Illinois General Assembly - Full Text of SB1502
Illinois General Assembly

Previous General Assemblies

Full Text of SB1502  100th General Assembly

SB1502sam001 100TH GENERAL ASSEMBLY

Sen. Michael E. Hastings

Filed: 2/22/2017

 

 


 

 


 
10000SB1502sam001LRB100 08019 RJF 22357 a

1
AMENDMENT TO SENATE BILL 1502

2    AMENDMENT NO. ______. Amend Senate Bill 1502 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the Right
5to Know Act.
 
6    Section 5. Findings and purpose.
7    The General Assembly hereby finds and declares that the
8right to privacy is a personal and fundamental right protected
9by the United States Constitution. As such, all individuals
10have a right to privacy in information pertaining to them. This
11State recognizes the importance of providing consumers with
12transparency about how their personal information, especially
13information relating to their children, is shared by
14businesses. This transparency is crucial for Illinois citizens
15to protect themselves and their families from cyber-crimes and
16identity thieves. Furthermore, for free market forces to have a

 

 

10000SB1502sam001- 2 -LRB100 08019 RJF 22357 a

1role in shaping the privacy practices and for "opt-in" and
2"opt-out" remedies to be effective, consumers must be more than
3vaguely informed that a business might share personal
4information with third parties. Consumers must be better
5informed about what kinds of personal information are shared
6with other businesses. With these specifics, consumers can
7knowledgeably choose to opt-in, opt-out, or choose among
8businesses that disclose information to third parties on the
9basis of how protective the business is of consumers' privacy.
10    Businesses are now collecting personal information and
11sharing and selling it in ways not contemplated or properly
12covered by the current law. Some websites are installing
13tracking tools that record when consumers visit web pages, and
14sending very personal information, such as age, gender, race,
15income, health concerns, religion, and recent purchases to
16third party marketers and data brokers. Third party data broker
17companies are buying, selling, and trading personal
18information obtained from mobile phones, financial
19institutions, social media sites, and other online and brick
20and mortar companies. Some mobile applications are sharing
21personal information, such as location information, unique
22phone identification numbers, and age, gender, and other
23personal details with third party companies. As such, consumers
24need to know the ways that their personal information is being
25collected by companies and then shared or sold to third parties
26in order to properly protect their privacy, personal safety,

 

 

10000SB1502sam001- 3 -LRB100 08019 RJF 22357 a

1and financial security.
 
2    Section 10. Definitions. As used in this Act:
3    "Categories of personal information" includes, but is not
4limited to, the following:
5        (a) Identity information including, but not limited
6    to, real name, alias, nickname, and user name.
7        (b) Address information, including, but not limited
8    to, postal or e-mail.
9        (c) Telephone number.
10        (d) Account name.
11        (e) Social security number or other government-issued
12    identification number, including, but not limited to,
13    social security number, driver's license number,
14    identification card number, and passport number.
15        (f) Birthdate or age.
16        (g) Physical characteristic information, including,
17    but not limited to, height and weight.
18        (h) Sexual information, including, but not limited to,
19    sexual orientation, sex, gender status, gender identity,
20    and gender expression.
21        (i) Race or ethnicity.
22        (j) Religious affiliation or activity.
23        (k) Political affiliation or activity.
24        (l) Professional or employment-related information.
25        (m) Educational information.

 

 

10000SB1502sam001- 4 -LRB100 08019 RJF 22357 a

1        (n) Medical information, including, but not limited
2    to, medical conditions or drugs, therapies, mental health,
3    or medical products or equipment used.
4        (o) Financial information, including, but not limited
5    to, credit, debit, or account numbers, account balances,
6    payment history, or information related to assets,
7    liabilities, or general creditworthiness.
8        (p) Commercial information, including, but not limited
9    to, records of property, products or services provided,
10    obtained, or considered, or other purchasing or consumer
11    histories or tendencies.
12        (q) Location information.
13        (r) Internet or mobile activity information,
14    including, but not limited to, Internet protocol addresses
15    or information concerning the access or use of any Internet
16    or mobile-based site or service.
17        (s) Content, including text, photographs, audio or
18    video recordings, or other material generated by or
19    provided by the customer.
20        (t) Any of the above categories of information as they
21    pertain to the children of the customer.
22    "Customer" means an individual residing in Illinois who
23provides, either knowingly or unknowingly, personal
24information to a private entity, with or without an exchange of
25consideration, in the course of purchasing, viewing,
26accessing, renting, leasing, or otherwise using real or

 

 

10000SB1502sam001- 5 -LRB100 08019 RJF 22357 a

1personal property, or any interest therein, or obtaining a
2product or service from the private entity, including
3advertising or any other content.
4    "Designated request address" means an e-mail address or
5toll-free telephone number whereby customers may request or
6obtain the information required to be provided under Section 15
7of this Act.
8    "Disclose" means to disclose, release, transfer, share,
9disseminate, make available, or otherwise communicate orally,
10in writing, or by electronic or any other means to any third
11party. "Disclose" does not include the following:
12        (a) Disclosure of personal information by a private
13    entity to a third party under a written contract
14    authorizing the third party to utilize the personal
15    information to perform services on behalf of the private
16    entity, including maintaining or servicing accounts,
17    providing customer service, processing or fulfilling
18    orders and transactions, verifying customer information,
19    processing payments, providing financing, or similar
20    services, but only if (i) the contract prohibits the third
21    party from using the personal information for any reason
22    other than performing the specified service or services on
23    behalf of the private entity and from disclosing any such
24    personal information to additional third parties; and (ii)
25    the private entity effectively enforces these
26    prohibitions.

