Sen. Michael E. Hastings
Filed: 4/28/2017
| |||||||
| |||||||
| |||||||
| 1 | AMENDMENT TO SENATE BILL 1502
| ||||||
| 2 | AMENDMENT NO. ______. Amend Senate Bill 1502, AS AMENDED, | ||||||
| 3 | by replacing everything after the enacting clause with the | ||||||
| 4 | following:
| ||||||
| 5 | "Section 1. Short title. This Act may be cited as the | ||||||
| 6 | Illinois Right to Know Data Transparency and Privacy Protection | ||||||
| 7 | Act. | ||||||
| 8 | Section 5. Findings and purpose.
| ||||||
| 9 | The General Assembly hereby finds and declares that the | ||||||
| 10 | right to privacy is a personal and fundamental right protected | ||||||
| 11 | by the United States Constitution. As such, all individuals | ||||||
| 12 | have a right to privacy in information pertaining to them. This | ||||||
| 13 | State recognizes the importance of providing consumers with | ||||||
| 14 | transparency about how their personal information, especially | ||||||
| 15 | information relating to their children, is shared by | ||||||
| 16 | businesses. This transparency is crucial for Illinois citizens | ||||||
| |||||||
| |||||||
| 1 | to protect themselves and their families from cyber-crimes and | ||||||
| 2 | identity thieves. Furthermore, for free market forces to have a | ||||||
| 3 | role in shaping the privacy practices and for "opt-in" and | ||||||
| 4 | "opt-out" remedies to be effective, consumers must be more than | ||||||
| 5 | vaguely informed that a business might share personal | ||||||
| 6 | information with third parties. Consumers must be better | ||||||
| 7 | informed about what kinds of personal information are shared | ||||||
| 8 | with other businesses. With these specifics, consumers can | ||||||
| 9 | knowledgeably choose to opt-in, opt-out, or choose among | ||||||
| 10 | businesses that disclose information to third parties on the | ||||||
| 11 | basis of how protective the business is of consumers' privacy. | ||||||
| 12 | Businesses are now collecting personal information and | ||||||
| 13 | sharing and selling it in ways not contemplated or properly | ||||||
| 14 | covered by the current law. Some websites are installing | ||||||
| 15 | tracking tools that record when consumers visit web pages, and | ||||||
| 16 | sending very personal information, such as age, gender, race, | ||||||
| 17 | income, health concerns, religion, and recent purchases to | ||||||
| 18 | third party marketers and data brokers. Third party data broker | ||||||
| 19 | companies are buying, selling, and trading personal | ||||||
| 20 | information obtained from mobile phones, financial | ||||||
| 21 | institutions, social media sites, and other online and brick | ||||||
| 22 | and mortar companies. Some mobile applications are sharing | ||||||
| 23 | personal information, such as location information, unique | ||||||
| 24 | phone identification numbers, and age, gender, and other | ||||||
| 25 | personal details with third party companies. As such, consumers | ||||||
| 26 | need to know the ways that their personal information is being | ||||||
| |||||||
| |||||||
| 1 | collected by companies and then shared or sold to third parties | ||||||
| 2 | in order to properly protect their privacy, personal safety, | ||||||
| 3 | and financial security.
| ||||||
| 4 | Section 10. Definitions.
As used in this Act:
| ||||||
| 5 | "Categories of personal information" includes, but is not | ||||||
| 6 | limited to, the following:
| ||||||
| 7 | (a) Identity information including, but not limited | ||||||
| 8 | to, real name, alias, nickname, and user name.
| ||||||
| 9 | (b) Address information, including, but not limited | ||||||
| 10 | to, postal or e-mail.
| ||||||
| 11 | (c) Telephone number.
| ||||||
| 12 | (d) Account name.
| ||||||
| 13 | (e) Social security number or other government-issued | ||||||
| 14 | identification number, including, but not limited to, | ||||||
| 15 | social security number, driver's license number, | ||||||
| 16 | identification card number, and passport number.
| ||||||
| 17 | (f) Birthdate or age.
| ||||||
| 18 | (g) Physical characteristic information, including, | ||||||
| 19 | but not limited to, height and weight.
