Full Text of HB3357 101st General Assembly
HB3357ham001 101ST GENERAL ASSEMBLY | Rep. Arthur Turner Filed: 3/25/2019
10100HB3357ham001 LRB101 11183 JLS 58340 a

AMENDMENT TO HOUSE BILL 3357

AMENDMENT NO. ______. Amend House Bill 3357 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Legislative findings. The General Assembly hereby finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

(4) As such, consumers need to know the ways that their personal information is being collected by companies and then
shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to an operator, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.

"Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.

"Disclose" does not include the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a
private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if:

(1) the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and

(2) disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

"Disclose" does not include disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.

"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes.
It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to identifiers such as a real name, alias, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, unique personal identifier, Internet Protocol address, geolocation, biometric information, audio, visual, thermal, olfactory, or similar information.

"Personal information" also means professional or employment-related information, education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g and 34 CFR 99) records of income, assets, liabilities, purchases, leases, products or services purchases, obtained, or considered, or other purchasing or consuming histories or tendencies, or real property.
"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:

(1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.

(2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(3) Derives 50% or more of its annual revenues from selling consumers' personal information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Third party" means:

(1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;

(2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
(3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.

"Sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

"Unique identifier" means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; consumer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this definition, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request.
Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:

(1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;

(2) identify all categories of third parties with whom the operator may disclose that personal information;

(3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;

(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;

(5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be
made available under this Section;

(6) state the effective date of the notice;

(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

Section 20. Right to know.

(a) An operator that discloses personal information to a third party shall make the following information available to a consumer upon request free of charge:

(1) the categories of personal information that were disclosed about the consumer and the name or names of all third parties that received the consumer's personal information; or

(2) all categories of personal information about consumers that were disclosed and the name or names of all third parties that received any consumer's personal information.

(b) Notwithstanding the provisions of this Section, a parent or legal guardian of a consumer under the age of 18 may submit a verified request under this Section on behalf of that consumer.

(c) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Right to opt out. An operator that sells the
personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be in a form and manner determined by the operator but should not be overly burdensome and shall require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information.

Section 30. Response to verified requests.

(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.

(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 18 more than once in any 12-month period.

Section 35. Violations. The Attorney General or State's
Attorney shall have exclusive authority to enforce this Act. It is a violation of the Consumer Fraud and Deceptive Business Practices Act for an operator to fail to comply with any requirements of this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any privacy or security provision in any other Illinois law, or from otherwise seeking relief under the Code of Civil Procedure.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.

Section 45. Construction.

(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.
(b) Nothing in this Act shall be construed to conflict with the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(c) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.

(d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(e) Nothing in this Act shall be construed to apply to: (i) Internet, wireless, or telecommunications service providers; or (ii) a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act shall be construed to apply to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.

(g) Nothing in this Act shall restrict a business' ability to collect or disclose a consumer's personal information if a
consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 91. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)

Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Automotive Collision Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Data Transparency and Privacy Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Installment Sales Contract Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Illinois Pre-Need Cemetery Sales Act, the High Risk Home Loan
Act, the Payday Loan Reform Act, the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the Internet Caller Identification Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, or 18d-153 of the Illinois Vehicle Code, Article 3 of the Residential Real Property Disclosure Act, the Automatic Contract Renewal Act, the Reverse Mortgage Act, Section 25 of the Youth Mental Health Protection Act, the Personal Information Protection Act, or the Student Online Personal Protection Act commits an unlawful practice within the meaning of this Act.

(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642, eff. 7-28-16; 100-315, eff. 8-24-17; 100-416, eff. 1-1-18; 100-863, eff. 8-14-18.)

Section 99. Effective date. This Act takes effect April 1, 2020.".