Full Text of HB4102 103rd General Assembly
HB4102 103RD GENERAL ASSEMBLY
|
| | 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4102 Introduced , by Rep. La Shawn K. Ford SYNOPSIS AS INTRODUCED:
|
| 740 ILCS 14/10 | | 740 ILCS 14/15 | |
|
Amends the Biometric Information Privacy Act. Defines "security purpose" as a purpose to ensure that (i) a
person accessing an online product or service is who they
person claims to be or (ii) a person identified as a safety
concern or as a person violating the terms of use or service of
the online product or service can be kept off of or denied
access to the product or service. Provides that no private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or customer's biometric identifier or biometric information unless it is done in furtherance of a security purpose. Provides that a private entity is not required to comply with the 3-year retention limitation of biometric identifiers or biometric information if the biometric identifiers or biometric information are being collected for a security purpose.
|
| |
| | A BILL FOR |
|
| | | HB4102 | | LRB103 32688 LNS 62409 b |
|
| | 1 | | AN ACT concerning civil law.
| | 2 | | Be it enacted by the People of the State of Illinois,
| | 3 | | represented in the General Assembly:
| | 4 | | Section 5. The Biometric Information Privacy Act is | | 5 | | amended by changing Sections 10 and 15 as follows:
| | 6 | | (740 ILCS 14/10)
| | 7 | | Sec. 10. Definitions. In this Act: | | 8 | | "Biometric identifier" means a retina or iris scan, | | 9 | | fingerprint, voiceprint, or scan of hand or face geometry. | | 10 | | Biometric identifiers do not include writing samples, written | | 11 | | signatures, photographs, human biological samples used for | | 12 | | valid scientific testing or screening, demographic data, | | 13 | | tattoo descriptions, or physical descriptions such as height, | | 14 | | weight, hair color, or eye color. Biometric identifiers do not | | 15 | | include donated organs, tissues, or parts as defined in the | | 16 | | Illinois Anatomical Gift Act or blood or serum stored on | | 17 | | behalf of recipients or potential recipients of living or | | 18 | | cadaveric transplants and obtained or stored by a federally | | 19 | | designated organ procurement agency. Biometric identifiers do | | 20 | | not include biological materials regulated under the Genetic | | 21 | | Information Privacy Act. Biometric identifiers do not include | | 22 | | information captured from a patient in a health care setting | | 23 | | or information collected, used, or stored for health care |
| | | HB4102 | - 2 - | LRB103 32688 LNS 62409 b |
|
| | 1 | | treatment, payment, or operations under the federal Health | | 2 | | Insurance Portability and Accountability Act of 1996. | | 3 | | Biometric identifiers do not include an X-ray, roentgen | | 4 | | process, computed tomography, MRI, PET scan, mammography, or | | 5 | | other image or film of the human anatomy used to diagnose, | | 6 | | prognose, or treat an illness or other medical condition or to | | 7 | | further validate scientific testing or screening. | | 8 | | "Biometric information" means any information, regardless | | 9 | | of how it is captured, converted, stored, or shared, based on | | 10 | | an individual's biometric identifier used to identify a | | 11 | | specific an individual. "Biometric information" does not | | 12 | | include information derived from items or procedures excluded | | 13 | | under the definition of biometric identifiers. | | 14 | | "Confidential and sensitive information" means personal | | 15 | | information that can be used to uniquely identify an | | 16 | | individual or an individual's account or property. Examples of | | 17 | | confidential and sensitive information include, but are not | | 18 | | limited to, a genetic marker, genetic testing information, a | | 19 | | unique identifier number to locate an account or property, an | | 20 | | account number, a PIN number, a pass code, a driver's license | | 21 | | number, or a social security number. | | 22 | | "Private entity" means any individual, partnership, | | 23 | | corporation, limited liability company, association, or other | | 24 | | group, however organized.