| ||||||
| 20 | (h) Sexual information, including, but not limited to, | ||||||
| 21 | sexual orientation, sex, gender status, gender identity, | ||||||
| 22 | and gender expression.
| ||||||
| 23 | (i) Race or ethnicity.
| ||||||
| 24 | (j) Religious affiliation or activity.
| ||||||
| 25 | (k) Political affiliation or activity.
| ||||||
| |||||||
| |||||||
| 1 | (l) Professional or employment-related information.
| ||||||
| 2 | (m) Educational information.
| ||||||
| 3 | (n) Medical information, including, but not limited | ||||||
| 4 | to, medical conditions or drugs, therapies, mental health, | ||||||
| 5 | or medical products or equipment used.
| ||||||
| 6 | (o) Financial information, including, but not limited | ||||||
| 7 | to, credit, debit, or account numbers, account balances, | ||||||
| 8 | payment history, or information related to assets, | ||||||
| 9 | liabilities, or general creditworthiness.
| ||||||
| 10 | (p) Commercial information, including, but not limited | ||||||
| 11 | to, records of property, products or services provided, | ||||||
| 12 | obtained, or considered, or other purchasing or consumer | ||||||
| 13 | histories or tendencies.
| ||||||
| 14 | (q) Location information.
| ||||||
| 15 | (r) Internet or mobile activity information, | ||||||
| 16 | including, but not limited to, Internet protocol addresses | ||||||
| 17 | or information concerning the access or use of any Internet | ||||||
| 18 | or mobile-based site or service.
| ||||||
| 19 | (s) Content, including text, photographs, audio or | ||||||
| 20 | video recordings, or other material generated by or | ||||||
| 21 | provided by the customer.
| ||||||
| 22 | (t) Any of the above categories of information as they | ||||||
| 23 | pertain to the children of the customer.
| ||||||
| 24 | "Customer" means an individual residing in Illinois who | ||||||
| 25 | provides, either knowingly or unknowingly, personal | ||||||
| 26 | information to a private entity, with or without an exchange of | ||||||
| |||||||
| |||||||
| 1 | consideration, in the course of purchasing, viewing, | ||||||
| 2 | accessing, renting, leasing, or otherwise using real or | ||||||
| 3 | personal property, or any interest therein, or obtaining a | ||||||
| 4 | product or service from the private entity, including | ||||||
| 5 | advertising or any other content.
| ||||||
| 6 | "Designated request address" means an e-mail address or | ||||||
| 7 | toll-free telephone number whereby customers may request or | ||||||
| 8 | obtain the information required to be provided under Section 15 | ||||||
| 9 | of this Act.
| ||||||
| 10 | "Disclose" means to disclose, release, transfer, share, | ||||||
| 11 | disseminate, make available, or otherwise communicate orally, | ||||||
| 12 | in writing, or by electronic or any other means to any third | ||||||
| 13 | party. "Disclose" does not include the following: | ||||||
| 14 | (a) Disclosure of personal information by a private | ||||||
| 15 | entity to a third party under a written contract | ||||||
| 16 | authorizing the third party to utilize the personal | ||||||
| 17 | information to perform services on behalf of the private | ||||||
| 18 | entity, including maintaining or servicing accounts, | ||||||
| 19 | providing customer service, processing or fulfilling | ||||||
| 20 | orders and transactions, verifying customer information, | ||||||
| 21 | processing payments, providing financing, or similar | ||||||
| 22 | services, but only if (i) the contract prohibits the third | ||||||
| 23 | party from using the personal information for any reason | ||||||
| 24 | other than performing the specified service or services on | ||||||
| 25 | behalf of the private entity and from disclosing any such | ||||||
| 26 | personal information to additional third parties; and (ii) | ||||||
| |||||||
| |||||||
| 1 | the private entity effectively enforces these | ||||||
| 2 | prohibitions. | ||||||
| 3 | (b) Disclosure of personal information by a business to | ||||||
| 4 | a third party based on a good-faith belief that disclosure | ||||||
| 5 | is required to comply with applicable law, regulation, | ||||||
| 6 | legal process, or court order. | ||||||
| 7 | (c) Disclosure of personal information by a private | ||||||
| 8 | entity to a third party that is reasonably necessary to | ||||||
| 9 | address fraud, security, or technical issues; to protect | ||||||
| 10 | the disclosing private entity's rights or property; or to | ||||||
| 11 | protect customers or the public from illegal activities as | ||||||
| 12 | required or permitted by law.
