93RD GENERAL ASSEMBLY
State of Illinois
2003 and 2004
HB7046

 

Introduced 02/09/04, by Lisa M. Dugan

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Illinois Financial Information Privacy Act. Allows a consumer to direct a financial institution to not share the nonpublic personal information with affiliated companies or with nonaffiliated financial companies with which the financial institution has contracted to provide financial products and services. Does not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or in certain other cases if both entities are regulated by the same functional regulator and are engaged in the same line of business, among other requirements. Requires the permission of the consumer before the financial institution may share the nonpublic personal information with other nonaffiliated companies. Provides that a financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information. Requires a financial institution to comply with the consumer's request regarding nonpublic personal information within 45 days of receipt of the request.


LRB093 19187 SAS 44922 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

HB7046 LRB093 19187 SAS 44922 b

1     AN ACT concerning financial institutions.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Illinois Financial Information Privacy Act.
 
6     Section 5. Legislative purpose.
7     (a) The General Assembly intends for financial
8 institutions to provide their consumers notice and meaningful
9 choice about how consumers' nonpublic personal information is
10 shared or sold by their financial institutions.
11     (b) It is the intent of the General Assembly in enacting
12 the Illinois Financial Information Privacy Act to afford
13 persons greater privacy protections than those provided in
14 Public Law 106-102, the federal Gramm-Leach-Bliley Act, and
15 that this Act be interpreted to be consistent with that
16 purpose.
 
