SB0731sam001 102ND GENERAL ASSEMBLY

Sen. Thomas Cullerton

Filed: 4/8/2021

10200SB0731sam001LRB102 17247 KTG 24736 a

AMENDMENT TO SENATE BILL 731

    AMENDMENT NO. ______. Amend Senate Bill 731 by replacing everything after the enacting clause with the following:

    "Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

    Section 5. Findings. The General Assembly finds and declares that:
        (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information is stored, used, and shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
        (2) Businesses are now collecting, sharing, and selling personal information in ways not contemplated or properly covered by current law.
            (a) Some websites install tracking tools that record when consumers visit web pages and send personal information collected to third party marketers and data brokers.
            (b) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.
            (c) Social media companies, credit agencies and retail stores have all had their internal security systems breached, resulting in consumers' personal information being stolen and sold on the black market.
        (3) Illinois consumers must be better informed about what kinds of personal information are collected, how information is shared with third parties, and how businesses store consumers' personal information. With this specific information, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy in order to properly protect their privacy, property, personal safety, and financial security.

    Section 10. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.
    "Business" means any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois and meets one or more of the following thresholds:
        (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof.
        (2) The business derives 50% or more of its annual revenues from selling consumers' personal information.
    "Business" does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.
    "Categories of sources" means types of entities from which a business collects personal information about consumers, including, but not limited to, the consumer directly, government entities from which public records are obtained, and consumer data resellers.
    "Categories of third parties" means types of entities that do not collect personal information directly from consumers, including, but not limited to, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.
    "Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.
    "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
        (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
        (2) Has implemented business processes that specifically prohibit reidentification of the information.
        (3) Has implemented business processes to prevent inadvertent release of deidentified information.
        (4) Makes no attempt to reidentify the information.
    "Designated request address" means an electronic mail address, online form, mailing address, or toll-free telephone number that a consumer may use to request information, opt out of the sale or disclosure of personal information, or correct or delete personal information, as required to be provided under this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party. "Disclose" does not include:
        (1) Disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by a business to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers are subject to the same restrictions imposed by this subsection.
        (2) Disclosure of personal information by a business to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
        (3) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing business' right or property; or to protect consumers or the public from illegal activities.
        (4) Disclosure of personal information by a business to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the business, to a third party.
    "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
        (1) Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, state identification number, passport number, physical characteristics or description, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, health insurance information, or other similar identifiers.
        (2) Characteristics of protected classifications under Illinois or federal law.
        (3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
        (4) Biometric information.
        (5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application or advertisement.
        (6) Geolocation data.
        (7) Audio, electronic, visual, thermal, olfactory, or similar information.
        (8) Professional or employment-related information.
        (9) Educational information.
        (10) Inferences drawn from any of the information identified in this Section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    "Personal information" does not include publicly available information which the business obtained directly from records lawfully made available from federal, state, or local government records. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.
    "Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
    "Request" means a consumer right set forth in this Act including one or more of the following: (i) for the disclosure of information regarding a consumer's personal information; (ii) the opt out of sale or disclosure of a consumer's personal information; (iii) the correction of inaccurate personal information; and (iv) the deletion of personal information.
    "Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by a business to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes. "Sale" or "sell" does not include circumstances in which:
        (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party or affiliate, provided the third party or affiliate does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
        (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties or affiliates that the consumer has opted out of the sale of the consumer's personal information.
        (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purposes.
        (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party or affiliate assumes control of all or part of the business, provided that information is used or shared consistently with this Act. If a third party or affiliate materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistent with Section 20 and Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
        (5) A business uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.
        (6) The disclosure or transfer of personal information to an affiliate of the business.
    "Service provider" means the natural or legal person that processes personal information on behalf of the business.
    "Third party" means a business that is: (1) not an affiliate of the business that has collected, disclosed, or sold personal information; or (2) an affiliate with the business that has collected, disclosed, or sold personal information and the affiliate relationship is not clear to the consumer.

    Section 15. Right to transparency. Any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer of the following in the service agreement or somewhere readily accessible on the business' website or mobile application:
        (1) All categories of personal information and deidentified information that the business processes about individual consumers;
        (2) All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;
        (3) The process in which an individual consumer may:
            (A) review the personal information collected by the business;
            (B) request changes to inaccurate personal information;
            (C) opt out of the disclosure or sale of personal information; and
            (D) request deletion of personal information; and
        (4) The process in which the business notifies consumers of material changes to the notice required to be made available under this Section.

