10300HB4447ham001 - 2 - LRB103 34729 SPS 70757 a

by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(7) name or address of a member of the individual's immediate family or household;
(8) Social Security number or other government-issued identification number; and
(9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.
"Brokered personal information" does not include publicly available information to the extent that it is related to an individual's business or profession.
"Data broker" means a business or a unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of an individual with whom the business does not have a direct relationship. A direct relationship with a business includes if the individual is a past or present: (i) customer, client, subscriber, user, or registered user of the business's goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.
"Data broker" does not include a business that conducts
the following activities and the collection, sale, or licensing of brokered personal information incidental to conducting the activities:
(1) developing or maintaining third-party e-commerce or application platforms; or
(2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier.

Section 10. Annual registration.
(a) Annually, on or before January 31, a data broker operating in this State shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100 for use by the Secretary of State to administer and enforce this Section; and
(3) provide the following information:
(A) the name and primary physical, e-mail, and Internet addresses of the data broker;
(B) if the data broker permits an individual to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) which activities or sales the opt-out
applies to; and
(iii) whether the data broker permits an individual to authorize a third party to perform the opt-out on the individual's behalf;
(C) a statement specifying the data collection, databases or sales activities from which an individual may not opt out;
(D) a statement whether the data broker implements a purchaser credentialing process;
(E) the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of individuals affected by the breaches;
(F) if the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
(G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) The Secretary of State shall publish on its website a list of registered data brokers and update the list annually.
(c) A data broker that fails to register as required under this Section shall pay: (1) a civil penalty of $50 for each day, not
to exceed a total of $10,000 for each year, it fails to register; (2) an amount equal to the fees due under this Section during the period it failed to register as required under this Section; and (3) other penalties imposed by law.
(d) The Secretary of State may revoke or suspend the registration of an individual or entity for a period of up to one year, or bar an individual or entity from applying for registration for a period of up to one year, for failure to register or to pay any fee, fine, or penalty under this Act. All fees, fines, and penalties shall be paid prior to reinstatement or registration of any individual or entity required to register as a data broker.
(e) The Secretary of State may adopt rules to implement and administer this Section.

Section 15. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act.

Section 90. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Sections 2EEEE and 2FFFF as follows:
(815 ILCS 505/2EEEE new)
Sec. 2EEEE. Motor vehicle extended warranty.
(a) As used in this Section, "extended warranty" means any contract or agreement indemnifying the service agreement holder for the motor vehicle listed on the service agreement and arising out of the ownership, operation, and use of the motor vehicle against loss caused by failure of any mechanical or other component part, or any mechanical or other component part that does not function as it was originally intended. "Extended warranty" does not include the usual performance guarantees by manufacturers or dealers in connection with the sale of motor vehicles.
(b) It is an unlawful practice within the meaning of this Act for any person to solicit the purchase of an extended warranty through the mail.
(c) This Section does not apply to the seller of a motor vehicle who solicits the purchase of an extended warranty for that motor vehicle.

(815 ILCS 505/2FFFF new)
Sec. 2FFFF. Violations of the Data Broker Registration Act. Any person who violates the Data Broker Registration Act commits an unlawful practice within the meaning of this Act.

Section 95. The Personal Information Protection Act is amended by changing Section 5 as follows:
(815 ILCS 530/5)
Sec. 5. Definitions. In this Act:
"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
"Medical information" means any information regarding an
individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
"Personal information" means either of the following:
(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to
authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
(G) Motor vehicle purchasing information.
(H) Home purchasing information.
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(Source: P.A. 99-503, eff. 1-1-17.)".