17     Section 10. Definitions. For the purposes of this Act:
18     (a) "Nonpublic personal information" means personally
19 identifiable financial information (1) provided by a consumer
20 to a financial institution, (2) resulting from any transaction
21 with the consumer or any service performed for the consumer, or
22 (3) otherwise obtained by the financial institution. Nonpublic
23 personal information does not include publicly available
24 information that the financial institution has a reasonable
25 basis to believe is lawfully made available to the general
26 public from (1) federal, state, or local government records,
27 (2) widely distributed media, or (3) disclosures to the general
28 public that are required to be made by federal, state, or local
29 law. Nonpublic personal information shall include any list,
30 description, or other grouping of consumers, and publicly
31 available information pertaining to them, that is derived using
1 any nonpublic personal information other than publicly
2 available information, but shall not include any list,
3 description, or other grouping of consumers, and publicly
4 available information pertaining to them, that is derived
5 without using any nonpublic personal information.
6     (b) "Personally identifiable financial information" means
7 information (1) that a consumer provides to a financial
8 institution to obtain a product or service from the financial
9 institution, (2) about a consumer resulting from any
10 transaction involving a product or service between the
11 financial institution and a consumer, or (3) that the financial
12 institution otherwise obtains about a consumer in connection
13 with providing a product or service to that consumer. Any
14 personally identifiable information is financial if it was
15 obtained by a financial institution in connection with
16 providing a financial product or service to a consumer.
17 Personally identifiable financial information includes all of
18 the following:
19         (1) Information a consumer provides to a financial
20     institution on an application to obtain a loan, credit
21     card, or other financial product or service.
22         (2) Account balance information, payment history,
23     overdraft history, and credit or debit card purchase
24     information.
25         (3) The fact that an individual is or has been a
26     consumer of a financial institution or has obtained a
27     financial product or service from a financial institution.
28         (4) Any information about a financial institution's
29     consumer if it is disclosed in a manner that indicates that
30     the individual is or has been the financial institution's
31     consumer.
32         (5) Any information that a consumer provides to a
33     financial institution or that a financial institution or
34     its agent otherwise obtains in connection with collecting
35     on a loan or servicing a loan.
36         (6) Any personally identifiable financial information
1     collected through an Internet cookie or an information
2     collecting device from a Web server.
3         (7) Information from a consumer report.
4     (c) "Financial institution" means any institution the
5     business of which is engaging in financial activities as
6     described in Section 1843(k) of Title 12 of the United States
7     Code and doing business in this State. An institution that is
8     not significantly engaged in financial activities is not a
9     financial institution. The term "financial institution" does
10     not include any institution that is primarily engaged in
11     providing hardware, software, or interactive services,
12     provided that it does not act as a debt collector, as defined
13     in 15 U.S.C. Sec. 1692a, or engage in activities for which the
14     institution is required to acquire a charter, license, or
15     registration from a state or federal governmental banking,
16     insurance, or securities agency. The term "financial
17     institution" does not include the Federal Agricultural
18     Mortgage Corporation or any entity chartered and operating
19     under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et
20     seq.), provided that the entity does not sell or transfer
21     nonpublic personal information to an affiliate or a
22     nonaffiliated third party. The term "financial institution"
23     does not include any provider of professional services, or any
24     wholly owned affiliate thereof, that is prohibited by rules of
25     professional ethics and applicable law from voluntarily
26     disclosing confidential client information without the consent
27     of the client. The term "financial institution" does not
28     include institutions chartered by Congress specifically to
29     engage in a proposed or actual securitization, secondary market
30     sale, including sales of servicing rights, or similar
31     transactions related to a transaction of the consumer, as long
32     as those institutions do not sell or transfer nonpublic
33     personal information to a nonaffiliated third party. Nothing in
34     this Act applies to the Motor Vehicle Retail Installment Sales
35     Act, the Motor Vehicle Leasing Act, or the Retail Installment
36     Sales Act.
1     (d) "Affiliate" means any entity that controls, is
2     controlled by, or is under common control with, another entity,
3     but does not include a joint employee of the entity and the
4     affiliate. A franchisor, including any affiliate thereof,
5     shall be deemed an affiliate of the franchisee for purposes of
6     this Act.
7     (e) "Nonaffiliated third party" means any entity that is
8     not an affiliate of, or related by common ownership or
9     affiliated by corporate control with, the financial
10     institution, but does not include a joint employee of that
11     institution and a third party.
12     (f) "Consumer" means an individual resident of this State,
13     or that individual's legal representative, who obtains or has
14     obtained from a financial institution a financial product or
15     service to be used primarily for personal, family, or household
16     purposes. For purposes of this Act, an individual resident of
17     this State is someone whose last known mailing address, other
18     than an Armed Forces Post Office or Fleet Post Office address,
19     as shown in the records of the financial institution, is
20     located in this State. For purposes of this Act, an individual
21     is not a consumer of a financial institution solely because he
22     or she is (1) a participant or beneficiary of an employee
23     benefit plan that a financial institution administers or
24     sponsors, or for which the financial institution acts as a
25     trustee, insurer, or fiduciary, (2) covered under a group or
26     blanket insurance policy or group annuity contract issued by
27     the financial institution, (3) a beneficiary in a workers'
28     compensation plan, (4) a beneficiary of a trust for which the
29     financial institution is a trustee, or (5) a person who has
30     designated the financial institution as trustee for a trust,
31     provided that the financial institution provides all required
32     notices and rights required by this Act to the plan sponsor,
33     group or blanket insurance policyholder, or group annuity
34     contract holder.
35     (g) "Control" means (1) ownership or power to vote 25
36     percent or more of the outstanding shares of any class of
1     voting security of a company, acting through one or more
2     persons, (2) control in any manner over the election of a
3     majority of the directors, or of individuals exercising similar
4     functions, or (3) the power to exercise, directly or
5     indirectly, a controlling influence over the management or
6     policies of a company. However, for purposes of the application
