|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2149 Introduced 2/15/2019, by Sen. Michael E. Hastings SYNOPSIS AS INTRODUCED:
|
| |
Creates the Right to Know Data Transparency and Privacy Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an email address, toll-free telephone number, or webform whereby customers may request or obtain that information. Provides violation provisions. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to specified provisions of federal or State law or certain interactions with State or local government. Provides findings and purpose. Defines terms.
|
| |
| | A BILL FOR |
|
|
| | SB2149 | | LRB101 10850 RJF 55988 b |
|
|
| 1 | | AN ACT concerning regulation.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the Right |
| 5 | | to Know Data Transparency and Privacy Act.
|
| 6 | | Section 5. Findings and purpose.
|
| 7 | | The General Assembly hereby finds and declares that: |
| 8 | | (1) The right to privacy is a personal and fundamental |
| 9 | | right protected by the United States Constitution. As such, |
| 10 | | all individuals have a right to privacy in information |
| 11 | | pertaining to them. This State recognizes the importance of |
| 12 | | providing consumers with transparency about how their |
| 13 | | personal information, especially information relating to |
| 14 | | their children, is shared by businesses. This transparency |
| 15 | | is crucial for Illinois citizens to protect themselves and |
| 16 | | their families from cyber-crimes and identity thieves. |
| 17 | | (2) Furthermore, for free market forces to have a role |
| 18 | | in shaping the privacy practices and for "opt-in" and |
| 19 | | "opt-out" remedies to be effective, consumers must be more |
| 20 | | than vaguely informed that a business might share personal |
| 21 | | information with third parties. Consumers must be better |
| 22 | | informed about what kinds of personal information are |
| 23 | | shared with other businesses. With these specifics, |
|
| | SB2149 | - 2 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | consumers can knowledgeably choose to opt-in, opt-out, or |
| 2 | | choose among businesses that disclose information to third |
| 3 | | parties on the basis of how protective the business is of |
| 4 | | consumers' privacy. |
| 5 | | (3) Businesses are now collecting personal information |
| 6 | | and sharing and selling it in ways not contemplated or |
| 7 | | properly covered by the current law. Some websites are |
| 8 | | installing tracking tools that record when consumers visit |
| 9 | | web pages, and sending very personal information, such as |
| 10 | | age, gender, race, income, health concerns, religion, and |
| 11 | | recent purchases to third party marketers and data brokers. |
| 12 | | Third party data broker companies are buying, selling, and |
| 13 | | trading personal information obtained from mobile phones, |
| 14 | | financial institutions, social media sites, and other |
| 15 | | online and brick and mortar companies. Some mobile |
| 16 | | applications are sharing personal information, such as |
| 17 | | location information, unique phone identification numbers, |
| 18 | | and age, gender, and other personal details with third |
| 19 | | party companies. |
| 20 | | (4) As such, consumers need to know the ways that their |
| 21 | | personal information is being collected by companies and |
| 22 | | then shared or sold to third parties in order to properly |
| 23 | | protect their privacy, personal safety, and financial |
| 24 | | security.
|
| 25 | | Section 10. Definitions.
As used in this Act:
|
|
| | SB2149 | - 3 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | "Categories of personal information" includes, but is not |
| 2 | | limited to, the following:
|
| 3 | | (a) Identity information including, but not limited |
| 4 | | to, real name, alias, nickname, and user name.
|
| 5 | | (b) Address information, including, but not limited |
| 6 | | to, postal or e-mail.
|
| 7 | | (c) Telephone number.
|
| 8 | | (d) Account name.
|
| 9 | | (e) Social security number or other government-issued |
| 10 | | identification number, including, but not limited to, |
| 11 | | social security number, driver's license number, |
| 12 | | identification card number, and passport number.
|
| 13 | | (f) Birthdate or age.
|
| 14 | | (g) Physical characteristic information, including, |
| 15 | | but not limited to, height and weight.
