103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB5635
 
Introduced 2/9/2024, by Rep. Jeff Keicher
 
SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15
740 ILCS 14/20
740 ILCS 14/25
    Amends the Biometric Information Privacy Act. Changes the definitions of "biometric identifier" and "written release". Defines "biometric lock", "biometric time clock", "electronic signature", "person", and "security purpose". Provides that if the biometric identifier or biometric information is collected or captured for the same repeated process, the private entity is only required to inform the subject or receive consent during the initial collection. Waives certain requirements for collecting, capturing, or otherwise obtaining a person's or a customer's biometric identifier or biometric information under certain circumstances relating to security purposes. Provides that nothing in the Act shall be construed to apply to information captured by a biometric time clock or biometric lock that converts a person's biometric identifier or biometric information to a mathematical representation. Provides that any person aggrieved by a violation of this Act has a right of action in State court or federal court within one year from its occurrence. Requires the aggrieved person to provide the private entity 30 days a written entity alleging the specific provisions of the Act that have been violated. Provides the private entity 30 days to cure the noticed violation. Effective immediately.


LRB103 39209 JRC 69359 b

 
 
A BILL FOR
 
HB5635LRB103 39209 JRC 69359 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois, 
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is 
5amended by changing Sections 10, 15, 20, and 25 as follows:
 
6    (740 ILCS 14/10)
7    Sec. 10. Definitions. In this Act:
8    "Biometric identifier" means a retina or iris scan, 
9fingerprint, voiceprint, or scan of hand or face geometry. 
10Biometric identifiers do not include writing samples, written 
11signatures, photographs, human biological samples used for 
12valid scientific testing or screening, demographic data, 
13tattoo descriptions, or physical descriptions such as height, 
14weight, hair color, or eye color. Biometric identifiers do not 
15include donated organs, tissues, or parts as defined in the 
16Illinois Anatomical Gift Act or blood or serum stored on 
17behalf of recipients or potential recipients of living or 
18cadaveric transplants and obtained or stored by a federally 
19designated organ procurement agency. Biometric identifiers do 
20not include biological materials regulated under the Genetic 
21Information Privacy Act. Biometric identifiers do not include 
22information captured from a patient in a health care setting 
23or information collected, used, or stored for health care 
 
 
HB5635- 2 -LRB103 39209 JRC 69359 b

1treatment, payment, or operations under the federal Health 
2Insurance Portability and Accountability Act of 1996. 
3Biometric identifiers do not include an X-ray, roentgen 
4process, computed tomography, MRI, PET scan, mammography, or 
5other image or film of the human anatomy used to diagnose, 
6prognose, or treat an illness or other medical condition or to 
7further validate scientific testing or screening. Biometric 
8identifiers do not include information captured and converted 
9to a mathematical representation, including, but not limited 
10to, a numeric string or similar method that cannot be used to 
11recreate the biometric identifier. Biometric identifiers do 
12not include information that cannot reasonably be used to 
13identify an individual. 
14    "Biometric information" means any information, regardless 
15of how it is captured, converted, stored, or shared, based on 
16an individual's biometric identifier used to identify an 
17individual. Biometric information does not include information 
18derived from items or procedures excluded under the definition 
19of biometric identifiers.
20    "Biometric lock" means a device that is used to grant 
21access to a person and converts the person's biometric 
22identifier or biometric information to a mathematical 
23representation, including, but not limited to, a numeric 
24string or similar method that cannot be used to recreate the 
25person's biometric identifier.
26    "Biometric time clock" means a device that is used for 
 
 
HB5635- 3 -LRB103 39209 JRC 69359 b

1time management and converts a person's biometric identifier 
2or biometric information to a mathematical representation, 
3including, but not limited to, a numeric string or similar 
4method that cannot be used to recreate the person's biometric 
5identifier. 
6    "Confidential and sensitive information" means personal 
7information that can be used to uniquely identify an 
8individual or an individual's account or property. Examples of 
9confidential and sensitive information include, but are not 
10limited to, a genetic marker, genetic testing information, a 
11unique identifier number to locate an account or property, an 
12account number, a PIN number, a pass code, a driver's license 
13number, or a social security number.
14    "Electronic signature" means an electronic sound, symbol, 
15or process attached to or logically associated with a record 
16and executed or adopted by a person with the intent to sign the 
17record.
18    "Person" means a natural person. A person does not include 
19an individual a private entity has no knowing contact with, or 
20awareness of. 
21    "Private entity" means any individual, partnership, 
22corporation, limited liability company, association, or other 
23group, however organized. A private entity does not include a 
24State or local governmental government agency. A private 
25entity does not include any court of Illinois, a clerk of the 
26court, or a judge or justice thereof.
 
