Florida Senate - 2019                                    SB 1270
       
       
        
       By Senator Farmer
       
       
       
       
       
       34-01069-19                                           20191270__
    1                        A bill to be entitled                      
    2         An act relating to biometric information privacy;
    3         creating s. 501.172, F.S.; providing a short title;
    4         providing definitions; establishing requirements and
    5         restrictions on private entities as to the use,
    6         collection, and maintenance of biometric identifiers
    7         and biometric information; creating a private cause of
    8         action for relief for violations of the act; providing
    9         for construction; providing an effective date.
   10          
   11  Be It Enacted by the Legislature of the State of Florida:
   12  
   13         Section 1. Section 501.172, Florida Statutes, is created to
   14  read:
   15         501.172 Biometric information privacy.—
   16         (1) SHORT TITLE.—This section may be cited as the “Florida
   17  Biometric Information Privacy Act.”
   18         (2) DEFINITIONS.—As used in this section, the term:
   19         (a) “Biometric identifier” means a retina or iris scan,
   20  fingerprint, voice print, or scan of hand or face geometry. The
   21  term does not include any of the following:
   22         1. Writing samples, written signatures, photographs, human
   23  biological samples used for valid scientific testing or
   24  screening, demographic data, tattoo descriptions, or physical
   25  descriptions such as height, weight, hair color, or eye color.
   26         2. Donated organs, tissues, parts, or blood or serum that
   27  is stored on behalf of recipients, or potential recipients, of
   28  living or cadaveric transplants and that are obtained by or
   29  stored by a federally designated organ procurement organization.
   30         3. Information captured from a patient in a health care
   31  setting or information collected, used, or stored for health
   32  care treatment, payment, or operations under the federal Health
   33  Insurance Portability and Accountability Act of 1996.
   34         4. An X-ray, roentgen process, computed tomography, MRI,
   35  PET scan, mammography, or other image or film of the human
   36  anatomy used to diagnose, prognose, or treat an illness or other
   37  medical condition or to further validate scientific testing or
   38  screening.
   39         (b) “Biometric information” means any information,
   40  regardless of the manner in which it is captured, converted,
   41  stored, or shared, based on an individual’s biometric identifier
   42  used to identify an individual. The term does not include
   43  information derived from items or procedures excluded from the
   44  definition of biometric identifiers as specified in paragraph
   45  (a).
   46         (c) “Confidential and sensitive information” means personal
   47  information that can be used to uniquely identify an individual
   48  or an individual’s account or property which includes, but is
   49  not limited to, a genetic marker, genetic testing information, a
   50  unique identifier number to locate an account or property, an
   51  account number, a PIN number, a pass code, a driver license
   52  number, a Florida identification card number, or a social
   53  security number.
   54         (d) “Private entity” means any individual, partnership,
   55  corporation, limited liability company, association, or other
   56  group. The term does not include a state or local governmental
   57  agency or any state court, a clerk of the court, or a judge or
   58  justice thereof.
   59         (e) “Written release” means informed written consent or, in
   60  the context of employment, a release executed by an employee as
   61  a condition of employment.
   62         (3) REQUIREMENTS OF PRIVATE ENTITIES.—
   63         (a) A private entity that is in possession of biometric
   64  identifiers or biometric information shall develop a publicly
   65  available written policy establishing a retention schedule and
   66  guidelines for permanently destroying biometric identifiers and
   67  biometric information upon satisfaction of the initial purpose
   68  for collecting or obtaining such identifiers or information or
   69  within 3 years after the individual’s last interaction with the
   70  private entity, whichever occurs first. Absent a valid warrant
   71  or subpoena issued by a court of competent jurisdiction, a
   72  private entity in possession of biometric identifiers or
   73  biometric information must comply with its established retention
   74  schedule and destruction guidelines.
   75         (b) A private entity may not collect, capture, purchase,
   76  receive through trade, or otherwise obtain a person’s or a
   77  customer’s biometric identifier or biometric information unless
   78  the private entity:
   79         1. Informs the subject or the subject’s legally authorized
   80  representative in writing that a biometric identifier or
   81  biometric information is being collected or stored;
   82         2. Informs the subject or the subject’s legally authorized
   83  representative in writing of the specific purpose and length of
   84  term for which a biometric identifier or biometric information
   85  is being collected, stored, and used; and
   86         3. Receives a written release executed by the subject of
   87  the biometric identifier or biometric information or the
   88  subject’s legally authorized representative.
   89         (c) A private entity in possession of a biometric
   90  identifier or biometric information may not sell, lease, trade,
   91  or otherwise profit from a person’s or a customer’s biometric
   92  identifier or biometric information.
   93         (d) A private entity in possession of a biometric
   94  identifier or biometric information may not disclose or
   95  otherwise disseminate a person’s or a customer’s biometric
   96  identifier or biometric information unless:
   97         1. The subject of the biometric identifier or biometric
   98  information or the subject’s legally authorized representative
   99  consents to the disclosure;
  100         2. The disclosure completes a financial transaction
  101  requested or authorized by the subject of the biometric
  102  identifier or the biometric information or the subject’s legally
  103  authorized representative;
  104         3. The disclosure is required by state or federal law or
  105  local ordinance; or
  106         4. The disclosure is required pursuant to a valid warrant
  107  or subpoena issued by a court of competent jurisdiction.
  108         (e) A private entity in possession of a biometric
  109  identifier or biometric information shall store, transmit, and
  110  protect from disclosure all biometric identifiers and biometric
  111  information:
  112         1. Using the reasonable standard of care within the private
  113  entity’s industry; and
  114         2. In a manner that is the same as or more protective than
  115  the manner in which the private entity stores, transmits, and
  116  protects other confidential and sensitive information.
  117         (4) CAUSE OF ACTION.—Any person aggrieved by a violation of
  118  this section has a cause of action in circuit court against an
  119  offending party. A prevailing party may recover for each
  120  violation:
  121         (a) Liquidated damages of $1,000 or actual damages,
  122  whichever amount is greater, against a private entity that
  123  negligently violates any provision in subsection (3).
  124         (b) Liquidated damages of $5,000 or actual damages,
  125  whichever amount is greater, against a private entity that
  126  intentionally or recklessly violates any provision in subsection
  127  (3).
  128         (c) Reasonable attorney fees.
  129         (d) Other relief, including an injunction, as the court
  130  deems appropriate.
  131         (5) CONSTRUCTION.—This section may not be construed to:
  132         (a) Impact the admission or discovery of biometric
  133  identifiers and biometric information in any action of any kind
  134  in any court, or before any tribunal, board, agency, or person;
  135         (b) Conflict with the federal Health Insurance Portability
  136  and Accountability Act of 1996 and any regulations promulgated
  137  pursuant to that act;
  138         (c) Apply to a contractor, subcontractor, or agent of a
  139  state agency or local unit of government when working for that
  140  state agency or local unit of government; or
  141         (d) Apply to a financial institution or an affiliate of a
  142  financial institution that is subject to Title V of the federal
  143  Gramm-Leach-Bliley Act of 1999 and any regulations promulgated
  144  pursuant to that act.
  145         Section 2. This act shall take effect October 1, 2019.