HB3358ham002 101ST GENERAL ASSEMBLY

Rep. Arthur Turner

Filed: 3/27/2019

 

 


 

 


 
10100HB3358ham002LRB101 11180 JLS 58691 a

1
AMENDMENT TO HOUSE BILL 3358

2    AMENDMENT NO. ______. Amend House Bill 3358 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the Data
5Transparency and Privacy Act.
 
6    Section 5. Legislative findings. The General Assembly
7hereby finds and declares that:
8    (1) The right to privacy is a personal and fundamental
9right protected by the United States Constitution. As such, all
10individuals have a right to privacy in information pertaining
11to them. This State recognizes the importance of providing
12consumers with transparency about how their personal
13information, especially information relating to their
14children, is shared by businesses. This transparency is crucial
15for Illinois citizens to protect themselves and their families
16from cyber-crimes and identity thieves.

 

 

10100HB3358ham002- 2 -LRB101 11180 JLS 58691 a

1    (2) Furthermore, for free market forces to have a role in
2shaping the privacy practices and for "opt-in" and "opt-out"
3remedies to be effective, consumers must be more than vaguely
4informed that a business might share personal information with
5third parties. Consumers must be better informed about what
6kinds of personal information is shared with other businesses.
7With these specifics, consumers can knowledgeably choose to opt
8in, opt out, or choose among businesses that disclose
9information to third parties on the basis of how protective the
10business is of consumers' privacy.
11    (3) Businesses are now collecting personal information and
12sharing and selling it in ways not contemplated or properly
13covered by the current law. Some websites are installing
14tracking tools that record when consumers visit web pages, and
15sending very personal information, such as age, gender, race,
16income, health concerns, religion, and recent purchases to
17third-party marketers and data brokers. Third-party data
18broker companies are buying, selling, and trading personal
19information obtained from mobile phones, financial
20institutions, social media sites, and other online and brick
21and mortar companies. Some mobile applications are sharing
22personal information, such as location information, unique
23phone identification numbers, and age, gender, and other
24personal details with third-party companies.
25    (4) As such, consumers need to know the ways that their
26personal information is being collected by companies and then

 

 

10100HB3358ham002- 3 -LRB101 11180 JLS 58691 a

1shared or sold to third parties in order to properly protect
2their privacy, personal safety, and financial security.
 
3    Section 10. Definitions. As used in this Act:
4    "Consumer" means an individual residing in this State who
5provides, either knowingly or unknowingly, personal
6information to an operator, with or without an exchange of
7consideration, in the course of purchasing, viewing,
8accessing, renting, leasing, or otherwise using real or
9personal property, or any interest therein, or obtaining a
10product or service from the private entity, including
11advertising or any other content.
12    "Designated request address" means an electronic email
13address, online form, or toll-free telephone number that a
14consumer may use to request the information required to be
15provided pursuant to this Act.
16    "Disclose" means to disclose, release, transfer, share,
17disseminate, make available, sell, or otherwise communicate
18orally, in writing, or by electronic or any other means to any
19third party.
20    "Disclose" does not include the disclosure of personal
21information by a private entity to a third party under a
22written contract authorizing the third party to utilize the
23personal information for the limited purposes of performing
24services on behalf of the private entity, including maintaining
25or servicing accounts, disclosure of personal information by a

 

 

10100HB3358ham002- 4 -LRB101 11180 JLS 58691 a

1private entity to a transportation network company driver
2providing consumer service, processing or fulfilling orders
3and transactions, verifying consumer information, processing
4payments, providing financing, or similar services, but only
5if:
6        (1) the contract prohibits the third party or
7    transportation network company driver from using the
8    personal information for any reason other than performing
9    the specified service or services on behalf of the private
10    entity and from disclosing any such personal information to
11    additional third parties; and
12        (2) disclosure of personal information by a business to
13    a third party based on a good-faith belief that disclosure
14    is required to comply with applicable law, regulation,
15    legal process, or court order.
16    "Disclose" does not include disclosure of personal
17information by a private entity to a third party that is
18reasonably necessary to address fraud, security, or technical
19issues; to protect the disclosing private entity's rights or
20property; or to protect consumers or the public from illegal
21activities as required or permitted by law.
22    "Operator" means any private entity that owns an Internet
23website or an online service that collects, maintains, or
24discloses personal information of a consumer residing in this
25State who uses or visits the website or online service if the
26website or online service is operated for commercial purposes.

