State of Illinois
91st General Assembly
Legislation




91_SB1946

 
                                               LRB9113314LDpr

 1        AN  ACT  to create the Disclosure of Personal Information
 2    Act.

 3        Be it enacted by the People of  the  State  of  Illinois,
 4    represented in the General Assembly:

 5        Section  1.  Short  title.   This Act may be cited as the
 6    Disclosure of Personal Information Act.

 7        Section 5. Definitions.  For the purpose of this Act:
 8        "Department"   means   the   Department   of    Financial
 9    Institutions.
10        "Financial  institution"  means  any  bank subject to the
11    Illinois Banking Act, including a branch of  an  out-of-state
12    bank as defined in Section 2 of the Illinois Banking Act, any
13    savings bank subject to the Savings Bank Act, any savings and
14    loan association subject to the Illinois Savings and Loan Act
15    of  1985,  any  credit  union  subject to the Illinois Credit
16    Union Act, and any federal chartered commercial bank, savings
17    bank, or savings and loan association organized and  operated
18    in this State under the laws of the United States.
19        "Personal   information"  means  personally  identifiable
20    information provided by a consumer to a financial institution
21    in connection with any transaction with a consumer  involving
22    any  financial  product or any financial service or otherwise
23    obtained by the financial institution.
24        "Unrelated use", when used with  respect  to  information
25    collected  by  a financial institution in connection with any
26    transaction with a consumer in any financial product  or  any
27    financial  service,  means  any  use other than a use that is
28    necessary to effect, administer, or enforce such transaction.
29        "Affiliate"  means  any   company   that   controls,   is
30    controlled  by,  or  is  under  common  control  with another
31    company.
 
 1        "Nonaffiliated third party" means any entity that is  not
 2    an   affiliate   of,  related  by  common  ownership  to,  or
 3    affiliated by corporate control with a financial institution,
 4    but does not include a joint employee of such institution.
 5        "Consumer"  means  an  individual  who  obtains  from   a
 6    financial institution any financial products or services that
 7    are  to  be used primarily for personal, family, or household
 8    purposes and also includes the legal representative  of  such
 9    an individual.

10        Section   10.   Obligations   with  respect  to  personal
11    information.
12        (a)  Except  as  otherwise  provided  in  this   Act,   a
13    financial  institution  may  not,  directly  or  through  any
14    affiliate,  disclose or make an unrelated use of any personal
15    information  collected  by  the  financial   institution   in
16    connection  with  any  transaction  with  a  consumer  in any
17    financial product or any financial service.
18        (b)  (1)  A financial institution may not make  available
19    any  personal  information  to  any affiliate or other person
20    that is not an employee or agent of the  institution,  unless
21    the consumer to whom the information pertains:
22                  (A)  has   affirmatively   consented   to   the
23             transfer of such information; and
24                  (B)  has not withdrawn the consent.
25             (2)  A  financial  institution  shall  not  deny any
26        consumer a financial product or a financial  service  for
27        the refusal by the consumer to grant the consent required
28        by paragraph (1) of this subsection (b).
29        (c)  Each  financial  institution that maintains a system
30    of records for personal information shall:
31             (1)  upon request by any individual to  gain  access
32        to  his or her record or to any information pertaining to
33        him or her that is contained in the system, permit him or
 
 1        her, upon his or her  request, a person of his or her own
 2        choosing to accompany him or her, to  review  the  record
 3        and  have  a copy made of all or any portion thereof in a
 4        form comprehensible  to  him  or  her,  except  that  the
 5        financial  institution  may  require  the  individual  to
 6        furnish  a  written  statement  authorizing discussion of
 7        that individual's record  in  the  accompanying  person's
 8        presence;
 9             (2)  permit the individual to request amendment of a
10        record pertaining to him or her and:
11                  (A)  not   later   than   10   days  (excluding
12             Saturdays, Sundays, and legal public holidays) after
13             the date of receipt of such request, acknowledge  in
14             writing receipt of the request; and
15                  (B)  promptly,  either  (i) make any correction
16             of any portion thereof that the individual  believes
17             is  not  accurate, relevant, timely, or complete; or
18             (ii) inform the individual of its refusal  to  amend
19             the  record  in  accordance with his or her request,
20             the  reason  for   the   refusal,   the   procedures
21             established  by  the  financial  institution for the
22             individual to request a review of  that  refusal  by
23             the  head of the financial institution or an officer
24             designated by the head of the financial institution,
25             and the name and business address of that officer;
26             (3)  permit an individual  who  disagrees  with  the
27        refusal  of the financial institution to amend his or her
28        record to request a review of such refusal and, not later
29        than 30 days (excluding  Saturdays,  Sundays,  and  legal
30        public  holidays)  from  the date on which the individual
31        requests such review, complete such  review  and  make  a
32        final  determination  unless,  for  good cause shown, the
33        head of the financial  institution  extends  such  30-day
34        period;  and  if,  after his or her review, the reviewing
 