7     of the definition of control as it relates to credit unions, a
8     credit union has a controlling influence over the management or
9     policies of a credit union service organization (CUSO), as that
10     term is defined by state or federal law or regulation, if the
11     CUSO is at least 67 percent owned by credit unions. For
12     purposes of the application of the definition of control to a
13     financial institution subject to regulation by the United
14     States Securities and Exchange Commission, a person who owns
15     beneficially, either directly or through one or more controlled
16     companies, more than 25 percent of the voting securities of a
17     company is presumed to control the company, and a person who
18     does not own more than 25 percent of the voting securities of a
19     company is presumed not to control the company, and a
20     presumption regarding control may be rebutted by evidence, but
21     in the case of an investment company, the presumption shall
22     continue until the United States Securities and Exchange
23     Commission makes a decision to the contrary according to the
24     procedures described in Section 2(a)(9) of the federal
25     Investment Company Act of 1940.
26     (h) "Necessary to effect, administer, or enforce" means the
27     following:
28         (1) The disclosure is required, or is a usual,
29     appropriate, or acceptable method to carry out the
30     transaction or the product or service business of which the
31     transaction is a part, and record or service or maintain
32     the consumer's account in the ordinary course of providing
33     the financial service or financial product, or to
34     administer or service benefits or claims relating to the
35     transaction or the product or service business of which it
36     is a part, and includes the following:
1             (A) Providing the consumer or the consumer's agent
2         or broker with a confirmation, statement, or other
3         record of the transaction, or information on the status
4         or value of the financial service or financial product.
5             (B) The accrual or recognition of incentives,
6         discounts, or bonuses associated with the transaction
7         or communications to eligible existing consumers of
8         the financial institution regarding the availability
9         of those incentives, discounts, and bonuses that are
10         provided by the financial institution or another
11         party.
12             (C) In the case of a financial institution that has
13         issued a credit account bearing the name of a company
14         primarily engaged in retail sales or a name proprietary
15         to a company primarily engaged in retail sales, the
16         financial institution providing the retailer with
17         nonpublic personal information as follows:
18                 (i) Providing the retailer, or licensees or
19             contractors of the retailer that provide products
20             or services in the name of the retailer and under a
21             contract with the retailer, with the names and
22             addresses of the consumers in whose name the
23             account is held and a record of the purchases made
24             using the credit account from a business
25             establishment, including a Web site or catalog,
26             bearing the brand name of the retailer.
27                 (ii) Where the credit account can only be used
28             for transactions with the retailer or affiliates
29             of that retailer that are also primarily engaged in
30             retail sales, providing the retailer, or licensees
31             or contractors of the retailer that provide
32             products or services in the name of the retailer
33             and under a contract with the retailer, with
34             nonpublic personal information concerning the
35             credit account, in connection with the offering or
36             provision of the products or services of the
1             retailer and those licensees or contractors.
2             (2) The disclosure is required or is one of the
3         lawful or appropriate methods to enforce the rights of
4         the financial institution or of other persons engaged
5         in carrying out the financial transaction or providing
6         the product or service.
7             (3) The disclosure is required, or is a usual,
8         appropriate, or acceptable method for insurance
9         underwriting or the placement of insurance products by
10         licensed agents and brokers with authorized insurance
11         companies at the consumer's request, for reinsurance,
12         stop loss insurance, or excess loss insurance
13         purposes, or for any of the following purposes as they
14         relate to a consumer's insurance:
15                 (A) Account administration.
16                 (B) Reporting, investigating, or preventing
17             fraud or material misrepresentation.
18                 (C) Processing premium payments.
19                 (D) Processing insurance claims.
20                 (E) Administering insurance benefits,
21             including utilization review activities.
22                 (F) Participating in research projects.
23                 (G) As otherwise required or specifically
24             permitted by federal or state law.
25             (4) The disclosure is required, or is a usual,
26         appropriate, or acceptable method, in connection with
27         the following:
28                 (A) The authorization, settlement, billing,
29             processing, clearing, transferring, reconciling,
30             or collection of amounts charged, debited, or
31             otherwise paid using a debit, credit or other
32             payment card, check, or account number, or by other
33             payment means.
34                 (B) The transfer of receivables, accounts, or
35             interests therein.
36                 (C) The audit of debit, credit, or other
1             payment information.
2             (5) The disclosure is required in a transaction
3         covered by the federal Real Estate Settlement
4         Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order
5         to offer settlement services prior to the close of
6         escrow (as those services are defined in 12 U.S.C. Sec.
7         2602), provided that (A) the nonpublic personal
8         information is disclosed for the sole purpose of
9         offering those settlement services and (B) the
10         nonpublic personal information disclosed is limited to
11         that necessary to enable the financial institution to
12         offer those settlement services in that transaction.
13     (i) "Financial product or service" means any product or
14     service that a financial holding company could offer by
15     engaging in an activity that is financial in nature or
16     incidental to a financial activity under subsection (k) of
17     Section 1843 of Title 12 of the United States Code (the United
18     States Bank Holding Company Act of 1956). Financial service
19     includes a financial institution's evaluation or brokerage of
20     information that the financial institution collects in
21     connection with a request or an application from a consumer for
22     a financial product or service.
23     (j) "Clear and conspicuous" means that a notice is
24     reasonably understandable and designed to call attention to the
25     nature and significance of the information contained in the
26     notice.
27     (k) "Widely distributed media" means media available to the
28     general public and includes a telephone book, a television or
29     radio program, a newspaper, or a Web site that is available to
30     the general public on an unrestricted basis.
 
