Sen. Chapin Rose

Filed: 5/29/2017

 

 

 

10000SB1035sam001 LRB100 07588 RJF 27311 a
1		AMENDMENT TO SENATE BILL 1035
2		AMENDMENT NO. ______. Amend Senate Bill 1035 by replacing
3		everything after the enacting clause with the following:
4		"Section 1. Short title. This Act may be cited as the
5		Illinois Right to Know Data Transparency and Privacy Protection
6		Act.
7		Section 5. Findings and purpose.
8		The General Assembly hereby finds and declares that the
9		right to privacy is a personal and fundamental right protected
10		by the United States Constitution. As such, all individuals
11		have a right to privacy in information pertaining to them. This
12		State recognizes the importance of providing consumers with
13		transparency about how their personal information, especially
14		information relating to their children, is shared by
15		businesses. This transparency is crucial for Illinois citizens
16		to protect themselves and their families from cyber-crimes and

10000SB1035sam001 - 2 - LRB100 07588 RJF 27311 a
1		identity thieves. Furthermore, for free market forces to have a
2		role in shaping the privacy practices and for "opt-in" and
3		"opt-out" remedies to be effective, consumers must be more than
4		vaguely informed that a business might share personal
5		information with third parties. Consumers must be better
6		informed about what kinds of personal information are shared
7		with other businesses. With these specifics, consumers can
8		knowledgeably choose to opt-in, opt-out, or choose among
9		businesses that disclose information to third parties on the
10		basis of how protective the business is of consumers' privacy.
11		Businesses are now collecting personal information and
12		sharing and selling it in ways not contemplated or properly
13		covered by the current law. Some websites are installing
14		tracking tools that record when consumers visit web pages, and
15		sending very personal information, such as age, gender, race,
16		income, health concerns, religion, and recent purchases to
17		third party marketers and data brokers. Third party data broker
18		companies are buying, selling, and trading personal
19		information obtained from mobile phones, financial
20		institutions, social media sites, and other online and brick
21		and mortar companies. Some mobile applications are sharing
22		personal information, such as location information, unique
23		phone identification numbers, and age, gender, and other
24		personal details with third party companies. As such, consumers
25		need to know the ways that their personal information is being
26		collected by companies and then shared or sold to third parties

10000SB1035sam001 - 3 - LRB100 07588 RJF 27311 a
1		in order to properly protect their privacy, personal safety,
2		and financial security.
3		Section 10. Definitions. As used in this Act:
4		"Categories of personal information" includes, but is not
5		limited to, the following:
6		(a) Identity information including, but not limited
7		to, real name, alias, nickname, and user name.
8		(b) Address information, including, but not limited
9		to, postal or e-mail.
10		(c) Telephone number.
11		(d) Account name.
12		(e) Social security number or other government-issued
13		identification number, including, but not limited to,
14		social security number, driver's license number,
15		identification card number, and passport number.
16		(f) Birthdate or age.
17		(g) Physical characteristic information, including,
18		but not limited to, height and weight.
19		(h) Sexual information, including, but not limited to,
20		sexual orientation, sex, gender status, gender identity,
21		and gender expression.
22		(i) Race or ethnicity.
23		(j) Religious affiliation or activity.
24		(k) Political affiliation or activity.
25		(l) Professional or employment-related information.

10000SB1035sam001 - 4 - LRB100 07588 RJF 27311 a
1		(m) Educational information.
2		(n) Medical information, including, but not limited
3		to, medical conditions or drugs, therapies, mental health,
4		or medical products or equipment used.
5		(o) Financial information, including, but not limited
6		to, credit, debit, or account numbers, account balances,
7		payment history, or information related to assets,
8		liabilities, or general creditworthiness.
9		(p) Commercial information, including, but not limited
10		to, records of property, products or services provided,
11		obtained, or considered, or other purchasing or consumer
12		histories or tendencies.
13		(q) Location information.
14		(r) Internet or mobile activity information,
15		including, but not limited to, Internet protocol addresses
16		or information concerning the access or use of any Internet
17		or mobile-based site or service.
18		(s) Content, including text, photographs, audio or
19		video recordings, or other material generated by or
20		provided by the customer.
21		(t) Any of the above categories of information as they
22		pertain to the children of the customer.
23		"Customer" means an individual residing in Illinois who
24		provides, either knowingly or unknowingly, personal
25		information to a private entity, with or without an exchange of
26		consideration, in the course of purchasing, viewing,

