10300HB4447ham001 - 2 - LRB103 34729 SPS 70757 a

by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    (7) name or address of a member of the individual's immediate family or household;
    (8) Social Security number or other government-issued identification number; and
    (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.
"Brokered personal information" does not include publicly available information to the extent that it is related to an individual's business or profession.
"Data broker" means a business or a unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of an individual with whom the business does not have a direct relationship. A direct relationship with a business includes if the individual is a past or present: (i) customer, client, subscriber, user, or registered user of the business's goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.
"Data broker" does not include a business that conducts the following activities and the collection, sale, or licensing of brokered personal information incidental to conducting the activities:
    (1) developing or maintaining third-party e-commerce or application platforms; or
    (2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier.

Section 10. Annual registration.
(a) Annually, on or before January 31, a data broker operating in this State shall:
    (1) register with the Secretary of State;
    (2) pay a registration fee of $100 for use by the Secretary of State to administer and enforce this Section; and
    (3) provide the following information:
        (A) the name and primary physical, e-mail, and Internet addresses of the data broker;
        (B) if the data broker permits an individual to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
            (i) the method for requesting an opt-out;
            (ii) which activities or sales the opt-out applies to; and
            (iii) whether the data broker permits an individual to authorize a third party to perform the opt-out on the individual's behalf;
        (C) a statement specifying the data collection, databases or sales activities from which an individual may not opt out;
        (D) a statement whether the data broker implements a purchaser credentialing process;
        (E) the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of individuals affected by the breaches;
        (F) if the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
        (G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
(b) The Secretary of State shall publish on its website a list of registered data brokers and update the list annually.
(c) A data broker that fails to register as required under this Section shall pay a civil penalty of $50 for each day, not to exceed a total of $10,000 for each year, it fails to register; (2) an amount equal to the fees due under this Section during the period it failed to register as required under this Section; and (3) other penalties imposed by law.
(d) The Secretary of State may revoke or suspend the registration of an individual or entity for a period of up to one year, or bar an individual or entity from applying for registration for a period of up to one year, for failure to register or to pay any fee, fine, or penalty under this Act. All fees, fines, and penalties shall be paid prior to reinstatement or registration of any individual or entity required to register as a data broker.
(e) The Secretary of State may adopt rules to implement and administer this Section.

Section 15. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act.

Section 90. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Sections 2EEEE and 2FFFF as follows:

(815 ILCS 505/2EEEE new)
Sec. 2EEEE. Motor vehicle extended warranty.
(a) As used in this Section, "extended warranty" means any contract or agreement indemnifying the service agreement holder for the motor vehicle listed on the service agreement and arising out of the ownership, operation, and use of the motor vehicle against loss caused by failure of any mechanical or other component part, or any mechanical or other component part that does not function as it was originally intended. "Extended warranty" does not include the usual performance guarantees by manufacturers or dealers in connection with the sale of motor vehicles.
(b) It is an unlawful practice within the meaning of this Act for any person to solicit the purchase of an extended warranty through the mail.
(c) This Section does not apply to the seller of a motor vehicle who solicits the purchase of an extended warranty for that motor vehicle.

(815 ILCS 505/2FFFF new)
Sec. 2FFFF. Violations of the Data Broker Registration Act. Any person who violates the Data Broker Registration Act commits an unlawful practice within the meaning of this Act.

Section 95. The Personal Information Protection Act is amended by changing Section 5 as follows:

(815 ILCS 530/5)
Sec. 5. Definitions. In this Act:
"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
"Personal information" means either of the following:
    (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
        (A) Social Security number.
        (B) Driver's license number or State identification card number.
        (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
        (D) Medical information.
        (E) Health insurance information.
        (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
        (G) Motor vehicle purchasing information.
        (H) Home purchasing information.
    (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(Source: P.A. 99-503, eff. 1-1-17.)".