Rep. Arthur Turner

Filed: 3/25/2019

 

 


 

 


 
10100HB3357ham001LRB101 11183 JLS 58340 a

AMENDMENT TO HOUSE BILL 3357

    AMENDMENT NO. ______. Amend House Bill 3357 by replacing everything after the enacting clause with the following:

    "Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.
 
    Section 5. Legislative findings. The General Assembly hereby finds and declares that:
    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
    (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    (3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
    (4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
 
    Section 10. Definitions. As used in this Act:
    "Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to an operator, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
    "Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.
    "Disclose" does not include the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if:
        (1) the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and
        (2) disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
    "Disclose" does not include disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.
    "Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
    "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to identifiers such as a real name, alias, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, unique personal identifier, Internet Protocol address, geolocation, biometric information, audio, visual, thermal, olfactory, or similar information.
    "Personal information" also means professional or employment-related information, education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g and 34 CFR 99) records of income, assets, liabilities, purchases, leases, products or services purchases, obtained, or considered, or other purchasing or consuming histories or tendencies, or real property.
    "Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
        (1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
        (2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
        (3) Derives 50% or more of its annual revenues from selling consumers' personal information.
    "Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
    "Third party" means:
        (1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;
        (2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
        (3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.
    "Sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
    "Unique identifier" means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; consumer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this definition, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
    "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request.
 

 

 

    Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
        (1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;
        (2) identify all categories of third parties with whom the operator may disclose that personal information;
        (3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
        (4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
        (5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
        (6) state the effective date of the notice;
        (7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.
 
    Section 20. Right to know.
    (a) An operator that discloses personal information to a third party shall make the following information available to a consumer upon request free of charge:
        (1) the categories of personal information that were disclosed about the consumer and the name or names of all third parties that received the consumer's personal information; or
        (2) all categories of personal information about consumers that were disclosed and the name or names of all third parties that received any consumer's personal information.
    (b) Notwithstanding the provisions of this Section, a parent or legal guardian of a consumer under the age of 18 may submit a verified request under this Section on behalf of that consumer.
    (c) This Section applies only to personal information disclosed after the effective date of this Act.
 
    Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be in a form and manner determined by the operator but should not be overly burdensome and shall require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information.
 
    Section 30. Response to verified requests.
    (a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.
    (b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 18 more than once in any 12-month period.
 
    Section 35. Violations. The Attorney General or State's Attorney shall have exclusive authority to enforce this Act. It is a violation of the Consumer Fraud and Deceptive Business Practices Act for an operator to fail to comply with any requirements of this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any privacy or security provision in any other Illinois law, or from otherwise seeking relief under the Code of Civil Procedure.
 
    Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.
 
    Section 45. Construction.
    (a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
        (1) Comply with federal, state, or local laws.
        (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
        (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
        (4) Exercise or defend legal claims.
    (b) Nothing in this Act shall be construed to conflict with the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
    (c) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.
    (d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
    (e) Nothing in this Act shall be construed to apply to: (i) Internet, wireless, or telecommunications service providers; or (ii) a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.
    (f) Nothing in this Act shall be construed to apply to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.
    (g) Nothing in this Act shall restrict a business' ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
 
    Section 91. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
    Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Automotive Collision Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Data Transparency and Privacy Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Installment Sales Contract Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Oversight Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Illinois Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, the Payday Loan Reform Act, the Mortgage Rescue Fraud Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, the Internet Caller Identification Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, Section 11-1431, 18d-115, 18d-120, 18d-125, 18d-135, 18d-150, or 18d-153 of the Illinois Vehicle Code, Article 3 of the Residential Real Property Disclosure Act, the Automatic Contract Renewal Act, the Reverse Mortgage Act, Section 25 of the Youth Mental Health Protection Act, the Personal Information Protection Act, or the Student Online Personal Protection Act commits an unlawful practice within the meaning of this Act.
(Source: P.A. 99-331, eff. 1-1-16; 99-411, eff. 1-1-16; 99-642, eff. 7-28-16; 100-315, eff. 8-24-17; 100-416, eff. 1-1-18; 100-863, eff. 8-14-18.)
 
    Section 99. Effective date. This Act takes effect April 1, 2020.".