2019 -- H 5945 | |
======== | |
LC002323 | |
======== | |
STATE OF RHODE ISLAND | |
IN GENERAL ASSEMBLY | |
JANUARY SESSION, A.D. 2019 | |
____________ | |
A N A C T | |
RELATING TO HEALTH AND SAFETY -- BIOMETRIC INFORMATION PRIVACY | |
PROTECTION ACT | |
| |
Introduced By: Representatives Edwards, Canario, Shanley, and Barros | |
Date Introduced: April 03, 2019 | |
Referred To: House Corporations | |
It is enacted by the General Assembly as follows: | |
1 | SECTION 1. Title 23 of the General Laws entitled "HEALTH AND SAFETY" is hereby |
2 | amended by adding thereto the following chapter: |
3 | CHAPTER 95 |
4 | BIOMETRIC INFORMATION PRIVACY PROTECTION ACT |
5 | 23-95-1. Short title. |
6 | This chapter shall be known and may be cited as the "Biometric Information Privacy |
7 | Protection Act." |
8 | 23-95-2. Legislative findings. |
9 | It is hereby found and declared as follows: |
10 | (1) The use of biometrics is growing in the business and security screening sectors and |
11 | appears to promise streamlined financial transactions and security screenings; |
12 | (2) Biometrics are unlike other unique identifiers that are used to access finances or other |
13 | sensitive information. For example, social security numbers, when compromised, can be changed. |
14 | Biometrics, however, are biologically unique to the individual; therefore, once compromised, the |
15 | individual has no recourse, is at heightened risk for identity theft, and is likely to withdraw from |
16 | biometric-facilitated transactions; |
17 | (3) An overwhelming majority of members of the public are weary of the use of |
18 | biometrics when such information is tied to finances and other personal information; |
| |
1 | (4) Despite limited state law regulating the collection, use, safeguarding, and storage of |
2 | biometrics, many members of the public are deterred from partaking in biometric identifier- |
3 | facilitated transactions; |
4 | (5) The full ramifications of biometric technology are not fully known; and |
5 | (6) The public welfare, security, and safety will be served by regulating the collection, |
6 | use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and |
7 | information. |
8 | 23-95-3. Definitions. |
9 | As used in this chapter, the following words and phrases have the following meanings: |
10 | (1) "Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of |
11 | hand or face geometry. Biometric identifiers do not include writing samples, written signatures, |
12 | photographs, human biological samples used for valid scientific testing or screening, |
13 | demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, |
14 | or eye color. Biometric identifiers do not include donated organs, tissues, parts, blood or serum |
15 | stored on behalf of recipients or potential recipients of living or cadaveric transplants and |
16 | obtained or stored by a federally designated organ procurement agency. Biometric identifiers do |
17 | not include information captured from a patient in a health care setting or information collected, |
18 | used, or stored for health care treatment, payment, or operations under the federal Health |
19 | Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X- |
20 | ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or |
21 | film of the human anatomy used to diagnose, prognose, or treat an illness or other medical |
22 | condition or to further validate scientific testing or screening. |
23 | (2) "Biometric information" means any information, regardless of how it is captured, |
24 | converted, stored, or shared, based on an individual's biometric identifier used to identify an |
25 | individual. Biometric information does not include information derived from items or procedures |
26 | excluded under the definition of biometric identifiers. |
27 | (3) "Confidential and sensitive information" means personal information that can be used |
28 | to uniquely identify an individual or an individual's account or property. Examples of confidential |
29 | and sensitive information include, but are not limited to, a genetic marker, genetic testing |
30 | information, a unique identifier number to locate an account or property, an account number, a |
31 | PIN number, a pass code, a driver's license number, or a social security number. |
32 | (4) "Collect" means the capture, purchase, or acquisition of a person's biometric |
33 | identifier. |
34 | (5) "Private entity" means any individual, partnership, corporation, limited liability |
| LC002323 - Page 2 of 6 |
1 | company, association, or other group, however organized. A private entity does not include a |
2 | state or local government agency. |
3 | (6) "Retain" means to collect and store a biometric identifier in whatever form for future |
4 | use as an identifier of an individual. |
5 | (7) "Security purpose" means the purpose of preventing shoplifting, theft or fraud. |
6 | (8) "Written release" means informed written consent or, in the context of employment, a |
7 | release executed by an employee as a condition of employment. |
8 | 23-95-4. Retention, collection and destruction. |
9 | (a) A private entity in possession of biometric identifiers or biometric information shall |
10 | develop a written policy, made available to the public, establishing a retention schedule and |
11 | guidelines for permanently destroying biometric identifiers and biometric information when the |
12 | initial purpose for collecting or obtaining such identifiers or information has been satisfied or |
13 | within three (3) years of the individual's last interaction with the private entity, whichever occurs |
14 | first. Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private |
15 | entity in possession of biometric identifiers or biometric information must comply with its |
16 | established retention schedule and destruction guidelines. |
17 | (b) No private entity may collect, capture, purchase, receive through trade, or otherwise |
18 | obtain a person's or a customer's biometric identifier or biometric information, unless it first: |
19 | (1) Informs the subject or the subject's legally authorized representative in writing that a |
20 | biometric identifier or biometric information is being collected or stored; |
21 | (2) Informs the subject or the subject's legally authorized representative in writing of the |