 

 

10100HB3358ham002- 5 -LRB101 11180 JLS 58691 a

1It does not include any third party that operates, hosts, or
2manages, but does not own, a website or online service on the
3owner's behalf or by processing information on behalf of the
4owner.
5    "Personal information" means any information that
6identifies, relates to, describes, or is capable of being
7associated with, or could reasonably be linked, directly or
8indirectly, with a particular consumer or household,
9including, but not limited to identifiers such as a real name,
10alias, signature, physical characteristics or description,
11address, telephone number, passport number, driver's license
12or State identification card number, insurance policy number,
13education, employment, employment history, bank account
14number, credit card number, debit card number, or any other
15financial information, unique personal identifier, Internet
16Protocol address, geolocation, biometric information, audio,
17visual, thermal, olfactory, or similar information.
18    "Personal information" also means professional or
19employment-related information, education information, defined
20as information that is not publicly available personally
21identifiable information as defined in the Family Educational
22Rights and Privacy Act (20 U.S.C. 1232g and 34 CFR 99) records
23of income, assets, liabilities, purchases, leases, products or
24services purchases, obtained, or considered, or other
25purchasing or consuming histories or tendencies, or real
26property.

 

 

10100HB3358ham002- 6 -LRB101 11180 JLS 58691 a

1    "Private entity" means a sole proprietorship, partnership,
2limited liability company, corporation, association, or other
3legal entity that is organized or operated for the profit or
4financial benefit of its shareholders or other owners, that
5does business in the State of Illinois, and that satisfies one
6or more of the following thresholds:
7        (1) Has annual gross revenues in excess of $25,000,000,
8    as adjusted in January of every odd-numbered year to
9    reflect any increase in the Consumer Price Index.
10        (2) Annually buys, receives for the business'
11    commercial purposes, sells, or shares for commercial
12    purposes, alone or in combination, the personal
13    information of 50,000 or more consumers, households, or
14    devices.
15        (3) Derives 50% or more of its annual revenues from
16    selling consumers' personal information.
17    "Process" or "processes" means any collection, use,
18storage, disclosure, analysis, deletion, or modification of
19personal information.
20    "Third party" means:
21        (1) a private entity that is a separate legal entity
22    from the private entity that has disclosed personal
23    information;
24        (2) a private entity that does not share common
25    ownership or common corporate control with the private
26    entity that has disclosed personal information; or

 

 

10100HB3358ham002- 7 -LRB101 11180 JLS 58691 a

1        (3) a private entity that does not share a brand name
2    or common branding with the private entity that has
3    disclosed personal information such that the affiliate
4    relationship is clear to the consumer.
5    "Sell" means selling, renting, releasing, disclosing,
6disseminating, making available, transferring, or otherwise
7communicating orally, in writing, or by electronic or other
8means, a consumer's personal information by the business to
9another business or a third party for monetary or other
10valuable consideration.
11    "Unique identifier" means a persistent identifier that can
12be used to recognize a consumer, a family, or a device that is
13linked to a consumer or family, over time and across different
14services, including, but not limited to, a device identifier;
15an Internet Protocol address; cookies, beacons, pixel tags,
16mobile ad identifiers, or similar technology; consumer number,
17unique pseudonym, or user alias; telephone numbers, or other
18forms of persistent or probabilistic identifiers that can be
19used to identify a particular consumer or device. For purposes
20of this definition, "family" means a custodial parent or
21guardian and any minor children over which the parent or
22guardian has custody.
23    "Verified request" means the process through which a
24consumer may submit a request to exercise a right or rights set
25forth in this Act and by which an operator can reasonably
26authenticate the request.
 

 

 

10100HB3358ham002- 8 -LRB101 11180 JLS 58691 a

1    Section 15. Right to transparency. An operator that
2collects personal information through the Internet about
3individual consumers who use or visit its online service, in
4its consumer service agreement or incorporated addendum or any
5other similar and readily available mechanism accessible to the
6consumer, shall:
7        (1) identify all categories of personal information
8    that the operator processes about individual consumers
9    collected through its Internet website or online service;
10        (2) identify all categories of third parties with whom
11    the operator may disclose that personal information;
12        (3) disclose whether a third party may collect personal
13    information about an individual consumer's online
14    activities over time and across different Internet
15    websites or online services when the consumer uses the
16    Internet website or online service of the operator;
17        (4) provide a description of the process, if any such
18    process exists, for an individual consumer who uses or
19    visits the Internet website or online service to review and
20    request changes to inaccurate personal information that is
21    collected by the operator as a result of the consumer's use
22    or visits to the Internet website or online service;
23        (5) describe the process by which the operator notifies
24    consumers who use or visit its Internet website or online
25    service of material changes to the notice required to be

 

 

10100HB3358ham002- 9 -LRB101 11180 JLS 58691 a

1    made available under this Section;
2        (6) state the effective date of the notice;
3        (7) provide a description of a consumer's rights, as
4    required by this Act, accompanied by one or more designated
5    request addresses.
 
6    Section 20. Right to know.
7    (a) An operator that discloses personal information to a
8third party shall make the following information available to a
9consumer upon request free of charge:
10        (1) the categories of personal information that were
11    disclosed about the consumer and the name or names of all
12    third parties that received the consumer's personal
13    information; or
14        (2) all categories of personal information about
15    consumers that were disclosed and the name or names of all
16    third parties that received any consumer's personal
17    information.
18    (b) Notwithstanding the provisions of this Section, a
19parent or legal guardian of a consumer under the age of 18 may
20submit a verified request under this Section on behalf of that
21consumer.
22    (c) This Section applies only to personal information
23disclosed after the effective date of this Act.
 
