| |||||||
| |||||||
| |||||||
| 1 | AN ACT concerning business.
| ||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||
| 3 | represented in the General Assembly:
| ||||||
| 4 | Section 5. The Personal Information Protection Act is | ||||||
| 5 | amended by changing Sections 5 and 10 and by adding Sections 45 | ||||||
| 6 | and 50 as follows: | ||||||
| 7 | (815 ILCS 530/5)
| ||||||
| 8 | Sec. 5. Definitions. In this Act: | ||||||
| 9 | "Data Collector" may include, but is not limited to,
| ||||||
| 10 | government agencies, public and private universities,
| ||||||
| 11 | privately and publicly held corporations, financial
| ||||||
| 12 | institutions, retail operators, and any other entity that, for | ||||||
| 13 | any purpose, handles, collects, disseminates, or otherwise
| ||||||
| 14 | deals with nonpublic personal information.
| ||||||
| 15 | "Breach of the security of the system data" or "breach" | ||||||
| 16 | means
unauthorized acquisition of computerized data that | ||||||
| 17 | compromises the security, confidentiality, or integrity of | ||||||
| 18 | personal information maintained by the data collector. "Breach | ||||||
| 19 | of the security of the system data" does not include good faith
| ||||||
| 20 | acquisition of personal information by an employee or agent of
| ||||||
| 21 | the data collector for a legitimate purpose of the data
| ||||||
| 22 | collector, provided that the personal information is not used
| ||||||
| 23 | for a purpose unrelated to the data collector's business or
| ||||||
| |||||||
| |||||||
| 1 | subject to further unauthorized disclosure.
| ||||||
| 2 | "Consumer marketing information" means information related | ||||||
| 3 | to a consumer's online browsing history, online search history, | ||||||
| 4 | or purchasing history. | ||||||
| 5 | "Geolocation information" means information generated or | ||||||
| 6 | derived from the operation or use of an electronic | ||||||
| 7 | communications device that is sufficient to identify the street | ||||||
| 8 | name and name of the city or town in which the device is | ||||||
| 9 | located. "Geolocation information" does not include the | ||||||
| 10 | contents of an electronic communication. | ||||||
| 11 | "Health insurance information" means an individual's | ||||||
| 12 | health insurance policy number or subscriber identification | ||||||
| 13 | number, any unique identifier used by a health insurer to | ||||||
| 14 | identify the individual, or any information in an individual's | ||||||
| 15 | health insurance application and claims history, including any | ||||||
| 16 | appeals records. | ||||||
| 17 | "Medical information" means any information regarding an | ||||||
| 18 | individual's medical history, mental or physical condition, or | ||||||
| 19 | medical treatment or diagnosis by a healthcare professional, | ||||||
| 20 | including health information provided to a website or mobile | ||||||
| 21 | application. | ||||||
| 22 | "Personal information" means either of the following: | ||||||
| 23 | (1) an individual's first name or first initial and | ||||||
| 24 | last name in combination with any one or more
of the | ||||||
| 25 | following data elements, when either the name or the data | ||||||
| 26 | elements are not encrypted or redacted or are encrypted or | ||||||
| |||||||
| |||||||
| 1 | redacted but the keys to unencrypt or unredact or otherwise | ||||||
| 2 | read the name or data elements have been acquired without | ||||||
| 3 | authorization through the breach of security:
| ||||||
| 4 | (A) (1) Social Security number. | ||||||
| 5 | (B) (2) Driver's license number or State | ||||||
| 6 | identification
card number.
| ||||||
| 7 | (C) (3) Account number or credit or debit card | ||||||
| 8 | number, or an
account number or credit card number in | ||||||
| 9 | combination with
any required security code, access | ||||||
| 10 | code, or password that
would permit access to an | ||||||
| 11 | individual's financial account.