31     Section 15. Prior consent. Except as provided in Sections
32 25, 35, and 45, a financial institution shall not sell, share,
33 transfer, or otherwise disclose nonpublic personal information
34 to or with any nonaffiliated third parties without the explicit
35 prior consent of the consumer to whom the nonpublic personal
1 information relates.
 
2     Section 20. Disclosure.
3     (a) A financial institution shall not disclose to, or share
4 a consumer's nonpublic personal information with, any
5 nonaffiliated third party as prohibited by Section 15, unless
6 the financial institution has obtained a consent
7 acknowledgment from the consumer that authorizes the financial
8 institution to disclose or share the nonpublic personal
9 information. Nothing in this Section shall prohibit or
10 otherwise apply to the disclosure of nonpublic personal
11 information as allowed in Section 40. A financial institution
12 shall not discriminate against or deny an otherwise qualified
13 consumer a financial product or a financial service because the
14 consumer has not provided consent pursuant to this Section and
15 Section 15 to authorize the financial institution to disclose
16 or share nonpublic personal information pertaining to him or
17 her with any nonaffiliated third party. Nothing in this Section
18 shall prohibit a financial institution from denying a consumer
19 a financial product or service if the financial institution
20 could not provide the product or service to a consumer without
21 the consent to disclose the consumer's nonpublic personal
22 information required by this Section and Section 15, and the
23 consumer has failed to provide consent. A financial institution
24 shall not be liable for failing to offer products and services
25 to a consumer solely because that consumer has failed to
26 provide consent pursuant to this Section and Section 15 and the
27 financial institution could not offer the product or service
28 without the consent to disclose the consumer's nonpublic
29 personal information required by this Section and Section 15,
30 and the consumer has failed to provide consent. Nothing in this
31 Section is intended to prohibit a financial institution from
32 offering incentives or discounts to elicit a specific response
33 to the notice.
34     (b)(1) A financial institution shall not disclose to, or
35 share a consumer's nonpublic personal information with, an
1 affiliate unless the financial institution has clearly and
2 conspicuously notified the consumer annually in writing
3 pursuant to subsection (d) that the nonpublic personal
4 information may be disclosed to an affiliate of the financial
5 institution and the consumer has not directed that the
6 nonpublic personal information not be disclosed. A financial
7 institution does not disclose information to, or share
8 information with, its affiliate merely because information is
9 maintained in common information systems or databases, and
10 employees of the financial institution and its affiliate have
11 access to those common information systems or databases, or a
12 consumer accesses a Web site jointly operated or maintained
13 under a common name by or on behalf of the financial
14 institution and its affiliate, provided that where a consumer
15 has exercised his or her right to prohibit disclosure pursuant
16 to this Act, nonpublic personal information is not further
17 disclosed or used by an affiliate except as permitted by this
18 Act.
19     (2) Subsection (a) of this Section shall not prohibit the
20     release of nonpublic personal information by a financial
21     institution with whom the consumer has a relationship to a
22     nonaffiliated financial institution for purposes of jointly
23     offering a financial product or financial service pursuant to a
24     written agreement with the financial institution that receives
25     the nonpublic personal information provided that all of the
26     following requirements are met:
27             (A) The financial product or service offered is a
28         product or service of, and is provided by, at least one
29         of the financial institutions that is a party to the
30         written agreement.
31             (B) The financial product or service is jointly
32         offered, endorsed, or sponsored, and clearly and
33         conspicuously identifies for the consumer the
34         financial institutions that disclose and receive the
35         disclosed nonpublic personal information.
36             (C) The written agreement provides that the
1         financial institution that receives that nonpublic
2         personal information is required to maintain the
3         confidentiality of the information and is prohibited
4         from disclosing or using the information other than to
5         carry out the joint offering or servicing of a
6         financial product or financial service that is the
7         subject of the written agreement.
8             (D) The financial institution that releases the
9         nonpublic personal information has complied with
10         subsection (d) and the consumer has not directed that
11         the nonpublic personal information not be disclosed.
12             (E) Notwithstanding this Section, until January 1,
13         2006, a financial institution may disclose nonpublic
14         personal information to a nonaffiliated financial
15         institution pursuant to a preexisting contract with
16         the nonaffiliated financial institution, for purposes
17         of offering a financial product or financial service,
18         if that contract was entered into on or before January
19         1, 2005. Beginning on January 1, 2006, no nonpublic
20         personal information may be disclosed pursuant to that
21         contract unless all the requirements of this
22         subsection are met.
23         (3) Nothing in this subsection shall prohibit a
24     financial institution from disclosing or sharing nonpublic
25     personal information as otherwise specifically permitted
26     by this Act.
27         (4) A financial institution shall not discriminate
28     against or deny an otherwise qualified consumer a financial
29     product or a financial service because the consumer has
30     directed pursuant to this subsection that nonpublic
31     personal information pertaining to him or her not be
32     disclosed. A financial institution shall not be required to
33     offer or provide products or services offered through
34     affiliated entities or jointly with nonaffiliated
35     financial institutions pursuant to paragraph (2) of this
36     subsection where the consumer has directed that nonpublic
1     personal information not be disclosed pursuant to this
2     subsection and the financial institution could not offer or
3     provide the products or services to the consumer without
4     disclosure of the consumer's nonpublic personal
5     information that the consumer has directed not be disclosed
6     pursuant to this subsection. A financial institution shall
7     not be liable for failing to offer or provide products or
8     services offered through affiliated entities or jointly
9     with nonaffiliated financial institutions pursuant to
10     paragraph (2) of this subsection solely because the
11     consumer has directed that nonpublic personal information
12     not be disclosed pursuant to this subsection and the
13     financial institution could not offer or provide the
14     products or services to the consumer without disclosure of
15     the consumer's nonpublic personal information that the
16     consumer has directed not be disclosed to affiliates
17     pursuant to this subsection. Nothing in this Section is
18     intended to prohibit a financial institution from offering
19     incentives or discounts to elicit a specific response to
20     the notice set forth in this Act. Nothing in this Section
21     shall prohibit the disclosure of nonpublic personal
22     information allowed by Section 40.
23         (5) The financial institution may, at its option,
24     choose instead to comply with the requirements of
25     subsection (a).