    Section 20. Right to know. Consumers may request the following information of businesses:
        (1) Copies of specific pieces of personal information about the consumer processed by the business.
        (2) Categories of sources for the personal information processed.
        (3) Name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.

    Section 25. Right to opt out, correct, and delete. Consumers have the following rights concerning their personal information:
        (1) The right to request to opt out of the following:
            (A) the disclosure of personal information from the business to third parties and affiliates;
            (B) the sale of personal information from the business to third parties and affiliates; and
            (C) the processing of personal information by the business, third parties, and affiliates.
        (2) The right to request that a business correct inaccurate personal information about the consumer.
        (3) The right to request that a business delete personal information about the consumer.

    Section 30. Consumer requests and business responses.
    (a) Businesses shall establish a process for collecting consumer requests and reasonably authenticating consumers making the requests and reasonably authenticating any request to correct inaccurate personal information. The method by which a consumer may submit a request under Section 20 and Section 25 shall be done in a form and manner determined by the business in a way that is not overly burdensome on the consumer.
    (b) A business shall post on its website, online service, and within any mobile application, a link to a designated request address web page maintained by the business for the purpose of collecting and processing consumer requests. The business shall also post a designated request street address for consumers to submit requests by mail.
    (c) A parent or legal guardian of a consumer under the age of 13 may submit a request on behalf of that consumer.
    (d) A business that receives a request from a consumer through a designated request address shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required or confirmation of the consumer's opt out, correction or deletion request and business' compliance.
        (1) The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.
        (2) A business that has received a request to opt out of the disclosure or sale of a consumer's personal information shall be prohibited from selling or disclosing that consumer's personal information after its receipt of the consumer's request, unless the consumer subsequently provides express authorization for the sale or disclosure of the consumer's personal information.
        (3) A business that receives a request to delete the consumer's personal information, shall delete the consumer's personal information from its records and direct any third party or affiliate with whom the personal information was disclosed, to delete the consumer's personal information from their records.
        (4) A business shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business to maintain the consumer's personal information in order to:
            (i) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
            (ii) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
            (iii) Debug to identify and repair errors that impair existing intended functionality.
            (iv) Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
            (v) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
            (vi) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
            (vii) Comply with a legal obligation.
            (viii) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
    (e) A business must provide a response to the consumer within 45 days of a request under Section 20 and Section 25.
        (1) The business shall promptly take steps to verify the request, but shall not extend the business' duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.
        (2) The disclosure shall cover at least the 12-month period preceding the business' receipt of the request. The business shall not require the consumer to create an account with the business in order to make a request.
        (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any consumer request is manifestly unfounded or excessive.
    (f) A business shall not be required to respond to a request made by or on behalf of the same consumer more than once in any 12-month period.

25    Section 35. Businesses, affiliates, and third parties.

 

 

10200SB0731sam001- 17 -LRB102 17247 KTG 24736 a

1    (a) A business is not required to retain any personal
2information collected for a single, one-time transaction, if
3such information is not sold or retained by the business or to
4reidentify or otherwise link information that is not
5maintained in a manner that would be considered personal
6information.
7    (b) A business shall not reidentify any deidentified
8consumer information, unless the consumer subsequently
9provides express authorization for reidentification of
10deidentified information.
11    (c) A business shall not sell the personal information of
12any consumer for which the business has actual knowledge that
13the consumer is less than 16 years of age. A business that
14willfully disregards the consumer's age shall be deemed to
15have had actual knowledge of the consumer's age.
16    (d) A business shall not use a consumer's personal
17information for any purpose other than those disclosed in the
18notice at collection. If the business intends to use a
19consumer's personal information for a purpose that was not
20previously disclosed to the consumer in the notice at
21collection, the business shall directly notify the consumer of
22this new use and obtain explicit consent from the consumer to
23use it for this new purpose.
24    (e) A business shall not collect categories of personal
25information other than those disclosed in the notice at
26collection. If the business intends to collect additional

 

 

