|
Sen. Michael E. Hastings
Filed: 4/28/2017
| | 10000SB1502sam004 | | LRB100 08019 RJF 25517 a |
|
|
1 | | AMENDMENT TO SENATE BILL 1502
|
2 | | AMENDMENT NO. ______. Amend Senate Bill 1502, AS AMENDED, |
3 | | by replacing everything after the enacting clause with the |
4 | | following:
|
5 | | "Section 1. Short title. This Act may be cited as the |
6 | | Illinois Right to Know Data Transparency and Privacy Protection |
7 | | Act. |
8 | | Section 5. Findings and purpose.
|
9 | | The General Assembly hereby finds and declares that the |
10 | | right to privacy is a personal and fundamental right protected |
11 | | by the United States Constitution. As such, all individuals |
12 | | have a right to privacy in information pertaining to them. This |
13 | | State recognizes the importance of providing consumers with |
14 | | transparency about how their personal information, especially |
15 | | information relating to their children, is shared by |
16 | | businesses. This transparency is crucial for Illinois citizens |
|
| | 10000SB1502sam004 | - 2 - | LRB100 08019 RJF 25517 a |
|
|
1 | | to protect themselves and their families from cyber-crimes and |
2 | | identity thieves. Furthermore, for free market forces to have a |
3 | | role in shaping the privacy practices and for "opt-in" and |
4 | | "opt-out" remedies to be effective, consumers must be more than |
5 | | vaguely informed that a business might share personal |
6 | | information with third parties. Consumers must be better |
7 | | informed about what kinds of personal information are shared |
8 | | with other businesses. With these specifics, consumers can |
9 | | knowledgeably choose to opt-in, opt-out, or choose among |
10 | | businesses that disclose information to third parties on the |
11 | | basis of how protective the business is of consumers' privacy. |
12 | | Businesses are now collecting personal information and |
13 | | sharing and selling it in ways not contemplated or properly |
14 | | covered by the current law. Some websites are installing |
15 | | tracking tools that record when consumers visit web pages, and |
16 | | sending very personal information, such as age, gender, race, |
17 | | income, health concerns, religion, and recent purchases to |
18 | | third party marketers and data brokers. Third party data broker |
19 | | companies are buying, selling, and trading personal |
20 | | information obtained from mobile phones, financial |
21 | | institutions, social media sites, and other online and brick |
22 | | and mortar companies. Some mobile applications are sharing |
23 | | personal information, such as location information, unique |
24 | | phone identification numbers, and age, gender, and other |
25 | | personal details with third party companies. As such, consumers |
26 | | need to know the ways that their personal information is being |
|
| | 10000SB1502sam004 | - 3 - | LRB100 08019 RJF 25517 a |
|
|
1 | | collected by companies and then shared or sold to third parties |
2 | | in order to properly protect their privacy, personal safety, |
3 | | and financial security.
|
4 | | Section 10. Definitions.
As used in this Act:
|
5 | | "Categories of personal information" includes, but is not |
6 | | limited to, the following:
|
7 | | (a) Identity information including, but not limited |
8 | | to, real name, alias, nickname, and user name.
|
9 | | (b) Address information, including, but not limited |
10 | | to, postal or e-mail.
|
11 | | (c) Telephone number.
|
12 | | (d) Account name.
|
13 | | (e) Social security number or other government-issued |
14 | | identification number, including, but not limited to, |
15 | | social security number, driver's license number, |
16 | | identification card number, and passport number.
|
17 | | (f) Birthdate or age.
|
18 | | (g) Physical characteristic information, including, |
19 | | but not limited to, height and weight.
|
20 | | (h) Sexual information, including, but not limited to, |
21 | | sexual orientation, sex, gender status, gender identity, |
22 | | and gender expression.
|
23 | | (i) Race or ethnicity.
|
24 | | (j) Religious affiliation or activity.
|
25 | | (k) Political affiliation or activity.
|
|
| | 10000SB1502sam004 | - 4 - | LRB100 08019 RJF 25517 a |
|
|
1 | | (l) Professional or employment-related information.
|
2 | | (m) Educational information.
|
3 | | (n) Medical information, including, but not limited |
4 | | to, medical conditions or drugs, therapies, mental health, |
5 | | or medical products or equipment used.
|
6 | | (o) Financial information, including, but not limited |
7 | | to, credit, debit, or account numbers, account balances, |
8 | | payment history, or information related to assets, |
9 | | liabilities, or general creditworthiness.
|
10 | | (p) Commercial information, including, but not limited |
11 | | to, records of property, products or services provided, |
12 | | obtained, or considered, or other purchasing or consumer |
13 | | histories or tendencies.
|
14 | | (q) Location information.
