Rep. Arthur Turner

Filed: 4/4/2017





10000HB2774ham004LRB100 08020 RJF 24758 a


2    AMENDMENT NO. ______. Amend House Bill 2774, AS AMENDED, by
3replacing everything after the enacting clause with the
5    "Section 1. Short title. This Act may be cited as the Right
6to Know Act.
7    Section 5. Findings and purpose.
8    The General Assembly hereby finds and declares that the
9right to privacy is a personal and fundamental right protected
10by the United States Constitution. As such, all individuals
11have a right to privacy in information pertaining to them. This
12State recognizes the importance of providing consumers with
13transparency about how their personal information, especially
14information relating to their children, is shared by
15businesses. This transparency is crucial for Illinois citizens
16to protect themselves and their families from cyber-crimes and



10000HB2774ham004- 2 -LRB100 08020 RJF 24758 a

1identity thieves. Furthermore, for free market forces to have a
2role in shaping the privacy practices and for "opt-in" and
3"opt-out" remedies to be effective, consumers must be more than
4vaguely informed that a business might share personal
5information with third parties. Consumers must be better
6informed about what kinds of personal information are shared
7with other businesses. With these specifics, consumers can
8knowledgeably choose to opt-in, opt-out, or choose among
9businesses that disclose information to third parties on the
10basis of how protective the business is of consumers' privacy.
11    Businesses are now collecting personal information and
12sharing and selling it in ways not contemplated or properly
13covered by the current law. Some websites are installing
14tracking tools that record when consumers visit web pages, and
15sending very personal information, such as age, gender, race,
16income, health concerns, religion, and recent purchases to
17third party marketers and data brokers. Third party data broker
18companies are buying, selling, and trading personal
19information obtained from mobile phones, financial
20institutions, social media sites, and other online and brick
21and mortar companies. Some mobile applications are sharing
22personal information, such as location information, unique
23phone identification numbers, and age, gender, and other
24personal details with third party companies. As such, consumers
25need to know the ways that their personal information is being
26collected by companies and then shared or sold to third parties



10000HB2774ham004- 3 -LRB100 08020 RJF 24758 a

1in order to properly protect their privacy, personal safety,
2and financial security.
3    Section 10. Definitions. As used in this Act:
4    "Categories of personal information" includes, but is not
5limited to, the following:
6        (a) Identity information including, but not limited
7    to, real name, alias, nickname, and user name.
8        (b) Address information, including, but not limited
9    to, postal or e-mail.
10        (c) Telephone number.
11        (d) Account name.
12        (e) Social security number or other government-issued
13    identification number, including, but not limited to,
14    social security number, driver's license number,
15    identification card number, and passport number.
16        (f) Birthdate or age.
17        (g) Physical characteristic information, including,
18    but not limited to, height and weight.
19        (h) Sexual information, including, but not limited to,
20    sexual orientation, sex, gender status, gender identity,
21    and gender expression.
22        (i) Race or ethnicity.
23        (j) Religious affiliation or activity.
24        (k) Political affiliation or activity.
25        (l) Professional or employment-related information.



10000HB2774ham004- 4 -LRB100 08020 RJF 24758 a

1        (m) Educational information.
2        (n) Medical information, including, but not limited
3    to, medical conditions or drugs, therapies, mental health,
4    or medical products or equipment used.
5        (o) Financial information, including, but not limited
6    to, credit, debit, or account numbers, account balances,
7    payment history, or information related to assets,
8    liabilities, or general creditworthiness.
9        (p) Commercial information, including, but not limited
10    to, records of property, products or services provided,
11    obtained, or considered, or other purchasing or consumer
12    histories or tendencies.
13        (q) Location information.
14        (r) Internet or mobile activity information,
15    including, but not limited to, Internet protocol addresses
16    or information concerning the access or use of any Internet
17    or mobile-based site or service.
18        (s) Content, including text, photographs, audio or
19    video recordings, or other material generated by or
20    provided by the customer.
21        (t) Any of the above categories of information as they
22    pertain to the children of the customer.
23    "Customer" means an individual residing in Illinois who
24provides, either knowingly or unknowingly, personal
25information to a private entity, with or without an exchange of
26consideration, in the course of purchasing, viewing,



