101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2330

Introduced 1/8/2020, by Sen. Thomas Cullerton

SYNOPSIS AS INTRODUCED:

New Act

    Creates the Data Transparency and Privacy Act. Provides that any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer to whom the information refers or belongs of specific information in the service agreement or somewhere readily accessible on the business' website or mobile application. Establishes a "right to know" for consumers and prescribes types of information that they may request of businesses. Provides that consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates. Provides that consumers have the right to request that a business correct inaccurate personal information about the consumer or delete personal information about the consumer. Prescribes a protocol for the handling of consumer requests by businesses. Prescribes pricing incentives and prohibitions against discrimination. Provides that businesses, affiliates, and third parties must conduct risk assessments and provides requirements for the assessments. Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. Provides that any waiver of the provisions of the Act is void and unenforceable. Contains home rule preemption and severability provisions. Effective July 1, 2021.

LRB101 16295 KTG 65668 b

A BILL FOR

SB2330    LRB101 16295 KTG 65668 b

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

    Section 5. Findings. The General Assembly finds and declares that:
        (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information is stored, used, and shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
        (2) Businesses are now collecting, sharing, and selling personal information in ways not contemplated or properly covered by current law.
            (a) Some websites install tracking tools that record when consumers visit web pages and send personal information collected to third party marketers and data brokers.
            (b) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.
            (c) Social media companies, credit agencies and retail stores have all had their internal security systems breached, resulting in consumers' personal information being stolen and sold on the black market.
        (3) Illinois consumers must be better informed about what kinds of personal information are collected, how information is shared with third parties, and how businesses store consumers' personal information. With this specific information, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy in order to properly protect their privacy, property, personal safety, and financial security.
 
    Section 10. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.
    "Business" means any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois and meets one or more of the following thresholds:
        (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof.
        (2) The business derives 50% or more of its annual revenues from selling consumers' personal information.
    "Business" does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.
    "Categories of sources" means types of entities from which a business collects personal information about consumers, including, but not limited to, the consumer directly, government entities from which public records are obtained, and consumer data resellers.
    "Categories of third parties" means types of entities that do not collect personal information directly from consumers, including, but not limited to, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.
    "Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.
    "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
        (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
        (2) Has implemented business processes that specifically prohibit reidentification of the information.
        (3) Has implemented business processes to prevent inadvertent release of deidentified information.
        (4) Makes no attempt to reidentify the information.
    "Designated request address" means an electronic mail address, online form, mailing address, or toll-free telephone number that a consumer may use to request information, opt out of the sale or disclosure of personal information, or correct or delete personal information, as required to be provided under this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party. "Disclose" does not include:
        (1) Disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by a business to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers and subject to the same restrictions imposed by this subsection.
        (2) Disclosure of personal information by a business to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
        (3) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing business' right or property; or to protect consumers or the public from illegal activities.
        (4) Disclosure of personal information by a business to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the business, to a third party.
    "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
        (1) Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, state identification number, passport number, physical characteristics or description, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, health insurance information, or other similar identifiers.
        (2) Characteristics of protected classifications under Illinois or federal law.
        (3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
        (4) Biometric information.
        (5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application or advertisement.
        (6) Geolocation data.
        (7) Audio, electronic, visual, thermal, olfactory, or similar information.
        (8) Professional or employment-related information.
        (9) Educational information.
        (10) Inferences drawn from any of the information identified in this Section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    "Personal information" does not include publicly available information which the business obtained directly from records lawfully made available from federal, state, or local government records. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.
    "Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
    "Request" means a consumer right set forth in this Act including one or more of the following: (i) for the disclosure of information regarding a consumer's personal information; (ii) the opt out of sale or disclosure of a consumer's personal information; (iii) the correction of inaccurate personal information; and (iv) the deletion of personal information.
    "Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by a business to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes. "Sale" or "sell" does not include circumstances in which:
        (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party or affiliate, provided the third party or affiliate does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
        (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties or affiliates that the consumer has opted out of the sale of the consumer's personal information.
        (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purposes.
        (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party or affiliate assumes control of all or part of the business, provided that information is used or shared consistently with this Act. If a third party or affiliate materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistent with Section 20 and Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
        (5) A business uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.
        (6) The disclosure or transfer of personal information to an affiliate of the business.
    "Service provider" means the natural or legal person that processes personal information on behalf of the business.
    "Third party" means a business that is: (1) not an affiliate of the business that has collected, disclosed, or sold personal information; or (2) an affiliate with the business that has collected, disclosed, or sold personal information and the affiliate relationship is not clear to the consumer.
 