10200SB0731sam001- 18 -LRB102 17247 KTG 24736 a

1categories of personal information, the business shall provide
2a new notice at collection.
3    (f) If a business does not give the notice at collection to
4the consumer at or before the collection of their personal
5information, the business shall not collect personal
6information from the consumer.
7    (g) Affiliates and third parties shall not sell consumer
8personal information purchased from a business unless the
9consumer has received notice and is provided an opportunity to
10opt out of the resale of the consumer's personal information.
11    (h) Pricing incentives and prohibition of discrimination.
12        (1) A business shall not discriminate against a
13    consumer because the consumer exercised any of the
14    consumer's rights in this Act, including, but not limited
15    to:
16            (A) Denying goods or services to the consumer.
17            (B) Charging different prices or rates for goods
18        or services, including through the use of discounts or
19        other benefits or imposing penalties.
20            (C) Providing a different level or quality of
21        goods or services to the consumer, if the consumer
22        exercises the consumer's rights under this Act.
23            (D) Suggesting that the consumer will receive a
24        different price or rate for goods or services or a
25        different level or quality of goods or services.
26        (2) Nothing shall prohibit a business from charging a

 

 

10200SB0731sam001- 19 -LRB102 17247 KTG 24736 a

1    consumer a different price or rate, or from providing a
2    different level or quality of goods or services to the
3    consumer, if that difference is reasonably related to the
4    value provided to the consumer by the consumer's data.
5        (3) A business may offer financial incentives,
6    including payments to consumers as compensation, for the
7    collection of personal information, the sale of personal
8    information, or the deletion of personal information. A
9    business may also offer a different price, rate, level, or
10    quality of goods or services to the consumer if that price
11    or difference is directly related to the value provided to
12    the consumer by the consumer's data.
13            (A) A business that offers any financial
14        incentives regarding consumer personal information or
15        deidentified information, shall notify consumers of
16        the financial incentives in the consumer service
17        agreement, website, online service or mobile
18        application.
19            (B) A business may enter a consumer into a
20        financial incentive program only if the consumer gives
21        the business prior opt-in consent which clearly
22        describes the material terms of the financial
23        incentive program, and which may be revoked by the
24        consumer at any time.
25            (C) A business shall not use financial incentive
26        practices that are unjust, unreasonable, or coercive.

 

 

10200SB0731sam001- 20 -LRB102 17247 KTG 24736 a

1    (i) A business that discloses personal information to a
2service provider shall not be liable under this Act if the
3service provider receiving the personal information uses it in
4violation of the restrictions set forth in the Act, provided
5that, at the time of disclosing the personal information, the
6business does not have actual knowledge, or reason to believe,
7that the service provider intends to commit such a violation.
8A service provider shall likewise not be liable under this Act
9for the obligations of a business for which it provides
10services as set forth in this Act.
11    (j) The obligations imposed on businesses by this Act do
12not restrict a business' ability to:
13        (1) Comply with federal, state, or local laws, rules,
14    regulations, or enforceable guidance.
15        (2) Comply with a civil, criminal, or regulatory
16    inquiry, investigation, subpoena, or summons by federal,
17    state, or local authorities.
18        (3) Cooperate with law enforcement agencies concerning
19    conduct or activity that the business, service provider,
20    or third party reasonably and in good faith believes may
21    violate federal, state, or local law.
22        (4) Exercise or defend legal claims.
23        (5) Prevent, detect, or respond to identity theft,
24    fraud, or other malicious or illegal activity.
25        (6) Collect, use, retain, sell, or disclose consumer's
26    personal information that is deidentified or in the

 

 

10200SB0731sam001- 21 -LRB102 17247 KTG 24736 a

1    aggregate consumer information.
2    (k) Businesses, affiliates, and third parties shall take
3reasonable measures to protect customer's personal information
4from unauthorized use, disclosure, or access.
5        (1) In implementing security measures required by this
6    subsection, a business, affiliate, and third party shall
7    take into account each of the following factors:
8            (A) The nature and scope of the business;,
9        affiliate's, or third party's activities;
10            (B) The sensitivity of the data processed;
11            (C) The size of the business, affiliate, or third
12        party; and
13            (D) The technical feasibility of the security
14        measures.
15        (2) A business, affiliate, or third party may employ
16    any lawful measure that allows the business, affiliate, or
17    third party to comply with the requirements of this
18    subsection.
19    (l) Risk assessments.
20        (1) Businesses, affiliates, and third parties must
21    conduct, to the extent not previously conducted, a risk
22    assessment of each of their processing activities
23    involving personal information and an additional risk
24    assessment any time there is a change in processing that
25    materially increases the risk to consumers. Such risk
26    assessments must take into account the type of personal

 

 