| ||||||
| 13 | "Operator" means any person or entity that owns a website | ||||||
| 14 | located on the Internet or an online service that collects and | ||||||
| 15 | maintains personal information from a customer residing in | ||||||
| 16 | Illinois who uses or visits the website or online service if | ||||||
| 17 | the website or online service is operated for commercial | ||||||
| 18 | purposes. "Operator" does not include businesses having 10 or | ||||||
| 19 | fewer employees or any third party that operates, hosts, or | ||||||
| 20 | manages, but does not own, a website or online service on the | ||||||
| 21 | owner's behalf or by processing information on behalf of the | ||||||
| 22 | owner.
| ||||||
| 23 | "Personal information" means any information that | ||||||
| 24 | identifies, relates to, describes, or is capable of being | ||||||
| 25 | associated with, a particular individual, including, but not | ||||||
| 26 | limited to, his or her name, signature, physical | ||||||
| |||||||
| |||||||
| 1 | characteristics or description, address, telephone number, | ||||||
| 2 | passport number, driver's license or State identification card | ||||||
| 3 | number, insurance policy number, education, employment, | ||||||
| 4 | employment history, bank account number, credit card number, | ||||||
| 5 | debit card number, or any other financial information. | ||||||
| 6 | "Personal information" also means any data or information | ||||||
| 7 | pertaining to an individual's income, assets, liabilities, | ||||||
| 8 | purchases, leases, or rentals of goods, services, or real | ||||||
| 9 | property, if that information is disclosed, or is intended to | ||||||
| 10 | be disclosed, with any identifying information, such as the | ||||||
| 11 | individual's name, address, telephone number, or social | ||||||
| 12 | security number.
| ||||||
| 13 | "Third party" or "third parties" means (i) a private entity | ||||||
| 14 | that is a separate legal entity from the private entity that | ||||||
| 15 | has disclosed personal information; (ii) a private entity that | ||||||
| 16 | does not share common ownership or common corporate control | ||||||
| 17 | with the private entity that has disclosed personal | ||||||
| 18 | information; or (iii) a private entity that does not share a | ||||||
| 19 | brand name or common branding with the private entity that has | ||||||
| 20 | disclosed personal information such that the affiliate | ||||||
| 21 | relationship is clear to the customer. | ||||||
| 22 | Section 15. Notification of information sharing practices. | ||||||
| 23 | An operator of a commercial website or online service that | ||||||
| 24 | collects personal information through the Internet about | ||||||
| 25 | individual customers residing in Illinois who use or visit its | ||||||
| |||||||
| |||||||
| 1 | commercial website or online service shall, in its customer | ||||||
| 2 | agreement or incorporated addendum or in another conspicuous | ||||||
| 3 | location on its website or online service platform where | ||||||
| 4 | similar notices are customarily posted: (i) identify all | ||||||
| 5 | categories of personal information that the operator collects | ||||||
| 6 | through the website or online service about individual | ||||||
| 7 | customers who use or visit its commercial website or online | ||||||
| 8 | service; and (ii) provide a description of a customer's rights, | ||||||
| 9 | as required under Section 25 of this Act, accompanied by one or | ||||||
| 10 | more designated request addresses. | ||||||
| 11 | Section 20. Disclosure of a customer's personal | ||||||
| 12 | information to a third party.
| ||||||
| 13 | (a) An operator that discloses a customer's personal | ||||||
| 14 | information to a third party shall make the following | ||||||
| 15 | information available to the customer free of charge:
| ||||||
| 16 | (1) all categories of personal information that were | ||||||
| 17 | disclosed; and
| ||||||
| 18 | (2) the names of all third parties that received the | ||||||
| 19 | customer's personal information.
| ||||||
| 20 | (b) This Section applies only to personal information | ||||||
| 21 | disclosed after the effective date of this Act.
| ||||||
| 22 | Section 25. Information availability service.
