| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| 1 | AN ACT concerning safety.
| |||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
| 3 | represented in the General Assembly:
| |||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
| 5 | Protect Health Data Privacy Act. | |||||||||||||||||||
| 6 | Section 5. Definitions.
As used in this Act:
| |||||||||||||||||||
| 7 | "Collect" means to buy, rent, lease, access, retain, | |||||||||||||||||||
| 8 | receive, acquire, or otherwise process health data in any | |||||||||||||||||||
| 9 | manner.
| |||||||||||||||||||
| 10 | "Consent" means a clear affirmative act by a consumer that | |||||||||||||||||||
| 11 | unambiguously communicates the consumer's express, freely | |||||||||||||||||||
| 12 | given, informed, opt-in, voluntary, specific, and unambiguous | |||||||||||||||||||
| 13 | written agreement, which may include written consent provided | |||||||||||||||||||
| 14 | by electronic means, to the collection, sale, sharing or | |||||||||||||||||||
| 15 | storage of health data.
Consent may not be implied, and | |||||||||||||||||||
| 16 | consent cannot be obtained by:
| |||||||||||||||||||
| 17 | (1) acceptance of a general or broad terms of use | |||||||||||||||||||
| 18 | agreement or a similar document that contains descriptions | |||||||||||||||||||
| 19 | of personal data processing along with other, unrelated | |||||||||||||||||||
| 20 | information;
| |||||||||||||||||||
| 21 | (2) hovering over, muting, pausing, or closing a given | |||||||||||||||||||
| 22 | piece of digital content; or
| |||||||||||||||||||
| 23 | (3) agreement obtained through the use of deceptive | |||||||||||||||||||
| |||||||
| |||||||
| 1 | designs.
| ||||||
| 2 | "Consumer" means a person who is a resident of the State, | ||||||
| 3 | however identified, including by any unique identifier. A | ||||||
| 4 | person located in the State when the person's health data is | ||||||
| 5 | collected by a regulated entity will create a presumption that | ||||||
| 6 | the person is a resident of the State for purposes of enforcing | ||||||
| 7 | this Act.
| ||||||
| 8 | "Deceptive design" means any user interface or element | ||||||
| 9 | thereof that has the effect of subverting, impairing, or | ||||||
| 10 | impeding an individual's autonomy, decision-making, or choice.
| ||||||
| 11 | "Deidentified data" means data that cannot be used to | ||||||
| 12 | infer information about, or otherwise be linked to, an | ||||||
| 13 | identified or identifiable individual, or a device linked to | ||||||
| 14 | such individual. A regulated entity that possesses | ||||||
| 15 | deidentified data shall: (i) take reasonable measures to | ||||||
| 16 | ensure that such data cannot be associated with an individual; | ||||||
| 17 | (ii) publicly commit to process such data only in a | ||||||
| 18 | deidentified fashion and not attempt to reidentify such data; | ||||||
| 19 | and, (iii) contractually obligate any recipients of such data | ||||||
| 20 | to satisfy the criteria set forth in items (i) and (ii).
| ||||||
| 21 | "Geofence" means technology that uses global positioning | ||||||
| 22 | coordinates, cell tower connectivity, cellular data, radio | ||||||
| 23 | frequency identification, wireless Internet data, or any other | ||||||
| 24 | form of location detection to establish a virtual boundary | ||||||
| 25 | around a specific physical location.
