Full Text of HB2774 100th General Assembly
HB2774ham004 100TH GENERAL ASSEMBLY | Rep. Arthur Turner Filed: 4/4/2017
10000HB2774ham004 LRB100 08020 RJF 24758 a
AMENDMENT TO HOUSE BILL 2774
AMENDMENT NO. ______. Amend House Bill 2774, AS AMENDED, by replacing everything after the enacting clause with the following:
"Section 1. Short title. This Act may be cited as the Right to Know Act.
Section 5. Findings and purpose.
The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
Section 10. Definitions.
As used in this Act:
"Categories of personal information" includes, but is not limited to, the following:
(a) Identity information including, but not limited to, real name, alias, nickname, and user name.
(b) Address information, including, but not limited to, postal or e-mail.
(c) Telephone number.
(d) Account name.
(e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
(f) Birthdate or age.
(g) Physical characteristic information, including, but not limited to, height and weight.
(h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
(i) Race or ethnicity.
(j) Religious affiliation or activity.
(k) Political affiliation or activity.
(l) Professional or employment-related information.
(m) Educational information.
(n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
(o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
(p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
(q) Location information.
(r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
(s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
(t) Any of the above categories of information as they pertain to the children of the customer.
"Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
"Designated request address" means an e-mail address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.
"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:
(a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and (ii) the private entity effectively enforces these prohibitions.
(b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
(c) Disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
"Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personal information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. "Operator" does not include businesses having 5 or fewer employees or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.
"Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information; (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.
Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personal information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum: (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; (ii) identify all categories of third party persons or entities with whom the operator may disclose that personal information; and (iii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.
Section 20. Disclosure of a customer's personal information to a third party.
(a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
(1) all categories of personal information that were disclosed; and
(2) the names of all third parties that received the customer's personal information.
(b) This Section applies only to personal information disclosed after the effective date of this Act.
Section 25. Information availability service.
(a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.
(b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.
(c) The parent or legal guardian of a customer under the age of 18 may submit a request under this Section on behalf of that customer.
(d) An operator shall not be required to respond to a request made by the same customer more than once within a given 12-month period.
Section 30. Violation; right of action. A violation of this Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act. Any lawsuits filed under the Consumer Fraud and Deceptive Business Practices Act for a violation of this Act shall only be filed by the Office of the Attorney General or the appropriate State's Attorney's Office on behalf of the plaintiff. On any award granted for a violation of this Act, the amount awarded shall be deposited into the Cyber-secure Illinois Educational Advancement Fund created by this Act. Any operator bound to the requirements of this Act that makes a good faith effort to respond to a customer's request for information under Section 25 shall not be liable for a violation of this Act. Any person whose rights under this Act are violated shall also have, in addition to any rights under the Consumer Fraud and Deceptive Business Practices Act, a right of action against an offending party to seek injunctive relief, if appropriate. Nothing in this Section shall prevent a person from seeking a right of action for a violation of the Biometric Information Privacy Act or otherwise seeking relief under the Code of Civil Procedure.
Section 35. The Cyber-secure Illinois Educational Advancement Fund. The Cyber-secure Illinois Educational Advancement Fund is created as a special fund in the State Treasury. All moneys in the Fund shall be appropriated for the public interest by the State of Illinois university system to fund the enhancement and creation of partnerships between employers, schools, and community organizations that focus on cyber security skill shortages and the education of the next generation of cyber security experts in the State of Illinois.
Section 40. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.
Section 45. Construction.
(a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
(b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.
(c) Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.
(d) Nothing in this Act shall be construed to apply to any State agency, federal agency, unit of local government, or any contractor, subcontractor, or agent thereof, when working for that State agency, federal agency, or unit of local government.
(e) Nothing in this Act shall be construed to apply to any entity recognized as a tax-exempt organization under 501(c)(3) or 501(c)(4) of the Internal Revenue Code of 1986.
(f) Nothing in this Act shall be construed to apply to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act.
Section 100. The State Finance Act is amended by adding Section 5.878 as follows:
(30 ILCS 105/5.878 new)
Sec. 5.878. The Cyber-secure Illinois Educational Advancement Fund.".