 1        officer also refuses to amend the  record  in  accordance
 2        with  the request, permit the individual to file with the
 3        financial institution a concise statement  setting  forth
 4        the  reasons for his or her disagreement with the refusal
 5        of the financial institution and notify the individual of
 6        the provisions  for  judicial  review  of  the  reviewing
 7        officer's  determination  under subsection (d) of Section
 8        20; and
 9             (4)  in any disclosure containing information  about
10        which   the   individual   has   filed   a  statement  of
11        disagreement occurring after the filing of the  statement
12        under  paragraph (3) of this subsection, clearly note any
13        portion of the record that is disputed and provide copies
14        of the statement and, if the financial institution  deems
15        it  appropriate,  copies  of  a  concise statement of the
16        reasons of the financial institution for not  making  the
17        amendments  requested,  to  persons  or other agencies to
18        whom the disputed record has been disclosed.  Nothing  in
19        this  subsection  (c) shall allow an individual access to
20        any information compiled in reasonable anticipation of  a
21        civil action or proceeding.
22        (d)  A  financial  institution  shall  not  disclose  any
23    personal  information  to  any affiliate or any nonaffiliated
24    third party for use in telemarketing, direct mail  marketing,
25    or   other   marketing   through  electronic  mail  or  other
26    electronic means to the consumer.
27        (e)  Except  as  otherwise  provided  in  this  Act,   an
28    affiliate or a nonaffiliated third party that receives from a
29    financial institution personal information under this Section
30    10  shall  not,  directly  or  through  an  affiliate of such
31    receiving third party, disclose such information to any other
32    person that is an affiliate or a nonaffiliated third party of
33    both the  financial  institution  and  such  receiving  third
34    party,  unless  such  disclosure  would  be  lawful  if  made
 
 1    directly to such other person by the financial institution.
 2        (f)  Subsections (a) and (b) of this Section 10 shall not
 3    prohibit the disclosure of personal information:
 4             (1)  as  necessary to effect, administer, or enforce
 5        a transaction requested or authorized by the consumer, or
 6        in connection with:
 7                  (A)  servicing  or   processing   a   financial
 8             product  or  service  requested  or  authorized by a
 9             consumer;
10                  (B)  maintaining  or  servicing  a   consumer's
11             account with the financial institution; or
12                  (C)  a   proposed   or  actual  securitization,
13             secondary market sale (including sales of  servicing
14             rights),   or   similar  transaction  related  to  a
15             transaction of a consumer;
16             (2)  with the consent or at  the  direction  of  the
17        consumer;
18             (3)  to  protect  the confidentiality or security of
19        the financial institution's  records  pertaining  to  the
20        consumer,  the  service  or  product,  or the transaction
21        therein;
22             (4)  to  protect  against  or  prevent   actual   or
23        potential  fraud,  unauthorized  transactions, claims, or
24        other liability;
25             (5)  for required institutional risk control, or for
26        resolving consumer disputes or inquiries;
27             (6)  to  persons  holding  a  legal  or   beneficial
28        interest relating to the consumer;
29             (7)  to   persons   acting   in   a   fiduciary   or
30        representative capacity on behalf of the consumer;
31             (8)  to   provide   information  to  insurance  rate
32        advisory  organizations,  guaranty  funds  or   agencies,
33        applicable  rating agencies of the financial institution,
34        and  the  institution's   attorneys,   accountants,   and
 
 1        auditors;
 2             (9)  to   the   extent   specifically  permitted  or
 3        required under other provisions of law and in  accordance
 4        with  the  Right to Financial Privacy Act of 1978, to law
 5        enforcement  agencies  (including  a  Federal  functional
 6        regulator, the Secretary of the Treasury with respect  to
 7        subchapter  II  of  chapter 53 of title 31, United States
 8        Code, and chapter 2 of title I of Public Law  91-508  (12
 9        U.S.C.  1951-1959),  a  State insurance authority, or the
10        Federal Trade Commission), self-regulatory organizations,
11        or for an investigation on a  matter  related  to  public
12        safety;
13             (10)  to  a  consumer reporting agency in accordance
14        with the Fair Credit Reporting Act;
15             (11)  from a consumer report reported by a  consumer
16        reporting  agency  in  accordance  with  the  Fair Credit
17        Reporting Act;
18             (12)  in connection with a proposed or actual  sale,
19        merger,  transfer,  or  exchange of all or a portion of a
20        business or operating unit if the disclosure of  personal
21        information concerns solely consumers of such business or
22        unit; or
23             (13)  to  comply with federal, State, or local laws,
24        rules, and other applicable legal requirements; to comply
25        with a properly authorized civil, criminal, or regulatory
26        investigation or subpoena or summons by  federal,  State,
27        or  local  authorities; or to respond to judicial process
28        or government regulatory authorities having  jurisdiction
29        over   the   financial   institution   for   examination,
30        compliance, or other purposes as authorized by law.