| ||||||
| 12 | (D) Medical information. | ||||||
| 13 | (E) Health insurance information. | ||||||
| 14 | (F) Unique biometric data, such as a fingerprint, | ||||||
| 15 | retina or iris image, or other unique physical | ||||||
| 16 | representation or digital representation of biometric | ||||||
| 17 | data. | ||||||
| 18 | (G) Geolocation information. | ||||||
| 19 | (H) Consumer marketing information. | ||||||
| 20 | (I) Any 2 of the following data elements: | ||||||
| 21 | (i) home address, telephone number, or email | ||||||
| 22 | address; | ||||||
| 23 | (ii) mother's maiden name; | ||||||
| 24 | (iii) month, day, and year of birth. | ||||||
| 25 | (2) user name or email address, in combination with a | ||||||
| 26 | password or security question and answer that would permit | ||||||
| |||||||
| |||||||
| 1 | access to an online account, when either the user name or | ||||||
| 2 | email address or password or security question and answer | ||||||
| 3 | are not encrypted or redacted or are encrypted or redacted | ||||||
| 4 | but the keys to unencrypt or unredact or otherwise read the | ||||||
| 5 | data elements have been obtained through the breach of | ||||||
| 6 | security. | ||||||
| 7 | "Personal information" does not include publicly available
| ||||||
| 8 | information that is lawfully made available to the general
| ||||||
| 9 | public from federal, State, or local government records.
| ||||||
| 10 | (Source: P.A. 97-483, eff. 1-1-12.) | ||||||
| 11 | (815 ILCS 530/10)
| ||||||
| 12 | Sec. 10. Notice of Breach. | ||||||
| 13 | (a) Any data collector that owns or licenses personal | ||||||
| 14 | information, excluding geolocation information and consumer | ||||||
| 15 | marketing information, concerning an Illinois resident shall | ||||||
| 16 | notify the
resident at no charge that there has been a breach | ||||||
| 17 | of the security of the
system data following discovery or | ||||||
| 18 | notification of the breach.
The disclosure notification shall | ||||||
| 19 | be made in the most
expedient time possible and without | ||||||
| 20 | unreasonable delay,
consistent with any measures necessary to | ||||||
| 21 | determine the
scope of the breach and restore the reasonable | ||||||
| 22 | integrity,
security, and confidentiality of the data system. | ||||||
| 23 | The disclosure notification to an Illinois resident shall | ||||||
| 24 | include, but need not be limited to, information as follows: | ||||||
| 25 | (1) With respect to personal information as defined in | ||||||
| |||||||
| |||||||
| 1 | Section 5 in paragraph (1) of the definition of "personal | ||||||
| 2 | information": | ||||||
| 3 | (A) (i) the toll-free numbers and addresses for | ||||||
| 4 | consumer reporting agencies; , | ||||||
| 5 | (B) (ii) the toll-free number, address, and | ||||||
| 6 | website address for the Federal Trade Commission; , and | ||||||
| 7 | (C) (iii) a statement that the individual can | ||||||
| 8 | obtain information from these sources about fraud | ||||||
| 9 | alerts and security freezes. | ||||||
| 10 | The notification shall not, however, include information | ||||||
| 11 | concerning the number of Illinois residents affected by the | ||||||
| 12 | breach. | ||||||
| 13 | (2) With respect to personal information defined in | ||||||
| 14 | Section 5 in paragraph (2) of the definition of "personal | ||||||
| 15 | information", notice may be provided in electronic or other | ||||||
| 16 | form directing the Illinois resident whose personal | ||||||
| 17 | information has been breached to promptly change his or her | ||||||
| 18 | username or password and security question or answer, as | ||||||
| 19 | applicable, or to take other steps appropriate to protect | ||||||
| 20 | all online accounts for which the resident uses the same | ||||||
| 21 | user name or email address and password or security | ||||||
| 22 | question and answer. | ||||||
| 23 | (b) Any data collector that maintains or stores, but does | ||||||
| 24 | not own or license, computerized data that
includes personal | ||||||
| 25 | information that the data collector does not own or license | ||||||
| 26 | shall notify the owner or licensee of the information of any | ||||||
| |||||||
| |||||||
| 1 | breach of the security of the data immediately following | ||||||
| 2 | discovery, if the personal information was, or is reasonably | ||||||
| 3 | believed to have been, acquired by
an unauthorized person. In | ||||||
| 4 | addition to providing such notification to the owner or | ||||||
| 5 | licensee, the data collector shall cooperate with the owner or | ||||||
| 6 | licensee in matters relating to the breach. That cooperation | ||||||
| 7 | shall include, but need not be limited to, (i) informing the | ||||||
| 8 | owner or licensee of the breach, including giving notice of the | ||||||
| 9 | date or approximate date of the breach and the nature of the | ||||||
| 10 | breach, and (ii) informing the owner or licensee of any steps | ||||||
| 11 | the data collector has taken or plans to take relating to the | ||||||
| 12 | breach. The data collector's cooperation shall not, however, be | ||||||
| 13 | deemed to require either the disclosure of confidential | ||||||
| 14 | business information or trade secrets or the notification of an | ||||||
| 15 | Illinois resident who may have been affected by the breach.