|
15 | | (r) Internet or mobile activity information, |
16 | | including, but not limited to, Internet protocol addresses |
17 | | or information concerning the access or use of any Internet |
18 | | or mobile-based site or service.
|
19 | | (s) Content, including text, photographs, audio or |
20 | | video recordings, or other material generated by or |
21 | | provided by the customer.
|
22 | | (t) Any of the above categories of information as they |
23 | | pertain to the children of the customer.
|
24 | | "Customer" means an individual residing in Illinois who |
25 | | provides, either knowingly or unknowingly, personal |
26 | | information to a private entity, with or without an exchange of |
|
| | 10000SB1502sam004 | - 5 - | LRB100 08019 RJF 25517 a |
|
|
1 | | consideration, in the course of purchasing, viewing, |
2 | | accessing, renting, leasing, or otherwise using real or |
3 | | personal property, or any interest therein, or obtaining a |
4 | | product or service from the private entity, including |
5 | | advertising or any other content.
|
6 | | "Designated request address" means an e-mail address or |
7 | | toll-free telephone number whereby customers may request or |
8 | | obtain the information required to be provided under Section 15 |
9 | | of this Act.
|
10 | | "Disclose" means to disclose, release, transfer, share, |
11 | | disseminate, make available, or otherwise communicate orally, |
12 | | in writing, or by electronic or any other means to any third |
13 | | party. "Disclose" does not include the following: |
14 | | (a) Disclosure of personal information by a private |
15 | | entity to a third party under a written contract |
16 | | authorizing the third party to utilize the personal |
17 | | information to perform services on behalf of the private |
18 | | entity, including maintaining or servicing accounts, |
19 | | providing customer service, processing or fulfilling |
20 | | orders and transactions, verifying customer information, |
21 | | processing payments, providing financing, or similar |
22 | | services, but only if (i) the contract prohibits the third |
23 | | party from using the personal information for any reason |
24 | | other than performing the specified service or services on |
25 | | behalf of the private entity and from disclosing any such |
26 | | personal information to additional third parties; and (ii) |
|
| | 10000SB1502sam004 | - 6 - | LRB100 08019 RJF 25517 a |
|
|
1 | | the private entity effectively enforces these |
2 | | prohibitions. |
3 | | (b) Disclosure of personal information by a business to |
4 | | a third party based on a good-faith belief that disclosure |
5 | | is required to comply with applicable law, regulation, |
6 | | legal process, or court order. |
7 | | (c) Disclosure of personal information by a private |
8 | | entity to a third party that is reasonably necessary to |
9 | | address fraud, security, or technical issues; to protect |
10 | | the disclosing private entity's rights or property; or to |
11 | | protect customers or the public from illegal activities as |
12 | | required or permitted by law.
|
13 | | "Operator" means any person or entity that owns a website |
14 | | located on the Internet or an online service that collects and |
15 | | maintains personal information from a customer residing in |
16 | | Illinois who uses or visits the website or online service if |
17 | | the website or online service is operated for commercial |
18 | | purposes. "Operator" does not include businesses having 10 or |
19 | | fewer employees or any third party that operates, hosts, or |
20 | | manages, but does not own, a website or online service on the |
21 | | owner's behalf or by processing information on behalf of the |
22 | | owner.
|
23 | | "Personal information" means any information that |
24 | | identifies, relates to, describes, or is capable of being |
25 | | associated with, a particular individual, including, but not |
26 | | limited to, his or her name, signature, physical |
|
| | 10000SB1502sam004 | - 7 - | LRB100 08019 RJF 25517 a |
|
|
1 | | characteristics or description, address, telephone number, |
2 | | passport number, driver's license or State identification card |
3 | | number, insurance policy number, education, employment, |
4 | | employment history, bank account number, credit card number, |
5 | | debit card number, or any other financial information. |
6 | | "Personal information" also means any data or information |
7 | | pertaining to an individual's income, assets, liabilities, |
8 | | purchases, leases, or rentals of goods, services, or real |
9 | | property, if that information is disclosed, or is intended to |
10 | | be disclosed, with any identifying information, such as the |
11 | | individual's name, address, telephone number, or social |
12 | | security number.
|
13 | | "Third party" or "third parties" means (i) a private entity |
14 | | that is a separate legal entity from the private entity that |
15 | | has disclosed personal information; (ii) a private entity that |
16 | | does not share common ownership or common corporate control |
17 | | with the private entity that has disclosed personal |
18 | | information; or (iii) a private entity that does not share a |
19 | | brand name or common branding with the private entity that has |
20 | | disclosed personal information such that the affiliate |
21 | | relationship is clear to the customer. |
22 | | Section 15. Notification of information sharing practices. |
23 | | An operator of a commercial website or online service that |
24 | | collects personal information through the Internet about |
25 | | individual customers residing in Illinois who use or visit its |
|
| | 10000SB1502sam004 | - 8 - | LRB100 08019 RJF 25517 a |
|
|
1 | | commercial website or online service shall, in its customer |
2 | | agreement or incorporated addendum or in another conspicuous |
3 | | location on its website or online service platform where |
4 | | similar notices are customarily posted: (i) identify all |
5 | | categories of personal information that the operator collects |
6 | | through the website or online service about individual |
7 | | customers who use or visit its commercial website or online |
8 | | service; and (ii) provide a description of a customer's rights, |
9 | | as required under Section 25 of this Act, accompanied by one or |
10 | | more designated request addresses. |
11 | | Section 20. Disclosure of a customer's personal |
12 | | information to a third party.
