This Act may be cited as the “National Biometric Information Privacy Act of 2020”.

In this Act:

(a) Written policy.—

(1) IN GENERAL.—Not later than 60 days after the date of the enactment of this Act, any private entity in possession of biometric identifiers or biometric information concerning an individual shall develop and make available to the public a written policy establishing a retention schedule and guidelines for permanently destroying such biometric identifiers and biometric information not later than the earlier of—

(A) the date on which the initial purpose for collecting or obtaining such identifiers or information has been satisfied, if the individual from whom the biometric information was collected—

(i) freely consented to the original purpose for such collection; and

(ii) could have declined such collection without consequence; or

(B) 1 year after the individual’s last intentional interaction with the private entity.

(2) COMPLIANCE.—Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information shall comply with the retention schedule and destruction guidelines established pursuant to paragraph (1).

(b) Limitations.—

(1) IN GENERAL.—A private entity may not collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information unless—

(A) the entity requires the identifier or information—

(i) to provide a service for the person or customer; or

(ii) for another valid business purpose specified in the written policy published pursuant to section 3; and

(B) the entity first—

(i) informs the person or customer, or his or her legally authorized representative, in writing—

(I) that such biometric identifier or biometric information is being collected or stored; and

(II) of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(ii) receives a written release executed by the subject of the biometric identifier or biometric information or by the subject’s legally authorized representative.

(2) WRITTEN RELEASE.—A written release under paragraph (1)(B)—

(A) may not be sought through, as a part of, or otherwise combined with any other consent or permission seeking instrument or function;

(B) may not be combined with an employment contract; and

(C) if it involves a minor, may only be obtained through the minor’s parent or guardian.

(c) Prohibited acts.—A private entity in possession of a biometric identifier or biometric information may not sell, lease, trade, use for advertising purposes, or otherwise profit from a person’s or a customer’s biometric identifier or biometric information.

(d) Disclosure.—A private entity in possession of a biometric identifier or the biometric information of a person, including a consumer, job applicant, employee, former employee, or contractor, may not disclose, redisclose, sell, lease, trade, use for advertising purposes, otherwise disseminate, or profit from such biometric identifier or biometric information unless—

(1) the subject of the biometric identifier or biometric information, or the subject’s legally authorized representative, provides a written release to such specified action immediately prior to such disclosure or redisclosure, including a description of—

(A) the data that will be disclosed;

(B) the reason for such disclosure; and

(C) the recipients of such data;

(2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject’s legally authorized representative; or

(3) the disclosure or redisclosure—

(A) is required by Federal, State, or municipal law; or

(B) is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

(e) Conditions.—A private entity in possession of a biometric identifier or biometric information shall store, transmit, and protect from disclosure all biometric identifiers and biometric information—

(1) using the reasonable standard of care within the private entity’s industry; and

(2) in a manner that is the same as, or more protective than, the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

(f) Right To know.—Any business that collects, uses, shares, or sells biometric identifiers or biometric information, upon the request of an individual, shall disclose, free of charge, any such information relating to such individual collected during the preceding 12-month period, including—

(1) the categories of personal information;

(2) specific pieces of personal information;

(3) the categories of sources from which the business collected personal information;

(4) the purposes for which the business uses the personal information;

(5) the categories of third parties with whom the business shares the personal information; and

(6) the categories of information that the business sells or discloses to third parties.

(a) In general.—Any individual aggrieved by a violation of section 3 may bring a civil action in a court of competent jurisdiction against a private entity that allegedly committed such violation. Any such violation constitutes an injury-in-fact and a harm to any affected individual.

(b) Admissibility.—Except in a judicial investigation or proceeding alleging a violation of section 3, information obtained in violation of section 3 is not admissible by the Federal Government in any criminal, civil, administrative, or other investigation or proceeding.

(c) Right to sue.—An individual described in subsection (a) may institute legal proceedings against a private entity alleged to have violated section 3 for the relief described in subsection (e) in any court of competent jurisdiction.

(d) Enforcement by State attorneys general.—The chief law enforcement officer of a State, or any other State officer authorized by law to bring actions on behalf of the residents of a State, may bring a civil action, as parens patriae, on behalf of the residents of such State in an appropriate district court of the United States to enforce this Act if the chief law enforcement officer or other State officer has reason to believe that the interests of the residents of the State have been or are being threatened or adversely affected by a violation of section 3.

(e) Forms of relief.—

(1) IN GENERAL.—A plaintiff bringing a civil action under this section may recover—

(A) (i) for the negligent violations of any provision of section 3, the greater of—

(I) $1,000 in liquidated damages per violation; or

(II) the actual damages suffered by the plaintiff; or

(ii) for the intentional or reckless violation of any provision of section 3, the sum of—

(I) the actual damages suffered by the plaintiff; and

(II) any punitive damages awarded by the court, which shall be limited to $5,000 per violation;

(B) reasonable attorneys’ fees and costs, including expert witness fees and other litigation expenses; and

(C) other relief, including an injunction, as the court may deem appropriate.

(2) SPECIFIC PERFORMANCE.—A court may require a private entity to permanently destroy the biometric identifiers, biometric information, or confidential and sensitive information of a plaintiff under this section.

Nothing in this Act may be construed—