26     (c) Nothing in this Act shall restrict or prohibit the
27     sharing of nonpublic personal information between a financial
28     institution and its wholly owned financial institution
29     subsidiaries; among financial institutions that are each
30     wholly owned by the same financial institution; among financial
31     institutions that are wholly owned by the same holding company;
32     or among the insurance and management entities of a single
33     insurance holding company system consisting of one or more
34     reciprocal insurance exchanges which has a single corporation
35     or its wholly owned subsidiaries providing management services
36     to the reciprocal insurance exchanges, provided that in each
1     case all of the following requirements are met:
2         (1) The financial institution disclosing the nonpublic
3     personal information and the financial institution
4     receiving it are regulated by the same functional
5     regulator; provided, however, that for purposes of this
6     subsection, financial institutions regulated by the Office
7     of the Comptroller of the Currency, Office of Thrift
8     Supervision, National Credit Union Administration, or a
9     state regulator of depository institutions shall be deemed
10     to be regulated by the same functional regulator; financial
11     institutions regulated by the Securities and Exchange
12     Commission, the United States Department of Labor, or a
13     state securities regulator shall be deemed to be regulated
14     by the same functional regulator; and insurers admitted in
15     this State to transact insurance and licensed to write
16     insurance policies shall be deemed to be in compliance with
17     this paragraph.
18         (2) The financial institution disclosing the nonpublic
19     personal information and the financial institution
20     receiving it are both principally engaged in the same line
21     of business. For purposes of this subsection, "same line of
22     business" shall be one and only one of the following:
23             (A) Insurance.
24             (B) Banking.
25             (C) Securities.
26         (3) The financial institution disclosing the nonpublic
27     personal information and the financial institution
28     receiving it share a common brand, excluding a brand
29     consisting solely of a graphic element or symbol, within
30     their trademark, service mark, or trade name, which is used
31     to identify the source of the products and services
32     provided. A wholly owned subsidiary shall include a
33     subsidiary wholly owned directly or wholly owned
34     indirectly in a chain of wholly owned subsidiaries. Nothing
35     in this subsection shall permit the disclosure by a
36     financial institution of medical record information, as
1     defined in the Illinois Insurance Code, except in
2     compliance with the requirements of this Act, including the
3     requirements set forth in subsections (a) and (b).
4     (d)(1) The consumer shall be provided a reasonable
5     opportunity prior to disclosure of nonpublic personal
6     information to direct that nonpublic personal information not
7     be disclosed. A consumer may direct at any time that his or her
8     nonpublic personal information not be disclosed. A financial
9     institution shall comply with a consumer's directions
10     concerning the sharing of his or her nonpublic personal
11     information within 45 days of receipt by the financial
12     institution. When a consumer directs that nonpublic personal
13     information not be disclosed, that direction is in effect until
14     otherwise stated by the consumer. A financial institution that
15     has not provided a consumer with annual notice pursuant to
16     subsection (b) shall provide the consumer with a form that
17     meets the requirements of this subsection, and shall allow 45
18     days to lapse from the date of providing the form in person or
19     the postmark or other postal verification of mailing before
20     disclosing nonpublic personal information pertaining to the
21     consumer. Nothing in this subsection shall prohibit the
22     disclosure of nonpublic personal information as allowed by
23     subsection (c) or Section 40.
24     (2) A financial institution may elect to comply with the
25     requirements of subsection (a) with respect to disclosure of
26     nonpublic personal information to an affiliate or with respect
27     to nonpublic personal information disclosed pursuant to
28     paragraph (2) of subsection (b), or subsection (c) of Section
29     35.
30     (3) If a financial institution does not have a continuing
31     relationship with a consumer other than the initial transaction
32     in which the product or service is provided, no annual
33     disclosure requirement exists pursuant to this section as long
34     as the financial institution provides the consumer with the
35     form required by this section at the time of the initial
36     transaction. As used in this section, "annually" means at least
1     once in any period of 12 consecutive months during which that
2     relationship exists. The financial institution may define the
3     12-consecutive-month period, but shall apply it to the consumer
4     on a consistent basis. If, for example, a financial institution
5     defines the 12-consecutive-month period as a calendar year and
6     provides the annual notice to the consumer once in each
7     calendar year, it complies with the requirement to send the
8     notice annually.
9     (4) A financial institution with assets in excess of
10     $25,000,000 shall include a self-addressed first class
11     business reply return envelope with the notice. A financial
12     institution with assets of up to and including $25,000,000
13     shall include a self-addressed return envelope with the notice.
14     In lieu of the first class business reply return envelope
15     required by this paragraph, a financial institution may offer a
16     self-addressed return envelope with the notice and at least two
17     alternative cost-free means for consumers to communicate their
18     privacy choices, such as calling a toll-free number, sending a
19     facsimile to a toll-free telephone number, or using electronic
20     means. A financial institution shall clearly and conspicuously
21     disclose in the form required by this subsection the
22     information necessary to direct the consumer on how to
23     communicate his or her choices, including the toll-free or
24     facsimile number or Web site address that may be used, if those
25     means of communication are offered by the financial
26     institution.
27     (5) A financial institution may provide a joint notice from
28     it and one or more of its affiliates or other financial
29     institutions, as identified in the notice, so long as the
30     notice is accurate with respect to the financial institution
31     and the affiliates and other financial institutions.
32     (e) Nothing in this Act shall prohibit a financial
33     institution from marketing its own products and services or the
34     products and services of affiliates or nonaffiliated third
35     parties to customers of the financial institution as long as
36     (1) nonpublic personal information is not disclosed in
1     connection with the delivery of the applicable marketing
2     materials to those customers except as permitted by Section 40
3     and (2) in cases in which the applicable nonaffiliated third
4     party may extrapolate nonpublic personal information about the
5     consumer responding to those marketing materials, the
6     applicable nonaffiliated third party has signed a contract with
7     the financial institution under the terms of which (A) the
8     nonaffiliated third party is prohibited from using that
9     information for any purpose other than the purpose for which it
10     was provided, as set forth in the contract, and (B) the
11     financial institution has the right by audit, inspections, or
12     other means to verify the nonaffiliated third party's
13     compliance with that contract.
 