31        Section 15. Notice concerning disclosing information.
32        (a)  All  financial  institutions,  through  the use of a
33    form that complies with subsection (b) of  this  Section  15,
 
 1    must  clearly  and  conspicuously disclose to the consumer at
 2    the time of  establishing  a  customer  relationship  with  a
 3    consumer  and  not less than annually during the continuation
 4    of such relationship:
 5        (1)  the categories  of  personal  information  that  are
 6    collected by the financial institution;
 7        (2)  the   practices   and   policies  of  the  financial
 8    institution with respect to disclosing  personal  information
 9    or making unrelated uses of such information, including:
10             (A)  the   categories   of   persons   to  whom  the
11        information  is  or  may  be  disclosed  or  who  may  be
12        permitted to make unrelated  uses  of  such  information,
13        other  than  the  persons to whom the information must be
14        provided to effect, administer, or enforce a transaction;
15        and
16             (B)  the practices and policies of  the  institution
17        with  respect  to  disclosing or making unrelated uses of
18        personal information of persons who  have  ceased  to  be
19        consumers of the financial institution;
20        (3)  the  policies  that  the  institution  maintains  to
21    protect   the   confidentiality   and  security  of  personal
22    information;
23        (4)  the practices and policies of the  institution  with
24    respect to providing consumers the opportunity to examine and
25    dispute information pursuant to subsection (c) of Section 10;
26    and
27        (5)  the  right  of  the  consumer  under  Section  10 to
28    examine, upon request, the personal information,  to  dispute
29    the  accuracy  of  any  of  such  information, and to present
30    evidence thereon.
31        (b)  Financial institutions must provide consumers with a
32    clear and conspicuous disclosure that permits them to compare
33    differences in the measures that  the  financial  institution
34    takes  and  the policies that the institution has established
 
 1    to protect the consumer's privacy as compared to the measures
 2    taken  and  the  policies  established  by  other   financial
 3    institutions.  The disclosure shall specifically identify the
 4    rights the institution affords consumers  to  grant  or  deny
 5    consent to (i) the disclosing of personal information for any
 6    purpose   other   than   as  required  in  order  to  effect,
 7    administer, or enforce the consumer's  transaction,  or  (ii)
 8    the making of an unrelated use of such information.

 9        Section 20. Enforcement.
10        (a)  This Act shall be enforced by the Department and the
11    Attorney  General  with respect to financial institutions and
12    other persons subject to their jurisdiction under  applicable
13    law.
14        (b)  In  addition  to such other remedies as are provided
15    under State law, if the Department or  the  Attorney  General
16    has  reason  to  believe  that  any person has violated or is
17    violating this Act, the State:
18             (1)  may bring an action to enjoin such violation in
19        any court of competent jurisdiction; and
20             (2)  may bring an action on behalf of the  residents
21        of  this  State  to  enforce compliance with this Act, to
22        obtain damages, restitution,  or  other  compensation  on
23        behalf  of  residents  of  this  State, or to obtain such
24        further  and  other  relief  as  the   court   may   deem
25        appropriate.
26        (c)  For  purposes  of  bringing  any  action  under this
27    Section 20, no provision of this Section shall  be  construed
28    as  preventing  the Director of Financial Institutions or the
29    Attorney General from exercising the powers conferred to them
30    by the laws of this State to  conduct  investigations  or  to
31    administer  oaths or affirmations or to compel the attendance
32    of witnesses or  the  production  of  documentary  and  other
33    evidence.
 
 1        (d)  If  a financial institution fails to comply with any
 2    provision of this Act in such a way as  to  have  an  adverse
 3    effect  on  an  individual,  the individual may bring a civil
 4    action against the financial  institution  in  any  court  of
 5    competent jurisdiction.  In any suit brought pursuant to this
 6    subsection (d), the court may order the financial institution
 7    to  take  such action as is necessary to remedy violations of
 8    this Act, including but not limited to:
 9             (1)  amending the individual's record in  accordance
10        with his or her request or in such other way as the court
11        may direct;
12             (2)  enjoining   the   financial   institution  from
13        withholding  the  complainant's  records  and  order  the
14        production  to   the   complainant   of   any   financial
15        institution  records improperly withheld from him or her,
16        in which case the court may examine the contents  of  any
17        financial  institution  records  in  camera  to determine
18        whether  the  records  or  any  portion  thereof  may  be
19        withheld; and
20             (3)  enjoining  the   financial   institution   from
21        transferring  to  any  affiliate  or  nonaffiliated third
22        party financial information.
23        (e)  In any suit brought pursuant to  subsection  (d)  of
24    this Section in which the court determines that the financial
25    institution  violated  this  Act,  the  financial institution
26    shall be liable to the individual in an amount equal  to  the
27    sum of:
28             (1)  actual damages sustained by the individual as a
29        result  of the refusal or failure, but in no case shall a
30        person entitled to recovery receive less than the sum  of
31        $1,000; and
32             (2)  reasonable  attorney  fees and other litigation
33        costs reasonably incurred in any case brought under  this
34        Section   20   related  to  those  claims  on  which  the
 
