95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008
SB2400

 

Introduced 2/14/2008, by Sen. Terry Link

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Biometric Information Privacy Act. Provides that a public agency or private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the public agency or private entity. Provides that absent a valid warrant or subpoena, a public agency or private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines. Provides that no public agency or private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first satisfies certain conditions. Provides that these provisions do not apply to a public agency engaged in criminal investigations or prosecutions or a public agency acting pursuant to a valid warrant or subpoena. Provides that a public agency in possession of biometric identifiers or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the public agency stores, transmits, and protects other confidential and sensitive information. Provides that any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court. Preempts home rule. Contains other provisions.


LRB095 19768 KBJ 46142 b

FISCAL NOTE ACT MAY APPLY
HOME RULE NOTE ACT MAY APPLY

 

 

A BILL FOR

 

SB2400 LRB095 19768 KBJ 46142 b

1     AN ACT concerning health.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Biometric Information Privacy Act.
 
6     Section 5. Legislative findings; intent. The General
7 Assembly finds all of the following:
8     (a) The use of biometrics is growing in the business and
9 security screening sectors and appears to promise streamlined
10 financial transactions and security screenings.
11     (b) Major national corporations have selected the City of
12 Chicago and other locations in this State as pilot testing
13 sites for new applications of biometric-facilitated financial
14 transactions, including "Pay By Touch" at banks, grocery
15 stores, gas stations, and school cafeterias.
16     (c) Biometrics are unlike other unique identifiers that are
17 used to access finances or other sensitive information. For
18 example, social security numbers, when compromised, can be
19 changed. Biometrics, however, are biologically unique to the
20 individual; therefore, once compromised, the individual has no
21 recourse, is at heightened risk for identity theft, and is
22 likely to withdraw from biometric-facilitated transactions.
23     (d) An overwhelming majority of members of the public are

 

 

SB2400 - 2 - LRB095 19768 KBJ 46142 b

1 opposed to the use of biometrics when such information is tied
2 to personal finances and other personal information.
3     (e) Despite limited State law regulating the collection,
4 use, safeguarding, and storage of biometric information, many
5 members of the public are deterred from partaking in biometric
6 identifier-facilitated facility transactions.
7     (f) The public welfare, security, and safety will be served
8 by regulating the collection, use, safeguarding, handling,
9 storage, retention, and destruction of biometric identifiers
10 and information.
 
11     Section 10. Definitions. In this Act:
12     "Biometric identifier" means any indelible personal
13 physical characteristic which can be used to uniquely identify
14 an individual or pinpoint an individual at a particular place
15 at a particular time. Examples of biometric identifiers
16 include, but are not limited to iris or retinal scans,
17 fingerprints, voiceprints, and records of hand or facial
18 geometry. Biometric identifiers do not include writing
19 samples, written signature, and photographs.
20     "Biometric information" means any information, regardless
21 of how it is captured, converted, stored, or shared, based on
22 an individual's biometric identifier used to identify an
23 individual.
24     "Confidential and sensitive information" means personal
25 information that can be used to uniquely identify an individual

 

 

SB2400 - 3 - LRB095 19768 KBJ 46142 b

1 or an individual's account or property include, but are not
2 limited to a genetic marker, genetic testing information, a
3 unique identifier number to locate an account or property, an
4 account number, a PIN number, a pass code, a driver's license
5 number, or a social security number.
6     "Legally effective written release" means informed written
7 consent.
8     "Private entity" means any individual, partnership,
9 corporation, limited liability company, association, or other
10 group, however organized.
11     "Public agency" means the State of Illinois and its various
12 subdivisions and agencies, and all units of local government,
13 school districts, and other governmental entities.
 
14     Section 15. Retention; collection; disclosure;
15 destruction.
16     (a) A public agency or private entity in possession of
17 biometric identifiers or biometric information must develop a
18 written policy, made available to the public, establishing a
19 retention schedule and guidelines for permanently destroying
20 biometric identifiers and biometric information when the
21 initial purpose for collecting or obtaining such identifiers or
22 information has been satisfied or within 3 years of the
23 individual's last interaction with the public agency or private
24 entity. Absent a valid warrant or subpoena issued by a court of
25 competent jurisdiction, a public agency or private entity in

 

 

SB2400 - 4 - LRB095 19768 KBJ 46142 b

1 possession of biometric identifiers or biometric information
2 must comply with its established retention schedule and
3 destruction guidelines.
4     (b) No public agency or private entity may collect,
5 capture, purchase, receive through trade, or otherwise obtain a
6 person's or a customer's biometric identifier or biometric
7 information, unless it first:
8         (1) informs the subject in writing that a biometric
9     identifier or biometric information is being collected or
10     stored;
11         (2) informs the subject in writing of the specific
12     purpose and length of term for which a biometric identifier
13     or biometric information is being collected, stored, and
14     used; and
15         (3) receives a legally effective written release
16     executed by the subject of the biometric identifier or
17     biometric information or the subject's legally authorized
18     representative.
19     (c) Subsections (a) and (b) of this Section do not apply to
20 a public agency engaged in criminal investigations or
21 prosecutions. Subsections (a) and (b) of this Section do not
22 apply to a public agency acting pursuant to a valid warrant or
23 subpoena issued by a court of competent jurisdiction.
24     (d) No public agency or private entity in possession of a
25 biometric identifier or biometric information may sell, lease,
26 trade, or otherwise profit from a person's or a customer's

