103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB5635

 

Introduced 2/9/2024, by Rep. Jeff Keicher

 

SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/20
740 ILCS 14/25

    Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and "written release". Defines "biometric lock", "biometric time clock", "electronic signature", "person", and "security purpose". Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the Act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Provides that any person aggrieved by a violation of this Act has a right of action in State court or federal court within one year from its occurrence. Requires the aggrieved person to provide the private entity 30 days a written entity alleging the specific provisions of the Act that have been violated. Provides the private entity 30 days to cure the noticed violation. Effective immediately.


LRB103 39209 JRC 69359 b

 

 

A BILL FOR

 

HB5635LRB103 39209 JRC 69359 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10, 15, 20, and 25 as follows:
 
6    (740 ILCS 14/10)
7    Sec. 10. Definitions. In this Act:
8    "Biometric identifier" means a retina or iris scan,
9fingerprint, voiceprint, or scan of hand or face geometry.
10Biometric identifiers do not include writing samples, written
11signatures, photographs, human biological samples used for
12valid scientific testing or screening, demographic data,
13tattoo descriptions, or physical descriptions such as height,
14weight, hair color, or eye color. Biometric identifiers do not
15include donated organs, tissues, or parts as defined in the
16Illinois Anatomical Gift Act or blood or serum stored on
17behalf of recipients or potential recipients of living or
18cadaveric transplants and obtained or stored by a federally
19designated organ procurement agency. Biometric identifiers do
20not include biological materials regulated under the Genetic
21Information Privacy Act. Biometric identifiers do not include
22information captured from a patient in a health care setting
23or information collected, used, or stored for health care

 

 

HB5635- 2 -LRB103 39209 JRC 69359 b

1treatment, payment, or operations under the federal Health
2Insurance Portability and Accountability Act of 1996.
3Biometric identifiers do not include an X-ray, roentgen
4process, computed tomography, MRI, PET scan, mammography, or
5other image or film of the human anatomy used to diagnose,
6prognose, or treat an illness or other medical condition or to
7further validate scientific testing or screening. Biometric
8identifiers do not include information captured and converted
9to a mathematical representation, including, but not limited
10to, a numeric string or similar method that cannot be used to
11recreate the biometric identifier. Biometric identifiers do
12not include information that cannot reasonably be used to
13identify an individual.
14    "Biometric information" means any information, regardless
15of how it is captured, converted, stored, or shared, based on
16an individual's biometric identifier used to identify an
17individual. Biometric information does not include information
18derived from items or procedures excluded under the definition
19of biometric identifiers.
20    "Biometric lock" means a device that is used to grant
21access to a person and converts the person's biometric
22identifier or biometric information to a mathematical
23representation, including, but not limited to, a numeric
24string or similar method that cannot be used to recreate the
25person's biometric identifier.
26    "Biometric time clock" means a device that is used for

 

 

HB5635- 3 -LRB103 39209 JRC 69359 b

1time management and converts a person's biometric identifier
2or biometric information to a mathematical representation,
3including, but not limited to, a numeric string or similar
4method that cannot be used to recreate the person's biometric
5identifier.
6    "Confidential and sensitive information" means personal
7information that can be used to uniquely identify an
8individual or an individual's account or property. Examples of
9confidential and sensitive information include, but are not
10limited to, a genetic marker, genetic testing information, a
11unique identifier number to locate an account or property, an
12account number, a PIN number, a pass code, a driver's license
13number, or a social security number.
14    "Electronic signature" means an electronic sound, symbol,
15or process attached to or logically associated with a record
16and executed or adopted by a person with the intent to sign the
17record.
18    "Person" means a natural person. A person does not include
19an individual a private entity has no knowing contact with, or
20awareness of.
21    "Private entity" means any individual, partnership,
22corporation, limited liability company, association, or other
23group, however organized. A private entity does not include a
24State or local governmental government agency. A private
25entity does not include any court of Illinois, a clerk of the
26court, or a judge or justice thereof.

 

 

HB5635- 4 -LRB103 39209 JRC 69359 b

1    "Security purpose" means for the purpose of preventing or
2investigating retail theft, fraud, or any other
3misappropriation or theft of a thing of value. "Security
4purpose" includes protecting property from trespass,
5controlling access to property, or protecting any person from
6harm, including stalking, violence, or harassment, and
7includes assisting a law enforcement investigation.
8    "Written release" means informed written consent,
9electronic signature, or, in the context of employment, a
10release executed by an employee as a condition of employment.
11(Source: P.A. 95-994, eff. 10-3-08.)
 
