| 1 | 1 | | 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB2252 Introduced , by Rep. Dan Ugaste SYNOPSIS AS INTRODUCED: 740 ILCS 14/5740 ILCS 14/10740 ILCS 14/15740 ILCS 14/20740 ILCS 14/25 Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent". Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the Act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes. LRB103 25586 LNS 51935 b A BILL FOR 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB2252 Introduced , by Rep. Dan Ugaste SYNOPSIS AS INTRODUCED: 740 ILCS 14/5740 ILCS 14/10740 ILCS 14/15740 ILCS 14/20740 ILCS 14/25 740 ILCS 14/5 740 ILCS 14/10 740 ILCS 14/15 740 ILCS 14/20 740 ILCS 14/25 Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent". Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the Act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes. LRB103 25586 LNS 51935 b LRB103 25586 LNS 51935 b A BILL FOR |
|---|
| 2 | 2 | | 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB2252 Introduced , by Rep. Dan Ugaste SYNOPSIS AS INTRODUCED: |
|---|
| 3 | 3 | | 740 ILCS 14/5740 ILCS 14/10740 ILCS 14/15740 ILCS 14/20740 ILCS 14/25 740 ILCS 14/5 740 ILCS 14/10 740 ILCS 14/15 740 ILCS 14/20 740 ILCS 14/25 |
|---|
| 4 | 4 | | 740 ILCS 14/5 |
|---|
| 5 | 5 | | 740 ILCS 14/10 |
|---|
| 6 | 6 | | 740 ILCS 14/15 |
|---|
| 7 | 7 | | 740 ILCS 14/20 |
|---|
| 8 | 8 | | 740 ILCS 14/25 |
|---|
| 9 | 9 | | Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent". Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the Act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes. |
|---|
| 10 | 10 | | LRB103 25586 LNS 51935 b LRB103 25586 LNS 51935 b |
|---|
| 11 | 11 | | LRB103 25586 LNS 51935 b |
|---|
| 12 | 12 | | A BILL FOR |
|---|
| 13 | 13 | | HB2252LRB103 25586 LNS 51935 b HB2252 LRB103 25586 LNS 51935 b |
|---|
| 14 | 14 | | HB2252 LRB103 25586 LNS 51935 b |
|---|
| 15 | 15 | | 1 AN ACT concerning civil law. |
|---|
| 16 | 16 | | 2 Be it enacted by the People of the State of Illinois, |
|---|
| 17 | 17 | | 3 represented in the General Assembly: |
|---|
| 18 | 18 | | 4 Section 5. The Biometric Information Privacy Act is |
|---|
| 19 | 19 | | 5 amended by changing Sections 5, 10, 15, 20, and 25 as follows: |
|---|
| 20 | 20 | | 6 (740 ILCS 14/5) |
|---|
| 21 | 21 | | 7 Sec. 5. Legislative findings; intent. The General Assembly |
|---|
| 22 | 22 | | 8 finds all of the following: |
|---|
| 23 | 23 | | 9 (a) The use of biometrics is growing in the business and |
|---|
| 24 | 24 | | 10 security screening sectors and appears to promise streamlined |
|---|
| 25 | 25 | | 11 financial transactions and security screenings. |
|---|
| 26 | 26 | | 12 (b) Major national corporations have selected the City of |
|---|
| 27 | 27 | | 13 Chicago and other locations in this State as pilot testing |
|---|
| 28 | 28 | | 14 sites for new applications of biometric-facilitated financial |
|---|
| 29 | 29 | | 15 transactions, including finger-scan technologies at grocery |
|---|
| 30 | 30 | | 16 stores, gas stations, and school cafeterias. |
|---|
| 31 | 31 | | 17 (c) Biometrics are unlike other unique identifiers that |
|---|
| 32 | 32 | | 18 are used to access finances or other sensitive information. |
|---|
| 33 | 33 | | 19 For example, social security numbers, when compromised, can be |
|---|
| 34 | 34 | | 20 changed. Biometrics, however, are biologically unique to the |
|---|
| 35 | 35 | | 21 individual; therefore, once compromised, the individual has no |
|---|