| ||||||
| 16 | (b-5) The notification to an Illinois resident required by | ||||||
| 17 | subsection (a) of this Section may be delayed if an appropriate | ||||||
| 18 | law enforcement agency determines that notification will | ||||||
| 19 | interfere with a criminal investigation and provides the data | ||||||
| 20 | collector with a written request for the delay. However, the | ||||||
| 21 | data collector must notify the Illinois resident as soon as | ||||||
| 22 | notification will no longer interfere with the investigation.
| ||||||
| 23 | (c) For purposes of this Section, notice to consumers may | ||||||
| 24 | be provided by one of the following methods:
| ||||||
| 25 | (1) written notice; | ||||||
| 26 | (2) electronic notice, if the notice provided is
| ||||||
| |||||||
| |||||||
| 1 | consistent with the provisions regarding electronic
| ||||||
| 2 | records and signatures for notices legally required to be
| ||||||
| 3 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 4 | United States Code;
or | ||||||
| 5 | (3) substitute notice, if the data collector
| ||||||
| 6 | demonstrates that the cost of providing notice would exceed
| ||||||
| 7 | $250,000 or that the affected class of subject persons to | ||||||
| 8 | be notified exceeds 500,000, or the data collector does not
| ||||||
| 9 | have sufficient contact information. Substitute notice | ||||||
| 10 | shall consist of all of the following: (i) email notice if | ||||||
| 11 | the data collector has an email address for the subject | ||||||
| 12 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
| 13 | collector's web site page if the data collector maintains
| ||||||
| 14 | one; and (iii) notification to major statewide media or, if | ||||||
| 15 | the breach impacts residents in one geographic area, to | ||||||
| 16 | prominent local media in areas where affected individuals | ||||||
| 17 | are likely to reside if such notice is reasonably | ||||||
| 18 | calculated to give actual notice to persons whom notice is | ||||||
| 19 | required. | ||||||
| 20 | (d) Notwithstanding any other subsection in this Section, a | ||||||
| 21 | data collector
that maintains its own notification procedures | ||||||
| 22 | as part of an
information security policy for the treatment of | ||||||
| 23 | personal
information and is otherwise consistent with the | ||||||
| 24 | timing requirements of this Act, shall be deemed in compliance
| ||||||
| 25 | with the notification requirements of this Section if the
data | ||||||
| 26 | collector notifies subject persons in accordance with its | ||||||
| |||||||
| |||||||
| 1 | policies in the event of a breach of the security of the system | ||||||
| 2 | data.