| ||||||
| 23 | (a) An operator required to comply with Section 20 shall | ||||||
| 24 | make the required information available by providing a | ||||||
| |||||||
| |||||||
| 1 | designated request address in its customer agreement or | ||||||
| 2 | incorporated addendum or in another conspicuous location on its | ||||||
| 3 | website or online service platform where similar notices are | ||||||
| 4 | customarily posted, and, upon receipt of a request under this | ||||||
| 5 | Section, shall provide the customer with the information | ||||||
| 6 | required under Section 20 for all disclosures occurring in the | ||||||
| 7 | prior 12 months.
| ||||||
| 8 | (b) An operator that receives a request from a customer | ||||||
| 9 | under this Section at one of the designated addresses shall | ||||||
| 10 | provide a response to the customer within 30 days.
| ||||||
| 11 | (c) An operator shall not be required to respond to a | ||||||
| 12 | request made by the same customer more than once in a given | ||||||
| 13 | 12-month period. | ||||||
| 14 | (d) Notwithstanding the provisions of this Section, a | ||||||
| 15 | parent or legal guardian of a customer under the age of 18 may | ||||||
| 16 | submit a request under this section on behalf of that customer. | ||||||
| 17 | An operator shall not be required to respond to a
request made | ||||||
| 18 | by the same parent or legal guardian on behalf of a customer | ||||||
| 19 | under the age of 18 more than once within a given
12-month | ||||||
| 20 | period.
| ||||||
| 21 | Section 30. Violation. A violation of this Act constitutes | ||||||
| 22 | a violation of the Consumer Fraud and Deceptive Business | ||||||
| 23 | Practices Act. The Office of the Attorney General or the | ||||||
| 24 | appropriate State's Attorney's Office shall have sole | ||||||
| 25 | enforcement authority of the provisions of this Act and may | ||||||
| |||||||
| |||||||
| 1 | enforce a violation of this Act as an unlawful practice under | ||||||
| 2 | the Consumer Fraud and Deceptive Business Practices Act. | ||||||
| 3 | Nothing in this Section shall prevent a person from seeking a | ||||||
| 4 | right of action for a violation of the Biometric Information | ||||||
| 5 | Privacy Act or otherwise seeking relief under the Code of Civil | ||||||
| 6 | Procedure. | ||||||
| 7 | Section 35. Waivers; contracts. Any waiver of the | ||||||
| 8 | provisions of this Act shall be void and unenforceable. Any | ||||||
| 9 | agreement that does not comply with the applicable provisions | ||||||
| 10 | of this Act shall be void and unenforceable. | ||||||
| 11 | Section 40. Construction.
| ||||||
| 12 | (a) Nothing in this Act shall be construed to conflict with | ||||||
| 13 | the federal Health Insurance Portability and Accountability | ||||||
| 14 | Act of 1996 and the rules promulgated under that Act.
| ||||||
| 15 | (b) Nothing in this Act shall be deemed to apply in any | ||||||
| 16 | manner to a financial institution or an affiliate of a | ||||||
| 17 | financial institution that is subject to Title V of the federal | ||||||
| 18 | Gramm-Leach-Bliley Act of 1999 and the rules promulgated under | ||||||
| 19 | that Act.
| ||||||
| 20 | (c) Nothing in this Act shall be construed to apply to any | ||||||
| 21 | State agency, federal agency, unit of local government, or any | ||||||
| 22 | contractor, subcontractor, or agent thereof, when working for | ||||||
| 23 | that State agency, federal agency, or unit of local government.
| ||||||
| 24 | (d) Nothing in this Act shall be construed to apply to any | ||||||
| |||||||
| |||||||
| 1 | entity recognized as a tax-exempt organization under 501(c)(3) | ||||||
| 2 | or 501(c)(4) of the Internal Revenue Code of 1986. | ||||||
| 3 | (e) Nothing in this Act shall be construed to apply to a | ||||||
| 4 | public utility, an alternative retail electric supplier, or an | ||||||
| 5 | alternative gas supplier, as those terms are defined in | ||||||
| 6 | Sections 3-105, 16-102, and 19-105 of the Public Utilities | ||||||
| 7 | Act.".
| ||||||