103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4447

 

Introduced 1/16/2024, by Rep. John M. Cabello

 

SYNOPSIS AS INTRODUCED:
 
815 ILCS 505/2EEEE new
815 ILCS 530/5
815 ILCS 530/55 new

    Amends the Consumer Fraud and Deceptive Business Practices Act. Provides that it is an unlawful practice within the meaning of the Act for any person to solicit the purchase of an extended warranty through the mail. Amends the Personal Information Protection Act. Provides that, annually, on or before January 31, a data broker operating in the State shall: (1) register with the Secretary of State; (2) pay a registration fee of $100; and (3) provide specified information. Provides penalties for data brokers that fail to register with the Secretary of State. Provides that the Attorney General may maintain an action in circuit court to collect penalties and to seek injunctive relief. Defines "data broker" and "brokered personal information".


LRB103 34729 SPS 64577 b

 

 

A BILL FOR

 


    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 5. The Consumer Fraud and Deceptive Business
Practices Act is amended by adding Section 2EEEE as follows:

    (815 ILCS 505/2EEEE new)
    Sec. 2EEEE. Motor vehicle extended warranty.
    (a) As used in this Section, "extended warranty" means any
contract or agreement indemnifying the service agreement
holder for the motor vehicle listed on the service agreement
and arising out of the ownership, operation, and use of the
motor vehicle against loss caused by failure of any mechanical
or other component part, or any mechanical or other component
part that does not function as it was originally intended.
"Extended warranty" does not include the usual performance
guarantees by manufacturers or dealers in connection with the
sale of motor vehicles.
    (b) It is an unlawful practice within the meaning of this
Act for any person to solicit the purchase of an extended
warranty through the mail.
 
    Section 10. The Personal Information Protection Act is
amended by changing Section 5 and by adding Section 55 as
follows:
 
    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Brokered personal information" means one or more of the
following computerized data elements about an individual, if
categorized or organized for dissemination to third parties:
        (1) Name.
        (2) Address.
        (3) Date of birth.
        (4) Place of birth.
        (5) Mother's maiden name.
        (6) Unique biometric data generated from measurements
    or technical analysis of human body characteristics used
    by the owner or licensee of the data to identify or
    authenticate the individual, such as a fingerprint, retina
    or iris image, or other unique physical representation or
    digital representation of biometric data;
        (7) name or address of a member of the individual's
    immediate family or household.
        (8) Social Security number or other government-issued
    identification number.
        (9) Other information that, alone or in combination
    with the other information sold or licensed, would allow a
    reasonable person to identify the individual with
    reasonable certainty.

 

 


    "Brokered personal information" does not include publicly
available information to the extent that it is related to an
individual's business or profession.
    "Data broker" means a business or a unit of a business,
separately or together, that knowingly collects and sells or
licenses to third parties the brokered personal information of
an individual with whom the business does not have a direct
relationship. A direct relationship with a business includes
if the individual is a past or present: (i) customer, client,
subscriber, user, or registered user of the business's goods
or services; (ii) employee, contractor, or agent of the
business; (iii) investor in the business; or (iv) donor to the
business.
    "Data broker" does not include a business that conducts
the following activities and the collection, sale, or
licensing of brokered personal information incidental to
conducting the activities:
        (1) developing or maintaining third-party e-commerce
    or application platforms; or
        (2) providing 411 directory assistance or directory
    information services, including name, address, and
    telephone number, on behalf of or as a function of a
    telecommunications carrier;
    "Data collector" may include, but is not limited to,
government agencies, public and private universities,
privately and publicly held corporations, financial
institutions, retail operators, and any other entity that, for
any purpose, handles, collects, disseminates, or otherwise
deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach"
means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of
personal information maintained by the data collector. "Breach
of the security of the system data" does not include good faith
acquisition of personal information by an employee or agent of
the data collector for a legitimate purpose of the data
collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or
subject to further unauthorized disclosure.
    "Health insurance information" means an individual's
health insurance policy number or subscriber identification
number, any unique identifier used by a health insurer to
identify the individual, or any medical information in an
individual's health insurance application and claims history,
including any appeals records.
    "Medical information" means any information regarding an
individual's medical history, mental or physical condition, or
medical treatment or diagnosis by a healthcare professional,
including such information provided to a website or mobile
application.
    "Personal information" means either of the following:
        (1) An individual's first name or first initial and
    last name in combination with any one or more of the
    following data elements, when either the name or the data
    elements are not encrypted or redacted or are encrypted or
    redacted but the keys to unencrypt or unredact or
    otherwise read the name or data elements have been
    acquired without authorization through the breach of
    security:
            (A) Social Security number.
            (B) Driver's license number or State
        identification card number.
            (C) Account number or credit or debit card number,
        or an account number or credit card number in
        combination with any required security code, access
        code, or password that would permit access to an
        individual's financial account.
            (D) Medical information.
            (E) Health insurance information.
            (F) Unique biometric data generated from
        measurements or technical analysis of human body
        characteristics used by the owner or licensee to
        authenticate an individual, such as a fingerprint,
        retina or iris image, or other unique physical
        representation or digital representation of biometric
        data.
            (G) Motor vehicle purchasing information.
            (H) Home purchasing information.

 

 


        (2) User name or email address, in combination with a
    password or security question and answer that would permit
    access to an online account, when either the user name or
    email address or password or security question and answer
    are not encrypted or redacted or are encrypted or redacted
    but the keys to unencrypt or unredact or otherwise read
    the data elements have been obtained through the breach of
    security.
    "Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, State, or local government records.
(Source: P.A. 99-503, eff. 1-1-17.)
 
    (815 ILCS 530/55 new)
    Sec. 55. Annual registration.
    (a) Annually, on or before January 31, a data broker
operating in this State shall:
        (1) register with the Secretary of State;
        (2) pay a registration fee of $100; and
        (3) provide the following information:
            (A) the name and primary physical, e-mail, and
        Internet addresses of the data broker;
            (B) if the data broker permits an individual to
    opt out of the data broker's collection of brokered
    personal information, opt out of its databases, or opt out
    of certain sales of data:
                (i) the method for requesting an opt-out;
                (ii) which activities or sales the opt-out
            applies to; and
                (iii) whether the data broker permits an
            individual to authorize a third party to perform
            the opt-out on the individual's behalf;
            (C) a statement specifying the data collection,
    databases or sales activities from which an individual may
    not opt out;
            (D) a statement whether the data broker implements
    a purchaser credentialing process;
            (E) the number of data broker security breaches
    that the data broker has experienced during the prior year
    and, if known, the total number of individuals affected by
    the breaches;
            (F) if the data broker has actual knowledge that
    it possesses the brokered personal information of minors,
    a separate statement detailing the data collection
    practices, databases, sales activities, and opt-out
    policies that are applicable to the brokered personal
    information of minors; and
            (G) any additional information or explanation the
    data broker chooses to provide concerning its data
    collection practices.
    (b) The Secretary of State shall publish on its website a
list of registered data brokers and update the list annually.

 

 


    (c) A data broker that fails to register as required under
this Section shall pay a civil penalty of $50 for each day, not
to exceed a total of $10,000 for each year, it fails to
register; (2) an amount equal to the fees due under this
Section during the period it failed to register as required
under this Section; and (3) other penalties imposed by law.
    (d) The Attorney General may maintain an action in circuit
court to collect the penalties imposed by this Section and to
seek injunctive relief.