10000SB1035sam001 - 5 - LRB100 07588 RJF 27311 a
1		accessing, renting, leasing, or otherwise using real or
2		personal property, or any interest therein, or obtaining a
3		product or service from the private entity, including
4		advertising or any other content.
5		"Designated request address" means an e-mail address,
6		toll-free telephone number, or webform whereby customers may
7		request or obtain the information required to be provided under
8		Section 15 of this Act.
9		"Disclose" means to disclose, release, transfer, share,
10		disseminate, make available, or otherwise communicate orally,
11		in writing, or by electronic or any other means to any third
12		party. "Disclose" does not include the following:
13		(a) Disclosure of personal information by a private
14		entity to a third party under a written contract
15		authorizing the third party to utilize the personal
16		information to perform services on behalf of the private
17		entity, including maintaining or servicing accounts,
18		providing customer service, processing or fulfilling
19		orders and transactions, verifying customer information,
20		processing payments, providing financing, or similar
21		services, but only if the contract prohibits the third
22		party from using the personal information for any reason
23		other than performing the specified service or services on
24		behalf of the private entity and from disclosing any such
25		personal information to additional third parties.
26		(b) Disclosure of personal information by a business to

10000SB1035sam001 - 6 - LRB100 07588 RJF 27311 a
1		a third party based on a good-faith belief that disclosure
2		is required to comply with applicable law, regulation,
3		legal process, or court order.
4		(c) Disclosure of personal information by a private
5		entity to a third party that is reasonably necessary to
6		address fraud, security, or technical issues; to protect
7		the disclosing private entity's rights or property; or to
8		protect customers or the public from illegal activities as
9		required or permitted by law.
10		(d) Disclosure of personal information by a private
11		entity to a transportation network company driver or TNC
12		driver as defined under the Transportation Network
13		Providers Act.
14		"Operator" means any person or entity that owns a website
15		located on the Internet or an online service that collects and
16		maintains personal information from a customer residing in
17		Illinois who uses or visits the website or online service if
18		the website or online service is operated for commercial
19		purposes. "Operator" does not include businesses having 10 or
20		fewer employees or any third party that operates, hosts, or
21		manages, but does not own, a website or online service on the
22		owner's behalf or by processing information on behalf of the
23		owner.
24		"Personal information" means any information that
25		identifies, relates to, describes, or is capable of being
26		associated with, a particular individual, including, but not

10000SB1035sam001 - 7 - LRB100 07588 RJF 27311 a
1		limited to, his or her name, signature, physical
2		characteristics or description, address, telephone number,
3		passport number, driver's license or State identification card
4		number, insurance policy number, education, employment,
5		employment history, bank account number, credit card number,
6		debit card number, or any other financial information.
7		"Personal information" also means any data or information
8		pertaining to an individual's income, assets, liabilities,
9		purchases, leases, or rentals of goods, services, or real
10		property, if that information is disclosed, or is intended to
11		be disclosed, with any identifying information, such as the
12		individual's name, address, telephone number, or social
13		security number.
14		"Third party" or "third parties" means (i) a private entity
15		that is a separate legal entity from the private entity that
16		has disclosed personal information; (ii) a private entity that
17		does not share common ownership or common corporate control
18		with the private entity that has disclosed personal
19		information; or (iii) a private entity that does not share a
20		brand name or common branding with the private entity that has
21		disclosed personal information such that the affiliate
22		relationship is clear to the customer.
23		Section 15. Notification of information sharing practices.
24		An operator of a commercial website or online service that
25		collects personal information through the Internet about