24    Section 25. Right to opt out. An operator that sells the

 

 

10100HB3358ham002- 10 -LRB101 11180 JLS 58691 a

1personal information of a consumer collected through the
2consumer's use of or visit to the operator's Internet website
3or online service shall clearly and conspicuously post, on its
4Internet website or online service or in another prominently
5and easily accessible location the operator maintains for
6consumer privacy settings, a link to an Internet web page
7maintained by the operator that enables a consumer, by verified
8request through a designated request address, to opt out of the
9sale of the consumer's personal information to third parties.
10The method by which a consumer may opt out shall not be overly
11burdensome and shall not require a consumer to establish an
12account with the operator in order to opt out of the sale of a
13consumer's personal information. The Attorney General's Office
14shall adopt rules and procedures to facilitate and govern the
15submission of a request by a consumer to opt out of the sale of
16personal information pursuant to this Section.
 
17    Section 30. Response to verified requests.
18    (a) An operator that receives a verified request from a
19consumer through a designated request address under this Act
20shall provide a response to the consumer within 45 days of the
21request.
22    (b) An operator shall not be required to respond to a
23request made by the same consumer or made by the same parent or
24legal guardian on behalf of a consumer under the age of 18 more
25than once in any 12-month period.
 

 

 

10100HB3358ham002- 11 -LRB101 11180 JLS 58691 a

1    Section 35. Violations. The Attorney General shall have
2exclusive authority to enforce this Act. Nothing in this Act
3shall be construed to modify, limit, or supersede the operation
4of any privacy or security provision in any other Illinois law,
5or from otherwise seeking relief under the Code of Civil
6Procedure.
 
7    Section 40. Waivers; contracts. Any waiver of the
8provisions of this Act is void and unenforceable. Any agreement
9that does not comply with the applicable provisions of this Act
10is void and unenforceable.
 
11    Section 45. Construction.
12    (a) The obligations imposed on operators by this Act shall
13not restrict an operator's ability to:
14        (1) Comply with federal, state, or local laws.
15        (2) Comply with a civil, criminal, or regulatory
16    inquiry, investigation, subpoena, or summons by federal,
17    state, or local authorities.
18        (3) Cooperate with law enforcement agencies concerning
19    conduct or activity that the business, service provider, or
20    third party reasonably and in good faith believes may
21    violate federal, state, or local law.
22        (4) Exercise or defend legal claims.
23    (b) Nothing in this Act shall be construed to conflict with

 

 

10100HB3358ham002- 12 -LRB101 11180 JLS 58691 a

1the Federal Health Insurance Portability and Accountability
2Act of 1996 and the rules promulgated under that Act.
3    (c) Nothing in this Act shall be deemed to apply in any
4manner to a financial institution or an affiliate of a
5financial institution that is subject to Title V of the Federal
6Gramm-Leach-Bliley Act and the rules promulgated under that
7Act.
8    (d) Nothing in this Act shall be construed to apply to a
9contractor, subcontractor, or agent of a State agency or local
10unit of government when working for that State agency or local
11unit of government.
12    (e) Nothing in this Act shall be construed to apply to: (i)
13Internet, wireless, or telecommunications service providers;
14or (ii) a public utility, an alternative retail electric
15supplier, or an alternative gas supplier, as those terms are
16defined in Sections 3-105, 16-102, and 19-105 of the Public
17Utilities Act, or an electric cooperative, as defined in
18Section 3.4 of the Electric Supplier Act.
19    (f) Nothing in this Act shall be construed to apply to: (i)
20a hospital operated under the Hospital Licensing Act; (ii) a
21hospital affiliate, as defined under the Hospital Licensing
22Act; or (iii) a hospital operated under the University of
23Illinois Hospital Act.
24    (g) Nothing in this Act shall restrict a business' ability
25to collect or disclose a consumer's personal information if a
26consumer's conduct takes place wholly outside of Illinois. For

 

 

10100HB3358ham002- 13 -LRB101 11180 JLS 58691 a

1purposes of this Act, conduct takes place wholly outside of
2Illinois if the business collected that information while the
3consumer was outside of Illinois, no part of the sale of the
4consumer's personal information occurred in Illinois, and no
5personal information collected while the consumer was in
6Illinois is disclosed.
7    (h) The Attorney General may adopt additional rules as
8necessary to further the purposes of this Act.
 
9    Section 50. Severability. If any provision of this Act or
10its application to any person or circumstance is held invalid,
11the invalidity of that provision or application does not affect
12other provisions or applications of this Act that can be given
13effect without the invalid provision or application.
 
14    Section 99. Effective date. This Act takes effect April 1,
152020.".