 1        complainant has substantially prevailed.
 2        (f)  An action to enforce  any  liability  created  under
 3    this  Section  may  be  brought  in  any  court  of competent
 4    jurisdiction, without regard to the  amount  in  controversy,
 5    within  2  years  from  the date on which the cause of action
 6    arises,  except  that  where  a  financial  institution   has
 7    materially   and  willfully  misrepresented  any  information
 8    required to be disclosed to an individual under this  Section
 9    and   the   information  so  misrepresented  is  material  to
10    establishment of the liability of the  financial  institution
11    to  the  individual  under  this  Section,  the action may be
12    brought at any time within 2 years  after  discovery  by  the
13    individual of the misrepresentation.
14        (g)  For  the purposes of this Section, the parent of any
15    minor or the legal guardian of any individual  who  has  been
16    declared   to  be  incompetent  due  to  physical  or  mental
17    incapacity or age by a court of  competent  jurisdiction  may
18    act on behalf of the individual.
19        (h)  The  terms  used  in  subsection  (a)  that  are not
20    defined in this Act or otherwise defined in section  3(s)  of
21    the  Federal  Deposit  Insurance  Act  shall have the meaning
22    given to them in section 1(b) of  the  International  Banking
23    Act of 1978.

24        Section 25. Effect on Fair Credit Reporting Act.  Nothing
25    in this Act shall be construed to modify, limit, or supersede
26    the  operation  of  the  Fair  Credit  Reporting  Act  and no
27    inference shall be drawn on the basis of  the  provisions  of
28    this  Act  regarding  whether  information  is transaction or
29    experience information under section 603 of the  Fair  Credit
30    Reporting Act.

31        Section 30. Relation to other State laws.  This Act shall
32    not  be  construed as superseding, altering, or affecting any
 
 1    statutes, rules, orders, or interpretations in effect in this
 2    State, except  to  the  extent  that  such  statutes,  rules,
 3    orders,   or   interpretations   are  inconsistent  with  the
 4    provisions of this Act and then only to  the  extent  of  the
 5    inconsistency.

 6        Section  35.  Personal  information  that is necessary to
 7    effect or administer a transaction.  The disclosing or use of
 8    personal information shall be treated as necessary to  effect
 9    or administer a transaction with a consumer if the disclosing
10    or use:
11        (1)  is   required   or   is  a  usual,  appropriate,  or
12    acceptable method to carry out the transaction or the product
13    or service business of which the transaction is  a  part  and
14    record,  service  or  maintain  the consumer's account in the
15    ordinary course of  providing  the  financial  service  or  a
16    financial  product  or  to  administer or service benefits or
17    claims relating to the transaction or the product or  service
18    business of which it is a part, and includes:
19             (A)  providing  the consumer or the consumer's agent
20        or broker with a confirmation, statement, or other record
21        of the transaction or information on the status or  value
22        of the financial service or financial product; and
23             (B)  the  accrual  or  recognition  of incentives or
24        bonuses associated with the transaction that are provided
25        by the financial institution or any other party;
26        (2)  is required or is one of the lawful  or  appropriate
27    methods to enforce the rights of the financial institution or
28    of  other  persons  engaged  in  carrying  out  the financial
29    transaction or providing the product or service;
30        (3)  is  required  or  is  a   usual,   appropriate,   or
31    acceptable   method   for   insurance   underwriting  at  the
32    consumer's request or for reinsurance purposes, or for any of
33    the  following  purposes  as  they  relate  to  a  consumer's
 
 1    insurance: account administration, reporting,  investigating,
 2    or preventing fraud or material misrepresentation, processing
 3    premium  payments, processing insurance claims, administering
 4    insurance benefits (including utilization review activities),
 5    participating in research projects, or as otherwise  required
 6    or specifically permitted by federal or State law; or
 7        (4)  the   disclosure   is   required   or  is  a  usual,
 8    appropriate, or acceptable method in connection with:
 9             (A)  the   authorization,    settlement,    billing,
10        processing,   clearing,   transferring,  reconciling,  or
11        collection of amounts charged, debited, or otherwise paid
12        using a debit, credit, or other payment card,  check,  or
13        account number, or by other payment means;
14             (B)  the   transfer  of  receivables,  accounts,  or
15        interests therein; or
16             (C)  the audit of debit, credit,  or  other  payment
17        information.
