Rep. Arthur Turner

Filed: 4/9/2019

10100HB3358ham003LRB101 11180 TAE 59624 a

AMENDMENT TO HOUSE BILL 3358

    AMENDMENT NO. ______. Amend House Bill 3358, AS AMENDED, by replacing everything after the enacting clause with the following:
 
    "Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.
 
    Section 5. Legislative findings. The General Assembly hereby finds and declares that:
    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
    (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    (3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
    (4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.
 
    Section 10. Definitions. As used in this Act:
    "Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content. "Consumer" does not include a natural person from whom personal information is collected while that natural person is acting in an employment context.
    "Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any third party.
    "Disclose" does not include:
        (1) the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties unless those additional third parties (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection;
        (2) disclosure of personal information by a private entity to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or
        (3) disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.
    "Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
    "Personal information" means any information that is linked or can reasonably be linked, directly or indirectly, to a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information.
    "Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
        (1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
        (2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
        (3) Derives 50% or more of its annual revenues from selling consumers' personal information.
    "Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
    "Sale" or "sell" means the exchange of a consumer's personal information for purposes of licensing, renting or selling personal information by the private entity to a third party for monetary or other valuable consideration.
    "Sale" or "sell" does not include circumstances in which:
        (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
        (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
        (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
        (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
    "Third party" means:
        (1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;
        (2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
        (3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.
    "Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.
 
    Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
        (1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;
        (2) identify all categories of third parties with whom the operator may disclose that personal information;
        (3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
        (4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
        (5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
        (6) state the effective date of the notice;
        (7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.
 
    Section 20. Right to know.
    (a) An operator that discloses personal information to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:
        (1) the categories of personal information that were disclosed about the consumer; and
        (2) the categories of third parties and the approximate number of third parties that received the consumer's personal information.
    (b) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.
    (c) This Section applies only to personal information disclosed after the effective date of this Act.
 
    Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.
 
    Section 30. Response to verified requests.
    (a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.
    (b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more than once in any 12-month period.
 
    Section 35. Enforcement. The Attorney General shall have exclusive authority to enforce this Act, and there shall be no private right of action to enforce violations under this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.
 
    Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.
 
    Section 45. Construction.
    (a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
        (1) Comply with federal, state, or local laws.
        (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
        (3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
        (4) Exercise or defend legal claims.
    (b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
    (c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.
    (d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
    (e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.
    (f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.
    (g) Nothing in this Act applies to an entity maintaining a place of business in this State that collects sales taxes under the Retailers' Occupation Tax Act who uses personal information for purposes of selling, moving, or delivering tangible personal property at retail with respect to such sales at retail and (i) is a retailer's wholly owned retail subsidiary or service provider processing personal information on behalf of the retailer; (ii) is a party to a merchant card agreement to process a consumer transaction at the sale of retail in accordance with the agreement; (iii) administers a private label credit card or owns a private label administered by a third party in accordance with the agreement; (iv) collects sales tax on behalf of the consumer as a result of a sale at retail as authorized by the Department of Revenue; (v) is subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder; (vi) provides Medicaid benefits to Illinois consumers through sales at retail as is authorized by the Department of Healthcare and Family Services; or (vii) provides Supplemental Nutrition Assistance Program (SNAP) or special supplemental nutrition program for women, infants, and children (WIC) benefits to consumers in Illinois through sales at retail as authorized by the United States Department of Agriculture and the Illinois Department of Human Services.
    (h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.
    (i) Nothing in this Act restricts a private entity's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the private entity collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
 
    Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.
 
    Section 99. Effective date. This Act takes effect April 1, 2020.".