91_SB1946
LRB9113314LDpr
1 AN ACT to create the Disclosure of Personal Information
2 Act.
3 Be it enacted by the People of the State of Illinois,
4 represented in the General Assembly:
5 Section 1. Short title. This Act may be cited as the
6 Disclosure of Personal Information Act.
7 Section 5. Definitions. For the purpose of this Act:
8 "Department" means the Department of Financial
9 Institutions.
10 "Financial institution" means any bank subject to the
11 Illinois Banking Act, including a branch of an out-of-state
12 bank as defined in Section 2 of the Illinois Banking Act, any
13 savings bank subject to the Savings Bank Act, any savings and
14 loan association subject to the Illinois Savings and Loan Act
15 of 1985, any credit union subject to the Illinois Credit
16 Union Act, and any federal chartered commercial bank, savings
17 bank, or savings and loan association organized and operated
18 in this State under the laws of the United States.
19 "Personal information" means personally identifiable
20 information provided by a consumer to a financial institution
21 in connection with any transaction with a consumer involving
22 any financial product or any financial service or otherwise
23 obtained by the financial institution.
24 "Unrelated use", when used with respect to information
25 collected by a financial institution in connection with any
26 transaction with a consumer in any financial product or any
27 financial service, means any use other than a use that is
28 necessary to effect, administer, or enforce such transaction.
29 "Affiliate" means any company that controls, is
30 controlled by, or is under common control with another
31 company.
1 "Nonaffiliated third party" means any entity that is not
2 an affiliate of, related by common ownership to, or
3 affiliated by corporate control with a financial institution,
4 but does not include a joint employee of such institution.
5 "Consumer" means an individual who obtains from a
6 financial institution any financial products or services that
7 are to be used primarily for personal, family, or household
8 purposes and also includes the legal representative of such
9 an individual.
10 Section 10. Obligations with respect to personal
11 information.
12 (a) Except as otherwise provided in this Act, a
13 financial institution may not, directly or through any
14 affiliate, disclose or make an unrelated use of any personal
15 information collected by the financial institution in
16 connection with any transaction with a consumer in any
17 financial product or any financial service.
18 (b) (1) A financial institution may not make available
19 any personal information to any affiliate or other person
20 that is not an employee or agent of the institution, unless
21 the consumer to whom the information pertains:
22 (A) has affirmatively consented to the
23 transfer of such information; and
24 (B) has not withdrawn the consent.
25 (2) A financial institution shall not deny any
26 consumer a financial product or a financial service for
27 the refusal by the consumer to grant the consent required
28 by paragraph (1) of this subsection (b).
29 (c) Each financial institution that maintains a system
30 of records for personal information shall:
31 (1) upon request by any individual to gain access
32 to his or her record or to any information pertaining to
33 him or her that is contained in the system, permit him or
1 her, upon his or her request, a person of his or her own
2 choosing to accompany him or her, to review the record
3 and have a copy made of all or any portion thereof in a
4 form comprehensible to him or her, except that the
5 financial institution may require the individual to
6 furnish a written statement authorizing discussion of
7 that individual's record in the accompanying person's
8 presence;
9 (2) permit the individual to request amendment of a
10 record pertaining to him or her and:
11 (A) not later than 10 days (excluding
12 Saturdays, Sundays, and legal public holidays) after
13 the date of receipt of such request, acknowledge in
14 writing receipt of the request; and
15 (B) promptly, either (i) make any correction
16 of any portion thereof that the individual believes
17 is not accurate, relevant, timely, or complete; or
18 (ii) inform the individual of its refusal to amend
19 the record in accordance with his or her request,
20 the reason for the refusal, the procedures
21 established by the financial institution for the
22 individual to request a review of that refusal by
23 the head of the financial institution or an officer
24 designated by the head of the financial institution,
25 and the name and business address of that officer;
26 (3) permit an individual who disagrees with the
27 refusal of the financial institution to amend his or her
28 record to request a review of such refusal and, not later
29 than 30 days (excluding Saturdays, Sundays, and legal
30 public holidays) from the date on which the individual
31 requests such review, complete such review and make a
32 final determination unless, for good cause shown, the
33 head of the financial institution extends such 30-day
34 period; and if, after his or her review, the reviewing
1 officer also refuses to amend the record in accordance
2 with the request, permit the individual to file with the
3 financial institution a concise statement setting forth
4 the reasons for his or her disagreement with the refusal
5 of the financial institution and notify the individual of
6 the provisions for judicial review of the reviewing
7 officer's determination under subsection (d) of Section
8 20; and
9 (4) in any disclosure containing information about
10 which the individual has filed a statement of
11 disagreement occurring after the filing of the statement
12 under paragraph (3) of this subsection, clearly note any
13 portion of the record that is disputed and provide copies
14 of the statement and, if the financial institution deems
15 it appropriate, copies of a concise statement of the
16 reasons of the financial institution for not making the
17 amendments requested, to persons or other agencies to
18 whom the disputed record has been disclosed. Nothing in
19 this subsection (c) shall allow an individual access to
20 any information compiled in reasonable anticipation of a
21 civil action or proceeding.