| ||||||
| 3 | (e) Notice to Attorney General. | ||||||
| 4 | (1) Any data collector that suffers a single breach of | ||||||
| 5 | the security of the data concerning the personal | ||||||
| 6 | information of more than 250 Illinois residents shall | ||||||
| 7 | provide notice to the Attorney General of the breach, | ||||||
| 8 | including: | ||||||
| 9 | (A) A description of the personal information | ||||||
| 10 | compromised in the breach. | ||||||
| 11 | (B) The number of Illinois residents affected by | ||||||
| 12 | such incident at the time of notification. | ||||||
| 13 | (C) Any steps the data collector has taken or plans | ||||||
| 14 | to take relating to notification of the breach to | ||||||
| 15 | consumers. | ||||||
| 16 | (D) The date and timeframe of the breach, if known | ||||||
| 17 | at the time notification is provided. | ||||||
| 18 | Such notification must be made within 30 business days | ||||||
| 19 | of the data collector's discovery of the security breach or | ||||||
| 20 | 2 days before the data collector provides any notice to | ||||||
| 21 | consumers required by this Section, whichever is sooner, | ||||||
| 22 | unless the data collector has good cause for reasonable | ||||||
| 23 | delay to determine the scope of the breach and restore the | ||||||
| 24 | integrity, security, and confidentiality of the data | ||||||
| 25 | system, or when law enforcement requests in writing to | ||||||
| 26 | withhold disclosure of some or all of the information | ||||||
| |||||||
| |||||||
| 1 | required in the notification under this Section. If the | ||||||
| 2 | date or timeframe of the breach is unknown at the time the | ||||||
| 3 | notice is sent to the Attorney General, the data collector | ||||||
| 4 | shall send the Attorney General the date or timeframe of | ||||||
| 5 | the breach as soon as possible. | ||||||
| 6 | (2) Any data collector that maintains or stores, but | ||||||
| 7 | does not own or license, computerized data that includes | ||||||
| 8 | personal information that suffers a single breach of the | ||||||
| 9 | security of the data concerning the personal information of | ||||||
| 10 | more than 250 Illinois residents shall notify the Attorney | ||||||
| 11 | General of the following: | ||||||
| 12 | (A) A description of the personal information | ||||||
| 13 | compromised in the breach. | ||||||
| 14 | (B) The number of Illinois residents affected by | ||||||
| 15 | such incident at the time of notification. | ||||||
| 16 | (C) Any steps the data collector has taken or plans | ||||||
| 17 | to take relating to notification of the owner or | ||||||
| 18 | licensee of the breach and what measures, if any, the | ||||||
| 19 | data collector has taken to notify Illinois residents. | ||||||
| 20 | (D) The date and timeframe of the breach, if known | ||||||
| 21 | at the time notification is provided. | ||||||
| 22 | Such notification must be made within 30 business days | ||||||
| 23 | of the data collector's discovery of the security breach or | ||||||
| 24 | when the data collector provides notice to the owner or | ||||||
| 25 | licensee of the information pursuant to this Section, | ||||||
| 26 | whichever is sooner, unless the data collector has good | ||||||
| |||||||
| |||||||
| 1 | cause for reasonable delay to determine the scope of the | ||||||
| 2 | breach and restore the integrity, security, and | ||||||
| 3 | confidentiality of the data system, or when law enforcement | ||||||
| 4 | requests in writing to withhold disclosure of some or all | ||||||
| 5 | of the information required in the notification under this | ||||||
| 6 | Section. If the date or timeframe of the breach is unknown | ||||||
| 7 | at the time the notice is sent to the Attorney General, the | ||||||
| 8 | data collector shall send the Attorney General the date or | ||||||
| 9 | timeframe of the breach as soon as possible. | ||||||
| 10 | (f) A data collector that suffers a breach subject to the | ||||||
| 11 | breach notification standards established pursuant to the | ||||||
| 12 | federal Health Information Technology Act, 42 U.S.C. Section | ||||||
| 13 | 17932, shall be deemed to be in compliance with the provisions | ||||||
