AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Legislative findings. The General Assembly hereby finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.

(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

(4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content. "Consumer" does not include a natural person from whom personal information is collected while that natural person is acting in an employment context.

"Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any third party.

"Disclose" does not include:

(1) the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties unless those additional third parties (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection;

(2) disclosure of personal information by a private entity to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

(3) disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.

"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that is linked or can reasonably be linked, directly or indirectly, to a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information.

"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:

(1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.

(2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(3) Derives 50% or more of its annual revenues from selling consumers' personal information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Sale" or "sell" means the exchange of a consumer's personal information for purposes of licensing, renting or selling personal information by the private entity to a third party for monetary or other valuable consideration.

"Sale" or "sell" does not include circumstances in which:

(1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.

(3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

(4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

"Third party" means:

(1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;

(2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or

(3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.

"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.

Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:

(1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;

(2) identify all categories of third parties with whom the operator may disclose that personal information;

(3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;

(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;

(5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;

(6) state the effective date of the notice;

(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

Section 20. Right to know.

(a) An operator that discloses personal information to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:

(1) the categories of personal information that were disclosed about the consumer; and

(2) the categories of third parties and the approximate number of third parties that received the consumer's personal information.

(b) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.

(c) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.

Section 30. Response to verified requests.

(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.

(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more than once in any 12-month period.

Section 35. Enforcement. The Attorney General shall have exclusive authority to enforce this Act, and there shall be no private right of action to enforce violations under this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.

Section 45. Construction.

(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

(b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.

(d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.

(g) Nothing in this Act applies to an entity maintaining a place of business in this State that collects sales taxes under the Retailers' Occupation Tax Act who uses personal information for purposes of selling, moving, or delivering tangible personal property at retail with respect to such sales at retail and (i) is a retailer's wholly owned retail subsidiary or service provider processing personal information on behalf of the retailer; (ii) is a party to a merchant card agreement to process a consumer transaction at the sale of retail in accordance with the agreement; (iii) administers a private label credit card or owns a private label administered by a third party in accordance with the agreement; (iv) collects sales tax on behalf of the consumer as a result of a sale at retail as authorized by the Department of Revenue; (v) is subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder; (vi) provides Medicaid benefits to Illinois consumers through sales at retail as is authorized by the Department of Healthcare and Family Services; or (vii) provides Supplemental Nutrition Assistance Program (SNAP) or special supplemental nutrition program for women, infants, and children (WIC) benefits to consumers in Illinois through sales at retail as authorized by the United States Department of Agriculture and the Illinois Department of Human Services.

(h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.

(i) Nothing in this Act restricts a private entity's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the private entity collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.

Section 99. Effective date. This Act takes effect April 1, 2020.