| 36 | 36 | | 22 recourse, is at heightened risk for identity theft, and is |
|---|
| 37 | 37 | | 23 likely to withdraw from biometric-facilitated transactions. |
|---|
| 38 | 38 | | |
|---|
| 39 | 39 | | |
|---|
| 40 | 40 | | |
|---|
| 41 | 41 | | 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB2252 Introduced , by Rep. Dan Ugaste SYNOPSIS AS INTRODUCED: |
|---|
| 42 | 42 | | 740 ILCS 14/5740 ILCS 14/10740 ILCS 14/15740 ILCS 14/20740 ILCS 14/25 740 ILCS 14/5 740 ILCS 14/10 740 ILCS 14/15 740 ILCS 14/20 740 ILCS 14/25 |
|---|
| 43 | 43 | | 740 ILCS 14/5 |
|---|
| 44 | 44 | | 740 ILCS 14/10 |
|---|
| 45 | 45 | | 740 ILCS 14/15 |
|---|
| 46 | 46 | | 740 ILCS 14/20 |
|---|
| 47 | 47 | | 740 ILCS 14/25 |
|---|
| 48 | 48 | | Amends the Biometric Information Privacy Act. Changes the term "written release" to "written consent". Provides that the written policy that is developed by a private entity in possession of biometric identifiers shall be made available to the person from whom biometric information is to be collected or was collected (rather than to the public). Provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. Provides that if within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. Provides that if a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. Provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). Provides that the Act does not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information. Makes other changes. |
|---|
| 49 | 49 | | LRB103 25586 LNS 51935 b LRB103 25586 LNS 51935 b |
|---|
| 50 | 50 | | LRB103 25586 LNS 51935 b |
|---|
| 51 | 51 | | A BILL FOR |
|---|
| 52 | 52 | | |
|---|
| 53 | 53 | | |
|---|
| 54 | 54 | | |
|---|
| 55 | 55 | | |
|---|
| 56 | 56 | | |
|---|
| 57 | 57 | | 740 ILCS 14/5 |
|---|
| 58 | 58 | | 740 ILCS 14/10 |
|---|
| 59 | 59 | | 740 ILCS 14/15 |
|---|
| 60 | 60 | | 740 ILCS 14/20 |
|---|
| 61 | 61 | | 740 ILCS 14/25 |
|---|
| 62 | 62 | | |
|---|
| 63 | 63 | | |
|---|
| 64 | 64 | | |
|---|
| 65 | 65 | | LRB103 25586 LNS 51935 b |
|---|
| 66 | 66 | | |
|---|
| 67 | 67 | | |
|---|
| 68 | 68 | | |
|---|
| 69 | 69 | | |
|---|
| 70 | 70 | | |
|---|
| 71 | 71 | | |
|---|
| 72 | 72 | | |
|---|
| 73 | 73 | | |
|---|
| 74 | 74 | | |
|---|
| 75 | 75 | | HB2252 LRB103 25586 LNS 51935 b |
|---|
| 76 | 76 | | |
|---|
| 77 | 77 | | |
|---|
| 78 | 78 | | HB2252- 2 -LRB103 25586 LNS 51935 b HB2252 - 2 - LRB103 25586 LNS 51935 b |
|---|
| 79 | 79 | | HB2252 - 2 - LRB103 25586 LNS 51935 b |
|---|
| 80 | 80 | | 1 (d) An overwhelming majority of members of the public are |
|---|
| 81 | 81 | | 2 wary weary of the use of biometrics when such information is |
|---|
| 82 | 82 | | 3 tied to finances and other personal information. |
|---|
| 83 | 83 | | 4 (e) Despite limited State law regulating the collection, |
|---|
| 84 | 84 | | 5 use, safeguarding, and storage of biometrics, many members of |
|---|
| 85 | 85 | | 6 the public are deterred from partaking in biometric |
|---|
| 86 | 86 | | 7 identifier-facilitated transactions. |
|---|
| 87 | 87 | | 8 (f) The full ramifications of biometric technology are not |
|---|
| 88 | 88 | | 9 fully known. |
|---|
| 89 | 89 | | 10 (g) The public welfare, security, and safety will be |
|---|
| 90 | 90 | | 11 served by regulating the collection, use, safeguarding, |
|---|
| 91 | 91 | | 12 handling, storage, retention, and destruction of biometric |
|---|
| 92 | 92 | | 13 identifiers and information. |
|---|
| 93 | 93 | | 14 (Source: P.A. 95-994, eff. 10-3-08.) |