| 14 | of this Section if that data collector does the following: (1) | ||||||
| 15 | provides notification to individuals in compliance with the | ||||||
| 16 | federal Health Information Technology Act and implementing | ||||||
| 17 | regulations and (2) provides notification to the Attorney | ||||||
| 18 | General pursuant to subsection (e). | ||||||
| 19 | (Source: P.A. 97-483, eff. 1-1-12.) | ||||||
| 20 | (815 ILCS 530/45 new) | ||||||
| 21 | Sec. 45. Data security. | ||||||
| 22 | (a) A data collector that owns or licenses, or maintains or | ||||||
| 23 | stores but does not own or license, records that contain | ||||||
| 24 | personal information concerning an Illinois resident shall | ||||||
| 25 | implement and maintain reasonable security measures to protect | ||||||
| |||||||
| |||||||
| 1 | those records from unauthorized access, acquisition, | ||||||
| 2 | destruction, use, modification, or disclosure. | ||||||
| 3 | (b) A contract for the disclosure of personal information | ||||||
| 4 | concerning an Illinois resident that is maintained by a data | ||||||
| 5 | collector must include a provision requiring the person to whom | ||||||
| 6 | the information is disclosed to implement and maintain | ||||||
| 7 | reasonable security measures to protect those records from | ||||||
| 8 | unauthorized access, acquisition, destruction, use, | ||||||
| 9 | modification, or disclosure. | ||||||
| 10 | (c) If a state or federal law requires a data collector to | ||||||
| 11 | provide greater protection to records that contain personal | ||||||
| 12 | information concerning an Illinois resident that are | ||||||
| 13 | maintained by the data collector and the data collector is in | ||||||
| 14 | compliance with the provisions of that state or federal law, | ||||||
| 15 | the data collector shall be deemed to be in compliance with the | ||||||
| 16 | provisions of this Section. | ||||||
| 17 | (d) A data collector that is subject to and in compliance | ||||||
| 18 | with the security standards for the protection of electronic | ||||||
| 19 | health information, 45 C.F.R. Parts 160 and 164, established | ||||||
| 20 | pursuant to the federal Health Insurance Portability and | ||||||
| 21 | Accountability Act of 1996 shall be deemed to be in compliance | ||||||
| 22 | with the provisions of this Section. | ||||||
| 23 | (e) A data collector that is subject to and in compliance | ||||||
| 24 | with the standards established pursuant to Section 501(b) of | ||||||
| 25 | the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, | ||||||
| 26 | shall be deemed to be in compliance with the provisions of this | ||||||
| |||||||
| |||||||
| 1 | Section. | ||||||
| 2 | (815 ILCS 530/50 new) | ||||||
| 3 | Sec. 50. Posting of privacy policy. | ||||||
| 4 | (a) As used in this Section: | ||||||
| 5 | "Conspicuously post" means posting the privacy policy | ||||||
| 6 | through any of the following: | ||||||
| 7 | (1) A Web page on which the actual privacy policy is | ||||||
| 8 | posted if the Web page is the homepage or first significant | ||||||
| 9 | page after entering the Web site. | ||||||
| 10 | (2) An icon that hyperlinks to a Web page on which the | ||||||
| 11 | actual privacy policy is posted, if the icon is located on | ||||||
| 12 | the homepage or the first significant page after entering | ||||||
| 13 | the Web site, and if the icon contains the word "privacy". | ||||||
| 14 | The icon shall also use a color that contrasts with the | ||||||
| 15 | background color of the Web page or is otherwise | ||||||
| 16 | distinguishable. | ||||||
| 17 | (3) A text link that hyperlinks to a Web page on which | ||||||
| 18 | the actual privacy policy is posted, if the text link is | ||||||
| 19 | located on the homepage or first significant page after | ||||||
| 20 | entering the Web site, and if the text link does one of the | ||||||
| 21 | following: | ||||||
| 22 | (A) Includes the word "privacy". | ||||||
| 23 | (B) Is written in capital letters equal to or | ||||||
| 24 | greater in size than the surrounding text. | ||||||
| 25 | (C) Is written in larger type than the surrounding | ||||||
| |||||||
| |||||||
