Sen. Thomas Cullerton

Filed: 4/12/2021

 

 


 

 


 
10200SB0731sam003LRB102 17247 KTG 25022 a

1
AMENDMENT TO SENATE BILL 731

2    AMENDMENT NO. ______. Amend Senate Bill 731 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the Do
5Not Track Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Anonymous data" means data which does not relate to an
8identified or identifiable user. Identifiable data may be
9rendered anonymous data if it has become de-identified to an
10extent that no user can be singled out or identified, either
11directly or indirectly, by that data alone or in combination
12with other data. To determine whether a user can be identified
13from the data, account should be taken of all means reasonably
14likely to be used by any party to identify the user. Data that
15has been re-identified, is shown to be capable of
16re-identification, or that is capable of being used for

 

 

10200SB0731sam003- 2 -LRB102 17247 KTG 25022 a

1personalization or profiling a user or a device used by a user
2is not anonymous data.
3    "Collect" means to receive identifiable data in a network
4interaction and to retain that data after the network
5interaction is complete.
6    "Commission" means the Federal Trade Commission.
7    "Context" means a website or similar online resource, or a
8connected set of such resources. A connected set of resources
9that are controlled by the same party or jointly controlled by
10a set of parties can constitute a single context if a user
11would reasonably expect them to form a single context. Factors
12relevant to determining whether such a reasonable expectation
13exists include, but are not limited to, whether they share
14prominent branding, provide connected and integrated
15user-facing features, are offered under the same domain name
16or through a single app, use the same sign-in credentials, and
17are marketed or sold as a single product or service.
18    "De-identify" means to alter data such that the likelihood
19of identifying a user from the data is reduced.
20De-identification includes a range of techniques and differing
21levels or re-identification risk. Data that is fully
22de-identified such that it becomes anonymous data is no longer
23identifiable data. Data that is de-identified to a lesser
24extent remains identifiable data.
25    "Do-not-track signal" means a signal sent by a web browser
26or similar user agent that conveys a user's choice regarding

 

 

10200SB0731sam003- 3 -LRB102 17247 KTG 25022 a

1online tracking, reflects a deliberate choice by the user, and
2otherwise complies with the latest Tracking Preference
3Expression (DNT) specifications published by the World Wide
4Web Consortium.
5    "First party" means, with respect to a given user action,
6a party with which the user intends to interact, via one or
7more network interactions, as a result of that action.
8        (1) Typically, when a user visits a website, the first
9    party is the organization identified in the website URL or
10    whose branding is most prominent on the website.
11        (2) More than one party can be a first party with
12    regard to a given user action.
13        (3) The mere presence of a first party's website of
14    embedded content from another party does not make that
15    other party a first party, and merely hovering over,
16    muting, pausing, or closing a given piece of content does
17    not constitute a user's intent to interact with a party.
18    When a user visits an organization's website that displays
19    advertisements from a third-party ad network, the
20    organization is a first party and the ad network is a third
21    party. When a user signs into an organization's website
22    using a sign-in method provided by another party, the
23    organization is a first party and the sign-in provider is
24    a third party with respect to user actions in that
25    website.
26    "Identifiable data" means data from which the user can be

 

 

10200SB0731sam003- 4 -LRB102 17247 KTG 25022 a

1singled out or identified, directly or indirectly, by that
2data alone or in combination with other data. Identifiable
3data includes, but is not limited to, a user's contact
4information, such as email addresses and phone numbers, unique
5persistent identifiers, such as IP addresses, cross-session
6cookie IDs, and device identifiers including derived through
7device fingerprinting and probabilistic techniques), and any
8other data associated with such identifiers. Identifiable data
9does not include anonymous data.
10    "Network interaction" means an online connection
11consisting of an HTTP or HTTPS request and as many
12corresponding responses as are necessary to respond to a
13single user action. A user interaction or session with a
14website or other resource frequently consists of many network
15interactions.
16    "Organization" means a legal entity. Such term does not
17include government agencies or users.
18    "Party" means a user, an organization, or a group of legal
19entities that share common ownership and control, operate as
20an integrated enterprise, and have a group identity that is
21easily discoverable by a user. Common branding or publishing a
22list of affiliates that is readily available online via a
23prominent link from a resource where a party describes its
24Tracking Preference Expression (DNT) practices are deemed
25easily discoverable. With respect to a user action, a party is
26either a first party or a third party, but not both.

 

 

10200SB0731sam003- 5 -LRB102 17247 KTG 25022 a

1    "Personalize" means to use identifiable data to alter the
2experience of a user, including, but not limited to, the
3content or advertising displayed to the user.
4    "Process" means to collect, use, or share data.
5    "Resource" means a single online destination or
6experience, such as a website, streaming service, online game,
7digital assistant, or other online service, accessed by a user
8through the use of a user agent.
9    "Service provider" means an organization that processes
10identifiable data on behalf of another organization. A service
11provider has no right to use any identifiable data for its own
12purposes.
13    "Share" means, with respect to collected data, to transfer
14or provide a copy of such data to any third party.
15    "Third party" means, for any user action, any party other
16than the user, a first party to that user action, or a service
17provider action on behalf of either the user or a first party.
18    "Tracking" or "track" means to (i) collect data regarding
19a user action of a particular user, (ii) process such data
20outside the context in which the user action occurred, (iii)
21facilitate the creation of a user profile, or (iv) personalize
22that user's online experience. For the purposes of this
23definition, processing data related to a device used by a user
24or the user's household shall be considered processing data
25related to the user.
26    "User" means a natural person residing in this State who

 

 

10200SB0731sam003- 6 -LRB102 17247 KTG 25022 a

1uses the Internet.
2    "User action" means a deliberate online action by the
3user, via configuration, invocation, or selection, to initiate
4a network interaction. Selection of a link, submission of a
5form, and reloading a page are examples of user actions.
6    "User agent" means any of the various client programs
7capable of initiating network interactions, including, but not
8limited to, browsers, web-based robots, command-line tools,
9native applications, mobile apps, or Internet-connected
10devices.
 
11    Section 10. Response to do-not-track signals.
12    (a) In general. Except as permitted in this Section, a
13party to a user action that receives a do-not-track signal
14indicating a user preference not to be tracked shall not
15track.
16    (b) Exceptions.
17        (1) First party. A first party to a user action within
18    a context to which the user has affirmatively signed in
19    may process data received from such user action, including
20    for personalized content, services, and advertising,
21    within that context. However, a first party shall not
22    share such data with a third party. For the purposes of
23    this paragraph, a user is signed into a context when the
24    user has affirmatively authenticated and identified
25    oneself by entering a username and password, or similar

 

 

10200SB0731sam003- 7 -LRB102 17247 KTG 25022 a

1    credentials.
2        (2) Anonymous data. Data that has been sufficiently
3    de-identified such that it is rendered anonymous data may
4    be processed for any purpose, including outside the
5    context of the user actions from which it originates, or
6    across multiple contexts.
7        (3) Consent. A party may disregard a user's
8    do-not-track signal when the user has given express
9    affirmative consent to track. A user may give consent
10    through a technical means defined in the Tracking
11    Preference Expression (DNT) specification published by the
12    World Wide Web Consortium or through a separate mechanism
13    such as an online or offline consent form that
14    demonstrates a specific and voluntary choice of the user.
15    For instance, accepting a general or broad terms of use
16    document that contains a clause regarding tracing does not
17    constitute express affirmation consent for the purposes of
18    this Act. Likewise, agreement obtained through a user
19    interface designed or manipulated with the purpose of
20    substantial effect of subverting or impairing user
21    autonomy, decision-making, or choice does not constitute
22    consent for the purposes of this Act. When relying on
23    consent from a user given through a separate mechanism, a
24    party must provide notice in accordance with Section 20.
25        (4) Permitted uses.
26            (A) In general. An organization may process data

 

 

10200SB0731sam003- 8 -LRB102 17247 KTG 25022 a

1        for the uses specified in subparagraphs (B), (C), (D),
2        (E), (F), and (G), provided the organization:
3                (i) limits the amount of identifiable data
4            collected to that which is strictly needed for the
5            permitted uses;
6                (ii) limits the retention of identifiable data
7            to no longer than what is reasonably needed for
8            the permitted uses;
9                (iii) uses anonymous data to the extent the
10            permitted uses can be achieved with such data, or
11            otherwise de-identifies the identifiable data to
12            the greatest extent that is compatible with the
13            permitted uses;
14                (iv) processes the data separately from
15            systems that are used for purposes other than the
16            permitted uses specified in this Section; and
17                (v) does not process the data beyond the
18            permitted uses.
19            (B) Providing a service. An organization may
20        process data to the extent necessary to effectuate a
21        transaction with the user, or to provide a product or
22        service to a user, provided the user has consented to
23        or authorized the transaction or the provision of the
24        product or service and any tracking, including
25        personalization, that is a necessary or inherent part
26        of that transaction, product, or service would have

 

 

10200SB0731sam003- 9 -LRB102 17247 KTG 25022 a

1        been clear to the user at the time of such consent or
2        authorization. If such processing requires sharing
3        data with a third party, such third party may not
4        process the data for any other purpose.
5            (C) Security. An organization may process data to
6        the extent reasonably necessary to detect security
7        incidents, protect the website or other resource
8        accessed by the user against malicious, deceptive,
9        fraudulent, or illegal activity, and prosecute those
10        responsible for such activity.
11            (D) Debugging. An organization may process data
12        for debugging purposes to identify and repair errors
13        that impair the existing functionality of the website
14        or other resource accessed by the user.
15            (E) Financial logging. An organization may process
16        data for billing and auditing related to network
17        interactions and related transactions.
18            (F) Research. An organization may process data to
19        conduct security research.
20            (G) Journalism. An organization may process data
21        as necessary for news gathering purposes by
22        journalists or other purposes protected by the First
23        Amendment of the United States Constitution.
24        (5) Technical errors. Data that is processed by a
25    party due to a technical error does not violate this Act if
26    such error is unintentional and unexpected, and within 30

 

 

10200SB0731sam003- 10 -LRB102 17247 KTG 25022 a

1    days of the party discovering or receiving a report of the
2    error: (i) the error is corrected, (ii) any processing by
3    the party that is otherwise prohibited is stopped, and
4    (iii) the party deletes any data that should not have been
5    collected.
 
6    Section 15. Contractual obligations and liability. A first
7party that enables or permits a third party to engage in
8tracking on or through the first party's website or other
9resource:
10        (1) Must require the third party, through a contract,
11    terms of service, or similar binding and enforceable legal
12    agreement, to comply with this Act.
13        (2) Shall be liable for the third party's
14    non-compliance with this Act if the first party knew or
15    could have upon the exercise of due diligence known of the
16    third party's non-compliance and failed to take adequate
17    corrective action.
 
18    Section 20. Transparency. An organization that engages in
19tracking shall describe, in understandable language and syntax
20such that an ordinary user can comprehend, its practices with
21respect to do-not-track signals in its privacy statement or
22similar notice, available through a clear and prominent link
23on the home page of its website. The description required
24under this paragraph must include at least the following

 

 

10200SB0731sam003- 11 -LRB102 17247 KTG 25022 a

1information:
2        (1) the exceptions or permitted uses under this Act
3    under which the organization processes data;
4        (2) the effects on the user, if any, resulting from a
5    do-not-track signal, including if any webpages, features,
6    or services are not available or reduced in functionality;
7        (3) if the organization obtains out-of-band consent to
8    disregard the do-not-track signal, a description of how a
9    user may give and revoke consent, and the scope of any such
10    consent, and the anticipated effect of the consent or
11    revocation on the user;
12        (4) the time period or periods for which identifiable
13    data collected by the organization is retained or the
14    criteria used to determine such time periods, and whether
15    such identifiable data is rendered anonymous data in lieu
16    of being deleted; and
17        (5) how a user may contact the organization with any
18    inquiries or complaints regarding the organization's
19    do-not-track practices.
 
20    Section 25. No circumvention. A party shall not block or
21take similar actions to avoid receiving a user's do-not-track
22signal. Nor shall any party take other actions to circumvent
23the effectiveness of do-not-track signals.
 
24    Section 30. Enforcement.

 

 

10200SB0731sam003- 12 -LRB102 17247 KTG 25022 a

1    (a) De facto and de jure harm. Users from whom
2identifiable information has been processed in violation of
3this Act shall be deemed to have been harmed by such
4violations.
5    (b) Enforcement by the Attorney General. Whenever the
6Attorney General has reasonable cause to believe that a party
7or organization has engaged in a violation of this Act, the
8Attorney General shall enforce the provisions of this Act by
9bringing a civil action on behalf of the people of this State
10in a court of competent jurisdiction:
11        (1) to enjoin further violation of this Act by the
12    defendant; or
13        (2) to obtain damages on behalf of the people of this
14    State, in the amount authorized under State law or as
15    permitted under federal law, whichever is greater.
16    (c) A user from whom identifiable information has been
17processed in violation of this Act may bring a civil action in
18any court of competent jurisdiction:
19        (1) to enjoin further violation of this Act by the
20    defendant; or
21        (2) to obtain damages, in the amount of $1,000 or
22    actual damages shown, whichever is greater.
23    (d) Attorney fees. In the case of any successful action
24under this Section, the court, in its discretion, may award
25the costs of the action and reasonable attorney fees to the
26State or the user.
 

 

 

10200SB0731sam003- 13 -LRB102 17247 KTG 25022 a

1    Section 35. Home rule preemption. Except as otherwise
2provided in this Act, the regulation of the activities
3described in this Act are the exclusive powers and functions
4of the State. Except as otherwise provided in this Act, a unit
5of local government, including a home rule unit, may not
6regulate the activities described in this Act. This Section is
7a denial and limitation of home rule powers and functions
8under subsection (h) of Section 6 of Article VII of the
9Illinois Constitution.
 
10    Section 97. Severability. The provisions of this Act are
11severable under Section 1.31 of the Statute on Statutes.
 
12    Section 99. Effective date. This Act takes effect January
131, 2022.".