103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB2259

 

Introduced 2/14/2023, by Rep. Dan Ugaste

 

SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15

    Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.


LRB103 30733 LNS 57209 b

 

 

A BILL FOR

 

HB2259LRB103 30733 LNS 57209 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10 and 15 as follows:
 
6    (740 ILCS 14/10)
7    Sec. 10. Definitions. In this Act:
8    "Biometric identifier" means a retina or iris scan,
9fingerprint, voiceprint, or scan of hand or face geometry.
10Biometric identifiers do not include writing samples, written
11signatures, photographs, human biological samples used for
12valid scientific testing or screening, demographic data,
13tattoo descriptions, or physical descriptions such as height,
14weight, hair color, or eye color. Biometric identifiers do not
15include donated organs, tissues, or parts as defined in the
16Illinois Anatomical Gift Act or blood or serum stored on
17behalf of recipients or potential recipients of living or
18cadaveric transplants and obtained or stored by a federally
19designated organ procurement agency. Biometric identifiers do
20not include biological materials regulated under the Genetic
21Information Privacy Act. Biometric identifiers do not include
22information captured from a patient in a health care setting
23or information collected, used, or stored for health care

 

 

HB2259- 2 -LRB103 30733 LNS 57209 b

1treatment, payment, or operations under the federal Health
2Insurance Portability and Accountability Act of 1996.
3Biometric identifiers do not include an X-ray, roentgen
4process, computed tomography, MRI, PET scan, mammography, or
5other image or film of the human anatomy used to diagnose,
6prognose, or treat an illness or other medical condition or to
7further validate scientific testing or screening.
8    "Biometric information" means any information, regardless
9of how it is captured, converted, stored, or shared, based on
10an individual's biometric identifier used to identify an
11individual. Biometric information does not include information
12derived from items or procedures excluded under the definition
13of biometric identifiers.
14    "Confidential and sensitive information" means personal
15information that can be used to uniquely identify an
16individual or an individual's account or property. Examples of
17confidential and sensitive information include, but are not
18limited to, a genetic marker, genetic testing information, a
19unique identifier number to locate an account or property, an
20account number, a PIN number, a pass code, a driver's license
21number, or a social security number.
22    "Private entity" means any individual, partnership,
23corporation, limited liability company, association, or other
24group, however organized. A private entity does not include a
25State or local government agency. A private entity does not
26include any court of Illinois, a clerk of the court, or a judge

 

 

HB2259- 3 -LRB103 30733 LNS 57209 b

1or justice thereof.
2    "Security purpose" means the purpose of preventing or
3investigating retail theft, fraud, or any other
4misappropriation or theft of a thing of value, including
5protecting property from trespass, controlling access to
6property, protecting any person from harm including stalking,
7violence, or harassment, and assisting a law enforcement
8investigation.
9    "Written release" means informed written consent or, in
10the context of employment, a release executed by an employee
11as a condition of employment.
12(Source: P.A. 95-994, eff. 10-3-08.)
 
13    (740 ILCS 14/15)
14    Sec. 15. Retention; collection; disclosure; destruction.
15    (a) A private entity in possession of biometric
16identifiers or biometric information must develop a written
17policy, made available to the public, establishing a retention
18schedule and guidelines for permanently destroying biometric
19identifiers and biometric information when the initial purpose
20for collecting or obtaining such identifiers or information
21has been satisfied or within 3 years of the individual's last
22interaction with the private entity, whichever occurs first.
23Absent a valid warrant or subpoena issued by a court of
24competent jurisdiction, a private entity in possession of
25biometric identifiers or biometric information must comply

 

 

HB2259- 4 -LRB103 30733 LNS 57209 b

1with its established retention schedule and destruction
2guidelines.
3    (b) No private entity may collect, capture, purchase,
4receive through trade, or otherwise obtain a person's or a
5customer's biometric identifier or biometric information,
6unless it first:
7        (1) informs the subject or the subject's legally
8    authorized representative in writing that a biometric
9    identifier or biometric information is being collected or
10    stored;
11        (2) informs the subject or the subject's legally
12    authorized representative in writing of the specific
13    purpose and length of term for which a biometric
14    identifier or biometric information is being collected,
15    stored, and used; and
16        (3) receives a written release executed by the subject
17    of the biometric identifier or biometric information or
18    the subject's legally authorized representative.
19    (b-5) A private entity may collect, capture, or otherwise
20obtain a person's or customer's biometric identifier or
21biometric information without satisfying the requirements of
22subsection (b) if:
23        (1) the private entity collects, captures, or
24    otherwise obtains a person's or customer's biometric
25    identifier or biometric information for a security
26    purpose;

 

 

HB2259- 5 -LRB103 30733 LNS 57209 b

1        (2) the private entity uses the biometric identifier
2    or biometric information only for a security purpose;
3        (3) the private entity retains the biometric
4    identifier or biometric information no longer than is
5    reasonably necessary to satisfy a security purpose; and
6        (4) the private entity documents a process and time
7    frame to delete any biometric identifier or biometric
8    information used for the purposes identified in this
9    subsection.
10    (c) No private entity in possession of a biometric
11identifier or biometric information may sell, lease, trade, or
12otherwise profit from a person's or a customer's biometric
13identifier or biometric information.
14    (d) No private entity in possession of a biometric
15identifier or biometric information may disclose, redisclose,
16or otherwise disseminate a person's or a customer's biometric
17identifier or biometric information unless:
18        (1) the subject of the biometric identifier or
19    biometric information or the subject's legally authorized
20    representative consents to the disclosure or redisclosure;
21        (2) the disclosure or redisclosure completes a
22    financial transaction requested or authorized by the
23    subject of the biometric identifier or the biometric
24    information or the subject's legally authorized
25    representative;
26        (3) the disclosure or redisclosure is required by

 

 

HB2259- 6 -LRB103 30733 LNS 57209 b

1    State or federal law or municipal ordinance; or
2        (4) the disclosure is required pursuant to a valid
3    warrant or subpoena issued by a court of competent
4    jurisdiction.
5    (e) A private entity in possession of a biometric
6identifier or biometric information shall:
7        (1) store, transmit, and protect from disclosure all
8    biometric identifiers and biometric information using the
9    reasonable standard of care within the private entity's
10    industry; and
11        (2) store, transmit, and protect from disclosure all
12    biometric identifiers and biometric information in a
13    manner that is the same as or more protective than the
14    manner in which the private entity stores, transmits, and
15    protects other confidential and sensitive information.
16(Source: P.A. 95-994, eff. 10-3-08.)