|
| | 102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB3081 Introduced 1/11/2022, by Sen. Thomas Cullerton SYNOPSIS AS INTRODUCED:
|
| |
Creates the Do Not Track Act. Prohibits a party to a user action from tracking another user whenever the party receives a do-not-track signal indicating a user preference not to be tracked, with some exceptions. Provides that data that has been sufficiently de-identified such that it is rendered anonymous data may be processed for any purpose. Provides that a party may disregard a user's do-not-track signal when the user has given express affirmative consent to track. Provides that an organization may process data for specified uses if the organization: (i) limits the amount of identifiable data collected; (ii) limits the retention of identifiable data to no longer than what is reasonably needed for the permitted uses; (iii) uses anonymous data; (iv) processes the data separately from systems that are used for purposes other than the permitted uses; and (v) does not process the data beyond the permitted uses. Requires an organization that engages in tracking to describe, in understandable language and syntax such that an ordinary user can comprehend, its practices with respect to do-not-track signals in its privacy statement or similar notice, available through a clear and prominent link on the home page of its website. Prohibits a party from blocking a user's do-not-track signal. Provides that the Attorney General shall enforce the Act. Permits a user whose identifiable information has been processed in violation of the Act to bring a civil action in any court of competent jurisdiction. Preempts home rule powers. Effective January 1, 2023.
|
| |
| | A BILL FOR |
|
|
| | SB3081 | | LRB102 23767 SPS 32958 b |
|
|
| 1 | | AN ACT concerning business.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the Do Not |
| 5 | | Track Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Anonymous data" means data which does not relate to an |
| 8 | | identified or identifiable user. Identifiable data may be |
| 9 | | rendered anonymous data if it has become de-identified to an |
| 10 | | extent that no user can be singled out or identified, either |
| 11 | | directly or indirectly, by that data alone or in combination |
| 12 | | with other data. To determine whether a user can be identified |
| 13 | | from the data, account should be taken of all means reasonably |
| 14 | | likely to be used by any party to identify the user. Data that |
| 15 | | has been re-identified, is shown to be capable of |
| 16 | | re-identification, or that is capable of being used for |
| 17 | | personalization or profiling a user or a device used by a user |
| 18 | | is not anonymous data. |
| 19 | | "Collect" means to receive identifiable data in a network |
| 20 | | interaction and to retain that data after the network |
| 21 | | interaction is complete. |
| 22 | | "Commission" means the Federal Trade Commission. |
| 23 | | "Context" means a website or similar online resource, or a |
|
| | SB3081 | - 2 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | connected set of such resources. A connected set of resources |
| 2 | | that are controlled by the same party or jointly controlled by |
| 3 | | a set of parties can constitute a single context if a user |
| 4 | | would reasonably expect them to form a single context. Factors |
| 5 | | relevant to determining whether such a reasonable expectation |
| 6 | | exists include, but are not limited to, whether they share |
| 7 | | prominent branding, provide connected and integrated |
| 8 | | user-facing features, are offered under the same domain name |
| 9 | | or through a single app, use the same sign-in credentials, and |
| 10 | | are marketed or sold as a single product or service. |
| 11 | | "De-identify" means to alter data such that the likelihood |
| 12 | | of identifying a user from the data is reduced. |
| 13 | | De-identification includes a range of techniques and differing |
| 14 | | levels or re-identification risk. Data that is fully |
| 15 | | de-identified such that it becomes anonymous data is no longer |
| 16 | | identifiable data. Data that is de-identified to a lesser |
| 17 | | extent remains identifiable data. |
| 18 | | "Do-not-track signal" means a signal sent by a web browser |
| 19 | | or similar user agent that conveys a user's choice regarding |
| 20 | | online tracking, reflects a deliberate choice by the user, and |
| 21 | | otherwise complies with the latest Tracking Preference |
| 22 | | Expression (DNT) specifications published by the World Wide |
| 23 | | Web Consortium. |
| 24 | | "First party" means, with respect to a given user action, |
| 25 | | a party with which the user intends to interact, via one or |
| 26 | | more network interactions, as a result of that action. |
|
| | SB3081 | - 3 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | (1) Typically, when a user visits a website, the first |
| 2 | | party is the organization identified in the website URL or |
| 3 | | whose branding is most prominent on the website. |