 

 

SB2400 - 5 - LRB095 19768 KBJ 46142 b

1 biometric identifier or biometric information.
2     (e) Nothing in subsection (d) of this Section shall be
3 construed to prohibit or inhibit a public agency engaged in
4 criminal investigations or prosecutions from:
5         (1) sharing biometric identifiers or biometric
6     information with another public agency engaged in criminal
7     investigations or prosecutions to further such criminal
8     investigations or prosecutions;
9         (2) sharing biometric identifiers or biometric
10     information pursuant to federal law or regulation; or
11         (3) sharing biometric identifiers or biometric
12     information pursuant to a valid warrant or subpoena issued
13     by a court of competent jurisdiction.
14     (f) No public agency, private entity, or person in
15 possession of a biometric identifier or biometric information
16 may disclose, redisclose, or otherwise disseminate a person's
17 or a customer's biometric identifier or biometric information,
18 unless:
19         (1) the subject of the biometric identifier or
20     biometric information or the subject's legally authorized
21     representative consents to the disclosure or redisclosure;
22         (2) the disclosure or redisclosure completes a
23     financial transaction requested or authorized by the
24     subject of the biometric identifier or the biometric
25     information;
26         (3) the disclosure or redisclosure is required under

 

 

SB2400 - 6 - LRB095 19768 KBJ 46142 b

1     federal law; and
2         (4) the disclosure is required pursuant to a valid
3     warrant or subpoena issued by a court of competent
4     jurisdiction.
5     (g) A public agency in possession of biometric identifiers
6 or biometric information shall store, transmit, and protect
7 from disclosure all biometric identifiers and biometric
8 information in a manner that is the same as or more protective
9 than the manner in which the public agency stores, transmits,
10 and protects other confidential and sensitive information.
11     (h) A private entity in possession of a biometric
12 identifier or biometric information shall:
13          (1) store, transmit, and protect from disclosure all
14     biometric identifiers and biometric information using the
15     reasonable standard of care within the private entity's
16     industry; and
17         (2) store, transmit, and protect from disclosure all
18     biometric identifiers and biometric information in a
19     manner that is the same as or more protective than the
20     manner in which the private entity stores, transmits, and
21     protects other confidential and sensitive information.
22     (i) All information and records held by a public agency
23 pertaining to biometric identifiers and biometric information
24 shall be confidential and exempt from copying and inspection
25 under the Freedom of Information Act to all except to the
26 subject of the biometric identifier or biometric information.

 

 

SB2400 - 7 - LRB095 19768 KBJ 46142 b

1 The subject of the biometric identifier or biometric
2 information held by a public agency shall be permitted to copy
3 and inspect only their own biometric identifiers and biometric
4 information.
 
5     Section 20. Right of action.
6     (a) Any person aggrieved by a violation of this Act shall
7 have a right of action in a State circuit court or as a
8 supplemental claim in federal district court against an
9 offending party. A prevailing party may recover for each
10 violation:
11         (1) against any public agency or private entity that
12     negligently violates a provision of this Act, liquidated
13     damages of $1,000 or actual damages, whichever is greater;
14         (2) against any public agency or private entity that
15     intentionally or recklessly violates a provision of this
16     Act, liquidated damages of $5,000 or actual damages,
17     whichever is greater;
18         (3) reasonable attorneys' fees and costs, including
19     expert witness fees and other litigation expenses; and
20         (4) other relief, including an injunction, as the State
21     or federal court may deem appropriate.
22     (b) For the purpose of this Act, "prevailing party"
23 includes any party: (i) who obtains some of his or her
24 requested relief through a judicial judgment in his or her
25 favor; (ii) who obtains some of his or her requested relief

 

 

SB2400 - 8 - LRB095 19768 KBJ 46142 b

1 through any settlement agreement approved by the court; or
2 (iii) whose pursuit of a non-frivolous claim was a catalyst for
3 a unilateral change in position by the opposing party relative
4 to the relief sought.
 
5     Section 25. Home rule. The corporate authorities of a
6 municipality or other unit of local government may enact
7 ordinances, standards, rules, or regulations that protect
8 biometric identifiers and biometric information in a manner or
9 to an extent equal to or greater than the protection provided
10 in this Act. This Section is a limitation on the concurrent
11 exercise of home rule power under subsection (i) of Section 6
12 of Article VII of the Illinois Constitution.