14     Section 25. Receipt of nonpublic personal information.
15 Except as otherwise provided in this Act, an entity that
16 receives nonpublic personal information from a financial
17 institution under this Act shall not disclose this information
18 to any other entity, unless the disclosure would be lawful if
19 made directly to the other entity by the financial institution.
20 An entity that receives nonpublic personal information
21 pursuant to any exception set forth in Section 45 shall not use
22 or disclose the information except in the ordinary course of
23 business to carry out the activity covered by the exception
24 under which the information was received.
 
25     Section 30. Notice.
26     (a) Nothing in this Act shall require a financial
27 institution to provide a written notice to a consumer pursuant
28 to Section 20 if the financial institution does not disclose
29 nonpublic personal information to any nonaffiliated third
30 party or to any affiliate, except as allowed in this Act.
31     (b) A notice provided to a member of a household pursuant
32 to Section 20 shall be considered notice to all members of that
33 household unless that household contains another individual
34 who also has a separate account with the financial institution.
1     (c)(1) The requirement to send a written notice to a
2 consumer may be fulfilled by electronic means if the following
3 requirements are met:
4             (A) The notice, and the manner in which it is sent,
5         meets all of the requirements for notices that are
6         required by law to be in writing, as set forth in
7         Section 101 of the federal Electronic Signatures in
8         Global and National Commerce Act.
9             (B) All other requirements applicable to the
10         notice, as set forth in this Act, are met, including,
11         but not limited to, requirements concerning content,
12         timing, form, and delivery. An electronic notice sent
13         pursuant to this section is not required to include a
14         return envelope.
15             (C) The notice is delivered to the consumer in a
16         form the consumer may keep.
17         (2) A notice that is made available to a consumer, and
18     is not delivered to the consumer, does not satisfy the
19     requirements of paragraph (1).
20         (3) Any electronic consumer reply to an electronic
21     notice sent pursuant to this Act is effective. A person
22     that electronically sends a notice required by this Act to
23     a consumer may not by contract, or otherwise, eliminate the
24     effectiveness of the consumer's electronic reply.
25         (4) This Act modifies the provisions of Section 101 of
26     the federal Electronic Signatures in Global and National
27     Commerce Act. However, it does not modify, limit, or
28     supersede the provisions of subsection (c), (d), (e), (f),
29     or (h) of Section 101 of the federal Electronic Signatures
30     in Global and National Commerce Act, nor does it authorize
31     electronic delivery of any notice of the type described in
32     subsection (b) of Section 103 of that federal act.
 
33     Section 35. Affinity partners.
34     (a) When a financial institution and an organization or
35 business entity that is not a financial institution ("affinity
1 partner") have an agreement to issue a credit card in the name
2 of the affinity partner ("affinity card"), the financial
3 institution shall be permitted to disclose to the affinity
4 partner in whose name the card is issued only the following
5 information pertaining to the financial institution's
6 customers who are in receipt of the affinity card: (1) name,
7 address, telephone number, and electronic mail address and (2)
8 record of purchases made using the affinity card in a business
9 establishment, including a Web site, bearing the brand name of
10 the affinity partner.
11     (b) When a financial institution and an affinity partner
12 have an agreement to issue a financial product or service,
13 other than a credit card, on behalf of the affinity partner
14 ("affinity financial product or service"), the financial
15 institution shall be permitted to disclose to the affinity
16 partner only the following information pertaining to the
17 financial institution's customers who obtained the affinity
18 financial product or service: name, address, telephone number,
19 and electronic mail address.
20     (c) The disclosures specified in subsections (a) and (b)
21 shall be permitted only if the following requirements are met:
22          (1) The financial institution has provided the
23     consumer a notice meeting the requirements of subsection
24     (d) of Section 20, and the consumer has not directed that
25     nonpublic personal information not be disclosed. A
26     response to a notice meeting the requirements of subsection
27     (d) directing the financial institution to not disclose
28     nonpublic personal information to a nonaffiliated
29     financial institution shall be deemed a direction to the
30     financial institution to not disclose nonpublic personal
31     information to an affinity partner, unless the form
32     containing the notice provides the consumer with a separate
33     choice for disclosure to affinity partners.
34         (2) The financial institution has a contractual
35     agreement with the affinity partner that requires the
36     affinity partner to maintain the confidentiality of the
1     nonpublic personal information and prohibits affinity
2     partners from using the information for any purposes other
3     than verifying membership, verifying the consumer's
4     contact information, or offering the affinity partner's
5     own products or services to the consumer.
6         (3) The customer list is not disclosed in any way that
7     reveals or permits extrapolation of any additional
8     nonpublic personal information about any customer on the
9     list.
10         (4) If the affinity partner sends any message to any
11     electronic mail addresses obtained pursuant to this
12     section, the message shall include at least both of the
13     following:
14             (A) The identity of the sender of the message.
15             (B) A cost-free means for the recipient to notify
16         the sender not to electronically mail any further
17         message to the recipient.
18     (d) Nothing in this Section shall prohibit the disclosure
19     of nonpublic personal information pursuant to Section 40.
20     (e) This Section does not apply to credit cards issued in
21     the name of an entity primarily engaged in retail sales or a
22     name proprietary to a company primarily engaged in retail
23     sales.
 