12    (740 ILCS 14/15)
13    Sec. 15. Retention; collection; disclosure; destruction.
14    (a) A private entity in possession of biometric
15identifiers or biometric information must develop a written
16policy, made available to the person from whom biometric
17information is to be collected or was collected public,
18establishing a retention schedule and guidelines for
19permanently destroying biometric identifiers and biometric
20information when the initial purpose for collecting or
21obtaining such identifiers or information has been satisfied
22or within 3 years of the individual's last interaction with
23the private entity, whichever occurs first. Absent a valid
24order, warrant, or subpoena issued by a court of competent
25jurisdiction or a local or federal governmental agency, a

 

 

HB5635- 5 -LRB103 39209 JRC 69359 b

1private entity in possession of biometric identifiers or
2biometric information must comply with its established
3retention schedule and destruction guidelines.
4    (b) No private entity may collect, capture, purchase,
5receive through trade, or otherwise obtain a person's or a
6customer's biometric identifier or biometric information,
7unless it first:
8        (1) informs the subject or the subject's legally
9    authorized representative in writing that a biometric
10    identifier or biometric information is being collected or
11    stored;
12        (2) informs the subject or the subject's legally
13    authorized representative in writing of the specific
14    purpose and length of term for which a biometric
15    identifier or biometric information is being collected,
16    stored, and used; and
17        (3) receives a written release executed by the subject
18    of the biometric identifier or biometric information or
19    the subject's legally authorized representative.
20    (b-5) A private entity may collect, capture, or otherwise
21obtain a person's or a customer's biometric identifier or
22biometric information without satisfying the requirements of
23subsection (b) if:
24        (1) the private entity collects, captures, or
25    otherwise obtains a person's or a customer's biometric
26    identifier or biometric information for a security

 

 

HB5635- 6 -LRB103 39209 JRC 69359 b

1    purpose;
2        (2) the private entity uses the biometric identifier
3    or biometric information only for a security purpose;
4        (3) the private entity retains the biometric
5    identifier or biometric information no longer than is
6    reasonably necessary to satisfy a security purpose; and
7        (4) the private entity documents a process and time
8    frame to delete any biometric information used for the
9    purposes identified in this subsection.
10    (c) No private entity in possession of a biometric
11identifier or biometric information may sell, lease, trade, or
12otherwise profit from a person's or a customer's biometric
13identifier or biometric information.
14    (d) No private entity in possession of a biometric
15identifier or biometric information may disclose, redisclose,
16or otherwise disseminate a person's or a customer's biometric
17identifier or biometric information unless:
18        (1) the subject of the biometric identifier or
19    biometric information or the subject's legally authorized
20    representative consents to the disclosure or redisclosure;
21        (2) the disclosure or redisclosure completes a
22    financial transaction requested or authorized by the
23    subject of the biometric identifier or the biometric
24    information or the subject's legally authorized
25    representative;
26        (3) the disclosure or redisclosure is required by

 

 

HB5635- 7 -LRB103 39209 JRC 69359 b

1    State or federal law or municipal ordinance; or
2        (4) the disclosure is required pursuant to a valid
3    warrant or subpoena issued by a court of competent
4    jurisdiction.
5    (e) A private entity in possession of a biometric
6identifier or biometric information shall:
7        (1) store, transmit, and protect from disclosure all
8    biometric identifiers and biometric information using the
9    reasonable standard of care within the private entity's
10    industry; and
11        (2) store, transmit, and protect from disclosure all
12    biometric identifiers and biometric information in a
13    manner that is the same as or more protective than the
14    manner in which the private entity stores, transmits, and
15    protects other confidential and sensitive information.
16(Source: P.A. 95-994, eff. 10-3-08.)
 
