Illinois General Assembly - Full Text of HB3358
Illinois General Assembly

Previous General Assemblies

Full Text of HB3358  101st General Assembly

HB3358sam003 101ST GENERAL ASSEMBLY

Sen. Thomas Cullerton

Filed: 5/29/2019

 

 


 

 


 
10100HB3358sam003LRB101 11180 HEP 61371 a

1
AMENDMENT TO HOUSE BILL 3358

2    AMENDMENT NO. ______. Amend House Bill 3358 by replacing
3everything after the enacting clause with the following:
 
4    "Section 1. Short title. This Act may be cited as the Data
5Transparency and Privacy Act.
 
6    Section 5. Findings. The General Assembly finds and
7declares that:
8    (1) The right to privacy is a personal and fundamental
9right protected by the United States Constitution. As such, all
10individuals have a right to privacy and a personal property
11interest in information pertaining to them and that information
12shall be adequately protected from unlawful invasions and
13takings. This State recognizes the importance of providing
14consumers with transparency about how their personal
15information, especially information relating to their
16children, is shared by businesses. This transparency is crucial

 

 

10100HB3358sam003- 2 -LRB101 11180 HEP 61371 a

1for Illinois citizens to protect themselves and their families
2from cyber-crimes and identity thieves.
3    (2) Furthermore, for free market forces to have a role in
4shaping the privacy practices and for "opt-in" and "opt-out"
5remedies to be effective, consumers must be more than vaguely
6informed that a business might share personal information with
7third parties. Consumers must be better informed about what
8kinds of personal information is shared with other businesses.
9With these specifics, consumers can knowledgeably choose to opt
10in, opt out, or choose among businesses that disclose
11information to third parties on the basis of how protective the
12business is of consumers' privacy.
13    (3) Businesses are now collecting personal information and
14sharing and selling it in ways not contemplated or properly
15covered by the current law. Some websites are installing
16tracking tools that record when consumers visit web pages, and
17sending very personal information, such as age, gender, race,
18income, health concerns, religion, and recent purchases to
19third-party marketers and data brokers. Third-party data
20broker companies are buying, selling, and trading personal
21information obtained from mobile phones, financial
22institutions, social media sites, and other online and brick
23and mortar companies. Some mobile applications are sharing
24personal information, such as location information, unique
25phone identification numbers, and age, gender, and other
26personal details with third-party companies.

 

 

10100HB3358sam003- 3 -LRB101 11180 HEP 61371 a

1    (4) As such, consumers need to know the ways that their
2personal information is being collected by companies and then
3shared or sold to third parties in order to properly protect
4their privacy, property, personal safety, and financial
5security.
 
6    Section 10. Definitions. As used in this Act:
7    "Affiliate" means a legal entity that controls, is
8controlled by, or is under common control with another legal
9entity.
10    "Consumer" means a natural person residing in this State.
11"Consumer" does not include a natural person acting in an
12employment context.
13    "Deidentified" means information that cannot reasonably be
14used to infer information about, or otherwise be linked to, a
15particular consumer. An operator that uses deidentified
16information:
17        (1) must take reasonable measures to ensure that the
18    data is deidentified; and
19        (2) must publicly commit to maintain and use the data
20    in a deidentified fashion and not to attempt to reidentify
21    the data.
22    If a company makes such deidentified data available to
23service providers or other third parties, then it must
24contractually prohibit such entities from attempting to
25reidentify the data.

 

 

10100HB3358sam003- 4 -LRB101 11180 HEP 61371 a

1    "Designated request address" means an electronic mail
2address, online form, or toll-free telephone number that a
3consumer may use to request the information required to be
4provided pursuant to this Act.
5    "Disclose" means to disclose, release, transfer, share,
6disseminate, make available, sell, or otherwise communicate
7orally, in writing, or by electronic or any other means a
8consumer's personal information to any affiliate or third
9party.
10    "Disclose" does not include:
11        (1) Disclosure of personal information by an operator
12    to a third party or service provider under a written
13    contract authorizing the third party or service provider to
14    utilize the personal information to perform services on
15    behalf of the operator, including, but not limited to,
16    maintaining or servicing accounts, disclosure of personal
17    information by an operator to a service provider,
18    processing or fulfilling orders and transactions,
19    verifying consumer information, processing payments,
20    providing financing, or similar services, but only if: the
21    contract prohibits the third party or service provider from
22    using the personal information for any reason other than
23    performing the specified service on behalf of the operator
24    and from disclosing any such personal information to
25    additional third parties or service providers unless those
26    additional third parties or service providers (i) are