22 (d) A financial institution shall not disclose any
23 personal information to any affiliate or any nonaffiliated
24 third party for use in telemarketing, direct mail marketing,
25 or other marketing through electronic mail or other
26 electronic means to the consumer.
27 (e) Except as otherwise provided in this Act, an
28 affiliate or a nonaffiliated third party that receives from a
29 financial institution personal information under this Section
30 10 shall not, directly or through an affiliate of such
31 receiving third party, disclose such information to any other
32 person that is an affiliate or a nonaffiliated third party of
33 both the financial institution and such receiving third
34 party, unless such disclosure would be lawful if made
1 directly to such other person by the financial institution.
2 (f) Subsections (a) and (b) of this Section 10 shall not
3 prohibit the disclosure of personal information:
4 (1) as necessary to effect, administer, or enforce
5 a transaction requested or authorized by the consumer, or
6 in connection with;
7 (A) servicing or processing a financial
8 product or service requested or authorized by a
9 consumer;
10 (B) maintaining or servicing a consumer's
11 account with the financial institution; or
12 (C) a proposed or actual securitization,
13 secondary market sale (including sales of servicing
14 rights), or similar transaction related to a
15 transaction of a consumer;
16 (2) with the consent or at the direction of the
17 consumer;
18 (3) to protect the confidentiality or security of
19 the financial institution's records pertaining to the
20 consumer, the service or product, or the transaction
21 therein;
22 (4) to protect against or prevent actual or
23 potential fraud, unauthorized transactions, claims, or
24 other liability;
25 (5) for required institutional risk control, or for
26 resolving consumer disputes or inquiries;
27 (6) to persons holding a legal or beneficial
28 interest relating to the consumer;
29 (7) to persons acting in a fiduciary or
30 representative capacity on behalf of the consumer;
31 (8) to provide information to insurance rate
32 advisory organizations, guaranty funds or agencies,
33 applicable rating agencies of the financial institution,
34 and the institution's attorneys, accountants, and
1 auditors;
2 (9) to the extent specifically permitted or
3 required under other provisions of law and in accordance
4 with the Right to Financial Privacy Act of 1978, to law
5 enforcement agencies (including a Federal functional
6 regulator, the Secretary of the Treasury with respect to
7 subchapter II of chapter 53 of title 31, United States
8 Code, and chapter 2 of title I of Public Law 91-508 (12
9 U.S.C. 1951-1959), a State insurance authority, or the
10 Federal Trade Commission), self-regulatory organizations,
11 or for an investigation on a matter related to public
12 safety;
13 (10) to a consumer reporting agency in accordance
14 with the Fair Credit Reporting Act,
15 (11) from a consumer report reported by a consumer
16 reporting agency in accordance with the Fair Credit
17 Reporting Act;
18 (12) in connection with a proposed or actual sale,
19 merger, transfer, or exchange of all or a portion of a
20 business or operating unit if the disclosure of personal
21 information concerns solely consumers of such business or
22 unit; or
23 (13) to comply with federal, State, or local laws,
24 rules, and other applicable legal requirements; to comply
25 with a properly authorized civil, criminal, or regulatory
26 investigation or subpoena or summons by federal, State,
27 or local authorities; or to respond to judicial process
28 or government regulatory authorities having jurisdiction
29 over the financial institution for examination,
30 compliance, or other purposes as authorized by law.