| 1 | text, or in contrasting type, font, or color to the | ||||||
| 2 | surrounding text of the same size, or set off from the | ||||||
| 3 | surrounding text of the same size by symbols or other | ||||||
| 4 | marks that call attention to the language. | ||||||
| 5 | (4) Any other functional hyperlink that is displayed in | ||||||
| 6 | a noticeable manner. | ||||||
| 7 | (5) In the case of an online service, any other | ||||||
| 8 | reasonably accessible means of making the privacy policy | ||||||
| 9 | available for a consumer of the online service. | ||||||
| 10 | "Operator" means any person or entity that owns a Web site | ||||||
| 11 | located on the Internet or an online service that collects and | ||||||
| 12 | maintains personal information from a consumer residing in | ||||||
| 13 | Illinois who uses or visits the Web site or online service if | ||||||
| 14 | the Web site or online service is operated for commercial | ||||||
| 15 | purposes. It does not include any third party that operates, | ||||||
| 16 | hosts, or manages, but does not own, a Web site or online | ||||||
| 17 | service on the owner's behalf or by processing information on | ||||||
| 18 | behalf of the owner. | ||||||
| 19 | (b) An operator of a commercial Web site or online service | ||||||
| 20 | that collects personal information through the Internet about | ||||||
| 21 | individual consumers residing in Illinois who use or visit its | ||||||
| 22 | commercial Web site or online service shall conspicuously post | ||||||
| 23 | its privacy policy on its Web site or online service. An | ||||||
| 24 | operator shall be in violation of this subdivision only if the | ||||||
| 25 | operator fails to post its policy within 30 days after being | ||||||
| 26 | notified of noncompliance. | ||||||
| |||||||
| |||||||
| 1 | (c) The privacy policy required by subsection (b) shall, at | ||||||
| 2 | a minimum, do the following: | ||||||
| 3 | (1) Identify the categories of personal information | ||||||
| 4 | that the operator collects through the Web site or online | ||||||
| 5 | service about individual consumers who use or visit its | ||||||
| 6 | commercial Web site or online service and the categories of | ||||||
| 7 | third-party persons or entities with whom the operator may | ||||||
| 8 | share that personal information. | ||||||
| 9 | (2) If the operator maintains a process for an | ||||||
| 10 | individual consumer who uses or visits its commercial Web | ||||||
| 11 | site or online service to review and request changes to any | ||||||
| 12 | of his or her personal information that is collected | ||||||
| 13 | through the Web site or online service, provide a | ||||||
| 14 | description of that process. | ||||||
| 15 | (3) Describe the process by which the operator notifies | ||||||
| 16 | consumers who use or visit its commercial Web site or | ||||||
| 17 | online service of material changes to the operator's | ||||||
| 18 | privacy policy for that Web site or online service. | ||||||
| 19 | (4) Identify its effective date. | ||||||
| 20 | (5) Disclose how the operator responds to Web browser | ||||||
| 21 | "do not track" signals or other mechanisms that provide | ||||||
| 22 | consumers the ability to exercise choice regarding the | ||||||
| 23 | collection of personal information about an individual | ||||||
| 24 | consumer's online activities over time and across | ||||||
| 25 | third-party Web sites or online services, if the operator | ||||||
| 26 | engages in that collection. | ||||||
| |||||||
| |||||||
| 1 | (6) Disclose whether other parties may collect | ||||||
| 2 | personal information about an individual consumer's online | ||||||
| 3 | activities over time and across different Web sites or | ||||||
| 4 | online services when a consumer uses the operator's Web | ||||||
| 5 | site or online service. | ||||||
| 6 | An operator may satisfy the requirement of paragraph (5) by | ||||||
| 7 | providing a clear and conspicuous hyperlink in the operator's | ||||||
| 8 | privacy policy to an online location containing a description, | ||||||
| 9 | including the effects, of any program or protocol the operator | ||||||
| 10 | follows that offers the consumer that choice.
| ||||||