|
| 16 | | (h) Sexual information, including, but not limited to, |
| 17 | | sexual orientation, sex, gender status, gender identity, |
| 18 | | and gender expression.
|
| 19 | | (i) Race or ethnicity.
|
| 20 | | (j) Religious affiliation or activity.
|
| 21 | | (k) Political affiliation or activity.
|
| 22 | | (l) Professional or employment-related information.
|
| 23 | | (m) Educational information.
|
| 24 | | (n) Medical information, including, but not limited |
| 25 | | to, medical conditions or drugs, therapies, mental health, |
| 26 | | or medical products or equipment used.
|
|
| | SB2149 | - 4 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | (o) Financial information, including, but not limited |
| 2 | | to, credit, debit, or account numbers, account balances, |
| 3 | | payment history, or information related to assets, |
| 4 | | liabilities, or general creditworthiness.
|
| 5 | | (p) Commercial information, including, but not limited |
| 6 | | to, records of property, products or services provided, |
| 7 | | obtained, or considered, or other purchasing or consumer |
| 8 | | histories or tendencies.
|
| 9 | | (q) Location information.
|
| 10 | | (r) Internet or mobile activity information, |
| 11 | | including, but not limited to, Internet protocol addresses |
| 12 | | or information concerning the access or use of any Internet |
| 13 | | or mobile-based site or service.
|
| 14 | | (s) Content, including text, photographs, audio or |
| 15 | | video recordings, or other material generated by or |
| 16 | | provided by the customer.
|
| 17 | | (t) Any of the above categories of information as they |
| 18 | | pertain to the children of the customer.
|
| 19 | | "Customer" means an individual residing in Illinois who |
| 20 | | provides, either knowingly or unknowingly, personal |
| 21 | | information to a private entity, with or without an exchange of |
| 22 | | consideration, in the course of purchasing, viewing, |
| 23 | | accessing, renting, leasing, or otherwise using real or |
| 24 | | personal property, or any interest therein, or obtaining a |
| 25 | | product or service from the private entity, including |
| 26 | | advertising or any other content.
|
|
| | SB2149 | - 5 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | "Designated request address" means an email address, |
| 2 | | toll-free telephone number, or webform whereby customers may |
| 3 | | request or obtain the information required to be provided under |
| 4 | | Section 15 of this Act.
|
| 5 | | "Disclose" means to disclose, release, transfer, share, |
| 6 | | disseminate, make available, or otherwise communicate orally, |
| 7 | | in writing, or by electronic or any other means to any third |
| 8 | | party. "Disclose" does not include the following: |
| 9 | | (a) Disclosure of personal information by a private |
| 10 | | entity to a third party under a written contract |
| 11 | | authorizing the third party to utilize the personal |
| 12 | | information to perform services on behalf of the private |
| 13 | | entity, including maintaining or servicing accounts, |
| 14 | | disclosure of personal information by a private entity to a |
| 15 | | transportation network company driver or TNC as defined |
| 16 | | under the Transportation Network Providers Act, providing |
| 17 | | customer service, processing or fulfilling orders and |
| 18 | | transactions, verifying customer information, processing |
| 19 | | payments, providing financing, or similar services, but |
| 20 | | only if the contract prohibits the third party from using |
| 21 | | the personal information for any reason other than |
| 22 | | performing the specified service or services on behalf of |
| 23 | | the private entity and from disclosing any such personal |
| 24 | | information to additional third parties. |
| 25 | | (b) Disclosure of personal information by a business to |
| 26 | | a third party based on a good-faith belief that disclosure |
|
| | SB2149 | - 6 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | is required to comply with applicable law, regulation, |
| 2 | | legal process, or court order. |
| 3 | | (c) Disclosure of personal information by a private |
| 4 | | entity to a third party that is reasonably necessary to |
| 5 | | address fraud, security, or technical issues; to protect |
| 6 | | the disclosing private entity's rights or property; or to |
| 7 | | protect customers or the public from illegal activities as |
| 8 | | required or permitted by law.