|---|
| 94 | 94 | | 15 (740 ILCS 14/10) |
|---|
| 95 | 95 | | 16 Sec. 10. Definitions. In this Act: |
|---|
| 96 | 96 | | 17 "Biometric identifier" means a retina or iris scan, |
|---|
| 97 | 97 | | 18 fingerprint, voiceprint, or scan of hand or face geometry. |
|---|
| 98 | 98 | | 19 Biometric identifiers do not include writing samples, written |
|---|
| 99 | 99 | | 20 signatures, photographs, human biological samples used for |
|---|
| 100 | 100 | | 21 valid scientific testing or screening, demographic data, |
|---|
| 101 | 101 | | 22 tattoo descriptions, or physical descriptions such as height, |
|---|
| 102 | 102 | | 23 weight, hair color, or eye color. Biometric identifiers do not |
|---|
| 103 | 103 | | 24 include donated organs, tissues, or parts as defined in the |
|---|
| 104 | 104 | | 25 Illinois Anatomical Gift Act or blood or serum stored on |
|---|
| 105 | 105 | | |
|---|
| 106 | 106 | | |
|---|
| 107 | 107 | | |
|---|
| 108 | 108 | | |
|---|
| 109 | 109 | | |
|---|
| 110 | 110 | | HB2252 - 2 - LRB103 25586 LNS 51935 b |
|---|
| 111 | 111 | | |
|---|
| 112 | 112 | | |
|---|
| 113 | 113 | | HB2252- 3 -LRB103 25586 LNS 51935 b HB2252 - 3 - LRB103 25586 LNS 51935 b |
|---|
| 114 | 114 | | HB2252 - 3 - LRB103 25586 LNS 51935 b |
|---|
| 115 | 115 | | 1 behalf of recipients or potential recipients of living or |
|---|
| 116 | 116 | | 2 cadaveric transplants and obtained or stored by a federally |
|---|
| 117 | 117 | | 3 designated organ procurement agency. Biometric identifiers do |
|---|
| 118 | 118 | | 4 not include biological materials regulated under the Genetic |
|---|
| 119 | 119 | | 5 Information Privacy Act. Biometric identifiers do not include |
|---|
| 120 | 120 | | 6 information captured from a patient in a health care setting |
|---|
| 121 | 121 | | 7 or information collected, used, or stored for health care |
|---|
| 122 | 122 | | 8 treatment, payment, or operations under the federal Health |
|---|
| 123 | 123 | | 9 Insurance Portability and Accountability Act of 1996. |
|---|
| 124 | 124 | | 10 Biometric identifiers do not include an X-ray, roentgen |
|---|
| 125 | 125 | | 11 process, computed tomography, MRI, PET scan, mammography, or |
|---|
| 126 | 126 | | 12 other image or film of the human anatomy used to diagnose, |
|---|
| 127 | 127 | | 13 prognose, or treat an illness or other medical condition or to |
|---|
| 128 | 128 | | 14 further validate scientific testing or screening. |
|---|
| 129 | 129 | | 15 "Biometric information" means any information, regardless |
|---|
| 130 | 130 | | 16 of how it is captured, converted, stored, or shared, based on |
|---|
| 131 | 131 | | 17 an individual's biometric identifier used to identify an |
|---|
| 132 | 132 | | 18 individual. Biometric information does not include information |
|---|
| 133 | 133 | | 19 derived from items or procedures excluded under the definition |
|---|
| 134 | 134 | | 20 of biometric identifiers, including information derived from |
|---|
| 135 | 135 | | 21 biometric information that cannot be used to recreate the |
|---|
| 136 | 136 | | 22 original biometric identifier. |
|---|
| 137 | 137 | | 23 "Confidential and sensitive information" means personal |
|---|
| 138 | 138 | | 24 information that can be used to uniquely identify an |
|---|
| 139 | 139 | | 25 individual or an individual's account or property. Examples of |
|---|
| 140 | 140 | | 26 confidential and sensitive information include, but are not |
|---|
| 141 | 141 | | |
|---|
| 142 | 142 | | |
|---|
| 143 | 143 | | |
|---|
| 144 | 144 | | |
|---|
| 145 | 145 | | |
|---|
| 146 | 146 | | HB2252 - 3 - LRB103 25586 LNS 51935 b |
|---|
| 147 | 147 | | |
|---|
| 148 | 148 | | |
|---|
| 149 | 149 | | HB2252- 4 -LRB103 25586 LNS 51935 b HB2252 - 4 - LRB103 25586 LNS 51935 b |
|---|
| 150 | 150 | | HB2252 - 4 - LRB103 25586 LNS 51935 b |
|---|
| 151 | 151 | | 1 limited to, a genetic marker, genetic testing information, a |
|---|
| 152 | 152 | | 2 unique identifier number to locate an account or property, an |
|---|
| 153 | 153 | | 3 account number, a PIN number, a pass code, a driver's license |
|---|
| 154 | 154 | | 4 number, or a social security number. |
|---|
| 155 | 155 | | 5 "Private entity" means any individual, partnership, |
|---|
| 156 | 156 | | 6 corporation, limited liability company, association, or other |
|---|
| 157 | 157 | | 7 group, however organized. A private entity does not include a |
|---|
| 158 | 158 | | 8 State or local government agency. A private entity does not |
|---|
| 159 | 159 | | 9 include any court of Illinois, a clerk of the court, or a judge |
|---|
| 160 | 160 | | 10 or justice thereof. |
|---|
| 161 | 161 | | 11 "Written consent release" means informed written consent |
|---|
| 162 | 162 | | 12 or, in the context of employment, a release executed by an |
|---|
| 163 | 163 | | 13 employee as a condition of employment. |
|---|
| 164 | 164 | | 14 (Source: P.A. 95-994, eff. 10-3-08.) |
|---|
| 165 | 165 | | 15 (740 ILCS 14/15) |
|---|
| 166 | 166 | | 16 Sec. 15. Retention; collection; disclosure; destruction. |
|---|
| 167 | 167 | | 17 (a) A private entity in possession of biometric |
|---|
| 168 | 168 | | 18 identifiers or biometric information must develop a written |
|---|
| 169 | 169 | | 19 policy, made available to the person from whom biometric |
|---|
| 170 | 170 | | 20 information is to be collected or was collected public, |
|---|
| 171 | 171 | | 21 establishing a retention schedule and guidelines for |
|---|
| 172 | 172 | | 22 permanently destroying biometric identifiers and biometric |
|---|
| 173 | 173 | | 23 information when the initial purpose for collecting or |
|---|
| 174 | 174 | | 24 obtaining such identifiers or information has been satisfied |
|---|
| 175 | 175 | | 25 or within 3 years of the individual's last interaction with |
|---|
| 176 | 176 | | |
|---|
| 177 | 177 | | |
|---|
| 178 | 178 | | |
|---|
| 179 | 179 | | |
|---|
| 180 | 180 | | |
|---|
| 181 | 181 | | HB2252 - 4 - LRB103 25586 LNS 51935 b |
|---|
| 182 | 182 | | |
|---|
| 183 | 183 | | |
|---|
| 184 | 184 | | HB2252- 5 -LRB103 25586 LNS 51935 b HB2252 - 5 - LRB103 25586 LNS 51935 b |
|---|
| 185 | 185 | | HB2252 - 5 - LRB103 25586 LNS 51935 b |
|---|
| 186 | 186 | | 1 the private entity, whichever occurs first. Absent a valid |
|---|
| 187 | 187 | | 2 order, warrant, or subpoena issued by a court of competent |
|---|
| 188 | 188 | | 3 jurisdiction or a local or federal governmental agency, a |
|---|
| 189 | 189 | | 4 private entity in possession of biometric identifiers or |
|---|
| 190 | 190 | | 5 biometric information must comply with its established |
|---|
| 191 | 191 | | 6 retention schedule and destruction guidelines. |
|---|
| 192 | 192 | | 7 (b) No private entity may collect, capture, purchase, |
|---|
| 193 | 193 | | 8 receive through trade, or otherwise obtain a person's or a |
|---|
| 194 | 194 | | 9 customer's biometric identifier or biometric information, |
|---|
| 195 | 195 | | 10 unless it first: |
