Assigned to TAT FOR COMMITTEE


ARIZONA STATE SENATE

Fifty-Sixth Legislature, First Regular Session

 

FACT SHEET FOR S.B. 1238

 

biometric identifiers; collection; retention; disclosure

Purpose

Establishes statutory requirements for a private entity in possession of biometric identifiers or biometric information relating to the collection, retention and destruction of biometric identifiers and information.

Background

If a person that owns, maintains or licenses unencrypted and unredacted computerized personal information becomes aware of a security incident, the person must conduct an investigation to promptly determine whether there has been a security system breach and must notify the individuals affected within 45 days of verifying the occurrence of the breach. The Attorney General is charged with enforcement of breach notification requirements and may impose a civil penalty for a violation of up to $10,000 per affected individual, not to exceed $500,000 (A.R.S. § 18-552).

There is no anticipated fiscal impact to the state General Fund associated with this legislation.

Provisions

Retention Schedule and Destruction Guidelines

1.   Requires a private entity in possession of biometric identifiers or biometric information to develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information at the first occurrence of:

a)   when the initial purpose for collecting or obtaining the identifiers or information is satisfied; or

b)   within three years after the individual's last interaction with the private entity.

2.   Requires a private entity to comply with its established retention schedule and destruction guidelines, unless a valid warrant or subpoena is issued.

Disclosure Requirements

3.   Requires a private entity, before collecting, capturing, purchasing, receiving through trade or otherwise obtaining a person's or customer's biometric identifier or biometric information, to:

a)   inform the subject, or the subject's legally authorized representative, in writing that a biometric identifier or information is being collected or stored and the specific purpose and length of term for which the biometric identifiers or information is being collected, stored and used; and

b)   receive a written release that is executed by the subject of the biometric identifiers or information, or the subject's legally authorized representative.

4.   Requires a private entity in possession of biometric identifiers or biometric information to store, transmit and protect from disclosure all biometric identifiers and biometric information:

a)   using the reasonable standard of care within the private entity's industry; and

b)   in a manner that is the same as or more protective than the manner in which the private entity stores, transmits and protects other confidential and sensitive information.

5.   Prohibits a private entity in possession of biometric identifiers or biometric information from:

a)   selling, leasing, trading or otherwise profiting from a person's biometric identifier or biometric information; and

b)   disclosing or otherwise disseminating a person's or a customer's biometric identifier or biometric information.

6.   Exempts a private entity in possession of biometric identifiers or biometric information from the prohibition on disclosure and dissemination, if:

a)   the subject, or the subject's legally authorized representative, consents to the disclosure or dissemination;

b)   the disclosure or dissemination completes a financial transaction that is requested or authorized by the subject, or the subject's legally authorized representative;

c)   the disclosure or dissemination is required by state or federal law or municipal ordinance; or

d)   the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

Civil Action

7.   Allows a person who is aggrieved by a violation of the statutory requirements for biometric identifiers or information to bring an action in the superior court or as a supplemental claim in federal district court against an offending party.

8.   Allows, for each violation, a prevailing party to recover:

a)   against a negligently violating private entity, liquidated damages of $1,000 or actual damages, whichever is greater;

b)   against an intentionally or recklessly violating private entity, liquidated damages of $5,000 or actual damages, whichever is greater;

c)   reasonable attorney fees and costs, including expert witness fees and other litigation expenses; and

d)   other relief, including an injunction, as the state or federal court deems appropriate.

Application of Statutory Requirements

9.   Stipulates that the biometric identifier and information requirements do not impact the admission or discovery of biometric identifiers and biometric information in any action in any court or before any tribunal, board, agency or person.

10.  States that the statutory requirements for biometric identifiers do not conflict with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

11.  Exempts, from the statutory requirements for biometric identifiers and information:

a)   a financial institution or an affiliate of a financial institution that is subject to Title V, subtitle A of the federal Gramm-Leach-Bliley Act; and

b)   a contractor, subcontractor or agent of a state agency or local unit of government when working for that state agency or local unit of government.

Definitions

12.  Defines a biometric identifier as a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry, excluding:

a)   writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions or physical descriptions such as height, weight, hair color or eye color;

b)   donated organs, tissues or blood or serum that is stored on behalf of recipients or potential recipients of living or cadaveric transplants and that is obtained or stored by a federally designated organ procurement agency;

c)   biological materials that are regulated under the Genetic Information Nondiscrimination Act of 2008;

d)   information that is captured from a patient in a healthcare setting or information that is collected, used or stored for healthcare treatment, payment or operations under HIPAA; or

e)   an x-ray, roentgen process, computed tomography, magnetic resonance imaging, positron emission tomography scan, mammography or other image or film of the human anatomy that is used to diagnose or treat an illness or other medical condition or to further validate scientific testing or screening.

13.  Defines biometric information as any information, regardless of how it is captured, converted, stored or shared, based on an individual's biometric identifier that is used to identify an individual, excluding information derived from items or procedures that are excluded from the definitions of biometric identifier.

14.  Defines confidential and sensitive information as personal information that can be used to uniquely identify an individual or an individual's account or property, including a genetic marker, genetic testing information, a unique identifier number to locate an account or property, a pass code, or an account, personal identification, driver license or social security number.

15.  Defines a private entity as any individual, partnership, corporation, limited liability company, association or other group, however organized, excluding a state or local government agency, any court in this state or a clerk of the court, justice or judge.

16.  Defines a written release as informed written consent or, in the context of employment, a release that is executed by an employee as a condition of employment.

Miscellaneous

17.  Makes conforming changes.

18.  Becomes effective on the general effective date.

Prepared by Senate Research

February 2, 2023

KJA/sr