| ||||||
| 26 | "Health data" means information regarding, relating to, | ||||||
| |||||||
| |||||||
| 1 | derived, or extrapolated from the past, present, or future | ||||||
| 2 | physical or mental health of a consumer, including, but not | ||||||
| 3 | limited to, any information relating to:
| ||||||
| 4 | (1) individual health conditions, treatment, status, | ||||||
| 5 | diseases, or diagnoses;
| ||||||
| 6 | (2) health related surgeries or procedures;
| ||||||
| 7 | (3) use or purchase of medication;
| ||||||
| 8 | (4) social, psychological, behavioral, and medical | ||||||
| 9 | interventions;
| ||||||
| 10 | (5) bodily functions, vital signs, measurements, or | ||||||
| 11 | symptoms;
| ||||||
| 12 | (6) diagnoses or diagnostic testing, treatment, or | ||||||
| 13 | medication;
| ||||||
| 14 | (7) efforts to research or obtain health services or | ||||||
| 15 | supplies;
| ||||||
| 16 | (8) health services or products that support or relate | ||||||
| 17 | to lawful health care, as defined by Public Act 102-1117;
| ||||||
| 18 | (9) location information that could reasonably | ||||||
| 19 | indicate a consumer's attempt to acquire or receive health | ||||||
| 20 | services or supplies; and
| ||||||
| 21 | (10) any information described in paragraphs (1) | ||||||
| 22 | through (9) that is derived or extrapolated from nonhealth | ||||||
| 23 | information, including by use of algorithms or machine | ||||||
| 24 | learning.
| ||||||
| 25 | "Health data" does not include personal information | ||||||
| 26 | collected with the consumer's consent that is used to engage | ||||||
| |||||||
| |||||||
| 1 | in public or peer-reviewed scientific, historical, or | ||||||
| 2 | statistical research in the public interest that adheres to | ||||||
| 3 | all other applicable ethics and privacy laws and is approved, | ||||||
| 4 | monitored, and governed by an institutional review board, | ||||||
| 5 | human subjects research ethics review board, or a similar | ||||||
| 6 | independent oversight entity that determines that the | ||||||
| 7 | regulated entity has implemented reasonable safeguards to | ||||||
| 8 | mitigate privacy risks associated with research, including any | ||||||
| 9 | risks associated with reidentification.
| ||||||
| 10 | "Health services" means any service, medical care, or | ||||||
| 11 | information related to a consumer's health data provided to a | ||||||
| 12 | consumer.
| ||||||
| 13 | "Homepage" means the introductory page of an Internet | ||||||
| 14 | website and any Internet web page where personal information | ||||||
| 15 | is collected. In the case of an online service, such as a | ||||||
| 16 | mobile application, homepage means the application's platform | ||||||
| 17 | page or download page, such as from the application | ||||||
| 18 | configuration, "About," "Information," or settings page, and | ||||||
| 19 | any other location that allows consumers to review the notice.
| ||||||
| 20 | "Personal information" means information that identifies, | ||||||
| 21 | relates to, describes, is reasonably capable of being | ||||||
| 22 | associated with, or linked, directly or indirectly, with a | ||||||
| 23 | particular consumer or household. "Personal information" does | ||||||
| 24 | not include publicly available information or deidentified | ||||||
| 25 | data. "Publicly available" means information that is lawfully | ||||||
| 26 | made available from federal, State, or local government | ||||||
| |||||||
| |||||||
| 1 | records.
| ||||||
| 2 | "Regulated entity" means any individual, partnership, | ||||||
| 3 | corporation, limited liability company, association, or other | ||||||
| 4 | group, however organized, that: (i) conducts business in the | ||||||
| 5 | State or produces products or services that are available to | ||||||
| 6 | consumers in the State, and (ii) for any purpose, handles, | ||||||
| 7 | collects, shares, sells, stores or otherwise deals with health | ||||||
| 8 | data. "Regulated entity" does not mean government agencies, | ||||||
| 9 | tribal nations, a clerk of the court, or a judge or justice | ||||||
| 10 | thereof.