 

 

10000SB1502sam001- 6 -LRB100 08019 RJF 22357 a

1        (b) Disclosure of personal information by a business to
2    a third party based on a good-faith belief that disclosure
3    is required to comply with applicable law, regulation,
4    legal process, or court order.
5        (c) Disclosure of personal information by a private
6    entity to a third party that is reasonably necessary to
7    address fraud, security, or technical issues; to protect
8    the disclosing private entity's rights or property; or to
9    protect customers or the public from illegal activities as
10    required or permitted by law.
11    "Operator" means any person or entity that owns a website
12located on the Internet or an online service that collects and
13maintains personal information from a customer residing in
14Illinois who uses or visits the website or online service if
15the website or online service is operated for commercial
16purposes. It does not include any third party that operates,
17hosts, or manages, but does not own, a website or online
18service on the owner's behalf or by processing information on
19behalf of the owner.
20    "Personal information" means any information that
21identifies, relates to, describes, or is capable of being
22associated with, a particular individual, including, but not
23limited to, his or her name, signature, physical
24characteristics or description, address, telephone number,
25passport number, driver's license or State identification card
26number, insurance policy number, education, employment,

 

 

10000SB1502sam001- 7 -LRB100 08019 RJF 22357 a

1employment history, bank account number, credit card number,
2debit card number, or any other financial information.
3"Personal information" also means any data or information
4pertaining to an individual's income, assets, liabilities,
5purchases, leases, or rentals of goods, services, or real
6property, if that information is disclosed, or is intended to
7be disclosed, with any identifying information, such as the
8individual's name, address, telephone number, or social
9security number.
10    "Third party" or "third parties" means (i) a private entity
11that is a separate legal entity from the private entity that
12has disclosed personal information; (ii) a private entity that
13does not share common ownership or common corporate control
14with the private entity that has disclosed personal
15information; or (iii) a private entity that does not share a
16brand name or common branding with the private entity that has
17disclosed personal information such that the affiliate
18relationship is clear to the customer.
 
19    Section 15. Notification of information sharing practices.
20An operator of a commercial website or online service that
21collects personal information through the Internet about
22individual customers residing in Illinois who use or visit its
23commercial website or online service shall, in its customer
24agreement or incorporated addendum: (i) identify all
25categories of personal information that the operator collects

 

 

10000SB1502sam001- 8 -LRB100 08019 RJF 22357 a

1through the website or online service about individual
2customers who use or visit its commercial website or online
3service; (ii) identify all categories of third party persons or
4entities with whom the operator may disclose that personal
5information; and (iii) provide a description of a customer's
6rights, as required under Section 25 of this Act, accompanied
7by one or more designated request addresses.
 
8    Section 20. Disclosure of a customer's personal
9information to a third party.
10    (a) An operator that discloses a customer's personal
11information to a third party shall make the following
12information available to the customer free of charge:
13        (1) all categories of personal information that were
14    disclosed; and
15        (2) the names of all third parties that received the
16    customer's personal information.
17    (b) This Section applies only to personal information
18disclosed after the effective date of this Act.
 
19    Section 25. Information availability service.
20    (a) An operator required to comply with Section 20 shall
21make the required information available by providing a
22designated request address in its customer agreement or
23incorporated addendum, and, upon receipt of a request under
24this Section, shall provide the customer with the information

 

 

10000SB1502sam001- 9 -LRB100 08019 RJF 22357 a

1required under Section 20 for all disclosures occurring in the
2prior 12 months.
3    (b) An operator that receives a request from a customer
4under this Section at one of the designated addresses shall
5provide a response to the customer within 30 days.
6    (c) The parent or legal guardian of a customer under the
7age of 18 may submit a request under this Section on behalf of
8that customer.
9    (d) An operator shall not be required to respond to a
10request made by the same customer more than once within a given
1112-month period.
 
12    Section 30. Right of action. Any person whose rights under
13this Act are violated shall have a right of action against an
14offending party, and shall recover: (i) liquidated damages of
15$10 or actual damages, whichever is greater; (ii) injunctive
16relief, if appropriate; and (iii) reasonable attorneys' fees,
17costs, and expenses.
 
18    Section 35. Waivers; contracts. Any waiver of the
19provisions of this Act shall be void and unenforceable. Any
20agreement that does not comply with the applicable provisions
21of this Act shall be void and unenforceable.
 
22    Section 40. Construction.
23    (a) Nothing in this Act shall be construed to conflict with

 

 

10000SB1502sam001- 10 -LRB100 08019 RJF 22357 a

1the federal Health Insurance Portability and Accountability
2Act of 1996 and the rules promulgated under that Act.
3    (b) Nothing in this Act shall be deemed to apply in any
4manner to a financial institution or an affiliate of a
5financial institution that is subject to Title V of the federal
6Gramm-Leach-Bliley Act of 1999 and the rules promulgated under
7that Act.
8    (c) Nothing in this Act shall be deemed to apply to the
9activities of an individual or entity to the extent that those
10activities are subject to Section 222 or 631 of the federal
11Communications Act of 1934.
12    (d) Nothing in this Act shall be construed to apply to a
13contractor, subcontractor, or agent of a State agency or local
14unit of government when working for that State agency or local
15unit of government.".