 
HB5635- 4 -LRB103 39209 JRC 69359 b

1    "Security purpose" means for the purpose of preventing or 
2investigating retail theft, fraud, or any other 
3misappropriation or theft of a thing of value. "Security 
4purpose" includes protecting property from trespass, 
5controlling access to property, or protecting any person from 
6harm, including stalking, violence, or harassment, and 
7includes assisting a law enforcement investigation. 
8    "Written release" means informed written consent, 
9electronic signature, or, in the context of employment, a 
10release executed by an employee as a condition of employment. 
11(Source: P.A. 95-994, eff. 10-3-08.)
 
12    (740 ILCS 14/15)
13    Sec. 15. Retention; collection; disclosure; destruction. 
14    (a) A private entity in possession of biometric 
15identifiers or biometric information must develop a written 
16policy, made available to the person from whom biometric 
17information is to be collected or was collected public, 
18establishing a retention schedule and guidelines for 
19permanently destroying biometric identifiers and biometric 
20information when the initial purpose for collecting or 
21obtaining such identifiers or information has been satisfied 
22or within 3 years of the individual's last interaction with 
23the private entity, whichever occurs first. Absent a valid 
24order, warrant, or subpoena issued by a court of competent 
25jurisdiction or a local or federal governmental agency, a 
 
 
HB5635- 5 -LRB103 39209 JRC 69359 b

1private entity in possession of biometric identifiers or 
2biometric information must comply with its established 
3retention schedule and destruction guidelines.
4    (b) No private entity may collect, capture, purchase, 
5receive through trade, or otherwise obtain a person's or a 
6customer's biometric identifier or biometric information, 
7unless it first:
8        (1) informs the subject or the subject's legally 
9    authorized representative in writing that a biometric 
10    identifier or biometric information is being collected or 
11    stored;
12        (2) informs the subject or the subject's legally 
13    authorized representative in writing of the specific 
14    purpose and length of term for which a biometric 
15    identifier or biometric information is being collected, 
16    stored, and used; and
17        (3) receives a written release executed by the subject 
18    of the biometric identifier or biometric information or 
19    the subject's legally authorized representative. 
20    (b-5) A private entity may collect, capture, or otherwise 
21obtain a person's or a customer's biometric identifier or 
22biometric information without satisfying the requirements of 
23subsection (b) if:
24        (1) the private entity collects, captures, or 
25    otherwise obtains a person's or a customer's biometric 
26    identifier or biometric information for a security 
 
 
HB5635- 6 -LRB103 39209 JRC 69359 b

1    purpose;
2        (2) the private entity uses the biometric identifier 
3    or biometric information only for a security purpose;
4        (3) the private entity retains the biometric 
5    identifier or biometric information no longer than is 
6    reasonably necessary to satisfy a security purpose; and
7        (4) the private entity documents a process and time 
8    frame to delete any biometric information used for the 
9    purposes identified in this subsection. 
10    (c) No private entity in possession of a biometric 
11identifier or biometric information may sell, lease, trade, or 
12otherwise profit from a person's or a customer's biometric 
13identifier or biometric information.
14    (d) No private entity in possession of a biometric 
15identifier or biometric information may disclose, redisclose, 
16or otherwise disseminate a person's or a customer's biometric 
17identifier or biometric information unless:
18        (1) the subject of the biometric identifier or 
19    biometric information or the subject's legally authorized 
20    representative consents to the disclosure or redisclosure;
21        (2) the disclosure or redisclosure completes a 
22    financial transaction requested or authorized by the 
23    subject of the biometric identifier or the biometric 
24    information or the subject's legally authorized 
25    representative;
26        (3) the disclosure or redisclosure is required by 
 
 
HB5635- 7 -LRB103 39209 JRC 69359 b

1    State or federal law or municipal ordinance; or
2        (4) the disclosure is required pursuant to a valid 
3    warrant or subpoena issued by a court of competent 
4    jurisdiction. 
5    (e) A private entity in possession of a biometric 
6identifier or biometric information shall:
7        (1) store, transmit, and protect from disclosure all 
8    biometric identifiers and biometric information using the 
9    reasonable standard of care within the private entity's 
10    industry; and 
11        (2) store, transmit, and protect from disclosure all 
12    biometric identifiers and biometric information in a 
13    manner that is the same as or more protective than the 
14    manner in which the private entity stores, transmits, and 
15    protects other confidential and sensitive information. 
16(Source: P.A. 95-994, eff. 10-3-08.)
 
17    (740 ILCS 14/20)
18    Sec. 20. Right of action.  
19    (a) Any person aggrieved by a violation of this Act shall 
20have a right of action in a State circuit court or as a 
21supplemental claim in federal district court against an 
22offending party, which shall be commenced within one year 
23after the cause of action accrued if, prior to initiating any 
24action against a private entity, the aggrieved person provides 
25a private entity 30 days' written notice identifying the 
 
 
HB5635- 8 -LRB103 39209 JRC 69359 b

1specific provisions of this Act the aggrieved person alleges 
2have been or are being violated. If, within the 30 days, the 
3private entity actually cures the noticed violation and 
4provides the aggrieved person an express written statement 
5that the violation has been cured and that no further 
6violations shall occur, no action for individual statutory 
7damages or class-wide statutory damages may be initiated 
8against the private entity. If a private entity continues to 
9violate this Act in breach of the express written statement 
10provided to the aggrieved person under this Section, the 
11aggrieved person may initiate an action against the private 
12entity to enforce the written statement and may pursue 
13statutory damages for each breach of the express written 
14statement and any other violation that postdates the written 
15statement. A prevailing party may recover for each violation:
16        (1) against a private entity that negligently violates 
17    a provision of this Act, liquidated damages of $1,000 or 
18    actual damages, whichever is greater;
19        (2) against a private entity that intentionally or 
20    recklessly violates a provision of this Act, liquidated 
21    damages of $5,000 or actual damages, whichever is greater;
22        (3) reasonable attorneys' fees and costs, including 
23    expert witness fees and other litigation expenses; and
24        (4) other relief, including an injunction, as the 
25    State or federal court may deem appropriate.
26    (b) As intended by the General Assembly in enacting the 
 
 
HB5635- 9 -LRB103 39209 JRC 69359 b

1Act, and for purposes of subsection (b) of Section 15, a 
2private entity that, in more than one instance, collects, 
3captures, purchases, receives through trade, or otherwise 
4obtains biometric identifiers or biometric information from 
5the same person using the same method of collection in 
6violation of subsection (b) of Section 15 has committed a 
7single violation of subsection (b) of Section 15 for which the 
8aggrieved person is entitled to, at most, one recovery under 
9this Section.
10    (c) As intended by the General Assembly in enacting the 
11Act, and for purposes of subsection (d) of Section 15, a 
12private entity that, in more than one instance, discloses, 
13rediscloses, or otherwise disseminates biometric identifiers 
14or biometric information from the same person to the same 
15recipient using the same method of collection in violation of 
16subsection (d) of Section 15 has committed a single violation 
17of subsection (d) of Section 15 for which the aggrieved person 
18is entitled to, at most, one recovery under this Section 
19regardless of the number of times the private entity 
20disclosed, redisclosed, or otherwise disseminated the same 
21biometric identifier or biometric information of the same 
22person to the same recipient. 
23(Source: P.A. 95-994, eff. 10-3-08.)
 
24    (740 ILCS 14/25)
25    Sec. 25. Construction. 
 
 
HB5635- 10 -LRB103 39209 JRC 69359 b

1    (a) Nothing in this Act shall be construed to impact the 
2admission or discovery of biometric identifiers and biometric 
3information in any action of any kind in any court, or before 
4any tribunal, board, agency, or person.
5    (b) Nothing in this Act shall be construed to conflict 
6with the X-Ray Retention Act, the federal Health Insurance 
7Portability and Accountability Act of 1996, and the rules 
8promulgated under either Act.
9    (c) Nothing in this Act shall be deemed to apply in any 
10manner to a financial institution or an affiliate of a 
11financial institution that is subject to Title V of the 
12federal Gramm-Leach-Bliley Act of 1999 and the rules 
13promulgated thereunder.
14    (d) Nothing in this Act shall be construed to conflict 
15with the Private Detective, Private Alarm, Private Security, 
16Fingerprint Vendor, and Locksmith Act of 2004 and the rules 
17promulgated thereunder or information captured by an alarm 
18system as defined by that Act installed by a person licensed 
19under that Act and the rules adopted thereunder.
20    (e) Nothing in this Act shall be construed to apply to a 
21contractor, subcontractor, or agent of a State or federal 
22agency or local unit of government when working for that State 
23or federal agency or local unit of government.
24    (f) Nothing in this Act shall be construed to apply to 
25information captured by a biometric time clock or biometric 
26lock that converts a person's biometric identifier or 
 
 
HB5635- 11 -LRB103 39209 JRC 69359 b

1biometric information to a mathematical representation, 
2including, but not limited to, a numeric string or similar 
3method that cannot be used to recreate the person's biometric 
4identifier or biometric information. 
5    (g) Nothing in this Act shall be construed to apply to a 
6private entity if the private entity's employees are covered 
7by a collective bargaining agreement that provides for 
8different policies regarding the retention, collection, 
9disclosure, and destruction of biometric information. 
10(Source: P.A. 95-994, eff. 10-3-08.)
 
11    Section 99. Effective date. This Act takes effect upon 
12becoming law.