    Section 15. Right to transparency. Any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer of the following in the service agreement or somewhere readily accessible on the business' website or mobile application:
        (1) All categories of personal information and deidentified information that the business processes about individual consumers;
        (2) All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;
        (3) The process in which an individual consumer may:
            (A) review the personal information collected by the business;
            (B) request changes to inaccurate personal information;
            (C) opt out of the disclosure or sale of personal information; and
            (D) request deletion of personal information; and
        (4) The process in which the business notifies consumers of material changes to the notice required to be made available under this Section.
 
    Section 20. Right to know. Consumers may request the following information of businesses:
        (1) Copies of specific pieces of personal information about the consumer processed by the business.
        (2) Categories of sources for the personal information processed.
        (3) Name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.

    Section 25. Right to opt out, correct, and delete. Consumers have the following rights concerning their personal information:
        (1) The right to request to opt out of the following:
            (A) the disclosure of personal information from the business to third parties and affiliates;
            (B) the sale of personal information from the business to third parties and affiliates; and
            (C) the processing of personal information by the business, third parties, and affiliates.
        (2) The right to request that a business correct inaccurate personal information about the consumer.
        (3) The right to request that a business delete personal information about the consumer.
 
    Section 30. Consumer requests and business responses.
    (a) Businesses shall establish a process for collecting consumer requests and reasonably authenticating consumers making the requests and reasonably authenticating any request to correct inaccurate personal information. The method by which a consumer may submit a request under Section 20 and Section 25 shall be done in a form and manner determined by the business in a way that is not overly burdensome on the consumer.
    (b) A business shall post on its website, online service, and within any mobile application, a link to a designated request address web page maintained by the business for the purpose of collecting and processing consumer requests. The business shall also post a designated request street address for consumers to submit requests by mail.
    (c) A parent or legal guardian of a consumer under the age of 13 may submit a request on behalf of that consumer.
    (d) A business that receives a request from a consumer through a designated request address shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required or confirmation of the consumer's opt out, correction or deletion request and business' compliance.
        (1) The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.
        (2) A business that has received a request to opt out of the disclosure or sale of a consumer's personal information shall be prohibited from selling or disclosing that consumer's personal information after its receipt of the consumer's request, unless the consumer subsequently provides express authorization for the sale or disclosure of the consumer's personal information.
        (3) A business that receives a request to delete the consumer's personal information, shall delete the consumer's personal information from its records and direct any third party or affiliate with whom the personal information was disclosed, to delete the consumer's personal information from their records.
        (4) A business shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business to maintain the consumer's personal information in order to:
            (i) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
            (ii) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
            (iii) Debug to identify and repair errors that impair existing intended functionality.
            (iv) Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
            (v) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
            (vi) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
            (vii) Comply with a legal obligation.
            (viii) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
    (e) A business must provide a response to the consumer within 45 days of a request under Section 20 and Section 25.
        (1) The business shall promptly take steps to verify the request, but shall not extend the business' duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.
        (2) The disclosure shall cover at least the 12-month period preceding the business' receipt of the request. The business shall not require the consumer to create an account with the business in order to make a request.
        (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any consumer request is manifestly unfounded or excessive.
    (f) A business shall not be required to respond to a request made by or on behalf of the same consumer more than once in any 12-month period.
 
