An Act

amending title 18, Arizona Revised Statutes, by adding chapter 7; relating to biometric information.

(TEXT OF BILL BEGINS ON NEXT PAGE)

Be it enacted by the Legislature of the State of Arizona:

Section 1. Title 18, Arizona Revised Statutes, is amended by adding chapter 7, to read:

CHAPTER 7

BIOMETRIC IDENTIFIERS

ARTICLE 1. GENERAL PROVISIONS

START_STATUTE18-701. Definitions

In this chapter, unless the context otherwise requires:

1. "Biometric identifier":

(a) Means a retina or iris scan, fingerprint, voiceprint or scan of hand or face geometry.

(b) Does not include:

(i) writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions or physical descriptions such as height, weight, hair color or eye color.

(ii) Donated organs as defined in section 41-706, tissues as defined in section 36-841 or blood or serum that is stored on behalf of recipients or potential recipients of living or cadaveric transplants and that is obtained or stored by a federally designated organ procurement agency.

(iii) Biological materials that are regulated under the genetic information nondiscrimination act of 2008 (P.L. 110-233; 122 stat. 881). 

(iv) Information that is captured from a patient in a health care setting or information that is collected, used or stored for health care treatment, payment or operations under the health insurance portability and accountability act of 1996 (P.L. 104-191; 110 Stat. 1936).

(v) An X-ray, roentgen process, computed tomography, magnetic resonance imaging, positron emission tomography scan, mammography or other image or film of the human anatomy that is used to diagnose or treat an illness or other medical condition or to further validate scientific testing or screening.

2. "Biometric information":

(a) Means any information, regardless of how it is captured, converted, stored or shared, based on an individual's biometric identifier that is used to identify an individual.

(b) Does not include information that is derived from items or procedures that are excluded under the definition of biometric identifier.

3. "Confidential and sensitive information":

(a) Means personal information that can be used to uniquely identify an individual or an individual's account or property.

(b) Includes a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a personal identification number, a pass code, a driver license number or a social security number.

4. "Private entity":

(a) Means any individual, partnership, corporation, limited liability company, association or other group, however organized.

(b) Does not include a state or local government agency, any court in this state, a clerk of the court, a justice or a judge.

5. "Written release" means informed written consent or, in the context of employment, a release that is executed by an employee as a condition of employment. END_STATUTE

START_STATUTE18-702. Retention; collection; disclosure; destruction

A. A private entity in possession of biometric identifiers or biometric information must develop and make available to the public a written policy that establishes a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the identifiers or information has been satisfied or within three years after the individual's last interaction with the private entity, whichever occurs first. Unless a court of competent jurisdiction has issued a valid warrant or subpoena, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

B. A private entity may not collect, capture, purchase, receive through trade or otherwise obtain a person's or a customer's biometric identifier or biometric information unless it first does all of the following:

1. Informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored.

2. Informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which the biometric identifiers or biometric information is being collected, stored and used.

3. Receives a written release that is executed by the subject of the biometric identifiers or biometric information or the subject's legally authorized representative.

C. A private entity in possession of biometric identifiers or biometric information may not sell, lease, trade or otherwise profit from a person's biometric identifier or biometric information.

D. A private entity in possession of biometric identifiers or biometric information may not disclose or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless any of the following applies:

1. The subject of the biometric identifiers or biometric information or the subject's legally authorized representative consents to the disclosure or dissemination.

2. The disclosure or dissemination completes a financial transaction that is requested or authorized by the subject of the biometric identifiers or the biometric information or the subject's legally authorized representative.

3. The disclosure or dissemination is required by state or federal law or municipal ordinance.

4. The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

E. A private entity in possession of biometric identifiers or biometric information shall both:

1. Store, transmit and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry.

2. Store, transmit and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits and protects other confidential and sensitive information. END_STATUTE

START_STATUTE18-703. Right of action; damages; other relief

A person who is aggrieved by a violation of this chapter may bring an action in the superior court or as a supplemental claim in federal district court against an offending party. For each violation, a prevailing party may recover:

1. Against a private entity that negligently violates this chapter liquidated damages of $1,000 or actual damages, whichever is greater.

2. Against a private entity that intentionally or recklessly violates this chapter liquidated damages of $5,000 or actual damages, whichever is greater.

3. Reasonable attorney fees and costs, including expert witness fees and other litigation expenses.

4. Other relief, including an injunction, as the state or federal court deems appropriate. END_STATUTE

START_STATUTE18-704. Construction

A. This chapter does not impact the admission or discovery of biometric identifiers and biometric information in any action in any court or before any tribunal, board, agency or person.

B. This chapter does not conflict with the health insurance portability and accountability act of 1996 (P.L. 104-191; 110 State. 1936).

C. This chapter does not apply to a financial institution or an affiliate of a financial institution that is subject to title V, subtitle A of the Gramm-Leach-Bliley act (15 United States Code sections 6801 through 6809) related to privacy and protection of nonpublic personal information.

D. This chapter does not apply to a contractor, subcontractor or agent of a state agency or local unit of government when working for that state agency or local unit of government. END_STATUTE