|---|
| 196 | 196 | | 11 (1) informs the subject or the subject's legally |
|---|
| 197 | 197 | | 12 authorized representative in writing that a biometric |
|---|
| 198 | 198 | | 13 identifier or biometric information is being collected or |
|---|
| 199 | 199 | | 14 stored; |
|---|
| 200 | 200 | | 15 (2) informs the subject or the subject's legally |
|---|
| 201 | 201 | | 16 authorized representative in writing of the specific |
|---|
| 202 | 202 | | 17 purpose and length of term for which a biometric |
|---|
| 203 | 203 | | 18 identifier or biometric information is being collected, |
|---|
| 204 | 204 | | 19 stored, and used; and |
|---|
| 205 | 205 | | 20 (3) receives a written consent release executed by the |
|---|
| 206 | 206 | | 21 subject of the biometric identifier or biometric |
|---|
| 207 | 207 | | 22 information or the subject's legally authorized |
|---|
| 208 | 208 | | 23 representative. |
|---|
| 209 | 209 | | 24 Written consent may be obtained by electronic means. |
|---|
| 210 | 210 | | 25 (c) No private entity in possession of a biometric |
|---|
| 211 | 211 | | 26 identifier or biometric information may sell, lease, trade, or |
|---|
| 212 | 212 | | |
|---|
| 213 | 213 | | |
|---|
| 214 | 214 | | |
|---|
| 215 | 215 | | |
|---|
| 216 | 216 | | |
|---|
| 217 | 217 | | HB2252 - 5 - LRB103 25586 LNS 51935 b |
|---|
| 218 | 218 | | |
|---|
| 219 | 219 | | |
|---|
| 220 | 220 | | HB2252- 6 -LRB103 25586 LNS 51935 b HB2252 - 6 - LRB103 25586 LNS 51935 b |
|---|
| 221 | 221 | | HB2252 - 6 - LRB103 25586 LNS 51935 b |
|---|
| 222 | 222 | | 1 otherwise profit from a person's or a customer's biometric |
|---|
| 223 | 223 | | 2 identifier or biometric information. |
|---|
| 224 | 224 | | 3 (d) No private entity in possession of a biometric |
|---|
| 225 | 225 | | 4 identifier or biometric information may disclose, redisclose, |
|---|
| 226 | 226 | | 5 or otherwise disseminate a person's or a customer's biometric |
|---|
| 227 | 227 | | 6 identifier or biometric information unless: |
|---|
| 228 | 228 | | 7 (1) the subject of the biometric identifier or |
|---|
| 229 | 229 | | 8 biometric information or the subject's legally authorized |
|---|
| 230 | 230 | | 9 representative provides written consent consents to the |
|---|
| 231 | 231 | | 10 disclosure or redisclosure; |
|---|
| 232 | 232 | | 11 (2) the disclosure or redisclosure completes a |
|---|
| 233 | 233 | | 12 financial transaction requested or authorized by the |
|---|
| 234 | 234 | | 13 subject of the biometric identifier or the biometric |
|---|
| 235 | 235 | | 14 information or the subject's legally authorized |
|---|
| 236 | 236 | | 15 representative; |
|---|
| 237 | 237 | | 16 (3) the disclosure or redisclosure is required by |
|---|
| 238 | 238 | | 17 State or federal law or municipal ordinance; or |
|---|
| 239 | 239 | | 18 (4) the disclosure is required pursuant to a valid |
|---|
| 240 | 240 | | 19 warrant or subpoena issued by a court of competent |
|---|
| 241 | 241 | | 20 jurisdiction. |
|---|
| 242 | 242 | | 21 (e) A private entity in possession of a biometric |
|---|
| 243 | 243 | | 22 identifier or biometric information shall: |
|---|
| 244 | 244 | | 23 (1) store, transmit, and protect from disclosure all |
|---|
| 245 | 245 | | 24 biometric identifiers and biometric information using the |
|---|
| 246 | 246 | | 25 reasonable standard of care within the private entity's |
|---|
| 247 | 247 | | 26 industry; and |
|---|
| 248 | 248 | | |
|---|
| 249 | 249 | | |
|---|
| 250 | 250 | | |
|---|
| 251 | 251 | | |
|---|
| 252 | 252 | | |
|---|
| 253 | 253 | | HB2252 - 6 - LRB103 25586 LNS 51935 b |
|---|
| 254 | 254 | | |
|---|
| 255 | 255 | | |
|---|
| 256 | 256 | | HB2252- 7 -LRB103 25586 LNS 51935 b HB2252 - 7 - LRB103 25586 LNS 51935 b |
|---|
| 257 | 257 | | HB2252 - 7 - LRB103 25586 LNS 51935 b |
|---|
| 258 | 258 | | 1 (2) store, transmit, and protect from disclosure all |
|---|
| 259 | 259 | | 2 biometric identifiers and biometric information in a |
|---|
| 260 | 260 | | 3 manner that is the same as or more protective than the |
|---|
| 261 | 261 | | 4 manner in which the private entity stores, transmits, and |
|---|
| 262 | 262 | | 5 protects other confidential and sensitive information. |
|---|
| 263 | 263 | | 6 (Source: P.A. 95-994, eff. 10-3-08.) |
|---|
| 264 | 264 | | 7 (740 ILCS 14/20) |
|---|
| 265 | 265 | | 8 Sec. 20. Right of action. Any person aggrieved by a |
|---|
| 266 | 266 | | 9 violation of this Act shall have a right of action in a State |
|---|
| 267 | 267 | | 10 circuit court or as a supplemental claim in federal district |
|---|
| 268 | 268 | | 11 court against an offending party, which shall be commenced |
|---|
| 269 | 269 | | 12 within one year after the cause of action accrued if, prior to |
|---|
| 270 | 270 | | 13 initiating any action against a private entity, the aggrieved |
|---|
| 271 | 271 | | 14 person provides a private entity 30 days' written notice |
|---|
| 272 | 272 | | 15 identifying the specific provisions of this Act the aggrieved |
|---|
| 273 | 273 | | 16 person alleges have been or are being violated. If, within the |
|---|
| 274 | 274 | | 17 30 days, the private entity actually cures the noticed |
|---|
| 275 | 275 | | 18 violation and provides the aggrieved person an express written |
|---|
| 276 | 276 | | 19 statement that the violation has been cured and that no |
|---|
| 277 | 277 | | 20 further violations shall occur, no action for individual |
|---|
| 278 | 278 | | 21 statutory damages or class-wide statutory damages may be |
|---|
| 279 | 279 | | 22 initiated against the private entity. If a private entity |
|---|
| 280 | 280 | | 23 continues to violate this Act in breach of the express written |
|---|
| 281 | 281 | | 24 statement provided to the aggrieved person under this Section, |
|---|
| 282 | 282 | | 25 the aggrieved person may initiate an action against the |
|---|
| 283 | 283 | | |
|---|
| 284 | 284 | | |
|---|
| 285 | 285 | | |
|---|
| 286 | 286 | | |
|---|
| 287 | 287 | | |
|---|
| 288 | 288 | | HB2252 - 7 - LRB103 25586 LNS 51935 b |
|---|
| 289 | 289 | | |
|---|
| 290 | 290 | | |
|---|
| 291 | 291 | | HB2252- 8 -LRB103 25586 LNS 51935 b HB2252 - 8 - LRB103 25586 LNS 51935 b |
|---|
| 292 | 292 | | HB2252 - 8 - LRB103 25586 LNS 51935 b |
|---|
| 293 | 293 | | 1 private entity to enforce the written statement and may pursue |
|---|
| 294 | 294 | | 2 statutory damages for each breach of the express written |
|---|
| 295 | 295 | | 3 statement and any other violation that postdates the written |
|---|
| 296 | 296 | | 4 statement. A prevailing party in any such action may recover |
|---|
| 297 | 297 | | 5 for each violation: |
|---|
| 298 | 298 | | 6 (1) against a private entity that negligently violates |
|---|
| 299 | 299 | | 7 a provision of this Act, liquidated damages of $1,000 or |
|---|
| 300 | 300 | | 8 actual damages, whichever is greater; |
|---|
| 301 | 301 | | 9 (2) against a private entity that willfully |