24     Section 40. Release of nonpublic personal information.
25     (a) This Act shall not apply to information that is not
26 personally identifiable to a particular person.
27     (b) Notwithstanding Sections 15, 20, 30, and 35, a
28 financial institution may release nonpublic personal
29 information under the following circumstances:
30         (1) The nonpublic personal information is necessary to
31     effect, administer, or enforce a transaction requested or
32     authorized by the consumer, or in connection with servicing
33     or processing a financial product or service requested or
34     authorized by the consumer, or in connection with
35     maintaining or servicing the consumer's account with the
1     financial institution, or with another entity as part of a
2     private label credit card program or other extension of
3     credit on behalf of that entity, or in connection with a
4     proposed or actual securitization or secondary market
5     sale, including sales of servicing rights, or similar
6     transactions related to a transaction of the consumer.
7         (2) The nonpublic personal information is released
8     with the consent of or at the direction of the consumer.
9         (3) The nonpublic personal information is:
10             (A) Released to protect the confidentiality or
11         security of the financial institution's records
12         pertaining to the consumer, the service or product, or
13         the transaction therein.
14             (B) Released to protect against or prevent actual
15         or potential fraud, identity theft, unauthorized
16         transactions, claims, or other liability.
17             (C) Released for required institutional risk
18         control, or for resolving customer disputes or
19         inquiries.
20             (D) Released to persons holding a legal or
21         beneficial interest relating to the consumer,
22         including for purposes of debt collection.
23             (E) Released to persons acting in a fiduciary or
24         representative capacity on behalf of the consumer.
25         (4) The nonpublic personal information is released to
26     provide information to insurance rate advisory
27     organizations, guaranty funds or agencies, applicable
28     rating agencies of the financial institution, persons
29     assessing the institution's compliance with industry
30     standards, and the institution's attorneys, accountants,
31     and auditors.
32         (5) The nonpublic personal information is released to
33     the extent specifically required or specifically permitted
34     under other provisions of law and in accordance with the
35     Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401
36     et seq.), to law enforcement agencies, including a federal
1     functional regulator, the Secretary of the Treasury with
2     respect to subchapter II of Chapter 53 of Title 31, and
3     Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs.
4     1951-1959), the Illinois Department of Insurance, or the
5     Federal Trade Commission, and self-regulatory
6     organizations, or for an investigation on a matter related
7     to public safety.
8         (6) The nonpublic personal information is released in
9     connection with a proposed or actual sale, merger,
10     transfer, or exchange of all or a portion of a business or
11     operating unit if the disclosure of nonpublic personal
12     information concerns solely consumers of the business or
13     unit.
14         (7) The nonpublic personal information is released to
15     comply with federal, state, or local laws, rules, and other
16     applicable legal requirements; to comply with a properly
17     authorized civil, criminal, administrative, or regulatory
18     investigation or subpoena or summons by federal, state, or
19     local authorities; or to respond to judicial process or
20     government regulatory authorities having jurisdiction over
21     the financial institution for examination, compliance, or
22     other purposes as authorized by law.
23         (8) When a financial institution is reporting a known
24     or suspected instance of elder or dependent adult financial
25     abuse or is cooperating with a local adult protective
26     services agency investigation of known or suspected elder
27     or dependent adult financial abuse pursuant to the Elder
28     Abuse and Neglect Act.
29         (9) The nonpublic personal information is released to
30     an affiliate or a nonaffiliated third party in order for
31     the affiliate or nonaffiliated third party to perform
32     business or professional services, such as printing,
33     mailing services, data processing or analysis, or customer
34     surveys, on behalf of the financial institution, provided
35     that all of the following requirements are met:
36             (A) The services to be performed by the affiliate
1         or nonaffiliated third party could lawfully be
2         performed by the financial institution.
3             (B) There is a written contract between the
4         affiliate or nonaffiliated third party and the
5         financial institution that prohibits the affiliate or
6         nonaffiliated third party, as the case may be, from
7         disclosing or using the nonpublic personal information
8         other than to carry out the purpose for which the
9         financial institution disclosed the information, as
10         set forth in the written contract.
11             (C) The nonpublic personal information provided to
12         the affiliate or nonaffiliated third party is limited
13         to that which is necessary for the affiliate or
14         nonaffiliated third party to perform the services
15         contracted for on behalf of the financial institution.
16             (D) The financial institution does not receive any
17         payment from or through the affiliate or nonaffiliated
18         third party in connection with, or as a result of, the
19         release of the nonpublic personal information.
20         (10) The nonpublic personal information is released to
21     identify or locate missing and abducted children,
22     witnesses, criminals and fugitives, parties to lawsuits,
23     parents delinquent in child support payments, organ and
24     bone marrow donors, pension fund beneficiaries, and
25     missing heirs.
26         (11) The nonpublic personal information is released to
27     a real estate appraiser licensed or certified by the State
28     and the nonpublic personal information is compiled
29     strictly to complete other real estate appraisals and is
30     not used for any other purpose.
31         (12) The nonpublic personal information is released as
32     required by Title III of the federal Uniting and
33     Strengthening America by Providing Appropriate Tools
34     Required to Intercept and Obstruct Terrorism Act of 2001
35     (USA Patriot Act; P.L. 107-56).
36         (13) The nonpublic personal information is released
1     either to a consumer reporting agency pursuant to the Fair
2     Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from
3     a consumer report reported by a consumer reporting agency.
4         (14) The nonpublic personal information is released in
5     connection with a written agreement between a consumer and
6     a broker-dealer registered under the Securities Exchange
7     Act of 1934 or an investment adviser registered under the
8     Investment Advisers Act of 1940 to provide investment
9     management services, portfolio advisory services, or
10     financial planning, and the nonpublic personal information
11     is released for the sole purpose of providing the products
12     and services covered by that agreement.
13     (c) Nothing in this Act is intended to change existing law
14     relating to access by law enforcement agencies to information
15     held by financial institutions.
 