| ||||||
| 11 | "Sell" or "sale" means when a regulated entity, directly | ||||||
| 12 | or indirectly, receives any form of remuneration or other | ||||||
| 13 | valuable consideration from the use of health data or from the | ||||||
| 14 | recipient of the health data in exchange for the health data. | ||||||
| 15 | "Sell" does not include:
| ||||||
| 16 | (1) the sharing of health data to a recipient where | ||||||
| 17 | the regulated entity maintains control and ownership of | ||||||
| 18 | the health data;
| ||||||
| 19 | (2) the sharing of health data to comply with | ||||||
| 20 | applicable laws or regulations;
| ||||||
| 21 | (3) the recipient uses the health data only at the | ||||||
| 22 | direction of the regulated entity and consistent with the | ||||||
| 23 | purpose for which it was collected and disclosed to the | ||||||
| 24 | consumer; and
| ||||||
| 25 | (4) the transfer of health data to a third party as an | ||||||
| 26 | asset as part of a merger, acquisition, bankruptcy, or | ||||||
| |||||||
| |||||||
| 1 | other transaction in which the third party assumes control | ||||||
| 2 | of all or part of the regulated entity's assets that shall | ||||||
| 3 | comply with the requirements and obligations in this Act.
| ||||||
| 4 | "Share" means to release, disclose, disseminate, divulge, | ||||||
| 5 | loans, make available, provide access to, license, or | ||||||
| 6 | otherwise communicate orally, in writing, or by electronic or | ||||||
| 7 | other means, health data by a regulated entity to a third party | ||||||
| 8 | except where the regulated entity maintains exclusive control | ||||||
| 9 | and ownership of the health data. "Share" does not include:
| ||||||
| 10 | (1) the disclosure of health data to an entity who | ||||||
| 11 | collects or processes the personal data on behalf of the | ||||||
| 12 | regulated entity, when the regulated entity maintains | ||||||
| 13 | control and ownership of the data and the third party | ||||||
| 14 | maintains or uses the health data only for the regulated | ||||||
| 15 | entity's distinct purposes;
| ||||||
| 16 | (2) the disclosure of health data to a third party | ||||||
| 17 | with whom the consumer has a direct relationship for | ||||||
| 18 | purposes of and only to the extent necessary for providing | ||||||
| 19 | a product or service requested by the consumer when the | ||||||
| 20 | regulated entity maintains control and ownership of the | ||||||
| 21 | data and the third party maintains or uses the health data | ||||||
| 22 | only for the regulated entity's distinct purposes; or
| ||||||
| 23 | (3) the disclosure or transfer of personal data to a | ||||||
| 24 | third party as an asset that is part of a merger, | ||||||
| 25 | acquisition, bankruptcy, or other transaction in which the | ||||||
| 26 | third party assumes control of all or part of the | ||||||
| |||||||
| |||||||
| 1 | regulated entity's assets and shall comply with the | ||||||
| 2 | requirements and obligations in this Act.
| ||||||
| 3 | "Third party" means an entity other than a consumer, | ||||||
| 4 | regulated entity, service provider, or affiliate of the | ||||||
| 5 | regulated entity.
| ||||||
| 6 | Section 10. Scope.
| ||||||
| 7 | (a) This Act applies to consumers seeking, researching, or | ||||||
| 8 | obtaining health services within the State, or information | ||||||
| 9 | about health services available in the State and regulated | ||||||
| 10 | entities.
| ||||||
| 11 | (b) This Act does not affect an individual's right to | ||||||
| 12 | voluntarily share the individual's own health care information | ||||||
| 13 | with another person.
| ||||||
| 14 | Section 15. Health data privacy policy required.
