REFERENCE TITLE: biometric identifiers; commercial purpose; consent |
State of Arizona House of Representatives Fifty-fourth Legislature Second Regular Session 2020
|
HB 2728 |
|
Introduced by Representatives DeGrazia: Blanc, Butler, Engel, Epstein, Gabaldón, Peten, Powers Hannley, Rodriguez, Salman, Sierra, Teller, Thorpe
|
AN ACT
amending title 44, Arizona Revised Statutes, by adding chapter 38; relating to biological characteristics.
(TEXT OF BILL BEGINS ON NEXT PAGE)
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 44, Arizona Revised Statutes, is amended by adding chapter 38, to read:
CHAPTER 38
BIOMETRIC IDENTIFIERS
ARTICLE 1. GENERAL PROVISIONS
44-7921. Definitions
In this chapter, unless the context otherwise requires:
1. "Biometric identifier":
(a) Means data that is generated by automatic measurements of an individual's biological characteristics, including a fingerprint, voiceprint, retina, iris or other unique biological pattern or characteristic that is used to identify a specific individual.
(b) Does not include a physical or digital photograph, a video or audio recording, any data generated from a physical or digital photograph or video or audio recording or any information collected, used or stored for health care treatment, payment or operations under the health insurance portability and accountability act of 1996 (P.L. 104‑191; 110 stat. 1936).
2. "Biometric system" means an automated identification system that is capable of capturing, processing and storing a biometric identifier, comparing the biometric identifier to one or more references and matching the biometric identifier to a specific individual.
3. "Capture" means the process of collecting a biometric identifier from an individual.
4. "Commercial purpose":
(a) Means a purpose in furtherance of the sale or disclosure to a third party of a biometric identifier for the purpose of marketing goods or services if the goods or services are unrelated to the initial transaction in which a person first gains possession of an individual's biometric identifier.
(b) Does not include a security purpose or law enforcement purpose.
5. "Enroll" means to do all of the following:
(a) Capture an individual's biometric identifier.
(b) Convert the biometric identifier into a reference template that cannot be reconstructed into the original output image.
(c) Store the biometric identifier in a database that matches the biometric identifier to a specific individual.
6. "Security purpose" means the purpose of preventing shoplifting, fraud or other misappropriation or theft of a thing of value, including tangible and intangible goods or services, and other purposes in furtherance of protecting the security or integrity of software, accounts, applications, online services or any person.
44-7922. Enrollment; disclosure and retention of biometric identifiers
A. A person may not enroll an individual's biometric identifier in a database for a commercial purpose unless the person Provides a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose or the person does both of the following:
1. Provides notice to the individual that the individual's biometric identifier will be enrolled in a database for a commercial purpose. Notice provided pursuant to this paragraph is not affirmative consent. Notice must be given through a procedure that is reasonably designed to be readily available to affected individuals. The exact notice required is context dependent.
2. Obtains consent from the individual to enroll the individual's biometric identifier in a database for a commercial purpose. The type of consent required is context dependent.
B. Unless a person obtains an individual's consent pursuant to subsection A of this section, the person may not sell, lease or otherwise disclose the individual's biometric identifier to another person for a commercial purpose unless the disclosure is any of the following:
1. Necessary to provide a product or service subscribed to, requested or expressly authorized by the individual.
2. Necessary to effect, administer, enforce or complete a financial transaction that the individual requested, initiated or authorized, and the third party to whom the biometric identifier is disclosed maintains the confidentiality of the biometric identifier and does not further disclose the biometric identifier except as otherwise allowed under this subsection.
3. Required or expressly authorized by a federal or state law or court order.
4. Made to a third party that contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose inconsistent with the notice and consent requirements described in this section.
5. Made to prepare for litigation or to respond to or participate in the judicial process.
C. A person that knowingly possesses an individual's biometric identifier that has been enrolled for a commercial purpose:
1. Must take reasonable care to guard against unauthorized access to and acquisition of the biometric identifier.
2. May not retain the biometric identifier longer than is reasonably necessary to:
(a) Comply with a court order, statute or public records retention schedule specified under federal, state or local law.
(b) Protect against or prevent actual or potential fraud, criminal activity, claims, security threats or liability.
(c) Provide the services for which the biometric identifier was enrolled.
D. A person that enrolls an individual's biometric identifier for a commercial purpose or that obtains an individual's biometric identifier from a third party for a commercial purpose may not use or disclose the biometric identifier in a manner that is materially inconsistent with the terms under which the biometric identifier was originally provided without obtaining the individual's consent for the new terms of use or disclosing to the individual the new terms of use.
E. The limits on disclosure and retention of biometric identifiers prescribed in this section do not apply to the disclosure or retention of biometric identifiers that have been unenrolled.
F. A person is not required to provide notice and obtain consent to capture or enroll a biometric identifier and store it in a biometric system if the person is acting to further a security purpose.
44-7923. Unlawful practice; attorney general
A violation of this chapter is an unlawful practice under section 44‑1522. The attorney general may investigate and take appropriate action as prescribed by chapter 10, article 7 of this title.
44-7924. Applicability; law enforcement officer's authority
A. This chapter does not apply to either of the following:
1. a financial institution or an affiliate of a financial institution that is subject to title V of the Gramm‑Leach‑Bliley act (P.L. 106‑102; 113 stat. 1338).
2. Activities that are subject to the health insurance portability and accountability act of 1996 (P.L. 104‑191; 110 stat. 1936).
B. This chapter does not expand or limit the authority of a law enforcement officer acting within the scope of the law enforcement officer's authority, including a law enforcement officer's authority to execute lawful searches and seizures.