A private entity does not include a | | 25 | | State or local government agency. A private entity does not | | 26 | | include any court of Illinois, a clerk of the court, or a judge |
| | | HB4102 | - 3 - | LRB103 32688 LNS 62409 b |
|
| | 1 | | or justice thereof. | | 2 | | "Security purpose" means a purpose to ensure that (i) a | | 3 | | person accessing an online product or service is who they | | 4 | | person claims to be or (ii) a person identified as a safety | | 5 | | concern or as a person violating the terms of use or service of | | 6 | | the online product or service can be kept off of or denied | | 7 | | access to the product or service. | | 8 | | "Written release" means informed written consent or, in | | 9 | | the context of employment, a release executed by an employee | | 10 | | as a condition of employment.
| | 11 | | (Source: P.A. 95-994, eff. 10-3-08.)
| | 12 | | (740 ILCS 14/15)
| | 13 | | Sec. 15. Retention; collection; disclosure; destruction. | | 14 | | (a) A private entity in possession of biometric | | 15 | | identifiers or biometric information must develop a written | | 16 | | policy, made available to the public, establishing a retention | | 17 | | schedule and guidelines for permanently destroying biometric | | 18 | | identifiers and biometric information when the initial purpose | | 19 | | for collecting or obtaining such identifiers or information | | 20 | | has been satisfied or within 3 years of the individual's last | | 21 | | interaction with the private entity, whichever occurs first. | | 22 | | Absent a valid warrant or subpoena issued by a court of | | 23 | | competent jurisdiction, a private entity in possession of | | 24 | | biometric identifiers or biometric information must comply | | 25 | | with its established retention schedule and destruction |
| | | HB4102 | - 4 - | LRB103 32688 LNS 62409 b |
|
| | 1 | | guidelines. | | 2 | | (b) No private entity may collect, capture, purchase, | | 3 | | receive through trade, or otherwise obtain a person's or a | | 4 | | customer's biometric identifier or biometric information, | | 5 | | unless it first: | | 6 | | (1) informs the subject or the subject's legally | | 7 | | authorized representative in writing that a biometric | | 8 | | identifier or biometric information is being collected or | | 9 | | stored; | | 10 | | (2) informs the subject or the subject's legally | | 11 | | authorized representative in writing of the specific | | 12 | | purpose and length of term for which a biometric | | 13 | | identifier or biometric information is being collected, | | 14 | | stored, and used; and | | 15 | | (3) receives a written release executed by the subject | | 16 | | of the biometric identifier or biometric information or | | 17 | | the subject's legally authorized representative.
| | 18 | | (c) No private entity in possession of a biometric | | 19 | | identifier or biometric information may sell, lease, trade, or | | 20 | | otherwise profit from a person's or a customer's biometric | | 21 | | identifier or biometric information. | | 22 | | (d) No private entity in possession of a biometric | | 23 | | identifier or biometric information may disclose, redisclose, | | 24 | | or otherwise disseminate a person's or a customer's biometric | | 25 | | identifier or biometric information
unless: | | 26 | | (1) the subject of the biometric identifier or
|
| | | HB4102 | - 5 - | LRB103 32688 LNS 62409 b |
|
| | 1 | | biometric information or the subject's legally authorized
| | 2 | | representative consents to the disclosure or redisclosure; | | 3 | | (2) the disclosure or redisclosure completes a | | 4 | | financial transaction requested or authorized by the | | 5 | | subject of the biometric identifier or the biometric | | 6 | | information or the subject's legally authorized | | 7 | | representative; | | 8 | | (3) the disclosure or redisclosure is required by | | 9 | | State or federal law or municipal ordinance; or | | 10 | | (4) the disclosure is required pursuant to a valid | | 11 | | warrant or subpoena issued by a court of competent | | 12 | | jurisdiction; or .
| | 13 | | (5) it is done in furtherance of a security purpose. | | 14 | | (e) A private entity in possession of a biometric | | 15 | | identifier or biometric information shall: | | 16 | | (1) store, transmit, and protect from disclosure all | | 17 | | biometric identifiers and biometric information using the | | 18 | | reasonable standard of care within the private entity's | | 19 | | industry; and
| | 20 | | (2) store, transmit, and protect from disclosure all | | 21 | | biometric identifiers and biometric information in a | | 22 | | manner that is the same as or more protective than the | | 23 | | manner in which the private entity stores, transmits, and | | 24 | | protects other confidential and sensitive information.
| | 25 | | (f) A private entity shall not be required to comply with | | 26 | | the 3-year retention limitation of biometric identifiers or |
| | | HB4102 | - 6 - | LRB103 32688 LNS 62409 b |
|
| | 1 | | biometric information of subsection (a) or the requirements of | | 2 | | subsection (b) if the biometric identifiers or biometric | | 3 | | information are being collected for a security purpose. | | 4 | | (Source: P.A. 95-994, eff. 10-3-08.)
|
|
Translate