| ||||||
| 15 | (a) A regulated entity shall disclose and maintain a | ||||||
| 16 | health data privacy policy that, in plain language, clearly | ||||||
| 17 | and conspicuously discloses:
| ||||||
| 18 | (1) the specific types of health data collected and | ||||||
| 19 | the purpose for which the data is collected and used;
| ||||||
| 20 | (2) the categories of sources from which the health | ||||||
| 21 | data is collected;
| ||||||
| 22 | (3) the specific types of health data that are shared, | ||||||
| 23 | sold, and stored;
| ||||||
| 24 | (4) the categories of third parties with whom the | ||||||
| |||||||
| |||||||
| 1 | regulated entity collects, shares, sells, and stores | ||||||
| 2 | health data, and the process to withdraw consent from | ||||||
| 3 | having health data collected, shared, sold, and stored;
| ||||||
| 4 | (5) a list of the specific third parties to which the | ||||||
| 5 | regulated entity shares health data, and an active | ||||||
| 6 | electronic mail address or other online mechanism that the | ||||||
| 7 | consumer may use to contact these third parties free of | ||||||
| 8 | charge;
| ||||||
| 9 | (6) how a consumer may exercise the rights provided in | ||||||
| 10 | this Act, including, but not limited to, identifying 2 or | ||||||
| 11 | more designated methods for a consumer to contact the | ||||||
| 12 | regulated entity in connection with the exercise of any | ||||||
| 13 | rights provided in this Act;
| ||||||
| 14 | (7) the length of time the regulated entity intends to | ||||||
| 15 | retain each category of health data, or if that is not | ||||||
| 16 | possible, the criteria used to determine that period | ||||||
| 17 | provided that a regulated entity shall not retain health | ||||||
| 18 | data for each disclosed purpose for which the health data | ||||||
| 19 | was collected for longer than is reasonably necessary to | ||||||
| 20 | fulfill that disclosed purpose; and
| ||||||
| 21 | (8) whether the regulated entity collects health data | ||||||
| 22 | when the consumer is not directly interacting with the | ||||||
| 23 | regulated entity or its services.
| ||||||
| 24 | (b) A regulated entity shall prominently publish its | ||||||
| 25 | health data privacy policy on its website homepage. Such | ||||||
| 26 | health data privacy policy must be distinguishable from other | ||||||
| |||||||
| |||||||
| 1 | matters.
| ||||||
| 2 | (c) A regulated entity shall not collect, share, sell, or | ||||||
| 3 | store additional categories of health data not disclosed in | ||||||
| 4 | the health data privacy policy without first disclosing the | ||||||
| 5 | additional categories of health data and obtaining the | ||||||
| 6 | consumer's consent prior to the collection, sharing, selling, | ||||||
| 7 | or storing of such health data.
| ||||||
| 8 | (d) A regulated entity shall not collect, share, sell, or | ||||||
| 9 | store health data for additional purposes not disclosed in the | ||||||
| 10 | health data privacy policy without first disclosing the | ||||||
| 11 | additional purposes and obtaining the consumer's affirmative | ||||||
| 12 | consent prior to the collection, sharing, selling, or storing | ||||||
| 13 | of such health data.
| ||||||
| 14 | (e) It is a violation of this Act for a regulated entity to | ||||||
| 15 | contract with a service provider to process consumer health | ||||||
| 16 | data in a manner that is inconsistent with the regulated | ||||||
| 17 | entity's consumer health data privacy policy.
| ||||||
| 18 | Section 20. Prohibition on collection, sharing, selling, | ||||||
| 19 | or storing of health data.
| ||||||
| 20 | (a) A regulated entity shall not collect health data, | ||||||
| 21 | except:
| ||||||
| 22 | (1) with the consent of the consumer to whom such | ||||||
| 23 | information relates for a specified purpose; or
| ||||||
| 24 | (2) as is strictly necessary to provide a product or | ||||||
| 25 | service that the consumer to whom such health data relates | ||||||
| |||||||
| |||||||
| 1 | has specifically requested from such regulated entity.
| ||||||
| 2 | (b) A regulated entity shall not share any health data | ||||||
| 3 | except:
| ||||||
| 4 | (1) with consent from the consumer for such sharing | ||||||
| 5 | that is separate and distinct from the consent obtained to | ||||||
| 6 | collect health data; or
| ||||||
| 7 | (2) to the extent strictly necessary to provide a | ||||||
| 8 | product or service that the consumer to whom such health | ||||||
| 9 | data relates has specifically requested from such | ||||||
| 10 | regulated entity.
| ||||||
| 11 | (c) A regulated entity shall not sell health data to any | ||||||
| 12 | third party without entering into a separate written agreement | ||||||
| 13 | with the consumer to whom such health data relates, in which | ||||||
| 14 | the consumer expressly consents to and authorizes the | ||||||
| 15 | regulated entity to sell such health data.
