Sen. Thomas Cullerton
Filed: 5/27/2019
AMENDMENT TO HOUSE BILL 3358
AMENDMENT NO. ______. Amend House Bill 3358 by replacing everything after the enacting clause with the following:
"Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.
Section 5. Findings. The General Assembly finds and declares that:
(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
(4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.
Section 10. Definitions. As used in this Act:
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.
"Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.
"Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer. An operator that uses deidentified information:
(1) must take reasonable measures to ensure that the data is deidentified; and
(2) must publicly commit to maintain and use the data in a deidentified fashion and not to attempt to reidentify the data.
If a company makes such deidentified data available to service providers or other third parties, then it must contractually prohibit such entities from attempting to reidentify the data.
"Designated request address" means an electronic mail address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.
"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party.
"Disclose" does not include:
(1) Disclosure of personal information by an operator to a third party or service provider under a written contract authorizing the third party or service provider to utilize the personal information to perform services on behalf of the operator, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by an operator to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the operator and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection.
(2) Disclosure of personal information by an operator to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
(3) Disclosure of personal information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing operator's rights or property; or to protect consumers or the public from illegal activities.
(4) Disclosure of personal information by an operator to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the operator, to a third party.
"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
"Personal information" means any information that can reasonably be used to infer information about, or otherwise be linked to, a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information. Personal information does not include data that has been deidentified.
"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
(1) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(2) Derives 50% or more of its annual revenues from selling consumers' personal information.
"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
"Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by an operator to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes.
"Sale" or "sell" does not include circumstances in which:
(1) A consumer uses or directs the operator to intentionally disclose personal information or uses the operator to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(2) The operator uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
(3) The operator uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose or business purposes.
(4) The operator transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
(5) An operator uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the operator to the third party.
(6) The disclosure or transfer of personal information to an affiliate of the operator.
"Service provider" means the natural or legal person that processes personal information on behalf of the operator.
"Third party" means a private entity that is: (1) not an affiliate of the private entity that has disclosed personal information; or (2) a private entity that is an affiliate with the private entity that has disclosed personal information and the affiliate relationship is not clear to the consumer.
"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.
Section 15. Right to transparency. An operator that collects personal information or deidentified information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
(1) identify all categories of personal information and deidentified information that the operator processes about individual consumers collected through its Internet website or online service;
(2) identify all categories of third parties with whom the operator may disclose that personal information or deidentified information;
(3) disclose whether a third party may collect personal information or deidentified information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
(5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
(6) state the effective date of the notice;
(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.
Section 20. Right to know.
(a) An operator that discloses personal information of a consumer collected through the consumer's use of or visit to the operator's website or online service to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:
(1) the categories of personal information that were disclosed about an individual consumer and the approximate number of all third parties that received the consumer's personal information; or
(2) all categories of personal information about consumers that were disclosed and the approximate number of all third parties that received any consumer's personal information.
(b) An operator may establish processes for reasonably authenticating consumers making the request if the operator seeks to provide the consumer with information about the individual consumer pursuant to item (1) of subsection (a).
(c) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.
(d) This Section applies only to personal information disclosed after the effective date of this Act.
Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of such sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a form and manner determined by the operator in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.
Section 30. Response to verified requests.
(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.
(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more than once in any 12-month period.
Section 35. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General has exclusive authority to enforce this Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available to the Attorney General pursuant to the Consumer Fraud and Deceptive Business Practices Act. There shall be no private right of action to enforce violations under this Act.
Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. If a party violates any provision of this Act, the non-violating party's obligations under any agreement between the parties are terminated.
Section 45. Construction.
(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
(1) Comply with federal, state, or local laws, rules, regulations, or enforceable guidance.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.
(5) Prevent, detect, or respond to identity theft, fraud, or other malicious or illegal activity.
(b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
(c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.
(d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
(e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.
(f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.
(g) Nothing in this Act applies to personal information collected, processed, or disclosed by a retailer in connection with a prospective or complete sale, transaction, or communication conducted on, before, or after the effective date of this Act that is related to business services or delivering information, or selling, offering to sell, moving, or delivering tangible personal property. As used in this Section, "retailer" means an entity that holds itself out as being engaged, or habitually engages, in selling, moving, or delivering tangible personal property at retail and includes a retailer's affiliates, subsidiaries, and service providers collecting, processing, or disclosing personal information on behalf of the retailer to facilitate a prospective or complete sale, transaction, or communication related to business services or delivering information, or selling, offering to sell, moving, or delivering tangible personal property.
(h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.
(i) Nothing in this Act restricts an operator's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the operator collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
(j) Nothing in this Act shall require an operator to (i) retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information; or (ii) reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
(k) Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.
Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.
Section 99. Effective date. This Act takes effect July 1, 2020.".