HOUSE BILL NO. 1970 103RD GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVE CLEMENS.
4623H.01I JOSEPH ENGLER, Chief Clerk
AN ACT To amend chapter 1, RSMo, by adding thereto six new sections relating to the biometric information privacy act.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 1, RSMo, is amended by adding thereto six new sections, to be 2 known as sections 1.561, 1.563, 1.566, 1.567, 1.569, and 1.572, to read as follows: 1.561. Sections 1.561 to 1.572 shall be known and may be cited as the "Biometric 2 Information Privacy Act". 1.563. As used in sections 1.561 to 1.572, the following terms mean: 2 (1) "Biometric identifier", a retina or iris scan, fingerprint, voiceprint, or scan of 3 hand or face geometry or any other biological characteristic that can be used to 4 uniquely identify an individual. "Biometric identifier" does not include: 5 (a) Writing samples; written signatures; a photograph or video, except data 6 generated, captured, or collected from the biological characteristics of a person depicted 7 in a photograph or video; human biological samples used for valid scientific testing or 8 screening; demographic data; tattoo descriptions; or physical descriptions such as 9 height, weight, hair color, or eye color; 10 (b) Any donated organ, tissue or part as those terms are defined under section 11 194.210, or blood or serum stored on behalf of recipients or potential recipients of living 12 or cadaveric transplants and obtained or stored by a federally designated organ 13 procurement agency; 14 (c) Information captured from a patient in a health care setting or information 15 collected, used, or stored for health care treatment, payment, or operations under the
EXPLANATION — Matter enclosed in bold-faced brackets [thus] in the above bill is not enacted and is intended to be omitted from the law. Matter in bold-face type in the above bill is proposed language. HB 1970 2
16 federal Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191; 17 or 18 (d) An X-ray, roentgen process, computed tomography, MRI, PET scan, 19 mammography, or other image or film of the human anatomy used to diagnose, 20 prognose, or treat an illness or other medical condition or to further validate scientific 21 testing or screening; 22 (2) "Biometric information", any information, regardless of how it is captured, 23 converted, stored, or shared, that is based on an individual's biometric identifier and 24 used to identify an individual. "Biometric information" does not include information 25 derived from items or procedures excluded under the definition of biometric identifiers; 26 (3) "Confidential and sensitive information", personal information that can be 27 used to uniquely identify an individual or an individual's account or property. 28 Examples of "confidential and sensitive information" include, but are not limited to, a 29 genetic marker, genetic testing information, a unique identifier number to locate an 30 account or property, an account number, a personal identification number, a pass code, 31 a driver's license number, or a Social Security number; 32 (4) "Private entity", any individual acting in a commercial context, partnership, 33 corporation, limited liability company, association, or other group however organized. 34 "Private entity" does not include a state or local government agency. "Private entity" 35 does not include any court of Missouri, a clerk of the court, or a judge or justice thereof; 36 (5) "Written release", informed written consent, including written consent 37 provided by electronic means. A valid written release shall not be secured through a 38 general release or user agreement. In the context of employment, a written release: 39 (a) Shall be used only to secure consent to collect and use biometric identifiers 40 for the purposes of: 41 a. Permitting access to secure physical locations and secure electronic hardware 42 and software applications without retaining data that allows for employee location 43 tracking or the tracking of how long an employee spends using a hardware or software 44 application; or 45 b. Recording the commencement and conclusion of an employee's full work day 46 and meal or rest breaks in excess of thirty minutes; and 47 (b) May be secured in the form of a written release executed by an employee as a 48 condition of employment. 1.566. 1. Any private entity in possession of biometric identifiers or biometric 2 information shall develop a written policy, made available to the public, establishing a 3 retention schedule and guidelines for permanently destroying biometric identifiers and 4 biometric information when the initial purpose for collecting or obtaining such HB 1970 3