|---|
| 302 | 302 | | 10 intentionally or recklessly violates a provision of this |
|---|
| 303 | 303 | | 11 Act, actual damages plus liquidated damages up to the |
|---|
| 304 | 304 | | 12 amount of actual damages of $5,000 or actual damages, |
|---|
| 305 | 305 | | 13 whichever is greater; |
|---|
| 306 | 306 | | 14 (3) reasonable attorneys' fees and costs, including |
|---|
| 307 | 307 | | 15 expert witness fees and other litigation expenses; and |
|---|
| 308 | 308 | | 16 (4) other relief, including an injunction, as the |
|---|
| 309 | 309 | | 17 State or federal court may deem appropriate. |
|---|
| 310 | 310 | | 18 (Source: P.A. 95-994, eff. 10-3-08.) |
|---|
| 311 | 311 | | 19 (740 ILCS 14/25) |
|---|
| 312 | 312 | | 20 Sec. 25. Construction. |
|---|
| 313 | 313 | | 21 (a) Nothing in this Act shall be construed to impact the |
|---|
| 314 | 314 | | 22 admission or discovery of biometric identifiers and biometric |
|---|
| 315 | 315 | | 23 information in any action of any kind in any court, or before |
|---|
| 316 | 316 | | 24 any tribunal, board, agency, or person. |
|---|
| 317 | 317 | | 25 (b) Nothing in this Act shall be construed to conflict |
|---|
| 318 | 318 | | |
|---|
| 319 | 319 | | |
|---|
| 320 | 320 | | |
|---|
| 321 | 321 | | |
|---|
| 322 | 322 | | |
|---|
| 323 | 323 | | HB2252 - 8 - LRB103 25586 LNS 51935 b |
|---|
| 324 | 324 | | |
|---|
| 325 | 325 | | |
|---|
| 326 | 326 | | HB2252- 9 -LRB103 25586 LNS 51935 b HB2252 - 9 - LRB103 25586 LNS 51935 b |
|---|
| 327 | 327 | | HB2252 - 9 - LRB103 25586 LNS 51935 b |
|---|
| 328 | 328 | | 1 with the X-Ray Retention Act, the federal Health Insurance |
|---|
| 329 | 329 | | 2 Portability and Accountability Act of 1996 and the rules |
|---|
| 330 | 330 | | 3 promulgated under either Act. |
|---|
| 331 | 331 | | 4 (c) Nothing in this Act shall be deemed to apply in any |
|---|
| 332 | 332 | | 5 manner to a financial institution or an affiliate of a |
|---|
| 333 | 333 | | 6 financial institution that is subject to Title V of the |
|---|
| 334 | 334 | | 7 federal Gramm-Leach-Bliley Act of 1999 and the rules |
|---|
| 335 | 335 | | 8 promulgated thereunder. |
|---|
| 336 | 336 | | 9 (d) Nothing in this Act shall be construed to conflict |
|---|
| 337 | 337 | | 10 with the Private Detective, Private Alarm, Private Security, |
|---|
| 338 | 338 | | 11 Fingerprint Vendor, and Locksmith Act of 2004 and the rules |
|---|
| 339 | 339 | | 12 promulgated thereunder. |
|---|
| 340 | 340 | | 13 (e) Nothing in this Act shall be construed to apply to a |
|---|
| 341 | 341 | | 14 contractor, subcontractor, or agent of a State or federal |
|---|
| 342 | 342 | | 15 agency or local unit of government when working for that State |
|---|
| 343 | 343 | | 16 or federal agency or local unit of government. |
|---|
| 344 | 344 | | 17 (f) Nothing in this Act shall be construed to apply to a |
|---|
| 345 | 345 | | 18 private entity if the private entity's employees are covered |
|---|
| 346 | 346 | | 19 by a collective bargaining agreement that provides for |
|---|
| 347 | 347 | | 20 different policies regarding the retention, collection, |
|---|
| 348 | 348 | | 21 disclosure, and destruction of biometric information. |
|---|
| 349 | 349 | | 22 (Source: P.A. 95-994, eff. 10-3-08.) |
|---|
| 350 | 350 | | |
|---|
| 351 | 351 | | |
|---|
| 352 | 352 | | |
|---|
| 353 | 353 | | |
|---|
| 354 | 354 | | |
|---|
| 355 | 355 | | HB2252 - 9 - LRB103 25586 LNS 51935 b |
|---|