| ||||||
| 16 | (d) A regulated entity shall not store any health data | ||||||
| 17 | except:
| ||||||
| 18 | (1) with consent from the consumer for such sharing | ||||||
| 19 | that is separate and distinct from the consent obtained to | ||||||
| 20 | collect health data; or
| ||||||
| 21 | (2) to the extent strictly necessary to provide a | ||||||
| 22 | product or service that the consumer to whom such health | ||||||
| 23 | data relates has specifically requested from such | ||||||
| 24 | regulated entity.
| ||||||
| 25 | Section 25. Consent required.
| ||||||
| |||||||
| |||||||
| 1 | (a) A regulated entity shall not seek consent to collect, | ||||||
| 2 | share, sell, or store health data without first disclosing its | ||||||
| 3 | health data privacy policy as required under Section 15.
| ||||||
| 4 | (b) Consent obtained prior to collection, sharing, | ||||||
| 5 | selling, or storing. Consent required under this Section must | ||||||
| 6 | be obtained prior to the collection, sharing, selling, or | ||||||
| 7 | storing, as applicable, of any health data, and the request | ||||||
| 8 | for consent must clearly and conspicuously disclose, separate | ||||||
| 9 | and apart from its health data privacy policy:
| ||||||
| 10 | (1) the categories of health data collected, sold, | ||||||
| 11 | shared, or stored;
| ||||||
| 12 | (2) the purpose of the collection, selling, sharing, | ||||||
| 13 | or storage of the health data, including the specific ways | ||||||
| 14 | in which it will be used; and
| ||||||
| 15 | (3) how the consumer can withdraw consent from future | ||||||
| 16 | collection, selling, sharing or storage of their health | ||||||
| 17 | data.
| ||||||
| 18 | (c) Consent required under this Section must be obtained | ||||||
| 19 | prior to the use of any health data for any purpose not | ||||||
| 20 | specified prior to obtaining a consumer's consent for the use | ||||||
| 21 | of such health data for any new purpose.
| ||||||
| 22 | Section 30. Right to withdraw consent.
A consumer has the | ||||||
| 23 | right to withdraw consent from the collection and sharing of | ||||||
| 24 | the consumer's health data.
| ||||||
| |||||||
| |||||||
| 1 | Section 35. Prohibition on discrimination.
It shall be | ||||||
| 2 | unlawful for a regulated entity to discriminate against a | ||||||
| 3 | consumer solely because they have not provided consent | ||||||
| 4 | pursuant to this Act, or have exercised any other rights | ||||||
| 5 | provided by this Act or guaranteed by law. Discrimination | ||||||
| 6 | includes, but is not limited to:
| ||||||
| 7 | (1) providing different, or a different level or | ||||||
| 8 | quality of, goods or services to the consumer;
| ||||||
| 9 | (2) denying or limiting goods or services to the | ||||||
| 10 | consumer;
| ||||||
| 11 | (3) imposing additional requirements or restrictions | ||||||
| 12 | on the individual that would not be necessary if the | ||||||
| 13 | consumer provided their consent;
| ||||||
| 14 | (4) providing materially different treatment to | ||||||
| 15 | consumers who provide consent as compared to consumers who | ||||||
| 16 | do not provide consent;
| ||||||
| 17 | (5) suggesting that the consumer will receive a | ||||||
| 18 | different price or rate for goods or services or a | ||||||
| 19 | different level or quality of goods or services; or
| ||||||
| 20 | (6) charging different prices or rates for goods or | ||||||
| 21 | services, including through the use of discounts or other | ||||||
| 22 | benefits or imposing penalties.
| ||||||
| 23 | Section 40. Right to confirm.
