September 27, 2017, Introduced by Rep. Lucido and referred to the Committee on Commerce and Trade.
A bill to regulate the acquisition, possession, and protection
of biometric identifiers and biometric information by private
entities; and to provide remedies.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
Sec. 1. This act shall be known and may be cited as the
"biometric information privacy act".
Sec. 3. As used in this act:
(a) "Biometric identifier" means a retina or iris scan,
fingerprint, voiceprint, or scan of hand or face geometry. The term
does not include any of the following:
(i) A writing sample, written signature, photograph, human
biological sample used for valid scientific testing or screening,
tattoo description, or a physical description such as height,
weight, hair color, or eye color or demographic data.
(ii) A body part as defined in the revised uniform anatomical
gift law, sections 10101 to 10123 of the public health code, 1978
PA 368, MCL 333.10101 to 333.10123, or blood or serum stored on
behalf of recipients or potential recipients of living or cadaveric
transplants and obtained or stored by a federally designated organ
procurement agency.
(iii) Information captured from a patient in a health care
setting or information collected, used, or stored for health care
treatment, payment, or operations under the health insurance
portability and accountability act of 1996, Public Law 104-191.
(iv) An X-ray, roentgen process, computed tomography, MRI, PET
scan, mammography, or other image or film of the human anatomy used
to diagnose, prognose, or treat an illness or other medical
condition or to further validate scientific testing or screening.
(b) "Biometric information" means any information, regardless
of how it is captured, converted, stored, or shared, based on an
individual's biometric identifier used to identify an individual.
Biometric information does not include information derived from an
item or procedure that is excluded from the definition of biometric
identifier in subdivision (a)(i) to (iv).
(c) "Confidential and sensitive information" means personal
information that can be used to uniquely identify an individual or
an individual's account or property. Examples of confidential and
sensitive information include, but are not limited to, a genetic
marker, genetic testing information, a unique identifier number to
locate an account or property, an account number, a PIN number, a
pass code, a driver license number, or a Social Security number.
(d) "Private entity" means any individual, partnership,
corporation, limited liability company, association, or other legal
entity. Private entity does not include a state or local government
agency, any court of this state, or a clerk, judge, or justice of a
court of this state.
(e) "Written release" means informed written consent or, in
the context of employment, a release executed by an employee as a
condition of employment.
Sec. 5. (1) A private entity in possession of biometric
identifiers or biometric information must develop a written policy
that establishes a retention schedule and guidelines for
permanently destroying biometric identifiers and biometric
information when the initial purpose for collecting or obtaining
the identifiers or information is satisfied, or within 3 years of
the individual's last interaction with the private entity,
whichever occurs first. Unless it has received a valid warrant or
subpoena issued by a court of competent jurisdiction, a private
entity in possession of biometric identifiers or biometric
information must comply with its established retention schedule and
destruction guidelines.
(2) A private entity shall make its written policy under
subsection (1) available to the public.
(3) A private entity shall not collect, capture, purchase,
receive through trade, or otherwise obtain a biometric identifier
or biometric information of a customer or other individual, unless
it first does all of the following:
(a) Informs the individual or his or her legally authorized
representative in writing that a biometric identifier or biometric
information is being collected or stored.
(b) Informs the individual or his or her legally authorized
representative in writing of the specific purpose and length of
term for which a biometric identifier or biometric information is
being collected, stored, and used.
(c) Receives a written release executed by the individual or
his or her legally authorized representative.
(4) A private entity in possession of a biometric identifier
or biometric information shall not sell, lease, trade, or otherwise
profit from a biometric identifier or biometric information of a
customer or other individual.
(5) A private entity in possession of a biometric identifier
or biometric information of an individual shall not disclose,
redisclose, or otherwise disseminate that biometric identifier or
biometric information unless 1 of the following applies:
(a) The individual or his or her legally authorized
representative consents to the dissemination of the identifier or
information.
(b) The dissemination of the identifier or information
completes a financial transaction that is requested or authorized
by the individual or his or her legally authorized representative.
(c) The dissemination of the identifier or information is
required under state or federal law or municipal ordinance.
(d) The dissemination of the identifier or information is
required pursuant to a valid warrant or subpoena issued by a court
of competent jurisdiction.
(6) A private entity that is in possession of a biometric
identifier or biometric information shall do all of the following:
(a) Store, transmit, and protect from disclosure all biometric
identifiers and biometric information using the reasonable standard
of care within the private entity's industry.
(b) Store, transmit, and protect from disclosure all biometric
identifiers and biometric information in a manner that is the same
as or more protective than the manner in which the private entity
stores, transmits, and protects other confidential and sensitive
information.
Sec. 7. A person that is aggrieved by a violation of this act
by a private entity or another person has a cause of action in a
circuit court or as a supplemental claim in federal district court
against that person. The court may award 1 or more of the following
remedies to a plaintiff that prevails in an action brought under
this section:
(a) Against a private entity that negligently violates a
provision of this act, liquidated damages of $1,000.00, or actual
damages, whichever is greater.
(b) Against a private entity that intentionally or recklessly
violates a provision of this act, liquidated damages of $5,000.00,
or actual damages, whichever is greater.
(c) Reasonable attorney fees and costs, including expert
witness fees and other litigation expenses.
(d) An injunction or other relief, as the court determines
appropriate.
Sec. 9. (1) This act shall not be construed to impact the
admission or discovery of biometric identifiers and biometric
information in any action of any kind in any court, or before any
tribunal, board, agency, or person.
(2) This act shall not be construed to conflict with the
health insurance portability and accountability act of 1996, Public
Law 104-191, or the regulations promulgated under that act.
(3) This act shall not be considered to apply in any manner to
a financial institution or an affiliate of a financial institution
that is subject to subtitle A of title V of the Gramm-Leach-Bliley
act, 15 USC 6801 to 6809, or the regulations promulgated under that
act.
(4) This act shall not be construed to apply to a contractor,
subcontractor, or agent of a state agency or local unit of
government when working for that state agency or local unit of
government.
Enacting section 1. This act takes effect 90 days after the
date it is enacted into law.