Florida Senate - 2019 SB 1270
By Senator Farmer
34-01069-19 20191270__
1 A bill to be entitled
2 An act relating to biometric information privacy;
3 creating s. 501.172, F.S.; providing a short title;
4 providing definitions; establishing requirements and
5 restrictions on private entities as to the use,
6 collection, and maintenance of biometric identifiers
7 and biometric information; creating a private cause of
8 action for relief for violations of the act; providing
9 for construction; providing an effective date.
10
11 Be It Enacted by the Legislature of the State of Florida:
12
13 Section 1. Section 501.172, Florida Statutes, is created to
14 read:
15 501.172 Biometric information privacy.—
16 (1) SHORT TITLE.—This section may be cited as the “Florida
17 Biometric Information Privacy Act.”
18 (2) DEFINITIONS.—As used in this section, the term:
19 (a) “Biometric identifier” means a retina or iris scan,
20 fingerprint, voice print, or scan of hand or face geometry. The
21 term does not include any of the following:
22 1. Writing samples, written signatures, photographs, human
23 biological samples used for valid scientific testing or
24 screening, demographic data, tattoo descriptions, or physical
25 descriptions such as height, weight, hair color, or eye color.
26 2. Donated organs, tissues, parts, or blood or serum that
27 is stored on behalf of recipients, or potential recipients, of
28 living or cadaveric transplants and that are obtained by or
29 stored by a federally designated organ procurement organization.
30 3. Information captured from a patient in a health care
31 setting or information collected, used, or stored for health
32 care treatment, payment, or operations under the federal Health
33 Insurance Portability and Accountability Act of 1996.
34 4. An X-ray, roentgen process, computed tomography, MRI,
35 PET scan, mammography, or other image or film of the human
36 anatomy used to diagnose, prognose, or treat an illness or other
37 medical condition or to further validate scientific testing or
38 screening.
39 (b) “Biometric information” means any information,
40 regardless of the manner in which it is captured, converted,
41 stored, or shared, based on an individual’s biometric identifier
42 used to identify an individual. The term does not include
43 information derived from items or procedures excluded from the
44 definition of biometric identifiers as specified in paragraph
45 (a).
46 (c) “Confidential and sensitive information” means personal
47 information that can be used to uniquely identify an individual
48 or an individual’s account or property which includes, but is
49 not limited to, a genetic marker, genetic testing information, a
50 unique identifier number to locate an account or property, an
51 account number, a PIN number, a pass code, a driver license
52 number, a Florida identification card number, or a social
53 security number.
54 (d) “Private entity” means any individual, partnership,
55 corporation, limited liability company, association, or other
56 group. The term does not include a state or local governmental
57 agency or any state court, a clerk of the court, or a judge or
58 justice thereof.
59 (e) “Written release” means informed written consent or, in
60 the context of employment, a release executed by an employee as
61 a condition of employment.
62 (3) REQUIREMENTS OF PRIVATE ENTITIES.—
63 (a) A private entity that is in possession of biometric
64 identifiers or biometric information shall develop a publicly
65 available written policy establishing a retention schedule and
66 guidelines for permanently destroying biometric identifiers and
67 biometric information upon satisfaction of the initial purpose
68 for collecting or obtaining such identifiers or information or
69 within 3 years after the individual’s last interaction with the
70 private entity, whichever occurs first. Absent a valid warrant
71 or subpoena issued by a court of competent jurisdiction, a
72 private entity in possession of biometric identifiers or
73 biometric information must comply with its established retention
74 schedule and destruction guidelines.
75 (b) A private entity may not collect, capture, purchase,
76 receive through trade, or otherwise obtain a person’s or a
77 customer’s biometric identifier or biometric information unless
78 the private entity:
79 1. Informs the subject or the subject’s legally authorized
80 representative in writing that a biometric identifier or
81 biometric information is being collected or stored;
82 2. Informs the subject or the subject’s legally authorized
83 representative in writing of the specific purpose and length of
84 term for which a biometric identifier or biometric information
85 is being collected, stored, and used; and
86 3. Receives a written release executed by the subject of
87 the biometric identifier or biometric information or the
88 subject’s legally authorized representative.
89 (c) A private entity in possession of a biometric
90 identifier or biometric information may not sell, lease, trade,
91 or otherwise profit from a person’s or a customer’s biometric
92 identifier or biometric information.
93 (d) A private entity in possession of a biometric
94 identifier or biometric information may not disclose or
95 otherwise disseminate a person’s or a customer’s biometric
96 identifier or biometric information unless:
97 1. The subject of the biometric identifier or biometric
98 information or the subject’s legally authorized representative
99 consents to the disclosure;
100 2. The disclosure completes a financial transaction
101 requested or authorized by the subject of the biometric
102 identifier or the biometric information or the subject’s legally
103 authorized representative;
104 3. The disclosure is required by state or federal law or
105 local ordinance; or
106 4. The disclosure is required pursuant to a valid warrant
107 or subpoena issued by a court of competent jurisdiction.
108 (e) A private entity in possession of a biometric
109 identifier or biometric information shall store, transmit, and
110 protect from disclosure all biometric identifiers and biometric
111 information:
112 1. Using the reasonable standard of care within the private
113 entity’s industry; and
114 2. In a manner that is the same as or more protective than
115 the manner in which the private entity stores, transmits, and
116 protects other confidential and sensitive information.
117 (4) CAUSE OF ACTION.—Any person aggrieved by a violation of
118 this section has a cause of action in circuit court against an
119 offending party. A prevailing party may recover for each
120 violation:
121 (a) Liquidated damages of $1,000 or actual damages,
122 whichever amount is greater, against a private entity that
123 negligently violates any provision in subsection (3).
124 (b) Liquidated damages of $5,000 or actual damages,
125 whichever amount is greater, against a private entity that
126 intentionally or recklessly violates any provision in subsection
127 (3).
128 (c) Reasonable attorney fees.
129 (d) Other relief, including an injunction, as the court
130 deems appropriate.
131 (5) CONSTRUCTION.—This section may not be construed to:
132 (a) Impact the admission or discovery of biometric
133 identifiers and biometric information in any action of any kind
134 in any court, or before any tribunal, board, agency, or person;
135 (b) Conflict with the federal Health Insurance Portability
136 and Accountability Act of 1996 and any regulations promulgated
137 pursuant to that act;
138 (c) Apply to a contractor, subcontractor, or agent of a
139 state agency or local unit of government when working for that
140 state agency or local unit of government; or
141 (d) Apply to a financial institution or an affiliate of a
142 financial institution that is subject to Title V of the federal
143 Gramm-Leach-Bliley Act of 1999 and any regulations promulgated
144 pursuant to that act.
145 Section 2. This act shall take effect October 1, 2019.