5 identifiers or information has been satisfied or within one year of the individual's last 6 interaction with the private entity, whichever occurs first. Absent a valid warrant or 7 subpoena issued by a court of competent jurisdiction, a private entity in possession of 8 biometric identifiers or biometric information shall comply with its established 9 retention schedule and destruction guidelines. 10 2. No private entity shall collect, capture, purchase, receive through trade, or 11 otherwise obtain a person's or a customer's biometric identifier or biometric 12 information unless it first: 13 (1) Informs the person or customer, or the person's or customer's legally 14 authorized representative, in writing that a biometric identifier or biometric 15 information is being collected or stored; 16 (2) Informs the person or customer, or the person's or customer's legally 17 authorized representative, of the specific purpose and length of term for which a 18 biometric identifier or biometric information is being collected, stored, and used; and 19 (3) Receives a written release executed by the person or customer, or the 20 person's or customer's legally authorized representative. 21 3. (1) Any entity or individual required to comply with the federal Health 22 Insurance Portability and Accountability Act, Pub. L. No. 104-191, shall treat biometric 23 identifiers and biometric information as individually identifiable health information and 24 unique health identifiers protected under that act and the rules promulgated 25 thereunder. 26 (2) No private entity in possession of a biometric identifier or biometric 27 information shall sell, lease, or trade a person's or a customer's biometric identifier or 28 biometric information. 29 4. No private entity in possession of a biometric identifier or biometric 30 information shall disclose, redisclose, or otherwise disseminate a person's or a 31 customer's biometric identifier or biometric information unless: 32 (1) The person or customer, or the person's or customer's legally authorized 33 representative, provides written release to the disclosure or redisclosure; 34 (2) The disclosure or redisclosure completes a financial transaction requested or 35 authorized by the person or customer, or the person's or customer's legally authorized 36 representative; 37 (3) The disclosure or redisclosure is required by state law, federal law, or 38 municipal ordinance; or 39 (4) The disclosure is required pursuant to a valid warrant or subpoena issued by 40 a court of competent jurisdiction. HB 1970 4
41 5. A private entity in possession of a biometric identifier or biometric 42 information shall: 43 (1) Store, transmit, and protect from disclosure all biometric identifiers and 44 biometric information using the reasonable standard of care within the private entity's 45 industry; and 46 (2) Store, transmit, and protect from disclosure all biometric identifiers and 47 biometric information in a manner that is the same as or more protective than the 48 manner in which the private entity stores, transmits, and protects other confidential and 49 sensitive information. 1.567. A private entity shall not: 2 (1) Condition the provision of a good or service on the collection, use, disclosure, 3 transfer, sale, retention, or processing of a biometric identifier unless the biometric 4 identifier is strictly necessary to provide the good or service; or 5 (2) Charge different prices or rates for goods or services or provide a different 6 level of quality of a good or service to any individual who exercises the individual's 7 rights under sections 1.561 to 1.572. 1.569. Any person aggrieved by a violation of sections 1.561 to 1.572 shall have a 2 right of action in a state circuit court or as a supplemental claim in federal district court 3 against an offending party including, but not limited to, a class action brought pursuant 4 to the rules of the Missouri supreme court. The court shall award all attorney's fees and 5 costs, including expert witness fees and other litigation expenses, to the prevailing 6 plaintiff. A prevailing plaintiff may recover for each violation: 7 (1) Against a private entity that negligently violates a provision of sections 1.561 8 to 1.572, liquidated damages of one thousand dollars or actual damages, whichever is 9 greater; 10 (2) Against a private entity that intentionally or recklessly violates a provision of 11 sections 1.561 to 1.572, liquidated damages of five thousand dollars or actual damages, 12 whichever is greater; and 13 (3) Other relief, including an injunction, as the state or federal court may deem 14 appropriate. 1.572. 1. Nothing in sections 1.561 to 1.572 shall be construed to impact the 2 admission or discovery of biometric identifiers and biometric information in any action 3 of any kind in any court, or before any tribunal, board, agency, or person. 4 2. Nothing in sections 1.561 to 1.572 shall be construed to conflict with section 5 334.097 or with the federal Health Insurance Portability and Accountability Act of 1996, 6 Pub. L. 104-191, or the rules promulgated thereunder. HB 1970 5
7 3. Nothing in sections 1.561 to 1.572 shall be deemed to apply in any manner to a 8 financial institution or an affiliate of a financial institution that is subject to Title V of 9 the federal Gramm-Leach-Bliley Act of 1999, Pub. L. 106-102, and the rules 10 promulgated thereunder. 11 4. Nothing in sections 1.561 to 1.572 shall be construed to apply to a contractor, 12 subcontractor, or agent of a state agency or local unit of government when working for 13 that state agency or local unit of government. ✔
Statutes affected: