|
| | 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4447 Introduced 1/16/2024, by Rep. John M. Cabello SYNOPSIS AS INTRODUCED:
| | 815 ILCS 505/2EEEE new | | 815 ILCS 530/5 | | 815 ILCS 530/55 new | |
| Amends the Consumer Fraud and Deceptive Business Practices Act. Provides that it is an unlawful practice within the meaning of the Act for any person to solicit the purchase of an extended warranty through the mail. Amends the Personal Information Protection Act. Provides that, annually, on or before January 31, a data broker operating in the State shall: (1) register with the Secretary of State; (2) pay a registration fee of $100; and (3) provide specified information. Provides penalties for data brokers that fail to register with the Secretary of State. Provides that the Attorney General may maintain an action in circuit court to collect penalties and to seek injunctive relief. Defines "data broker" and "brokered personal information". |
| |
| | A BILL FOR |
|
|
| | HB4447 | | LRB103 34729 SPS 64577 b |
|
|
| 1 | | AN ACT concerning business.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Consumer Fraud and Deceptive Business |
| 5 | | Practices Act is amended by adding Section 2EEEE as follows:
|
| 6 | | (815 ILCS 505/2EEEE new) |
| 7 | | Sec. 2EEEE. Motor vehicle extended warranty. |
| 8 | | (a) As used in this Section, "extended warranty" means any |
| 9 | | contract or agreement indemnifying the service agreement |
| 10 | | holder for the motor vehicle listed on the service agreement |
| 11 | | and arising out of the ownership, operation, and use of the |
| 12 | | motor vehicle against loss caused by failure of any mechanical |
| 13 | | or other component part, or any mechanical or other component |
| 14 | | part that does not function as it was originally intended. |
| 15 | | "Extended warranty" does not include the usual performance |
| 16 | | guarantees by manufacturers or dealers in connection with the |
| 17 | | sale of motor vehicles. |
| 18 | | (b) It is an unlawful practice within the meaning of this |
| 19 | | Act for any person to solicit the purchase of an extended |
| 20 | | warranty through the mail.
|
| 21 | | Section 10. The Personal Information Protection Act is |
| 22 | | amended by changing Section 5 and by adding Section 55 as |
|
| | HB4447 | - 2 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | follows:
|
| 2 | | (815 ILCS 530/5) |
| 3 | | Sec. 5. Definitions. In this Act: |
| 4 | | "Brokered personal information" means one or more of the |
| 5 | | following computerized data elements about an individual, if |
| 6 | | categorized or organized for dissemination to third parties: |
| 7 | | (1) Name. |
| 8 | | (2) Address. |
| 9 | | (3) Date of birth. |
| 10 | | (4) Place of birth. |
| 11 | | (5) Mother's maiden name. |
| 12 | | (6) Unique biometric data generated from measurements |
| 13 | | or technical analysis of human body characteristics used |
| 14 | | by the owner or licensee of the data to identify or |
| 15 | | authenticate the individual, such as a fingerprint, retina |
| 16 | | or iris image, or other unique physical representation or |
| 17 | | digital representation of biometric data; |
| 18 | | (7) name or address of a member of the individual's |
| 19 | | immediate family or household. |
| 20 | | (8) Social Security number or other government-issued |
| 21 | | identification number. |
| 22 | | (9) Other information that, alone or in combination |
| 23 | | with the other information sold or licensed, would allow a |
| 24 | | reasonable person to identify the individual with |
| 25 | | reasonable certainty. |
|
| | HB4447 | - 3 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | "Brokered personal information" does not include publicly |
| 2 | | available information to the extent that it is related to an |
| 3 | | individual's business or profession. |
| 4 | | "Data broker" means a business or a unit of a business, |
| 5 | | separately or together, that knowingly collects and sells or |
| 6 | | licenses to third parties the brokered personal information of |
| 7 | | an individual with whom the business does not have a direct |
| 8 | | relationship. A direct relationship with a business includes |
| 9 | | if the individual is a past or present: (i) customer, client, |
| 10 | | subscriber, user, or registered user of the business's goods |
| 11 | | or services; (ii) employee, contractor, or agent of the |
| 12 | | business; (iii) investor in the business; or (iv) donor to the |
| 13 | | business. |
| 14 | | "Data broker" does not include a business that conducts |
| 15 | | the following activities and the collection, sale, or |
| 16 | | licensing of brokered personal information incidental to |
| 17 | | conducting the activities: |
| 18 | | (1) developing or maintaining third-party e-commerce |
| 19 | | or application platforms; or |
| 20 | | (2) providing 411 directory assistance or directory |
| 21 | | information services, including name, address, and |
| 22 | | telephone number, on behalf of or as a function of a |
| 23 | | telecommunications carrier; |
| 24 | | "Data collector" may include, but is not limited to, |
| 25 | | government agencies, public and private universities, |
| 26 | | privately and publicly held corporations, financial |
|
| | HB4447 | - 4 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | institutions, retail operators, and any other entity that, for |
| 2 | | any purpose, handles, collects, disseminates, or otherwise |
| 3 | | deals with nonpublic personal information. |
| 4 | | "Breach of the security of the system data" or "breach" |
| 5 | | means unauthorized acquisition of computerized data that |
| 6 | | compromises the security, confidentiality, or integrity of |
| 7 | | personal information maintained by the data collector. "Breach |
| 8 | | of the security of the system data" does not include good faith |
| 9 | | acquisition of personal information by an employee or agent of |
| 10 | | the data collector for a legitimate purpose of the data |
| 11 | | collector, provided that the personal information is not used |
| 12 | | for a purpose unrelated to the data collector's business or |
| 13 | | subject to further unauthorized disclosure. |
| 14 | | "Health insurance information" means an individual's |
| 15 | | health insurance policy number or subscriber identification |
| 16 | | number, any unique identifier used by a health insurer to |
| 17 | | identify the individual, or any medical information in an |
| 18 | | individual's health insurance application and claims history, |
| 19 | | including any appeals records. |
| 20 | | "Medical information" means any information regarding an |
| 21 | | individual's medical history, mental or physical condition, or |
| 22 | | medical treatment or diagnosis by a healthcare professional, |
| 23 | | including such information provided to a website or mobile |
| 24 | | application. |
| 25 | | "Personal information" means either of the following: |
| 26 | | (1) An individual's first name or first initial and |
|
| | HB4447 | - 5 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | last name in combination with any one or more of the |
| 2 | | following data elements, when either the name or the data |
| 3 | | elements are not encrypted or redacted or are encrypted or |
| 4 | | redacted but the keys to unencrypt or unredact or |
| 5 | | otherwise read the name or data elements have been |
| 6 | | acquired without authorization through the breach of |
| 7 | | security: |
| 8 | | (A) Social Security number. |
| 9 | | (B) Driver's license number or State |
| 10 | | identification card number. |
| 11 | | (C) Account number or credit or debit card number, |
| 12 | | or an account number or credit card number in |
| 13 | | combination with any required security code, access |
| 14 | | code, or password that would permit access to an |
| 15 | | individual's financial account. |
| 16 | | (D) Medical information. |
| 17 | | (E) Health insurance information. |
| 18 | | (F) Unique biometric data generated from |
| 19 | | measurements or technical analysis of human body |
| 20 | | characteristics used by the owner or licensee to |
| 21 | | authenticate an individual, such as a fingerprint, |
| 22 | | retina or iris image, or other unique physical |
| 23 | | representation or digital representation of biometric |
| 24 | | data. |
| 25 | | (G) Motor vehicle purchasing information. |
| 26 | | (H) Home purchasing information. |
|
| | HB4447 | - 6 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | (2) User name or email address, in combination with a |
| 2 | | password or security question and answer that would permit |
| 3 | | access to an online account, when either the user name or |
| 4 | | email address or password or security question and answer |
| 5 | | are not encrypted or redacted or are encrypted or redacted |
| 6 | | but the keys to unencrypt or unredact or otherwise read |
| 7 | | the data elements have been obtained through the breach of |
| 8 | | security. |
| 9 | | "Personal information" does not include publicly available |
| 10 | | information that is lawfully made available to the general |
| 11 | | public from federal, State, or local government records. |
| 12 | | (Source: P.A. 99-503, eff. 1-1-17.)
|
| 13 | | (815 ILCS 530/55 new) |
| 14 | | Sec. 55. Annual registration. |
| 15 | | (a) Annually, on or before January 31, a data broker |
| 16 | | operating in this State shall: |
| 17 | | (1) register with the Secretary of State; |
| 18 | | (2) pay a registration fee of $100; and |
| 19 | | (3) provide the following information: |
| 20 | | (A) the name and primary physical, e-mail, and |
| 21 | | Internet addresses of the data broker; |
| 22 | | (B) if the data broker permits an individual to |
| 23 | | opt out of the data broker's collection of brokered |
| 24 | | personal information, opt out of its databases, or opt out |
| 25 | | of certain sales of data: |
|
| | HB4447 | - 7 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | (i) the method for requesting an opt-out; |
| 2 | | (ii) which activities or sales the opt-out |
| 3 | | applies to; and |
| 4 | | (iii) whether the data broker permits an |
| 5 | | individual to authorize a third party to perform |
| 6 | | the opt-out on the individual's behalf; |
| 7 | | (C) a statement specifying the data collection, |
| 8 | | databases or sales activities from which an individual may |
| 9 | | not opt out; |
| 10 | | (D) a statement whether the data broker implements |
| 11 | | a purchaser credentialing process; |
| 12 | | (E) the number of data broker security breaches |
| 13 | | that the data broker has experienced during the prior year |
| 14 | | and, if known, the total number of individuals affected by |
| 15 | | the breaches; |
| 16 | | (F) if the data broker has actual knowledge that |
| 17 | | it possesses the brokered personal information of minors, |
| 18 | | a separate statement detailing the data collection |
| 19 | | practices, databases, sales activities, and opt-out |
| 20 | | policies that are applicable to the brokered personal |
| 21 | | information of minors; and |
| 22 | | (G) any additional information or explanation the |
| 23 | | data broker chooses to provide concerning its data |
| 24 | | collection practices. |
| 25 | | (b) The Secretary of State shall publish on its website a |
| 26 | | list of registered data brokers and update the list annually. |
|
| | HB4447 | - 8 - | LRB103 34729 SPS 64577 b |
|
|
| 1 | | (c) A data broker that fails to register as required under |
| 2 | | this Section shall pay a civil penalty of $50 for each day, not |
| 3 | | to exceed a total of $10,000 for each year, it fails to |
| 4 | | register; (2) an amount equal to the fees due under this |
| 5 | | Section during the period it failed to register as required |
| 6 | | under this Section; and (3) other penalties imposed by law. |
| 7 | | (d) The Attorney General may maintain an action in circuit |
| 8 | | court to collect the penalties imposed by this Section and to |
| 9 | | seek injunctive relief. |