31 Section 15. Notice concerning disclosing information.
32 (a) All financial institutions, through the use of a
33 form that complies with subsection (b) of this Section 15,
1 must clearly and conspicuously disclose to the consumer at
2 the time of establishing a customer relationship with a
3 consumer and not less than annually during the continuation
4 of such relationship:
5 (1) the categories of personal information that are
6 collected by the financial institution;
7 (2) the practices and policies of the financial
8 institution with respect to disclosing personal information
9 or making unrelated uses of such information, including:
10 (A) the categories of persons to whom the
11 information is or may be disclosed or who may be
12 permitted to make unrelated uses of such information,
13 other than the persons to whom the information must be
14 provided to effect, administer, or enforce a transaction;
15 and
16 (B) the practices and policies of the institution
17 with respect to disclosing or making unrelated uses of
18 personal information of persons who have ceased to be
19 consumers of the financial institution;
20 (3) the policies that the institution maintains to
21 protect the confidentiality and security of personal
22 information;
23 (4) the practices and policies of the institution with
24 respect to providing consumers the opportunity to examine and
25 dispute information pursuant to subsection (c) of Section 10;
26 and
27 (5) the right of the consumer under Section 10 to
28 examine, upon request, the personal information, to dispute
29 the accuracy of any of such information, and to present
30 evidence thereon.
31 (b) Financial institutions must provide consumers with a
32 clear and conspicuous disclosure that permits them to compare
33 differences in the measures that the financial institution
34 takes and the policies that the institution has established
1 to protect the consumer's privacy as compared to the measures
2 taken and the policies established by other financial
3 institutions. The disclosure shall specifically identify the
4 rights the institution affords consumers to grant or deny
5 consent to (i) the disclosing of personal information for any
6 purpose other than as required in order to effect,
7 administer, or enforce the consumer's transaction, or (ii)
8 the making of an unrelated use of such information.
9 Section 20. Enforcement.
10 (a) This Act shall be enforced by the Department and the
11 Attorney General with respect to financial institutions and
12 other persons subject to their jurisdiction under applicable
13 law.
14 (b) In addition to such other remedies as are provided
15 under State law, if the Department or the Attorney General
16 has reason to believe that any person has violated or is
17 violating this Act, the State:
18 (1) may bring an action to enjoin such violation in
19 any court of competent jurisdiction; and
20 (2) may bring an action on behalf of the residents
21 of this State to enforce compliance with this Act, to
22 obtain damages, restitution, or other compensation on
23 behalf of residents of this State, or to obtain such
24 further and other relief as the court may deem
25 appropriate.
26 (c) For purposes of bringing any action under this
27 Section 20, no provision of this Section shall be construed
28 as preventing the Director of Financial Institutions or the
29 Attorney General from exercising the powers conferred to them
30 by the laws of this State to conduct investigations or to
31 administer oaths or affirmations or to compel the attendance
32 of witnesses or the production of documentary and other
33 evidence.
1 (d) If a financial institution fails to comply with any
2 provision of this Act in such a way as to have an adverse
3 effect on an individual, the individual may bring a civil
4 action against the financial institution in any court of
5 competent jurisdiction. In any suit brought pursuant to this
6 subsection (d), the court may order the financial institution
7 to take such action as is necessary to remedy violations of
8 this Act, including but not limited to:
9 (1) amending the individual's record in accordance
10 with his or her request or in such other way as the court
11 may direct;
12 (2) enjoining the financial institution from
13 withholding the complainant's records and order the
14 production to the complainant of any financial
15 institution records improperly withheld from him or her,
16 in which case the court may examine the contents of any
17 financial institution records in camera to determine
18 whether the records or any portion thereof may be
19 withheld; and
20 (3) enjoining the financial institution from
21 transferring to any affiliate or nonaffiliated third
22 party financial information.