10000HB2774ham004- 5 -LRB100 08020 RJF 24758 a

1accessing, renting, leasing, or otherwise using real or
2personal property, or any interest therein, or obtaining a
3product or service from the private entity, including
4advertising or any other content.
5    "Designated request address" means an e-mail address or
6toll-free telephone number whereby customers may request or
7obtain the information required to be provided under Section 15
8of this Act.
9    "Disclose" means to disclose, release, transfer, share,
10disseminate, make available, or otherwise communicate orally,
11in writing, or by electronic or any other means to any third
12party. "Disclose" does not include the following:
13        (a) Disclosure of personal information by a private
14    entity to a third party under a written contract
15    authorizing the third party to utilize the personal
16    information to perform services on behalf of the private
17    entity, including maintaining or servicing accounts,
18    providing customer service, processing or fulfilling
19    orders and transactions, verifying customer information,
20    processing payments, providing financing, or similar
21    services, but only if (i) the contract prohibits the third
22    party from using the personal information for any reason
23    other than performing the specified service or services on
24    behalf of the private entity and from disclosing any such
25    personal information to additional third parties; and (ii)
26    the private entity effectively enforces these



10000HB2774ham004- 6 -LRB100 08020 RJF 24758 a

1    prohibitions.
2        (b) Disclosure of personal information by a business to
3    a third party based on a good-faith belief that disclosure
4    is required to comply with applicable law, regulation,
5    legal process, or court order.
6        (c) Disclosure of personal information by a private
7    entity to a third party that is reasonably necessary to
8    address fraud, security, or technical issues; to protect
9    the disclosing private entity's rights or property; or to
10    protect customers or the public from illegal activities as
11    required or permitted by law.
12    "Operator" means any person or entity that owns a website
13located on the Internet or an online service that collects and
14maintains personal information from a customer residing in
15Illinois who uses or visits the website or online service if
16the website or online service is operated for commercial
17purposes. "Operator" does not include businesses having 5 or
18fewer employees or any third party that operates, hosts, or
19manages, but does not own, a website or online service on the
20owner's behalf or by processing information on behalf of the
22    "Personal information" means any information that
23identifies, relates to, describes, or is capable of being
24associated with, a particular individual, including, but not
25limited to, his or her name, signature, physical
26characteristics or description, address, telephone number,



10000HB2774ham004- 7 -LRB100 08020 RJF 24758 a

1passport number, driver's license or State identification card
2number, insurance policy number, education, employment,
3employment history, bank account number, credit card number,
4debit card number, or any other financial information.
5"Personal information" also means any data or information
6pertaining to an individual's income, assets, liabilities,
7purchases, leases, or rentals of goods, services, or real
8property, if that information is disclosed, or is intended to
9be disclosed, with any identifying information, such as the
10individual's name, address, telephone number, or social
11security number.
12    "Third party" or "third parties" means (i) a private entity
13that is a separate legal entity from the private entity that
14has disclosed personal information; (ii) a private entity that
15does not share common ownership or common corporate control
16with the private entity that has disclosed personal
17information; or (iii) a private entity that does not share a
18brand name or common branding with the private entity that has
19disclosed personal information such that the affiliate
20relationship is clear to the customer.
21    Section 15. Notification of information sharing practices.
22An operator of a commercial website or online service that
23collects personal information through the Internet about
24individual customers residing in Illinois who use or visit its
25commercial website or online service shall, in its customer



10000HB2774ham004- 8 -LRB100 08020 RJF 24758 a

1agreement or incorporated addendum: (i) identify all
2categories of personal information that the operator collects
3through the website or online service about individual
4customers who use or visit its commercial website or online
5service; (ii) identify all categories of third party persons or
6entities with whom the operator may disclose that personal
7information; and (iii) provide a description of a customer's
8rights, as required under Section 25 of this Act, accompanied
9by one or more designated request addresses.
10    Section 20. Disclosure of a customer's personal
11information to a third party.
12    (a) An operator that discloses a customer's personal
13information to a third party shall make the following
14information available to the customer free of charge:
15        (1) all categories of personal information that were
16    disclosed; and
17        (2) the names of all third parties that received the
18    customer's personal information.
19    (b) This Section applies only to personal information
20disclosed after the effective date of this Act.
21    Section 25. Information availability service.
22    (a) An operator required to comply with Section 20 shall
23make the required information available by providing a
24designated request address in its customer agreement or