| 4 | | (2) More than one party can be a first party with |
| 5 | | regard to a given user action. |
| 6 | | (3) The mere presence of a first party's website of |
| 7 | | embedded content from another party does not make that |
| 8 | | other party a first party, and merely hovering over, |
| 9 | | muting, pausing, or closing a given piece of content does |
| 10 | | not constitute a user's intent to interact with a party. |
| 11 | | When a user visits an organization's website that displays |
| 12 | | advertisements from a third-party ad network, the |
| 13 | | organization is a first party and the ad network is a third |
| 14 | | party. When a user signs into an organization's website |
| 15 | | using a sign-in method provided by another party, the |
| 16 | | organization is a first party and the sign-in provider is |
| 17 | | a third party with respect to user actions in that |
| 18 | | website. |
| 19 | | "Identifiable data" means data from which the user can be |
| 20 | | singled out or identified, directly or indirectly, by that |
| 21 | | data alone or in combination with other data. Identifiable |
| 22 | | data includes, but is not limited to, a user's contact |
| 23 | | information, such as email addresses and phone numbers, unique |
| 24 | | persistent identifiers, such as IP addresses, cross-session |
| 25 | | cookie IDs, and device identifiers including derived through |
| 26 | | device fingerprinting and probabilistic techniques), and any |
|
| | SB3081 | - 4 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | other data associated with such identifiers. Identifiable data |
| 2 | | does not include anonymous data. |
| 3 | | "Network interaction" means an online connection |
| 4 | | consisting of an HTTP or HTTPS request and as many |
| 5 | | corresponding responses as are necessary to respond to a |
| 6 | | single user action. A user interaction or session with a |
| 7 | | website or other resource frequently consists of many network |
| 8 | | interactions. |
| 9 | | "Organization" means a legal entity. Such term does not |
| 10 | | include government agencies or users. |
| 11 | | "Party" means a user, an organization, or a group of legal |
| 12 | | entities that share common ownership and control, operate as |
| 13 | | an integrated enterprise, and have a group identity that is |
| 14 | | easily discoverable by a user. Common branding or publishing a |
| 15 | | list of affiliates that is readily available online via a |
| 16 | | prominent link from a resource where a party describes its |
| 17 | | Tracking Preference Expression (DNT) practices are deemed |
| 18 | | easily discoverable. With respect to a user action, a party is |
| 19 | | either a first party or a third party, but not both. |
| 20 | | "Personalize" means to use identifiable data to alter the |
| 21 | | experience of a user, including, but not limited to, the |
| 22 | | content or advertising displayed to the user. |
| 23 | | "Process" means to collect, use, or share data. |
| 24 | | "Resource" means a single online destination or |
| 25 | | experience, such as a website, streaming service, online game, |
| 26 | | digital assistant, or other online service, accessed by a user |
|
| | SB3081 | - 5 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | through the use of a user agent. |
| 2 | | "Service provider" means an organization that processes |
| 3 | | identifiable data on behalf of another organization. A service |
| 4 | | provider has no right to use any identifiable data for its own |
| 5 | | purposes. |
| 6 | | "Share" means, with respect to collected data, to transfer |
| 7 | | or provide a copy of such data to any third party. |
| 8 | | "Third party" means, for any user action, any party other |
| 9 | | than the user, a first party to that user action, or a service |
| 10 | | provider action on behalf of either the user or a first party. |
| 11 | | "Tracking" or "track" means to (i) collect data regarding |
| 12 | | a user action of a particular user, (ii) process such data |
| 13 | | outside the context in which the user action occurred, (iii) |
| 14 | | facilitate the creation of a user profile, or (iv) personalize |
| 15 | | that user's online experience. For the purposes of this |
| 16 | | definition, processing data related to a device used by a user |
| 17 | | or the user's household shall be considered processing data |
| 18 | | related to the user. |
| 19 | | "User" means a natural person residing in this State who |
| 20 | | uses the Internet. |
| 21 | | "User action" means a deliberate online action by the |
| 22 | | user, via configuration, invocation, or selection, to initiate |
| 23 | | a network interaction. Selection of a link, submission of a |
| 24 | | form, and reloading a page are examples of user actions. |
| 25 | | "User agent" means any of the various client programs |
| 26 | | capable of initiating network interactions, including, but not |
|
| | SB3081 | - 6 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | limited to, browsers, web-based robots, command-line tools, |
| 2 | | native applications, mobile apps, or Internet-connected |
| 3 | | devices.
