Illinois General Assembly - Full Text of HB2774
Illinois General Assembly

Previous General Assemblies

Full Text of HB2774  100th General Assembly

HB2774ham005 100TH GENERAL ASSEMBLY

Rep. Arthur Turner

Filed: 4/25/2017

 

 


 

 


 
10000HB2774ham005LRB100 08020 RJF 25438 a

1
AMENDMENT TO HOUSE BILL 2774

2    AMENDMENT NO. ______. Amend House Bill 2774, AS AMENDED, by
3replacing everything after the enacting clause with the
4following:
 
5    "Section 1. Short title. This Act may be cited as the
6Illinois Right to Know Data Transparency and Privacy Protection
7Act.
 
8    Section 5. Findings and purpose.
9    The General Assembly hereby finds and declares that the
10right to privacy is a personal and fundamental right protected
11by the United States Constitution. As such, all individuals
12have a right to privacy in information pertaining to them. This
13State recognizes the importance of providing consumers with
14transparency about how their personal information, especially
15information relating to their children, is shared by
16businesses. This transparency is crucial for Illinois citizens

 

 

10000HB2774ham005- 2 -LRB100 08020 RJF 25438 a

1to protect themselves and their families from cyber-crimes and
2identity thieves. Furthermore, for free market forces to have a
3role in shaping the privacy practices and for "opt-in" and
4"opt-out" remedies to be effective, consumers must be more than
5vaguely informed that a business might share personal
6information with third parties. Consumers must be better
7informed about what kinds of personal information are shared
8with other businesses. With these specifics, consumers can
9knowledgeably choose to opt-in, opt-out, or choose among
10businesses that disclose information to third parties on the
11basis of how protective the business is of consumers' privacy.
12    Businesses are now collecting personal information and
13sharing and selling it in ways not contemplated or properly
14covered by the current law. Some websites are installing
15tracking tools that record when consumers visit web pages, and
16sending very personal information, such as age, gender, race,
17income, health concerns, religion, and recent purchases to
18third party marketers and data brokers. Third party data broker
19companies are buying, selling, and trading personal
20information obtained from mobile phones, financial
21institutions, social media sites, and other online and brick
22and mortar companies. Some mobile applications are sharing
23personal information, such as location information, unique
24phone identification numbers, and age, gender, and other
25personal details with third party companies. As such, consumers
26need to know the ways that their personal information is being

 

 

10000HB2774ham005- 3 -LRB100 08020 RJF 25438 a

1collected by companies and then shared or sold to third parties
2in order to properly protect their privacy, personal safety,
3and financial security.
 
4    Section 10. Definitions. As used in this Act:
5    "Categories of personal information" includes, but is not
6limited to, the following:
7        (a) Identity information including, but not limited
8    to, real name, alias, nickname, and user name.
9        (b) Address information, including, but not limited
10    to, postal or e-mail.
11        (c) Telephone number.
12        (d) Account name.
13        (e) Social security number or other government-issued
14    identification number, including, but not limited to,
15    social security number, driver's license number,
16    identification card number, and passport number.
17        (f) Birthdate or age.
18        (g) Physical characteristic information, including,
19    but not limited to, height and weight.
20        (h) Sexual information, including, but not limited to,
21    sexual orientation, sex, gender status, gender identity,
22    and gender expression.
23        (i) Race or ethnicity.
24        (j) Religious affiliation or activity.
25        (k) Political affiliation or activity.

