HB3358 Engrossed    LRB101 11180 JLS 56421 b

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.
 
    Section 5. Legislative findings. The General Assembly hereby finds and declares that:
    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
    (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    (3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
    (4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.
 
    Section 10. Definitions. As used in this Act:
    "Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content. "Consumer" does not include a natural person from whom personal information is collected while that natural person is acting in an employment context.
    "Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any third party.
    "Disclose" does not include:
        (1) the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties unless those additional third parties (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection;
        (2) disclosure of personal information by a private entity to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or
        (3) disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.
    "Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
    "Personal information" means any information that is linked or can reasonably be linked, directly or indirectly, to a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information.
    "Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
        (1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
        (2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
        (3) Derives 50% or more of its annual revenues from selling consumers' personal information.
    "Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
    "Sale" or "sell" means the exchange of a consumer's personal information for purposes of licensing, renting or selling personal information by the private entity to a third party for monetary or other valuable consideration.
    "Sale" or "sell" does not include circumstances in which:
        (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
        (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
        (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
        (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
    "Third party" means:
        (1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;
        (2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
        (3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.
    "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.
 
    Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
        (1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;
        (2) identify all categories of third parties with whom the operator may disclose that personal information;
        (3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
        (4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
        (5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
        (6) state the effective date of the notice;
        (7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

    Section 20. Right to know.
    (a) An operator that discloses personal information to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:
        (1) the categories of personal information that were disclosed about the consumer; and
        (2) the categories of third parties and the approximate number of third parties that received the consumer's personal information.
    (b) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.
    (c) This Section applies only to personal information disclosed after the effective date of this Act.
 
    Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.
 
    Section 30. Response to verified requests.
    (a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.
    (b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more than once in any 12-month period.
 
    Section 35. Enforcement. The Attorney General shall have exclusive authority to enforce this Act, and there shall be no private right of action to enforce violations under this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.
 
    Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.
 
    Section 45. Construction.
    (a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
        (1) Comply with federal, state, or local laws.
        (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
        (3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
        (4) Exercise or defend legal claims.
    (b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
    (c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.
    (d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
    (e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.
    (f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.
    (g) Nothing in this Act applies to an entity maintaining a place of business in this State that collects sales taxes under the Retailers' Occupation Tax Act who uses personal information for purposes of selling, moving, or delivering tangible personal property at retail with respect to such sales at retail and (i) is a retailer's wholly owned retail subsidiary or service provider processing personal information on behalf of the retailer; (ii) is a party to a merchant card agreement to process a consumer transaction at the sale of retail in accordance with the agreement; (iii) administers a private label credit card or owns a private label administered by a third party in accordance with the agreement; (iv) collects sales tax on behalf of the consumer as a result of a sale at retail as authorized by the Department of Revenue; (v) is subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder; (vi) provides Medicaid benefits to Illinois consumers through sales at retail as is authorized by the Department of Healthcare and Family Services; or (vii) provides Supplemental Nutrition Assistance Program (SNAP) or special supplemental nutrition program for women, infants, and children (WIC) benefits to consumers in Illinois through sales at retail as authorized by the United States Department of Agriculture and the Illinois Department of Human Services.
    (h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.
    (i) Nothing in this Act restricts a private entity's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the private entity collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
 
    Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.
 
    Section 99. Effective date. This Act takes effect April 1, 2020.