|
| 4 | | Section 10. Response to do-not-track signals. |
| 5 | | (a) In general. Except as permitted in this Section, a |
| 6 | | party to a user action that receives a do-not-track signal |
| 7 | | indicating a user preference not to be tracked shall not |
| 8 | | track. |
| 9 | | (b) Exceptions. |
| 10 | | (1) First party. A first party to a user action within |
| 11 | | a context to which the user has affirmatively signed in |
| 12 | | may process data received from such user action, including |
| 13 | | for personalized content, services, and advertising, |
| 14 | | within that context. However, a first party shall not |
| 15 | | share such data with a third party. For the purposes of |
| 16 | | this paragraph, a user is signed into a context when the |
| 17 | | user has affirmatively authenticated and identified |
| 18 | | oneself by entering a username and password, or similar |
| 19 | | credentials. |
| 20 | | (2) Anonymous data. Data that has been sufficiently |
| 21 | | de-identified such that it is rendered anonymous data may |
| 22 | | be processed for any purpose, including outside the |
| 23 | | context of the user actions from which it originates, or |
| 24 | | across multiple contexts. |
| 25 | | (3) Consent. A party may disregard a user's |
|
| | SB3081 | - 7 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | do-not-track signal when the user has given express |
| 2 | | affirmative consent to track. A user may give consent |
| 3 | | through a technical means defined in the Tracking |
| 4 | | Preference Expression (DNT) specification published by the |
| 5 | | World Wide Web Consortium or through a separate mechanism |
| 6 | | such as an online or offline consent form that |
| 7 | | demonstrates a specific and voluntary choice of the user. |
| 8 | | For instance, accepting a general or broad terms of use |
| 9 | | document that contains a clause regarding tracing does not |
| 10 | | constitute express affirmation consent for the purposes of |
| 11 | | this Act. Likewise, agreement obtained through a user |
| 12 | | interface designed or manipulated with the purpose of |
| 13 | | substantial effect of subverting or impairing user |
| 14 | | autonomy, decision-making, or choice does not constitute |
| 15 | | consent for the purposes of this Act. When relying on |
| 16 | | consent from a user given through a separate mechanism, a |
| 17 | | party must provide notice in accordance with Section 20. |
| 18 | | (4) Permitted uses. |
| 19 | | (A) In general. An organization may process data |
| 20 | | for the uses specified in subparagraphs (B), (C), (D), |
| 21 | | (E), (F), and (G), provided the organization: |
| 22 | | (i) limits the amount of identifiable data |
| 23 | | collected to that which is strictly needed for the |
| 24 | | permitted uses; |
| 25 | | (ii) limits the retention of identifiable data |
| 26 | | to no longer than what is reasonably needed for |
|
| | SB3081 | - 8 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | the permitted uses; |
| 2 | | (iii) uses anonymous data to the extent the |
| 3 | | permitted uses can be achieved with such data, or |
| 4 | | otherwise de-identifies the identifiable data to |
| 5 | | the greatest extent that is compatible with the |
| 6 | | permitted uses; |
| 7 | | (iv) processes the data separately from |
| 8 | | systems that are used for purposes other than the |
| 9 | | permitted uses specified in this Section; and |
| 10 | | (v) does not process the data beyond the |
| 11 | | permitted uses. |
| 12 | | (B) Providing a service. An organization may |
| 13 | | process data to the extent necessary to effectuate a |
| 14 | | transaction with the user, or to provide a product or |
| 15 | | service to a user, provided the user has consented to |
| 16 | | or authorized the transaction or the provision of the |
| 17 | | product or service and any tracking, including |
| 18 | | personalization, that is a necessary or inherent part |
| 19 | | of that transaction, product, or service would have |
| 20 | | been clear to the user at the time of such consent or |
| 21 | | authorization. If such processing requires sharing |
| 22 | | data with a third party, such third party may not |
| 23 | | process the data for any other purpose. |
| 24 | | (C) Security. An organization may process data to |
| 25 | | the extent reasonably necessary to detect security |
| 26 | | incidents, protect the website or other resource |
|
| | SB3081 | - 9 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | accessed by the user against malicious, deceptive, |
| 2 | | fraudulent, or illegal activity, and prosecute those |
| 3 | | responsible for such activity. |
| 4 | | (D) Debugging. An organization may process data |
| 5 | | for debugging purposes to identify and repair errors |
| 6 | | that impair the existing functionality of the website |
| 7 | | or other resource accessed by the user. |
| 8 | | (E) Financial logging. An organization may process |
| 9 | | data for billing and auditing related to network |
| 10 | | interactions and related transactions. |
| 11 | | (F) Research. An organization may process data to |
| 12 | | conduct security research. |
| 13 | | (G) Journalism. An organization may process data |
| 14 | | as necessary for news gathering purposes by |
| 15 | | journalists or other purposes protected by the First |
| 16 | | Amendment of the United States Constitution. |
| 17 | | (5) Technical errors. Data that is processed by a |
| 18 | | party due to a technical error does not violate this Act if |
| 19 | | such error is unintentional and unexpected, and within 30 |
| 20 | | days of the party discovering or receiving a report of the |
| 21 | | error: (i) the error is corrected, (ii) any processing by |
| 22 | | the party that is otherwise prohibited is stopped, and |
| 23 | | (iii) the party deletes any data that should not have been |
| 24 | | collected.