10000SB1035sam001 - 8 - LRB100 07588 RJF 27311 a
1		individual customers residing in Illinois who use or visit its
2		commercial website or online service shall, in its customer
3		agreement or incorporated addendum or in another conspicuous
4		location on its website or online service platform where
5		similar notices are customarily posted: (i) identify all
6		categories of personal information that the operator collects
7		through the website or online service about individual
8		customers who use or visit its commercial website or online
9		service; and (ii) provide a description of a customer's rights,
10		as required under Section 25 of this Act, accompanied by one or
11		more designated request addresses.
12		Section 20. Disclosure of a customer's personal
13		information to a third party.
14		(a) An operator that discloses personal information to a
15		third party shall make the following information available to a
16		customer upon request free of charge:
17		(1) the categories of personal information that were
18		disclosed about the customer, and the name or names of all
19		third parties that received the customer's personal
20		information; or
21		(2) all categories of personal information about
22		customers that were disclosed, and the name or names of all
23		third parties that received any customer's personal
24		information.
25		(b) This Section applies only to personal information

10000SB1035sam001 - 9 - LRB100 07588 RJF 27311 a
1		disclosed after the effective date of this Act.
2		Section 25. Information availability service.
3		(a) An operator required to comply with Section 20 shall
4		make the required information available by providing a
5		designated request address in its customer agreement or
6		incorporated addendum or in another conspicuous location on its
7		website or online service platform where similar notices are
8		customarily posted, and, upon receipt of a request under this
9		Section, shall provide the customer with the information
10		required under Section 20 for all disclosures occurring in the
11		prior 12 months.
12		(b) An operator that receives a request from a customer
13		under this Section at one of the designated addresses shall
14		provide a response to the customer within 30 days.
15		(c) An operator shall not be required to respond to a
16		request made by the same customer more than once in a given
17		12-month period.
18		(d) Notwithstanding the provisions of this Section, a
19		parent or legal guardian of a customer under the age of 18 may
20		submit a request under this Section on behalf of that customer.
21		An operator shall not be required to respond to a request made
22		by the same parent or legal guardian on behalf of a customer
23		under the age of 18 more than once within a given 12-month
24		period.

10000SB1035sam001 - 10 - LRB100 07588 RJF 27311 a
1		Section 30. Violation. A violation of this Act constitutes
2		a violation of the Consumer Fraud and Deceptive Business
3		Practices Act. The Office of the Attorney General shall have
4		sole enforcement authority of the provisions of this Act and
5		may enforce a violation of this Act as an unlawful practice
6		under the Consumer Fraud and Deceptive Business Practices Act.
7		An operator in violation of this Act shall have 90 days after
8		being notified of a violation to rectify that violation before
9		the Attorney General seeks an enforcement action against that
10		operator.
11		Section 35. Waivers; contracts. Any waiver of the
12		provisions of this Act shall be void and unenforceable.
13		Section 40. Construction.
14		(a) Nothing in this Act shall be construed to conflict with
15		the federal Health Insurance Portability and Accountability
16		Act of 1996 and the rules promulgated under that Act.
17		(b) Nothing in this Act shall be deemed to apply in any
18		manner to a financial institution or an affiliate of a
19		financial institution that is subject to Title V of the federal
20		Gramm-Leach-Bliley Act of 1999 and the rules promulgated under
21		that Act.
22		(c) Nothing in this Act shall be construed to apply to any
23		State agency, federal agency, unit of local government, or any
24		contractor, subcontractor, or agent thereof, when working for

10000SB1035sam001 - 11 - LRB100 07588 RJF 27311 a
1		that State agency, federal agency, or unit of local government.
2		(d) Nothing in this Act shall be construed to apply to any
3		entity recognized as a tax-exempt organization under 501(c)(3)
4		or 501(c)(4) of the Internal Revenue Code of 1986.
5		(e) Nothing in this Act shall be construed to apply to: (i)
6		internet, wireless, or telecommunications service providers;
7		or (ii) a public utility, an alternative retail electric
8		supplier, or an alternative gas supplier, as those terms are
9		defined in Sections 3-105, 16-102, and 19-105 of the Public
10		Utilities Act, or an electric cooperative, as defined in
11		Section 3.4 of the Electric Supplier Act.
12		(f) Nothing in this Act shall be construed to apply to: (i)
13		a hospital operated under the Hospital Licensing Act; (ii) a
14		hospital affiliate, as defined under the Hospital Licensing
15		Act; or (iii) a hospital operated under the University of
16		Illinois Hospital Act.".