to inform the subject or 
20receive consent pursuant paragraphs (1), (2), and (3) of 
21subsection (b) during the initial collection.
22    (b-10) A private entity may collect, capture, or otherwise 
23obtain a person's or a customer's biometric identifier or 
24biometric information without satisfying the requirements of 
25subsection (b) if:
26        (1) the private entity collects, captures, or 
 
 
SB0602- 6 -LRB102 11317 LNS 16650 b

1    otherwise obtains a person's or a customer's biometric 
2    identifier or biometric information for a security 
3    purpose;
4        (2) the private entity uses the biometric identifier 
5    or information only for a security purpose;
6        (3) the private entity retains the biometric 
7    identifier or information no longer than is reasonably 
8    necessary to satisfy a security purpose; and
9        (4) the private entity documents a process and time 
10    frame to delete any biometric information used for the 
11    purposes identified in this subsection. 
12    (c) No private entity in possession of a biometric 
13identifier or biometric information may sell, lease, trade, or 
14otherwise profit from a person's or a customer's biometric 
15identifier or biometric information.
16    (d) No private entity in possession of a biometric 
17identifier or biometric information may disclose, redisclose, 
18or otherwise disseminate a person's or a customer's biometric 
19identifier or biometric information
unless:
20        (1) the subject of the biometric identifier or

21    biometric information or the subject's legally authorized

22    representative consents to the disclosure or redisclosure;
23        (2) the disclosure or redisclosure completes a 
24    financial transaction requested or authorized by the 
25    subject of the biometric identifier or the biometric 
26    information or the subject's legally authorized 
 
 
SB0602- 7 -LRB102 11317 LNS 16650 b

1    representative;
2        (3) the disclosure or redisclosure is required by 
3    State or federal law or municipal ordinance; or
4        (4) the disclosure is required pursuant to a valid 
5    warrant or subpoena issued by a court of competent 
6    jurisdiction.

7    (e) A private entity in possession of a biometric 
8identifier or biometric information shall:
9        (1) store, transmit, and protect from disclosure all 
10    biometric identifiers and biometric information using the 
11    reasonable standard of care within the private entity's 
12    industry; and

13        (2)  store, transmit, and protect from disclosure all 
14    biometric identifiers and biometric information in a 
15    manner that is the same as or more protective than the 
16    manner in which the private entity stores, transmits, and 
17    protects other confidential and sensitive information.



18(Source: P.A. 95-994, eff. 10-3-08.)
 
19    (740 ILCS 14/25)

20    Sec. 25. Construction. 
21    (a) Nothing in this Act shall be construed to impact the 
22admission or discovery of biometric identifiers and biometric 
23information in any action of any kind in any court, or before 
24any tribunal, board, agency, or person.
25    (b) Nothing in this Act shall be construed to conflict 
 
 
SB0602- 8 -LRB102 11317 LNS 16650 b

1with the X-Ray Retention Act, the federal Health Insurance 
2Portability and Accountability Act of 1996 and the rules 
3promulgated under either Act.
4    (c) Nothing in this Act shall be deemed to apply in any 
5manner to a financial institution or an affiliate of a 
6financial institution that is subject to Title V of the 
7federal Gramm-Leach-Bliley Act of 1999 and the rules 
8promulgated thereunder.
9    (d) Nothing in this Act shall be construed to conflict 
10with the Private Detective, Private Alarm, Private Security, 
11Fingerprint Vendor, and Locksmith Act of 2004 and the rules 
12promulgated thereunder or information captured by an alarm 
13system as defined by that Act installed by a person licensed 
14under that Act and the rules adopted thereunder.
15    (e) Nothing in this Act shall be construed to apply to a 
16contractor, subcontractor, or agent of a State agency or local 
17unit of government when working for that State agency or local 
18unit of government.

19    (f) Nothing in this Act shall be construed to apply to 
20information captured by a biometric time clock or biometric 
21lock that converts a person's biometric identifier to a 
22mathematical representation, including, but not limited to, a 
23numeric string or similar method that cannot be used to 
24recreate the person's biometric identifier. 
25(Source: P.A. 95-994, eff. 10-3-08.)
 
 
 
SB0602- 9 -LRB102 11317 LNS 16650 b

1    (740 ILCS 14/35 new)
2    Sec. 35. Department of Labor website. The Department of 
3Labor shall provide on its website information for employers 
4regarding the requirements of this Act.
 
 
5    Section 99. Effective date. This Act takes effect upon 
6becoming law.