102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB3782

 

Introduced 1/21/2022, by Sen. John Connor

 

SYNOPSIS AS INTRODUCED:
 
740 ILCS 14/10
740 ILCS 14/15

    Amends the Biometric Privacy Information Act. Defines "security purpose" as the purpose of preventing retail theft, fraud, or any other misappropriation or theft of a thing of value, including protecting property from trespass, controlling access to property, protecting any person from harm, including stalking, violence, or harassment, and assisting a law enforcement investigation. Allows a private entity to collect, capture, or otherwise obtain a person's or customer's biometric identifier or biometric information without satisfying other specified requirements if: (1) the private entity collects, captures, or otherwise obtains a person's or customer's biometric identifier or biometric information for a security purpose; (2) the private entity uses the biometric identifier or biometric information only for a security purpose; (3) the private entity retains the biometric identifier or biometric information no longer than is reasonably necessary to satisfy a security purpose; and (4) the private entity documents a process and time frame to delete any biometric identifier or biometric information.


LRB102 24507 LNS 33741 b

 

 

A BILL FOR

 

SB3782LRB102 24507 LNS 33741 b

1    AN ACT concerning civil law.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Biometric Information Privacy Act is
5amended by changing Sections 10 and 15 as follows:
 
6    (740 ILCS 14/10)
7    Sec. 10. Definitions. In this Act:
8    "Biometric identifier" means a retina or iris scan,
9fingerprint, voiceprint, or scan of hand or face geometry.
10Biometric identifiers do not include writing samples, written
11signatures, photographs, human biological samples used for
12valid scientific testing or screening, demographic data,
13tattoo descriptions, or physical descriptions such as height,
14weight, hair color, or eye color. Biometric identifiers do not
15include donated organs, tissues, or parts as defined in the
16Illinois Anatomical Gift Act or blood or serum stored on
17behalf of recipients or potential recipients of living or
18cadaveric transplants and obtained or stored by a federally
19designated organ procurement agency. Biometric identifiers do
20not include biological materials regulated under the Genetic
21Information Privacy Act. Biometric identifiers do not include
22information captured from a patient in a health care setting
23or information collected, used, or stored for health care

 

 

SB3782- 2 -LRB102 24507 LNS 33741 b

1treatment, payment, or operations under the federal Health
2Insurance Portability and Accountability Act of 1996.
3Biometric identifiers do not include an X-ray, roentgen
4process, computed tomography, MRI, PET scan, mammography, or
5other image or film of the human anatomy used to diagnose,
6prognose, or treat an illness or other medical condition or to
7further validate scientific testing or screening.
8    "Biometric information" means any information, regardless
9of how it is captured, converted, stored, or shared, based on
10an individual's biometric identifier used to identify an
11individual. Biometric information does not include information
12derived from items or procedures excluded under the definition
13of biometric identifiers.
14    "Confidential and sensitive information" means personal
15information that can be used to uniquely identify an
16individual or an individual's account or property. Examples of
17confidential and sensitive information include, but are not
18limited to, a genetic marker, genetic testing information, a
19unique identifier number to locate an account or property, an
20account number, a PIN number, a pass code, a driver's license
21number, or a social security number.
22    "Private entity" means any individual, partnership,
23corporation, limited liability company, association, or other
24group, however organized. A private entity does not include a
25State or local government agency. A private entity does not
26include any court of Illinois, a clerk of the court, or a judge

 

 

SB3782- 3 -LRB102 24507 LNS 33741 b

1or justice thereof.
2    "Security purpose" means the purpose of preventing or
3investigating retail theft, fraud, or any other
4misappropriation or theft of a thing of value, including
5protecting property from trespass, controlling access to
6property, protecting any person from harm including stalking,
7violence, or harassment, and assisting a law enforcement
8investigation.
9    "Written release" means informed written consent or, in
10the context of employment, a release executed by an employee
11as a condition of employment.
12(Source: P.A. 95-994, eff. 10-3-08.)
 
13    (740 ILCS 14/15)
14    Sec. 15. Retention; collection; disclosure; destruction.
15    (a) A private entity in possession of biometric
16identifiers or biometric information must develop a written
17policy, made available to the public, establishing a retention
18schedule and guidelines for permanently destroying biometric
19identifiers and biometric information when the initial purpose
20for collecting or obtaining such identifiers or information
21has been satisfied or within 3 years of the individual's last
22interaction with the private entity, whichever occurs first.
23Absent a valid warrant or subpoena issued by a court of
24competent jurisdiction, a private entity in possession of
25biometric identifiers or biometric information must comply

 

 

SB3782- 4 -LRB102 24507 LNS 33741 b

1with its established retention schedule and destruction
2guidelines.
3    (b) No private entity may collect, capture, purchase,
4receive through trade, or otherwise obtain a person's or a
5customer's biometric identifier or biometric information,
6unless it first:
7        (1) informs the subject or the subject's legally
8    authorized representative in writing that a biometric
9    identifier or biometric information is being collected or
10    stored;
11        (2) informs the subject or the subject's legally
12    authorized representative in writing of the specific
13    purpose and length of term for which a biometric
14    identifier or biometric information is being collected,
15    stored, and used; and
16        (3) receives a written release executed by the subject
17    of the biometric identifier or biometric information or
18    the subject's legally authorized representative.
19        (b-5) A private entity may collect, capture, or
20    otherwise obtain a person's or customer's biometric
21    identifier or biometric information without satisfying the
22    requirements of subsection (b) if:
23            (1) the private entity collects, captures, or
24        otherwise obtains a person's or customer's biometric
25        identifier or biometric information for a security
26        purpose;

 

 

SB3782- 5 -LRB102 24507 LNS 33741 b

1            (2) the private entity uses the biometric
2        identifier or biometric information only for a
3        security purpose;
4            (3) the private entity retains the biometric
5        identifier or biometric information no longer than is
6        reasonably necessary to satisfy a security purpose;
7        and
8            (4) the private entity documents a process and
9        time frame to delete any biometric identifier or
10        biometric information used for the purposes identified
11        in this subsection.
12    (c) No private entity in possession of a biometric
13identifier or biometric information may sell, lease, trade, or
14otherwise profit from a person's or a customer's biometric
15identifier or biometric information.
16    (d) No private entity in possession of a biometric
17identifier or biometric information may disclose, redisclose,
18or otherwise disseminate a person's or a customer's biometric
19identifier or biometric information unless:
20        (1) the subject of the biometric identifier or
21    biometric information or the subject's legally authorized
22    representative consents to the disclosure or redisclosure;
23        (2) the disclosure or redisclosure completes a
24    financial transaction requested or authorized by the
25    subject of the biometric identifier or the biometric
26    information or the subject's legally authorized

 

 

SB3782- 6 -LRB102 24507 LNS 33741 b

1    representative;
2        (3) the disclosure or redisclosure is required by
3    State or federal law or municipal ordinance; or
4        (4) the disclosure is required pursuant to a valid
5    warrant or subpoena issued by a court of competent
6    jurisdiction.
7    (e) A private entity in possession of a biometric
8identifier or biometric information shall:
9        (1) store, transmit, and protect from disclosure all
10    biometric identifiers and biometric information using the
11    reasonable standard of care within the private entity's
12    industry; and
13        (2) store, transmit, and protect from disclosure all
14    biometric identifiers and biometric information in a
15    manner that is the same as or more protective than the
16    manner in which the private entity stores, transmits, and
17    protects other confidential and sensitive information.
18(Source: P.A. 95-994, eff. 10-3-08.)