A consumer has the right to | ||||||
| 24 | confirm whether a regulated entity is collecting, selling, | ||||||
| 25 | sharing, or storing any of the consumer's health data, and to | ||||||
| |||||||
| |||||||
| 1 | confirm that a regulated entity has deleted the consumer's | ||||||
| 2 | health data following a deletion request pursuant to Section | ||||||
| 3 | 45 of this Act. A regulated entity that receives a consumer | ||||||
| 4 | request to confirm shall respond within 30 calendar days from | ||||||
| 5 | receiving the request to confirm from the consumer. The | ||||||
| 6 | regulated entity shall, without reasonable delay, promptly | ||||||
| 7 | take all steps necessary to verify the consumer's request, but | ||||||
| 8 | this shall not extend the regulated entity's duty to respond | ||||||
| 9 | within 30 days of receipt of the consumer's request. The time | ||||||
| 10 | period to provide the required confirmation may be extended | ||||||
| 11 | once by an additional 30 calendar days when reasonably | ||||||
| 12 | necessary, provided the consumer is provided notice of the | ||||||
| 13 | extension within the first 30-day period.
| ||||||
| 14 | Section 45. Right to deletion.
| ||||||
| 15 | (a) A consumer has the right to have the consumer's health | ||||||
| 16 | data that is collected by a regulated entity deleted by | ||||||
| 17 | informing the regulated entity of the consumer's request for | ||||||
| 18 | deletion.
| ||||||
| 19 | (b) A regulated entity that collects health data about | ||||||
| 20 | consumers shall disclose the consumer's rights to request the | ||||||
| 21 | deletion of the consumer's health data.
| ||||||
| 22 | (c) Except as otherwise specified in subsection (f), a | ||||||
| 23 | regulated entity that receives a consumer request to delete | ||||||
| 24 | any of the consumer's health data shall without unreasonable | ||||||
| 25 | delay, and no more than 30 calendar days from receiving the | ||||||
| |||||||
| |||||||
| 1 | deletion request:
| ||||||
| 2 | (1) delete the consumer's health data from its | ||||||
| 3 | records, including from all parts of the regulated | ||||||
| 4 | entity's network or backup systems; and
| ||||||
| 5 | (2) notify all service providers, contractors, and | ||||||
| 6 | third parties with whom the regulated entity has shared | ||||||
| 7 | the consumer's health data of the deletion request.
| ||||||
| 8 | (d) Any service provider, contractor, and other third | ||||||
| 9 | party that receives notice of a consumer's deletion request | ||||||
| 10 | from a Regulated Entity shall honor the consumer's deletion | ||||||
| 11 | request and delete the health data from the regulated entity's | ||||||
| 12 | records, including from all parts of its network or backup | ||||||
| 13 | systems.
| ||||||
| 14 | (e) A consumer or a consumer's authorized agent may | ||||||
| 15 | exercise the rights set forth in this Act by submitting a | ||||||
| 16 | request, at any time, to a regulated entity. Such a request may | ||||||
| 17 | be made by:
| ||||||
| 18 | (1) contacting the regulated entity through the manner | ||||||
| 19 | included in its health data privacy policy;
| ||||||
| 20 | (2) by designating an authorized agent who may | ||||||
| 21 | exercise the rights on behalf of the consumer;
| ||||||
| 22 | (3) in the case of collecting health data of a minor, | ||||||
| 23 | the minor seeking health services may exercise their | ||||||
| 24 | rights under this Act, or the parent or legal guardian of | ||||||
| 25 | the minor, may exercise the rights of this Act on the | ||||||
| 26 | minor's behalf; or
| ||||||
| |||||||
| |||||||
| 1 | (4) in the case of collecting health data concerning a | ||||||
| 2 | consumer subject to guardianship, conservatorship, or | ||||||
| 3 | other protective arrangement under the Probate Act of | ||||||
| 4 | 1975, the guardian or the conservator of the consumer may | ||||||
| 5 | exercise the rights of this Act on the consumer's behalf.
| ||||||
| 6 | (f) The time period to delete any of the consumer's health | ||||||
| 7 | data may be extended once by an additional 30 calendar days | ||||||
| 8 | when reasonably necessary, provided the consumer is provided | ||||||
| 9 | notice of the extension within the first 30-day period.
| ||||||
| 10 | Section 50. Consumer health data security and | ||||||
| 11 | minimization.