|
| 9 | | "Operator" means any person or entity that owns an Internet |
| 10 | | website or an online service that collects and maintains |
| 11 | | personally identifiable information from a customer residing |
| 12 | | in this State who uses or visits the website or online service |
| 13 | | if the website or online service is operated for commercial |
| 14 | | purposes. "Operator" does not include any third party that |
| 15 | | operates, hosts, or manages, but does not own, a website or |
| 16 | | online service on the owner's behalf or by processing |
| 17 | | information on behalf of the owner.
|
| 18 | | "Personal information" means any information that |
| 19 | | identifies, relates to, describes, or is capable of being |
| 20 | | associated with, a particular individual, including, but not |
| 21 | | limited to, his or her name, signature, physical |
| 22 | | characteristics or description, address, telephone number, |
| 23 | | passport number, driver's license or State identification card |
| 24 | | number, insurance policy number, education, employment, |
| 25 | | employment history, bank account number, credit card number, |
| 26 | | debit card number, or any other financial information. |
|
| | SB2149 | - 7 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | "Personal information" also means any data or information |
| 2 | | pertaining to an individual's income, assets, liabilities, |
| 3 | | purchases, leases, or rentals of goods, services, or real |
| 4 | | property, if that information is disclosed, or is intended to |
| 5 | | be disclosed, with any identifying information, such as the |
| 6 | | individual's name, address, telephone number, or social |
| 7 | | security number.
|
| 8 | | "Third party" or "third parties" means (i) a private entity |
| 9 | | that is a separate legal entity from the private entity that |
| 10 | | has disclosed personal information; (ii) a private entity that |
| 11 | | does not share common ownership or common corporate control |
| 12 | | with the private entity that has disclosed personal |
| 13 | | information; or (iii) a private entity that does not share a |
| 14 | | brand name or common branding with the private entity that has |
| 15 | | disclosed personal information such that the affiliate |
| 16 | | relationship is clear to the customer.
|
| 17 | | Section 15. Notification of information sharing practices. |
| 18 | | An operator of a commercial website or online service that |
| 19 | | collects personally identifiable information through the |
| 20 | | Internet about individual customers residing in this State who |
| 21 | | use or visit its commercial website or online service shall, in |
| 22 | | its customer agreement or incorporated addendum, or in another |
| 23 | | conspicuous location on its website or online service platform |
| 24 | | where similar notices are customarily posted: (i) identify all |
| 25 | | categories of personal information that the operator collects |
|
| | SB2149 | - 8 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | through the website or online service about individual |
| 2 | | customers who use or visit its commercial website or online |
| 3 | | service; (ii) identify all categories of third party persons or |
| 4 | | entities with whom the operator may disclose that personally |
| 5 | | identifiable information; and (iii) provide a description of a |
| 6 | | customer's rights, as required under Section 25 of this Act, |
| 7 | | accompanied by one or more designated request addresses.
|
| 8 | | Section 20. Disclosure of a customer's personal |
| 9 | | information to a third party.
|
| 10 | | (a) An operator that discloses a customer's personal |
| 11 | | information to a third party shall make the following |
| 12 | | information available to the customer free of charge:
|
| 13 | | (1) the categories of personal information that were |
| 14 | | disclosed about an individual customer, and the name or |
| 15 | | names of all third parties that received the customer's |
| 16 | | personal information; or |
| 17 | | (2) all categories of personal information about |
| 18 | | customers that were disclosed, and the name or names of all |
| 19 | | third parties that received any customer's personal |
| 20 | | information.
|
| 21 | | (b) This Section applies only to personal information |
| 22 | | disclosed after the effective date of this Act.
|
| 23 | | Section 25. Information availability service.