16     Section 45. Application.
17     (a) The provisions of this Act do not apply to any person
18 or entity that meets the requirements of paragraph (1) or (2)
19 below. However, when nonpublic personal information is being or
20 will be shared by a person or entity meeting the requirements
21 of paragraph (1) or (2) with an affiliate or nonaffiliated
22 third party, this Act shall apply.
23         (1) The person or entity is licensed in one or both of
24     the following categories and is acting within the scope of
25     the respective license or certificate:
26             (A) As an insurance producer, certified under the
27         Illinois Insurance Code, as a registered investment
28         adviser under the Illinois Securities Law of 1953, or
29         as an investment adviser pursuant to Section
30         202(a)(11) of the federal Investment Advisers Act of
31         1940.
32             (B) Is licensed to sell securities by the National
33         Association of Securities Dealers (NASD).
34         (2) The person or entity meets the requirements in
35         paragraph (1) and has a written contractual agreement
1         with another person or entity described in paragraph
2         (1) and the contract clearly and explicitly includes
3         the following:
4             (A) The rights and obligations between the
5         licensees arising out of the business relationship
6         relating to insurance or securities transactions.
7             (B) An explicit limitation on the use of nonpublic
8         personal information about a consumer to transactions
9         authorized by the contract and permitted pursuant to
10         this Act.
11             (C) A requirement that transactions specified in
12         the contract fall within the scope of activities
13         permitted by the licenses of the parties.
14     (b) The restrictions on disclosure and use of nonpublic
15     personal information, and the requirement for notification and
16     disclosure provided in this Act, shall not limit the ability of
17     insurance producers and brokers to respond to written or
18     electronic, including telephone, requests from consumers
19     seeking price quotes on insurance products and services or to
20     obtain competitive quotes to renew an existing insurance
21     contract, provided that any nonpublic personal information
22     disclosed pursuant to this subsection shall not be used or
23     disclosed except in the ordinary course of business in order to
24     obtain those quotes.
25     (c)(1) The disclosure or sharing of personal information
26     from an insurer, as defined in Article XL of the Illinois
27     Insurance Code, or its affiliates to an agent whose contractual
28     or employment relationship requires that the agent offer only
29     the insurer's policies for sale or financial products or
30     services that meet the requirements of paragraph (2) of
31     subsection (b) of Section 20 and are authorized by the insurer,
32     or whose contractual or employment relationship with an insurer
33     gives the insurer the right of first refusal for all policies
34     of insurance by the agent, and who may not share nonpublic
35     personal information with any insurer other than the insurer
36     with whom the agent has a contractual or employment
1     relationship as described above, is not a violation of this
2     Act, provided that the agent may not disclose nonpublic
3     personal information to any party except as permitted by this
4     Act. An insurer or its affiliates do not disclose or share
5     nonpublic personal information with exclusive agents merely
6     because information is maintained in common information
7     systems or databases, and exclusive agents of the insurer or
8     its affiliates have access to those common information systems
9     or databases, provided that where a consumer has exercised his
10     or her rights to prohibit disclosure pursuant to this Act,
11     nonpublic personal information is not further disclosed or used
12     by an exclusive agent except as permitted by this Act.
13     (2) Nothing in this subsection is intended to affect the
14     sharing of information allowed in subsection (a) or subsection
15     (b).
 
16     Section 50. Negligence.
17     (a) An entity that negligently discloses or shares
18 nonpublic personal information in violation of this Act shall
19 be liable, irrespective of the amount of damages suffered by
20 the consumer as a result of that violation, for a civil penalty
21 not to exceed $2,500 per violation. However, if the disclosure
22 or sharing results in the release of nonpublic personal
23 information of more than one individual, the total civil
24 penalty awarded pursuant to this subsection shall not exceed
25 $500,000.
26     (b) An entity that knowingly and willfully obtains,
27 discloses, shares, or uses nonpublic personal information in
28 violation of this Act shall be liable for a civil penalty not
29 to exceed $2,500 per individual violation, irrespective of the
30 amount of damages suffered by the consumer as a result of that
31 violation.
32     (c) In determining the penalty to be assessed pursuant to a
33 violation of this Act, the court shall take into account the
34 following factors:
35         (1) The total assets and net worth of the violating
1     entity.
2         (2) The nature and seriousness of the violation.
3         (3) The persistence of the violation, including any
4     attempts to correct the situation leading to the violation.
5         (4) The length of time over which the violation
6     occurred.
7         (5) The number of times the entity has violated this
8     Act.
9         (6) The harm caused to consumers by the violation.
10         (7) The level of proceeds derived from the violation.
11         (8) The impact of possible penalties on the overall
12     fiscal solvency of the violating entity.
13     (d) In the event a violation of this Act results in the
14     identity theft of a consumer, as defined by Article 16g of the
15     Criminal Code, the civil penalties set forth in this Section
16     shall be doubled.
17     (e) The civil penalties provided for in this Section shall
18     be exclusively assessed and recovered in a civil action brought
19     in the name of the people of the State of Illinois in any court
20     of competent jurisdiction by any of the following:
21         (1) The Attorney General.
22         (2) The functional regulator with jurisdiction over
23     regulation of the financial institution as follows:
24             (A) In the case of banks, savings associations,
25         credit unions, commercial lending companies, and bank
26         holding companies, by the Department of Financial
27         Institutions or the Office of Banks and Real Estate, or
28         the appropriate federal authority;
29             (B) in the case of any person engaged in the
30         business of insurance, by the Department of Insurance;
31             (C) in the case of any investment broker or dealer,
32         investment company, investment advisor, residential
33         mortgage lender or finance lender, by the Illinois
34         Secretary of State; and
35             (D) in the case of a financial institution not
36         subject to the jurisdiction of any functional
1         regulator listed under subparagraphs (A) to (C),
2         inclusive, above, by the Attorney General.
 
3     Section 55. Authority of departments or agencies. Nothing
4 in this Act shall be construed as altering or annulling the
5 authority of any department or agency of the state to regulate
6 any financial institution subject to its jurisdiction.
 
7     Section 60. Severability. The provisions of this Act shall
8 be severable, and if any phrase, clause, sentence, or provision
9 is declared to be invalid or is preempted by federal law or
10 regulation, the validity of the remainder of this Act shall not
11 be affected thereby.