    Section 35. Businesses, affiliates, and third parties.
    (a) A business is not required to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
    (b) A business shall not reidentify any deidentified consumer information, unless the consumer subsequently provides express authorization for reidentification of deidentified information.
    (c) A business shall not sell the personal information of any consumer for which the business has actual knowledge that the consumer is less than 16 years of age. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
    (d) A business shall not use a consumer's personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer's personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
    (e) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.
    (f) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.
    (g) Affiliates and third parties shall not sell consumer personal information purchased from a business unless the consumer has received notice and is provided an opportunity to opt out of the resale of the consumer's personal information.
    (h) Pricing incentives and prohibition of discrimination.
        (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights in this Act, including, but not limited to:
            (A) Denying goods or services to the consumer.
            (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
            (C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this Act.
            (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
        (2) Nothing shall prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.
        (3) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.
            (A) A business that offers any financial incentives regarding consumer personal information or deidentified information, shall notify consumers of the financial incentives in the consumer service agreement, website, online service or mobile application.
            (B) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
            (C) A business shall not use financial incentive practices that are unjust, unreasonable, or coercive.
    (i) A business that discloses personal information to a service provider shall not be liable under this Act if the service provider receiving the personal information uses it in violation of the restrictions set forth in the Act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this Act for the obligations of a business for which it provides services as set forth in this Act.
    (j) The obligations imposed on businesses by this Act do not restrict a business' ability to:
        (1) Comply with federal, state, or local laws, rules, regulations, or enforceable guidance.
        (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
        (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
        (4) Exercise or defend legal claims.
        (5) Prevent, detect, or respond to identity theft, fraud, or other malicious or illegal activity.
        (6) Collect, use, retain, sell, or disclose consumer's personal information that is deidentified or in the aggregate consumer information.
    (k) Businesses, affiliates, and third parties shall take reasonable measures to protect customer's personal information from unauthorized use, disclosure, or access.
        (1) In implementing security measures required by this subsection, a business, affiliate, and third party shall take into account each of the following factors:
            (A) The nature and scope of the business', affiliate's, or third party's activities;
            (B) The sensitivity of the data processed;
            (C) The size of the business, affiliate, or third party; and
            (D) The technical feasibility of the security measures.
        (2) A business, affiliate, or third party may employ any lawful measure that allows the business, affiliate, or third party to comply with the requirements of this subsection.
    (l) Risk assessments.
        (1) Businesses, affiliates, and third parties must conduct, to the extent not previously conducted, a risk assessment of each of their processing activities involving personal information and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Such risk assessments must take into account the type of personal data to be processed by the business, affiliate, or third party, including the extent to which the personal information is sensitive information or otherwise sensitive in nature, and the context in which the personal information is to be processed.
        (2) Risk assessments conducted under subsection (a) must identify and weigh the benefits that may flow directly and indirectly from the processing to the business, consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the business to reduce such risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the business, affiliate, or third party and the consumer whose personal data will be processed, must factor into this assessment by the business, affiliate, or third party.
        (3) If the risk assessment conducted under subsection (a) of this Section determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the business, consumer, other stakeholders, and the public in processing the personal information of the consumer, the business may only engage in such processing with the consent of the consumer or if another exemption under this Act applies. To the extent the business seeks consumer consent for processing, such consent shall be as easy to withdraw as to give.
        (4) Processing for a business purpose shall be presumed to be permissible unless: (i) it involves the processing of sensitive data; and (ii) the risk of processing cannot be reduced through the use of appropriate administrative and technical safeguards.
        (5) The business, affiliate, and third party must make the risk assessment available to the Office of the Attorney General upon request. Risk assessments are confidential and exempt from public inspection and copying under the Freedom of Information Act.
 
    Section 40. Enforcement.
    (a) Private right of action.
        (1) Any consumer whose unencrypted or unredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
            (A) To recover damages in an amount not less than $100 and not greater than $750 per customer per incident or actual damages, whichever is greater.
            (B) Injunctive or declaratory relief.
            (C) Any other relief the court deems proper.
        (2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
        (3) Nothing in this Act shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or Illinois Constitution.
    (b) Attorney General enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General has authority to enforce this Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available to the Attorney General under the Consumer Fraud and Deceptive Business Practices Act.
 
    Section 45. Applicability.
    (a) This Act does not apply to personal information collected, processed, sold, or disclosed under:
        (1) The Gramm-Leach-Bliley Act, and the rules promulgated under that Act.
        (2) The Health Insurance Portability and Accountability Act of 1996, and the rules promulgated under that Act.
        (3) The Fair Credit Reporting Act, and the rules promulgated under that Act.
    (b) Nothing in this Act restricts a business' ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
 
    Section 50. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable.
 
    Section 55. Home rule preemption. Except as otherwise provided in this Act, the regulation of the activities described in this Act are the exclusive powers and functions of the State. Except as otherwise provided in this Act, a unit of local government, including a home rule unit, may not regulate the activities described in this Act. This Section is a denial and limitation of home rule powers and functions under subsection (h) of Section 6 of Article VII of the Illinois Constitution.
 
    Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.
 
    Section 99. Effective date. This Act takes effect July 1, 2021.