IN THE SENATE OF THE UNITED STATES
August 3, 2020
Mr. Merkley (for himself and Mr. Sanders) introduced the following bill; which was read twice and referred to the Committee on the Judiciary
To regulate the collection, retention, disclosure, and destruction of biometric information, and for other purposes.
This Act may be cited as the
National Biometric Information Privacy Act of 2020.
In this Act:
The term biometric identifier—
a retina or iris scan;
a faceprint (including any faceprint derived from a photograph);
fingerprints or palm prints; and
any other uniquely identifying information based on the characteristics of an individual’s gait or other immutable characteristic of an individual;
does not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color;
does not include donated organs, tissues, or parts or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency;
does not include information captured from a patient in a health care setting for a medical purpose or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191); and
does not include an x ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
Confidential and sensitive information
The term confidential and sensitive information—
means personal information that can be used to uniquely identify an individual or an individual’s account or property; and
includes genetic markers, genetic testing information, unique identifier numbers to locate accounts or property, account numbers, personal identification numbers, pass codes, driver’s license numbers, or Social Security numbers.
The term private entity—
means any individual, partnership, corporation, limited liability company, association, or other group, however organized; and
does not include any Federal, State, or local government agency or academic institution.
The term written release means—
specific, discrete, freely given, unambiguous, and informed written consent given by an individual who is not under any duress or undue influence of an entity or third party at the time such consent is given; or
in the context of employment, a release executed by an employee as a condition of employment.
Collection, retention, disclosure, and destruction of biometric information
Not later than 60 days after the date of the enactment of this Act, any private entity in possession of biometric identifiers or biometric information concerning an individual shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying such biometric identifiers and biometric information not later than the earlier of—
the date on which the initial purpose for collecting or obtaining such identifiers or information has been satisfied, if the individual from whom the biometric information was collected—
freely consented to the original purpose for such collection; and
could have declined such collection without consequence; or
1 year after the individual’s last intentional interaction with the private entity.
Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with the retention schedule and destruction guidelines established pursuant to paragraph (1).
A private entity may not collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless—
the entity requires the identifier or information—
to provide a service for the person or customer; or
for another valid business purpose specified in the written policy published pursuant to section 3; and
the entity first—
informs the person or customer, or his or her legally authorized representative, in writing—
that such biometric identifier or biometric information is being collected or stored; and
of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and
receives a written release executed by the subject of the biometric identifier or biometric information or by the subject’s legally authorized representative.
A written release under paragraph (1)(B)—
may not be sought through, as a part of, or otherwise combined with any other consent or permission seeking instrument or function;
may not be combined with an employment contract; and
if it involves a minor, may only be obtained through the minor’s parent or guardian.
A private entity in possession of a biometric identifier or biometric information may not sell, lease, trade, use for advertising purposes, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.
A private entity in possession of a biometric identifier or the biometric information of a person, including a consumer, job applicant, employee, former employee, or contractor, may not disclose, redisclose, sell, lease, trade, use for advertising purposes, otherwise disseminate, or profit from such biometric identifier or biometric information unless—
the subject of the biometric identifier or biometric information, or the subject’s legally authorized representative, provides a written release to such specified action immediately prior to such disclosure or redisclosure, including a description of—
the data that will be disclosed;
the reason for such disclosure; and
the recipients of such data;
the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject’s legally authorized representative; or
the disclosure or redisclosure—
is required by Federal, State, or municipal law; or
is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
A private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information—
using the reasonable standard of care within the private entity’s industry; and
in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
Right To know
Any business that collects, uses, shares, or sells biometric identifiers or biometric information, upon the request of an individual, shall disclose, free of charge, any such information relating to such individual collected during the preceding 12-month period, including—
the categories of personal information;
specific pieces of personal information;
the categories of sources from which the business collected personal information;
the purposes for which the business uses the personal information;
the categories of third parties with whom the business shares the personal information; and
the categories of information that the business sells or discloses to third parties.
Cause of action
Any individual aggrieved by a violation of section 3 may bring a civil action in a court of competent jurisdiction against a private entity that allegedly committed such violation. Any such violation constitutes an injury-in-fact and a harm to any affected individual.
Except in a judicial investigation or proceeding alleging a violation of section 3, information obtained in violation of section 3 is not admissible by the Federal Government in any criminal, civil, administrative, or other investigation or proceeding.
Right to sue
An individual described in subsection (a) may institute legal proceedings against a private entity alleged to have violated section 3 for the relief described in subsection (e) in any court of competent jurisdiction.
Enforcement by State attorneys general
The chief law enforcement officer of a State, or any other State officer authorized by law to bring actions on behalf of the residents of a State, may bring a civil action, as parens patriae, on behalf of the residents of such State in an appropriate district court of the United States to enforce this Act if the chief law enforcement officer or other State officer has reason to believe that the interests of the residents of the State have been or are being threatened or adversely affected by a violation of section 3.
Forms of relief
A plaintiff bringing a civil action under this section may recover—
for the negligent violations of any provision of section 3, the greater of—
$1,000 in liquidated damages per violation; or
the actual damages suffered by the plaintiff; or
for the intentional or reckless violation of any provision of section 3, the sum of—
the actual damages suffered by the plaintiff; and
any punitive damages awarded by the court, which shall be limited to $5,000 per violation;
reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and
other relief, including an injunction, as the court may deem appropriate.
A court may require a private entity to permanently destroy the biometric identifiers, biometric information, or confidential and sensitive information of a plaintiff under this section.
Rules of construction
Nothing in this Act may be construed—
to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, agency, or person;
to conflict with the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191);
to conflict with title V of the Federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.);
to apply to a contractor, subcontractor, or agent of a Federal, State, or local government agency in the course of employment with such agency; or
to preempt or supersede any Federal, State, or local law that imposes a more stringent limitation than the limitations described in section 3.