23 (e) In any suit brought pursuant to subsection (d) of
24 this Section in which the court determines that the financial
25 institution violated this Act, the financial institution
26 shall be liable to the individual in an amount equal to the
27 sum of:
28 (1) actual damages sustained by the individual as a
29 result of the refusal or failure, but in no case shall a
30 person entitled to recovery receive less than the sum of
31 $1,000; and
32 (2) reasonable attorney fees and other litigation
33 costs reasonably incurred in any case brought under this
34 Section 20 related to those claims on which the
1 complainant has substantially prevailed.
2 (f) An action to enforce any liability created under
3 this Section may be brought in any court of competent
4 jurisdiction, without regard to the amount in controversy,
5 within 2 years from the date on which the cause of action
6 arises, except that where a financial institution has
7 materially and willfully misrepresented any information
8 required to be disclosed to an individual under this Section
9 and the information so misrepresented is material to
10 establishment of the liability of the financial institution
11 to the individual under this Section, the action may be
12 brought at any time within 2 years after discovery by the
13 individual of the misrepresentation.
14 (g) For the purposes of this Section, the parent of any
15 minor or the legal guardian of any individual who has been
16 declared to be incompetent due to physical or mental
17 incapacity or age by a court of competent jurisdiction may
18 act on behalf of the individual.
19 (h) The terms used in subsection (a) that are not
20 defined in this Act or otherwise defined in section 3(s) of
21 the Federal Deposit Insurance Act shall have the meaning
22 given to them in section 1(b) of the International Banking
23 Act of 1978.
24 Section 25. Effect on Fair Credit Reporting Act. Nothing
25 in this Act shall be construed to modify, limit, or supersede
26 the operation of the Fair Credit Reporting Act and no
27 inference shall be drawn on the basis of the provisions of
28 this Act regarding whether information is transaction or
29 experience information under section 603 of the Fair Credit
30 Reporting Act.
31 Section 30. Relation to other State laws. This Act shall
32 not be construed as superseding, altering, or affecting any
1 statutes, rules, orders, or interpretations in effect in this
2 State, except to the extent that such statutes, rules,
3 orders, or interpretations are inconsistent with the
4 provisions of this Act and then only to the extent of the
5 inconsistency.
6 Section 35. Personal information that is necessary to
7 effect or administer a transaction. The disclosing or use of
8 personal information shall be treated as necessary to effect
9 or administer a transaction with a consumer if the disclosing
10 or use:
11 (1) is required or is a usual, appropriate, or
12 acceptable method to carry out the transaction or the product
13 or service business of which the transaction is a part and
14 record, service or maintain the consumer's account in the
15 ordinary course of providing the financial service or a
16 financial product or to administer or service benefits or
17 claims relating to the transaction or the product or service
18 business of which it is a part, and includes:
19 (A) providing the consumer or the consumer's agent
20 or broker with a confirmation, statement, or other record
21 of the transaction or information on the status or value
22 of the financial service or financial product; and
23 (B) the accrual or recognition of incentives or
24 bonuses associated with the transaction that are provided
25 by the financial institution or any other party;
26 (2) is required or is one of the lawful or appropriate
27 methods to enforce the rights of the financial institution or
28 of other persons engaged in carrying out the financial
29 transaction or providing the product or service;
30 (3) is required or is a usual, appropriate, or
31 acceptable method for insurance underwriting at the
32 consumer's request or for reinsurance purposes, or for any of
33 the following purposes as they relate to a consumer's
1 insurance: account administration, reporting, investigating,
2 or preventing fraud or material misrepresentation, processing
3 premium payments, processing insurance claims, administering
4 insurance benefits (including utilization review activities),
5 participating in research projects, or as otherwise required
6 or specifically permitted by federal or State law; or
7 (4) the disclosure is required or is a usual,
8 appropriate, or acceptable method in connection with:
9 (A) the authorization, settlement, billing,
10 processing, clearing, transferring, reconciling, or
11 collection of amounts charged, debited, or otherwise paid
12 using a debit, credit, or other payment card, check, or
13 account number, or by other payment means;
14 (B) the transfer of receivables, accounts, or
15 interests therein; or
16 (C) the audit of debit, credit, or other payment
17 information.