|
| 25 | | Section 15. Contractual obligations and liability. A first |
|
| | SB3081 | - 10 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | party that enables or permits a third party to engage in |
| 2 | | tracking on or through the first party's website or other |
| 3 | | resource: |
| 4 | | (1) Must require the third party, through a contract, |
| 5 | | terms of service, or similar binding and enforceable legal |
| 6 | | agreement, to comply with this Act. |
| 7 | | (2) Shall be liable for the third party's |
| 8 | | non-compliance with this Act if the first party knew or |
| 9 | | could have upon the exercise of due diligence known of the |
| 10 | | third party's non-compliance and failed to take adequate |
| 11 | | corrective action.
|
| 12 | | Section 20. Transparency. An organization that engages in |
| 13 | | tracking shall describe, in understandable language and syntax |
| 14 | | such that an ordinary user can comprehend, its practices with |
| 15 | | respect to do-not-track signals in its privacy statement or |
| 16 | | similar notice, available through a clear and prominent link |
| 17 | | on the home page of its website. The description required |
| 18 | | under this paragraph must include at least the following |
| 19 | | information: |
| 20 | | (1) the exceptions or permitted uses under this Act |
| 21 | | under which the organization processes data; |
| 22 | | (2) the effects on the user, if any, resulting from a |
| 23 | | do-not-track signal, including if any webpages, features, |
| 24 | | or services are not available or reduced in functionality; |
| 25 | | (3) if the organization obtains out-of-band consent to |
|
| | SB3081 | - 11 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | disregard the do-not-track signal, a description of how a |
| 2 | | user may give and revoke consent, and the scope of any such |
| 3 | | consent, and the anticipated effect of the consent or |
| 4 | | revocation on the user; |
| 5 | | (4) the time period or periods for which identifiable |
| 6 | | data collected by the organization is retained or the |
| 7 | | criteria used to determine such time periods, and whether |
| 8 | | such identifiable data is rendered anonymous data in lieu |
| 9 | | of being deleted; and |
| 10 | | (5) how a user may contact the organization with any |
| 11 | | inquiries or complaints regarding the organization's |
| 12 | | do-not-track practices.
|
| 13 | | Section 25. No circumvention. A party shall not block or |
| 14 | | take similar actions to avoid receiving a user's do-not-track |
| 15 | | signal. Nor shall any party take other actions to circumvent |
| 16 | | the effectiveness of do-not-track signals.
|
| 17 | | Section 30. Enforcement. |
| 18 | | (a) De facto and de jure harm. Users from whom |
| 19 | | identifiable information has been processed in violation of |
| 20 | | this Act shall be deemed to have been harmed by such |
| 21 | | violations. |
| 22 | | (b) Enforcement by the Attorney General. Whenever the |
| 23 | | Attorney General has reasonable cause to believe that a party |
| 24 | | or organization has engaged in a violation of this Act, the |
|
| | SB3081 | - 12 - | LRB102 23767 SPS 32958 b |
|
|
| 1 | | Attorney General shall enforce the provisions of this Act by |
| 2 | | bringing a civil action on behalf of the people of this State |
| 3 | | in a court of competent jurisdiction: |
| 4 | | (1) to enjoin further violation of this Act by the |
| 5 | | defendant; or |
| 6 | | (2) to obtain damages on behalf of the people of this |
| 7 | | State, in the amount authorized under State law or as |
| 8 | | permitted under federal law, whichever is greater. |
| 9 | | (c) A user from whom identifiable information has been |
| 10 | | processed in violation of this Act may bring a civil action in |
| 11 | | any court of competent jurisdiction: |
| 12 | | (1) to enjoin further violation of this Act by the |
| 13 | | defendant; or |
| 14 | | (2) to obtain damages, in the amount of $1,000 or |
| 15 | | actual damages shown, whichever is greater. |
| 16 | | (d) Attorney fees. In the case of any successful action |
| 17 | | under this Section, the court, in its discretion, may award |
| 18 | | the costs of the action and reasonable attorney fees to the |
| 19 | | State or the user.
|
| 20 | | Section 35. Home rule preemption. Except as otherwise |
| 21 | | provided in this Act, the regulation of the activities |
| 22 | | described in this Act are the exclusive powers and functions |
| 23 | | of the State. Except as otherwise provided in this Act, a unit |
| 24 | | of local government, including a home rule unit, may not |
| 25 | | regulate the activities described in this Act. This Section is |