|
13 | | (a) An operator that discloses a customer's personal |
14 | | information to a third party shall make the following |
15 | | information available to the customer free of charge:
|
16 | | (1) all categories of personal information that were |
17 | | disclosed; and
|
18 | | (2) the names of all third parties that received the |
19 | | customer's personal information.
|
20 | | (b) This Section applies only to personal information |
21 | | disclosed after the effective date of this Act.
|
22 | | Section 25. Information availability service.
|
23 | | (a) An operator required to comply with Section 20 shall |
24 | | make the required information available by providing a |
|
| | 10000SB1502sam004 | - 9 - | LRB100 08019 RJF 25517 a |
|
|
1 | | designated request address in its customer agreement or |
2 | | incorporated addendum or in another conspicuous location on its |
3 | | website or online service platform where similar notices are |
4 | | customarily posted, and, upon receipt of a request under this |
5 | | Section, shall provide the customer with the information |
6 | | required under Section 20 for all disclosures occurring in the |
7 | | prior 12 months.
|
8 | | (b) An operator that receives a request from a customer |
9 | | under this Section at one of the designated addresses shall |
10 | | provide a response to the customer within 30 days.
|
11 | | (c) An operator shall not be required to respond to a |
12 | | request made by the same customer more than once in a given |
13 | | 12-month period. |
14 | | (d) Notwithstanding the provisions of this Section, a |
15 | | parent or legal guardian of a customer under the age of 18 may |
16 | | submit a request under this section on behalf of that customer. |
17 | | An operator shall not be required to respond to a
request made |
18 | | by the same parent or legal guardian on behalf of a customer |
19 | | under the age of 18 more than once within a given
12-month |
20 | | period.
|
21 | | Section 30. Violation. A violation of this Act constitutes |
22 | | a violation of the Consumer Fraud and Deceptive Business |
23 | | Practices Act. The Office of the Attorney General or the |
24 | | appropriate State's Attorney's Office shall have sole |
25 | | enforcement authority of the provisions of this Act and may |
|
| | 10000SB1502sam004 | - 10 - | LRB100 08019 RJF 25517 a |
|
|
1 | | enforce a violation of this Act as an unlawful practice under |
2 | | the Consumer Fraud and Deceptive Business Practices Act. |
3 | | Nothing in this Section shall prevent a person from seeking a |
4 | | right of action for a violation of the Biometric Information |
5 | | Privacy Act or otherwise seeking relief under the Code of Civil |
6 | | Procedure. |
7 | | Section 35. Waivers; contracts. Any waiver of the |
8 | | provisions of this Act shall be void and unenforceable. Any |
9 | | agreement that does not comply with the applicable provisions |
10 | | of this Act shall be void and unenforceable. |
11 | | Section 40. Construction.
|
12 | | (a) Nothing in this Act shall be construed to conflict with |
13 | | the federal Health Insurance Portability and Accountability |
14 | | Act of 1996 and the rules promulgated under that Act.
|
15 | | (b) Nothing in this Act shall be deemed to apply in any |
16 | | manner to a financial institution or an affiliate of a |
17 | | financial institution that is subject to Title V of the federal |
18 | | Gramm-Leach-Bliley Act of 1999 and the rules promulgated under |
19 | | that Act.
|
20 | | (c) Nothing in this Act shall be construed to apply to any |
21 | | State agency, federal agency, unit of local government, or any |
22 | | contractor, subcontractor, or agent thereof, when working for |
23 | | that State agency, federal agency, or unit of local government.
|
24 | | (d) Nothing in this Act shall be construed to apply to any |
|
| | 10000SB1502sam004 | - 11 - | LRB100 08019 RJF 25517 a |
|
|
1 | | entity recognized as a tax-exempt organization under 501(c)(3) |
2 | | or 501(c)(4) of the Internal Revenue Code of 1986. |
3 | | (e) Nothing in this Act shall be construed to apply to a |
4 | | public utility, an alternative retail electric supplier, or an |
5 | | alternative gas supplier, as those terms are defined in |
6 | | Sections 3-105, 16-102, and 19-105 of the Public Utilities |
7 | | Act.".
|