10200SB0731sam001- 22 -LRB102 17247 KTG 24736 a

    data to be processed by the business, affiliate, or third
    party, including the extent to which the personal
    information is sensitive information or otherwise
    sensitive in nature, and the context in which the personal
    information is to be processed.
        (2) Risk assessments conducted under subsection (a)
    must identify and weigh the benefits that may flow
    directly and indirectly from the processing to the
    business, consumer, other stakeholders, and the public,
    against the potential risks to the rights of the consumer
    associated with such processing, as mitigated by
    safeguards that can be employed by the business to reduce
    such risks. The use of deidentified data and the
    reasonable expectations of consumers, as well as the
    context of the processing and the relationship between the
    business, affiliate, or third party and the consumer whose
    personal data will be processed, must factor into this
    assessment by the business, affiliate, or third party.
        (3) If the risk assessment conducted under subsection
    (a) of this Section determines that the potential risks of
    privacy harm to consumers are substantial and outweigh the
    interests of the business, consumer, other stakeholders,
    and the public in processing the personal information of
    the consumer, the business may only engage in such
    processing with the consent of the consumer or if another
    exemption under this Act applies. To the extent the
    business seeks consumer consent for processing, such
    consent shall be as easy to withdraw as to give.
        (4) Processing for a business purpose shall be
    presumed to be permissible unless: (i) it involves the
    processing of sensitive data; and (ii) the risk of
    processing cannot be reduced through the use of
    appropriate administrative and technical safeguards.
        (5) The business, affiliate, and third party must make
    the risk assessment available to the Office of the
    Attorney General upon request. Risk assessments are
    confidential and exempt from public inspection and copying
    under the Freedom of Information Act.

    Section 40. Enforcement.
    (a) Private right of action.
        (1) Any consumer whose unencrypted or unredacted
    personal information is subject to an unauthorized access
    and exfiltration, theft, or disclosure as a result of the
    business' violation of the duty to implement and maintain
    reasonable security procedures and practices appropriate
    to the nature of the information to protect the personal
    information may institute a civil action for any of the
    following:
            (A) To recover damages in an amount not less than
        $100 and not greater than $750 per customer per
        incident or actual damages, whichever is greater.
            (B) Injunctive or declaratory relief.
            (C) Any other relief the court deems proper.
        (2) In assessing the amount of statutory damages, the
    court shall consider any one or more of the relevant
    circumstances presented by any of the parties to the case,
    including, but not limited to, the nature and seriousness
    of the misconduct, the number of violations, the
    persistence of the misconduct, the length of time over
    which the misconduct occurred, the willfulness of the
    defendant's misconduct, and the defendant's assets,
    liabilities, and net worth.
        (3) Nothing in this Act shall be interpreted to serve
    as the basis for a private right of action under any other
    law. This shall not be construed to relieve any party from
    any duties or obligations imposed under other law or the
    United States or Illinois Constitution.
    (b) Attorney General enforcement. A violation of this Act
constitutes an unlawful practice under the Consumer Fraud and
Deceptive Business Practices Act. The Attorney General has
authority to enforce this Act as a violation of the Consumer
Fraud and Deceptive Business Practices Act, subject to the
remedies available to the Attorney General under the Consumer
Fraud and Deceptive Business Practices Act.

    Section 45. Applicability.
    (a) This Act does not apply to personal information
collected, processed, sold, or disclosed under:
        (1) The Gramm-Leach-Bliley Act, and the rules
    promulgated under that Act.
        (2) The Health Insurance Portability and
    Accountability Act of 1996, and the rules promulgated
    under that Act.
        (3) The Fair Credit Reporting Act, and the rules
    promulgated under that Act.
    (b) Nothing in this Act restricts a business' ability to
collect or disclose a consumer's personal information if a
consumer's conduct takes place wholly outside of Illinois. For
purposes of this Act, conduct takes place wholly outside of
Illinois if the business collected that information while the
consumer was outside of Illinois, no part of the sale of the
consumer's personal information occurred in Illinois, and no
personal information collected while the consumer was in
Illinois is disclosed.

    Section 50. Waivers; contracts. Any waiver of the
provisions of this Act is void and unenforceable.

    Section 55. Home rule preemption. Except as otherwise
provided in this Act, the regulation of the activities
described in this Act are the exclusive powers and functions
of the State. Except as otherwise provided in this Act, a unit
of local government, including a home rule unit, may not
regulate the activities described in this Act. This Section is
a denial and limitation of home rule powers and functions
under subsection (h) of Section 6 of Article VII of the
Illinois Constitution.

    Section 97. Severability. The provisions of this Act are
severable under Section 1.31 of the Statute on Statutes.

    Section 99. Effective date. This Act takes effect January
1, 2022.".