 

 

10000HB2774ham005- 4 -LRB100 08020 RJF 25438 a

1        (l) Professional or employment-related information.
2        (m) Educational information.
3        (n) Medical information, including, but not limited
4    to, medical conditions or drugs, therapies, mental health,
5    or medical products or equipment used.
6        (o) Financial information, including, but not limited
7    to, credit, debit, or account numbers, account balances,
8    payment history, or information related to assets,
9    liabilities, or general creditworthiness.
10        (p) Commercial information, including, but not limited
11    to, records of property, products or services provided,
12    obtained, or considered, or other purchasing or consumer
13    histories or tendencies.
14        (q) Location information.
15        (r) Internet or mobile activity information,
16    including, but not limited to, Internet protocol addresses
17    or information concerning the access or use of any Internet
18    or mobile-based site or service.
19        (s) Content, including text, photographs, audio or
20    video recordings, or other material generated by or
21    provided by the customer.
22        (t) Any of the above categories of information as they
23    pertain to the children of the customer.
24    "Customer" means an individual residing in Illinois who
25provides, either knowingly or unknowingly, personal
26information to a private entity, with or without an exchange of

 

 

10000HB2774ham005- 5 -LRB100 08020 RJF 25438 a

1consideration, in the course of purchasing, viewing,
2accessing, renting, leasing, or otherwise using real or
3personal property, or any interest therein, or obtaining a
4product or service from the private entity, including
5advertising or any other content.
6    "Designated request address" means an e-mail address or
7toll-free telephone number whereby customers may request or
8obtain the information required to be provided under Section 15
9of this Act.
10    "Disclose" means to disclose, release, transfer, share,
11disseminate, make available, or otherwise communicate orally,
12in writing, or by electronic or any other means to any third
13party. "Disclose" does not include the following:
14        (a) Disclosure of personal information by a private
15    entity to a third party under a written contract
16    authorizing the third party to utilize the personal
17    information to perform services on behalf of the private
18    entity, including maintaining or servicing accounts,
19    providing customer service, processing or fulfilling
20    orders and transactions, verifying customer information,
21    processing payments, providing financing, or similar
22    services, but only if (i) the contract prohibits the third
23    party from using the personal information for any reason
24    other than performing the specified service or services on
25    behalf of the private entity and from disclosing any such
26    personal information to additional third parties; and (ii)

 

 

10000HB2774ham005- 6 -LRB100 08020 RJF 25438 a

1    the private entity effectively enforces these
2    prohibitions.
3        (b) Disclosure of personal information by a business to
4    a third party based on a good-faith belief that disclosure
5    is required to comply with applicable law, regulation,
6    legal process, or court order.
7        (c) Disclosure of personal information by a private
8    entity to a third party that is reasonably necessary to
9    address fraud, security, or technical issues; to protect
10    the disclosing private entity's rights or property; or to
11    protect customers or the public from illegal activities as
12    required or permitted by law.
13    "Operator" means any person or entity that owns a website
14located on the Internet or an online service that collects and
15maintains personal information from a customer residing in
16Illinois who uses or visits the website or online service if
17the website or online service is operated for commercial
18purposes. "Operator" does not include businesses having 10 or
19fewer employees or any third party that operates, hosts, or
20manages, but does not own, a website or online service on the
21owner's behalf or by processing information on behalf of the
22owner.
23    "Personal information" means any information that
24identifies, relates to, describes, or is capable of being
25associated with, a particular individual, including, but not
26limited to, his or her name, signature, physical

 

 

10000HB2774ham005- 7 -LRB100 08020 RJF 25438 a

1characteristics or description, address, telephone number,
2passport number, driver's license or State identification card
3number, insurance policy number, education, employment,
4employment history, bank account number, credit card number,
5debit card number, or any other financial information.
6"Personal information" also means any data or information
7pertaining to an individual's income, assets, liabilities,
8purchases, leases, or rentals of goods, services, or real
9property, if that information is disclosed, or is intended to
10be disclosed, with any identifying information, such as the
11individual's name, address, telephone number, or social
12security number.
13    "Third party" or "third parties" means (i) a private entity
14that is a separate legal entity from the private entity that
15has disclosed personal information; (ii) a private entity that
16does not share common ownership or common corporate control
17with the private entity that has disclosed personal
18information; or (iii) a private entity that does not share a
19brand name or common branding with the private entity that has
20disclosed personal information such that the affiliate
21relationship is clear to the customer.
 
