State of Illinois
2021 and 2022


Introduced 2/17/2021, by Rep. Kambium Buckner


New Act

    Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government. Provides findings and purpose. Defines terms.

LRB102 14514 RJF 19867 b





HB2404 LRB102 14514 RJF 19867 b

    AN ACT concerning regulation.
    Be it enacted by the People of the State of Illinois, represented in the General Assembly:
    Section 1. Short title. This Act may be cited as the Right to Know Act.
    Section 5. Findings and purpose.
    The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
    Section 10. Definitions. As used in this Act:
    "Categories of personal information" includes, but is not limited to, the following:
        (a) Identity information including, but not limited to, real name, alias, nickname, and user name.
        (b) Address information, including, but not limited to, postal or e-mail.
        (c) Telephone number.
        (d) Account name.
        (e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
        (f) Birthdate or age.
        (g) Physical characteristic information, including, but not limited to, height and weight.
        (h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
        (i) Race or ethnicity.
        (j) Religious affiliation or activity.
        (k) Political affiliation or activity.
        (l) Professional or employment-related information.
        (m) Educational information.
        (n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
        (o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
        (p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
        (q) Location information.
        (r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
        (s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
        (t) Any of the above categories of information as they pertain to the children of the customer.
    "Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
    "Designated request address" means an e-mail address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:
        (a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties, and (ii) the private entity effectively enforces these prohibitions.
        (b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
        (c) Disclosure of personal information by a private entity to a third party (i) that is reasonably necessary to address fraud, security, or technical issues, (ii) to protect the disclosing private entity's rights or property, or (iii) to protect customers or the public from illegal activities as required or permitted by law.
    "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
    "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.
    "Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information, (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information, or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.
    Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service, (ii) identify all categories of third party persons or entities with whom the operator may disclose that personally identifiable information, and (iii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request
    Section 20. Disclosure of a customer's personal information to a third party.
    (a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
        (1) all categories of personal information that were disclosed; and
        (2) the names of all third parties that received the customer's personal information.
    (b) This Section applies only to personal information disclosed after the effective date of this Act.
    Section 25. Information availability service.
    (a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.
    (b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.




    Section 30. Data protection safety plan. Each manufacturer or company doing business in this State, or which collects personal information from customers who are residents of this State, shall develop a safety plan for the protection of customer data.
    Section 35. Right of action. Any person whose rights under this Act are violated shall have a right of action against an offending party, and shall recover: (i) liquidated damages of $10 or actual damages, whichever is greater; (ii) injunctive relief, if appropriate; and (iii) reasonable attorneys' fees, costs, and expenses.
    Section 40. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.
    Section 45. Construction.
    (a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
    (b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.
    (c) Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.
    (d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.