17    (740 ILCS 14/20)
18    Sec. 20. Right of action.
19    (a) Any person aggrieved by a violation of this Act shall
20have a right of action in a State circuit court or as a
21supplemental claim in federal district court against an
22offending party, which shall be commenced within one year
23after the cause of action accrued if, prior to initiating any
24action against a private entity, the aggrieved person provides
25a private entity 30 days' written notice identifying the

 

 

HB5635- 8 -LRB103 39209 JRC 69359 b

1specific provisions of this Act the aggrieved person alleges
2have been or are being violated. If, within the 30 days, the
3private entity actually cures the noticed violation and
4provides the aggrieved person an express written statement
5that the violation has been cured and that no further
6violations shall occur, no action for individual statutory
7damages or class-wide statutory damages may be initiated
8against the private entity. If a private entity continues to
9violate this Act in breach of the express written statement
10provided to the aggrieved person under this Section, the
11aggrieved person may initiate an action against the private
12entity to enforce the written statement and may pursue
13statutory damages for each breach of the express written
14statement and any other violation that postdates the written
15statement. A prevailing party may recover for each violation:
16        (1) against a private entity that negligently violates
17    a provision of this Act, liquidated damages of $1,000 or
18    actual damages, whichever is greater;
19        (2) against a private entity that intentionally or
20    recklessly violates a provision of this Act, liquidated
21    damages of $5,000 or actual damages, whichever is greater;
22        (3) reasonable attorneys' fees and costs, including
23    expert witness fees and other litigation expenses; and
24        (4) other relief, including an injunction, as the
25    State or federal court may deem appropriate.
26    (b) As intended by the General Assembly in enacting the

 

 

HB5635- 9 -LRB103 39209 JRC 69359 b

1Act, and for purposes of subsection (b) of Section 15, a
2private entity that, in more than one instance, collects,
3captures, purchases, receives through trade, or otherwise
4obtains biometric identifiers or biometric information from
5the same person using the same method of collection in
6violation of subsection (b) of Section 15 has committed a
7single violation of subsection (b) of Section 15 for which the
8aggrieved person is entitled to, at most, one recovery under
9this Section.
10    (c) As intended by the General Assembly in enacting the
11Act, and for purposes of subsection (d) of Section 15, a
12private entity that, in more than one instance, discloses,
13rediscloses, or otherwise disseminates biometric identifiers
14or biometric information from the same person to the same
15recipient using the same method of collection in violation of
16subsection (d) of Section 15 has committed a single violation
17of subsection (d) of Section 15 for which the aggrieved person
18is entitled to, at most, one recovery under this Section
19regardless of the number of times the private entity
20disclosed, redisclosed, or otherwise disseminated the same
21biometric identifier or biometric information of the same
22person to the same recipient.
23(Source: P.A. 95-994, eff. 10-3-08.)
 
24    (740 ILCS 14/25)
25    Sec. 25. Construction.

 

 

HB5635- 10 -LRB103 39209 JRC 69359 b

1    (a) Nothing in this Act shall be construed to impact the
2admission or discovery of biometric identifiers and biometric
3information in any action of any kind in any court, or before
4any tribunal, board, agency, or person.
5    (b) Nothing in this Act shall be construed to conflict
6with the X-Ray Retention Act, the federal Health Insurance
7Portability and Accountability Act of 1996, and the rules
8promulgated under either Act.
9    (c) Nothing in this Act shall be deemed to apply in any
10manner to a financial institution or an affiliate of a
11financial institution that is subject to Title V of the
12federal Gramm-Leach-Bliley Act of 1999 and the rules
13promulgated thereunder.
14    (d) Nothing in this Act shall be construed to conflict
15with the Private Detective, Private Alarm, Private Security,
16Fingerprint Vendor, and Locksmith Act of 2004 and the rules
17promulgated thereunder or information captured by an alarm
18system as defined by that Act installed by a person licensed
19under that Act and the rules adopted thereunder.
20    (e) Nothing in this Act shall be construed to apply to a
21contractor, subcontractor, or agent of a State or federal
22agency or local unit of government when working for that State
23or federal agency or local unit of government.
24    (f) Nothing in this Act shall be construed to apply to
25information captured by a biometric time clock or biometric
26lock that converts a person's biometric identifier or

 

 

HB5635- 11 -LRB103 39209 JRC 69359 b

1biometric information to a mathematical representation,
2including, but not limited to, a numeric string or similar
3method that cannot be used to recreate the person's biometric
4identifier or biometric information.
5    (g) Nothing in this Act shall be construed to apply to a
6private entity if the private entity's employees are covered
7by a collective bargaining agreement that provides for
8different policies regarding the retention, collection,
9disclosure, and destruction of biometric information.
10(Source: P.A. 95-994, eff. 10-3-08.)
 
11    Section 99. Effective date. This Act takes effect upon
12becoming law.