10000HB2774ham004- 9 -LRB100 08020 RJF 24758 a

1incorporated addendum, and, upon receipt of a request under
2this Section, shall provide the customer with the information
3required under Section 20 for all disclosures occurring in the
4prior 12 months.
5    (b) An operator that receives a request from a customer
6under this Section at one of the designated addresses shall
7provide a response to the customer within 30 days.
8    (c) The parent or legal guardian of a customer under the
9age of 18 may submit a request under this Section on behalf of
10that customer.
11    (d) An operator shall not be required to respond to a
12request made by the same customer more than once within a given
1312-month period.
14    Section 30. Violation; right of action. A violation of this
15Act constitutes a violation of the Consumer Fraud and Deceptive
16Business Practices Act. Any lawsuits filed under the Consumer
17Fraud and Deceptive Business Practices Act for a violation of
18this Act shall only be filed by the Office of the Attorney
19General or the appropriate State's Attorney's Office on behalf
20of the plaintiff. On any award granted for a violation of this
21Act, the amount awarded shall be deposited into the
22Cyber-secure Illinois Educational Advancement Fund created by
23this Act. Any operator bound to the requirements of this Act
24that makes a good faith effort to respond to a customer's
25request for information under Section 25 shall not be liable



10000HB2774ham004- 10 -LRB100 08020 RJF 24758 a

1for a violation of this Act. Any person whose rights under this
2Act are violated shall also have, in addition to any rights
3under the Consumer Fraud and Deceptive Business Practices Act,
4a right of action against an offending party to seek injunctive
5relief, if appropriate. Nothing in this Section shall prevent a
6person from seeking a right of action for a violation of the
7Biometric Information Privacy Act or otherwise seeking relief
8under the Code of Civil Procedure.
9    Section 35. The Cyber-secure Illinois Educational
10Advancement Fund. The Cyber-secure Illinois Educational
11Advancement Fund is created as a special fund in the State
12Treasury. All moneys in the Fund shall be appropriated for the
13public interest by the State of Illinois university system to
14fund the enhancement and creation of partnerships between
15employers, schools, and community organizations that focus on
16cyber security skill shortages and the education of the next
17generation of cyber security experts in the State of Illinois.
18    Section 40. Waivers; contracts. Any waiver of the
19provisions of this Act shall be void and unenforceable. Any
20agreement that does not comply with the applicable provisions
21of this Act shall be void and unenforceable.
22    Section 45. Construction.
23    (a) Nothing in this Act shall be construed to conflict with



10000HB2774ham004- 11 -LRB100 08020 RJF 24758 a

1the federal Health Insurance Portability and Accountability
2Act of 1996 and the rules promulgated under that Act.
3    (b) Nothing in this Act shall be deemed to apply in any
4manner to a financial institution or an affiliate of a
5financial institution that is subject to Title V of the federal
6Gramm-Leach-Bliley Act of 1999 and the rules promulgated under
7that Act.
8    (c) Nothing in this Act shall be deemed to apply to the
9activities of an individual or entity to the extent that those
10activities are subject to Section 222 or 631 of the federal
11Communications Act of 1934.
12    (d) Nothing in this Act shall be construed to apply to any
13State agency, federal agency, unit of local government, or any
14contractor, subcontractor, or agent thereof, when working for
15that State agency, federal agency, or unit of local government.
16    (e) Nothing in this Act shall be construed to apply to any
17entity recognized as a tax-exempt organization under 501(c)(3)
18or 501(c)(4) of the Internal Revenue Code of 1986.
19    (f) Nothing in this Act shall be construed to apply to a
20public utility, an alternative retail electric supplier, or an
21alternative gas supplier, as those terms are defined in
22Sections 3-105, 16-102, and 19-105 of the Public Utilities Act.
23    Section 100. The State Finance Act is amended by adding
24Section 5.878 as follows:



10000HB2774ham004- 12 -LRB100 08020 RJF 24758 a

1    (30 ILCS 105/5.878 new)
2    Sec. 5.878. The Cyber-secure Illinois Educational
3Advancement Fund.".