| ||||||
| 12 | (a) A regulated entity shall restrict access to health | ||||||
| 13 | data by the employees, service providers, and contractors of | ||||||
| 14 | such regulated entity to only those employees, services | ||||||
| 15 | providers, and contractors for which access is necessary to | ||||||
| 16 | provide a product or service that the consumer to whom such | ||||||
| 17 | health data relates has requested from such regulated entity.
| ||||||
| 18 | (b) A regulated entity shall establish, implement, and | ||||||
| 19 | maintain administrative, technical, and physical data security | ||||||
| 20 | practices that at least satisfy a reasonable standard of care | ||||||
| 21 | within the regulated entity's industry to protect the | ||||||
| 22 | confidentiality, integrity, and accessibility of health data | ||||||
| 23 | appropriate to the volume and nature of the personal data at | ||||||
| 24 | issue.
| ||||||
| |||||||
| |||||||
| 1 | Section 55. Prohibition on geofencing.
| ||||||
| 2 | (a) It shall be unlawful for any person to implement a | ||||||
| 3 | geofence that enables the sending of a notification, message, | ||||||
| 4 | alert, or other pieces of information to a consumer that | ||||||
| 5 | enters the perimeter around any entity that provides health | ||||||
| 6 | services.
| ||||||
| 7 | (b) It shall be unlawful for any person to implement a | ||||||
| 8 | geofence around any entity that provides in-person health care | ||||||
| 9 | services where such geofence is used to identify, track, or | ||||||
| 10 | collect data from a consumer that enters the virtual | ||||||
| 11 | perimeter.
| ||||||
| 12 | Section 60. Private right of action.
Any person aggrieved | ||||||
| 13 | by a violation of this Act shall have a right of action in a | ||||||
| 14 | state circuit court or as a supplemental claim in federal | ||||||
| 15 | district court against an offending party. A prevailing party | ||||||
| 16 | may recover for each violation:
| ||||||
| 17 | (1) against any offending party that negligently | ||||||
| 18 | violates a provision of this Act, liquidated damages of | ||||||
| 19 | $1,000 or actual damages, whichever is greater;
| ||||||
| 20 | (2) against any offending party that intentionally or | ||||||
| 21 | recklessly violates a provision of this Act, liquidated | ||||||
| 22 | damages of $5,000 or actual damages, whichever is greater;
| ||||||
| 23 | (3) reasonable attorneys' fees and costs, including | ||||||
| 24 | expert witness fees and other litigation expenses; and
| ||||||
| 25 | (4) other relief, including an injunction, as the | ||||||
| |||||||
| |||||||
| 1 | State or federal court may deem appropriate.
| ||||||
| 2 | Section 65. Enforcement by the Attorney General.
The | ||||||
| 3 | Attorney General may enforce a violation of this Act as an | ||||||
| 4 | unlawful practice under the Consumer Fraud and Deceptive | ||||||
| 5 | Business Practices Act. All rights and remedies provided the | ||||||
| 6 | Attorney General under the Consumer Fraud and Deceptive | ||||||
| 7 | Business Practices Act shall be available for enforcement of a | ||||||
| 8 | violation of this Act.
| ||||||
| 9 | Section 70. Conflict with other laws.
| ||||||
| 10 | (a) Nothing in this Act shall be construed to conflict | ||||||
| 11 | with the Health Insurance Portability and Accountability Act | ||||||
| 12 | of 1996.
| ||||||
| 13 | (b) Nothing in this Act shall be construed to prohibit | ||||||
| 14 | disclosure as required under the Adult Protective Services | ||||||
| 15 | Act, the Abused and Neglected Child Reporting Act, the | ||||||
| 16 | Criminal Code of 2012, and the Disclosure of Offenses Against | ||||||
| 17 | Children Act.
| ||||||
| 18 | (c) If any provision of this Act, or the application | ||||||
| 19 | thereof to any person or circumstance, is held invalid, the | ||||||
| 20 | remainder of this Act and the application of such provision to | ||||||
| 21 | other persons not similarly situated or to other circumstances | ||||||
| 22 | shall not be affected by the invalidation.
| ||||||