22 | specific purpose and length of term for which a biometric identifier or biometric information is |
23 | being collected, stored, and used; and |
24 | (3) Receives a written release executed by the subject of the biometric identifier or |
25 | biometric information or the subject's legally authorized representative. |
26 | (c) No private entity in possession of a biometric identifier or biometric information may |
27 | sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or |
28 | biometric information. |
29 | (d) No private entity in possession of a biometric identifier or biometric information may |
30 | disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or |
31 | biometric information unless: |
32 | (1) The subject of the biometric identifier or biometric information or the subject's legally |
33 | authorized representative consents to the disclosure or redisclosure; |
34 | (2) The disclosure or redisclosure completes a financial transaction requested or |
| LC002323 - Page 3 of 6 |
1 | authorized by the subject of the biometric identifier or the biometric information or the subject's |
2 | legally authorized representative; |
3 | (3) The disclosure or redisclosure is required by state or federal law or municipal |
4 | ordinance; or |
5 | (4) The disclosure is required pursuant to a valid warrant or subpoena issued by a court of |
6 | competent jurisdiction. |
7 | (e) A private entity in possession of a biometric identifier or biometric information shall: |
8 | (1) Store, transmit, and protect from disclosure all biometric identifiers and biometric |
9 | information using the reasonable standard of care within the private entity's industry; and |
10 | (2) Store, transmit, and protect from disclosure all biometric identifiers and biometric |
11 | information in a manner that is the same as or more protective than the manner in which the |
12 | private entity stores, transmits, and protects other confidential and sensitive information. |
13 | 23-95-5. Exceptions. |
14 | The provisions of ยง 23-95-4 shall not apply to: |
15 | (1) Law enforcement and correctional custody, including, but not limited to, the |
16 | identification of perpetrators, prisoners, missing persons, trafficking victims, or human remains; |
17 | (2) Facial images used to create driver's licenses or other state identification cards; |
18 | (3) Purposes authorized and conducted pursuant to state or federal law; |
19 | (4) The retention of voices for quality assurance purposes; |
20 | (5) Third-party data storage providers or data transmitters, including Internet service |
21 | providers or mobile carriers, who provide for the storage or transmittal of data only; |
22 | (6) Instances where a person's biometric identifier is captured and stored within the |
23 | person's own mobile device, computer device, or home security device where biometric |
24 | identifiers are captured and stored locally within the device and the biometric identifiers do not |
25 | transmit away from the device using the Internet or other network; |
26 | (7) Information collected or retained exclusively for scientific research; |
27 | (8) Government security-clearance related programs, research and projects; and |
28 | (9) Information used solely and exclusively for security purposes. |
29 | 23-95-6. Construction. |
30 | (a) Nothing in this chapter shall be construed to impact the admission or discovery of |
31 | biometric identifiers and biometric information in any action of any kind in any court, or before |
32 | any tribunal, board, agency, or person. |
33 | (b) Nothing in this chapter shall be construed to conflict with the federal Health Insurance |
34 | Portability and Accountability Act of 1996. |
| LC002323 - Page 4 of 6 |
1 | (c) Nothing in this chapter shall be deemed to apply in any manner to a financial |
2 | institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm- |
3 | Leach-Bliley Act of 1999 and the rules promulgated thereunder. |
4 | (d) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or |
5 | agent of a state agency or local unit of government when working for that state agency or local |
6 | unit of government. |
7 | 23-95-7. Private cause of action. |
8 | Any person aggrieved by a violation of this chapter shall have a right of action in a state |
9 | court or as a supplemental claim in federal district court against an offending party. A prevailing |
10 | party may recover for each violation: |
11 | (1) Against a private entity that negligently violates a provision of this chapter, liquidated |
12 | damages of one thousand dollars ($1,000) or actual damages, whichever is greater; |
13 | (2) Against a private entity that intentionally or recklessly violates a provision of this |
14 | chapter, liquidated damages of five thousand dollars ($5,000) or actual damages, whichever is |
15 | greater; and |
16 | (3) Reasonable attorneys' fees and costs. |
17 | 23-95-8. Enforcement by attorney general. |
18 | Whenever the attorney general has reason to believe that a person or private entity has |
19 | violated the provisions of this chapter, and that proceeding would be in the public interest, the |
20 | attorney general may bring an action in the name of the state or on behalf of persons residing in |
21 | the state, against the person or private entity to restrain and enjoin the use of methods, acts or |
22 | practices that are in violation of this chapter. |
23 | 23-95-9. Severability. |
24 | If any part of this chapter shall be deemed invalid, all valid parts that are severable shall |
25 | remain in full force and effect. |
26 | SECTION 2. This act shall take effect upon passage. |
======== | |
LC002323 | |
======== | |
| LC002323 - Page 5 of 6 |
EXPLANATION | |
BY THE LEGISLATIVE COUNCIL | |
OF | |
A N A C T | |
RELATING TO HEALTH AND SAFETY -- BIOMETRIC INFORMATION PRIVACY | |
PROTECTION ACT | |
*** | |
1 | This act would prohibit the collection and retention of biometric identifiers without |
2 | consent of the person whose information is collected. Exceptions would be law enforcement, |
3 | government use, research and government security-clearance related projects. |
4 | This act would take effect upon passage. |
======== | |
LC002323 | |
======== | |
| LC002323 - Page 6 of 6 |