|
| 24 | | (a) An operator required to comply with Section 20 shall |
|
| | SB2149 | - 9 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | make the required information available by providing a |
| 2 | | designated request address in its customer agreement or |
| 3 | | incorporated addendum, or in another conspicuous location on |
| 4 | | its website or online service platform where similar notices |
| 5 | | are customarily posted, and, upon receipt of a request under |
| 6 | | this Section, shall provide the customer with the information |
| 7 | | required under Section 20 for all disclosures occurring in the |
| 8 | | prior 12 months.
|
| 9 | | (b) An operator that receives a request from a customer |
| 10 | | under this Section at one of the designated addresses shall |
| 11 | | provide a response to the customer within 30 days.
|
| 12 | | (c) Notwithstanding the provisions of this Section, a |
| 13 | | parent or legal guardian of a customer under the age of 18 may |
| 14 | | submit a request under this Section on behalf of that customer. |
| 15 | | An operator shall not be required to, but may respond to a |
| 16 | | request made by the same parent or legal guardian on behalf of |
| 17 | | a customer under the age of 18 more than once within a given |
| 18 | | 12-month period.
|
| 19 | | Section 30. Violations. A violation of this Act constitutes |
| 20 | | a violation of the Consumer Fraud and Deceptive Business |
| 21 | | Practices Act. The Office of the Attorney General or the |
| 22 | | appropriate State's Attorney's office shall have sole |
| 23 | | enforcement authority of the provisions of this Act and may |
| 24 | | enforce a violation of this Act as an unlawful practice under |
| 25 | | the Consumer Fraud and Deceptive Business Practices Act. |
|
| | SB2149 | - 10 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | Nothing in this Section shall prevent a person from seeking a |
| 2 | | right of action for a violation of the Biometric Information |
| 3 | | Privacy Act or otherwise seeking relief under the Code of Civil |
| 4 | | Procedure.
|
| 5 | | Section 35. Waivers; contracts. Any waiver of the |
| 6 | | provisions of this Act shall be void and unenforceable. Any |
| 7 | | agreement that does not comply with the applicable provisions |
| 8 | | of this Act shall be void and unenforceable.
|
| 9 | | Section 40. Construction.
|
| 10 | | (a) Nothing in this Act shall be construed to conflict with |
| 11 | | the federal Health Insurance Portability and Accountability |
| 12 | | Act of 1996 and the rules promulgated under that Act.
|
| 13 | | (b) Nothing in this Act shall be deemed to apply in any |
| 14 | | manner to a financial institution or an affiliate of a |
| 15 | | financial institution that is subject to Title V of the federal |
| 16 | | Gramm-Leach-Bliley Act of 1999 and the rules promulgated under |
| 17 | | that Act.
|
| 18 | | (c) Nothing in this Act shall be construed to apply to a |
| 19 | | contractor, subcontractor, or agent of a State agency or unit |
| 20 | | of local of government when working for that State agency or |
| 21 | | unit of local of government.
|
| 22 | | (d) Nothing in this Act shall be construed to apply to: (i) |
| 23 | | Internet, wireless, or telecommunications service providers; |
| 24 | | or (ii) a public utility, an alternative retail electric |
|
| | SB2149 | - 11 - | LRB101 10850 RJF 55988 b |
|
|
| 1 | | supplier, or an alternative gas supplier, as those terms are |
| 2 | | defined in Sections 3-105, 16-102, and 19-105 of the Public |
| 3 | | Utilities Act, or an electric cooperative, as defined in |
| 4 | | Section 3.4 of the Electric Supplier Act. |
| 5 | | (e) Nothing in this Act shall be construed to apply to: (i) |
| 6 | | a hospital operated under the Hospital Licensing Act; (ii) a |
| 7 | | hospital affiliate, as defined under the Hospital Licensing |
| 8 | | Act; or (iii) a hospital operated under the University of |
| 9 | | Illinois Hospital Act.
|