22    Section 15. Notification of information sharing practices.
23An operator of a commercial website or online service that
24collects personal information through the Internet about
25individual customers residing in Illinois who use or visit its

 

 

10000HB2774ham005- 8 -LRB100 08020 RJF 25438 a

1commercial website or online service shall, in its customer
2agreement or incorporated addendum or in another conspicuous
3location on its website or online service platform where
4similar notices are customarily posted: (i) identify all
5categories of personal information that the operator collects
6through the website or online service about individual
7customers who use or visit its commercial website or online
8service; and (ii) provide a description of a customer's rights,
9as required under Section 25 of this Act, accompanied by one or
10more designated request addresses.
 
11    Section 20. Disclosure of a customer's personal
12information to a third party.
13    (a) An operator that discloses a customer's personal
14information to a third party shall make the following
15information available to the customer free of charge:
16        (1) all categories of personal information that were
17    disclosed; and
18        (2) the names of all third parties that received the
19    customer's personal information.
20    (b) This Section applies only to personal information
21disclosed after the effective date of this Act.
 
22    Section 25. Information availability service.
23    (a) An operator required to comply with Section 20 shall
24make the required information available by providing a

 

 

10000HB2774ham005- 9 -LRB100 08020 RJF 25438 a

1designated request address in its customer agreement or
2incorporated addendum or in another conspicuous location on its
3website or online service platform where similar notices are
4customarily posted, and, upon receipt of a request under this
5Section, shall provide the customer with the information
6required under Section 20 for all disclosures occurring in the
7prior 12 months.
8    (b) An operator that receives a request from a customer
9under this Section at one of the designated addresses shall
10provide a response to the customer within 30 days.
11    (c) An operator shall not be required to respond to a
12request made by the same customer more than once in a given
1312-month period.
14    (d) Notwithstanding the provisions of this Section, a
15parent or legal guardian of a customer under the age of 18 may
16submit a request under this section on behalf of that customer.
17An operator shall not be required to respond to a request made
18by the same parent or legal guardian on behalf of a customer
19under the age of 18 more than once within a given 12-month
20period.
 
21    Section 30. Violation. A violation of this Act constitutes
22a violation of the Consumer Fraud and Deceptive Business
23Practices Act. The Office of the Attorney General or the
24appropriate State's Attorney's Office shall have sole
25enforcement authority of the provisions of this Act and may

 

 

10000HB2774ham005- 10 -LRB100 08020 RJF 25438 a

1enforce a violation of this Act as an unlawful practice under
2the Consumer Fraud and Deceptive Business Practices Act.
3Nothing in this Section shall prevent a person from seeking a
4right of action for a violation of the Biometric Information
5Privacy Act or otherwise seeking relief under the Code of Civil
6Procedure.
 
7    Section 35. Waivers; contracts. Any waiver of the
8provisions of this Act shall be void and unenforceable. Any
9agreement that does not comply with the applicable provisions
10of this Act shall be void and unenforceable.
 
11    Section 40. Construction.
12    (a) Nothing in this Act shall be construed to conflict with
13the federal Health Insurance Portability and Accountability
14Act of 1996 and the rules promulgated under that Act.
15    (b) Nothing in this Act shall be deemed to apply in any
16manner to a financial institution or an affiliate of a
17financial institution that is subject to Title V of the federal
18Gramm-Leach-Bliley Act of 1999 and the rules promulgated under
19that Act.
20    (c) Nothing in this Act shall be construed to apply to any
21State agency, federal agency, unit of local government, or any
22contractor, subcontractor, or agent thereof, when working for
23that State agency, federal agency, or unit of local government.
24    (d) Nothing in this Act shall be construed to apply to any

 

 

10000HB2774ham005- 11 -LRB100 08020 RJF 25438 a

1entity recognized as a tax-exempt organization under 501(c)(3)
2or 501(c)(4) of the Internal Revenue Code of 1986.
3    (e) Nothing in this Act shall be construed to apply to a
4public utility, an alternative retail electric supplier, or an
5alternative gas supplier, as those terms are defined in
6Sections 3-105, 16-102, and 19-105 of the Public Utilities
7Act.".