 

 

10100HB3358sam003- 5 -LRB101 11180 HEP 61371 a

1    allowed by the contract to further the specified services
2    and (ii) the additional third parties are subject to the
3    same restrictions imposed by this subsection.
4        (2) Disclosure of personal information by an operator
5    to a third party based on a good faith belief that
6    disclosure is required to comply with applicable law,
7    regulation, legal process, or court order.
8        (3) Disclosure of personal information by an operator
9    to a third party that is reasonably necessary to address
10    fraud, risk management, security, or technical issues; to
11    protect the disclosing operator's rights or property; or to
12    protect consumers or the public from illegal activities.
13        (4) Disclosure of personal information by an operator
14    to a third party in connection with the proposed or actual
15    sale, merger, or bankruptcy of the operator, to a third
16    party.
17    "Operator" means any private entity that owns an Internet
18website or an online service that collects, maintains, or
19discloses personal information of a consumer residing in this
20State who uses or visits the website or online service if the
21website or online service is operated for commercial purposes.
22It does not include any third party that operates, hosts, or
23manages, but does not own, a website or online service on the
24owner's behalf or by processing information on behalf of the
25owner.
26    "Personal information" means any information that can

 

 

10100HB3358sam003- 6 -LRB101 11180 HEP 61371 a

1reasonably be used to infer information about, or otherwise be
2linked to, a particular consumer, including, but not limited
3to, identifiers such as a real name, alias, signature, address,
4telephone number, passport number, driver's license or State
5identification card number, insurance policy number, bank
6account number, credit card number, debit card number, or any
7other financial account information, unique personal
8identifier, geolocation, or biometric information. Personal
9information does not include data that has been deidentified.
10    "Private entity" means a sole proprietorship, partnership,
11limited liability company, corporation, association, or other
12legal entity that is organized or operated for the profit or
13financial benefit of its shareholders or other owners, that
14does business in the State of Illinois, and that satisfies one
15or more of the following thresholds:
16        (1) Annually buys, receives for the business'
17    commercial purposes, sells, or shares for commercial
18    purposes, alone or in combination, the personal
19    information of 50,000 or more consumers, households, or
20    devices.
21        (2) Derives 50% or more of its annual revenues from
22    selling consumers' personal information.
23    "Process" or "processes" means any collection, use,
24storage, disclosure, analysis, deletion, or modification of
25personal information.
26    "Sale" or "sell" means the selling, renting, or licensing

 

 

10100HB3358sam003- 7 -LRB101 11180 HEP 61371 a

1of a consumer's personal information by an operator to a third
2party in direct exchange for monetary consideration, whereby,
3as a result of such transaction, the third party may use the
4personal information for its own commercial purposes.
5    "Sale" or "sell" does not include circumstances in which:
6        (1) A consumer uses or directs the operator to
7    intentionally disclose personal information or uses the
8    operator to intentionally interact with a third party,
9    provided the third party does not also sell the personal
10    information, unless that disclosure would be consistent
11    with the provisions of this Act. An intentional interaction
12    occurs when the consumer intends to interact with the third
13    party by one or more deliberate interactions. Hovering
14    over, muting, pausing, or closing a given piece of content
15    does not constitute a consumer's intent to interact with a
16    third party.
17        (2) The operator uses or shares an identifier for a
18    consumer who has opted out of the sale of the consumer's
19    personal information for the purposes of alerting third
20    parties that the consumer has opted out of the sale of the
21    consumer's personal information.
22        (3) The operator uses or shares with a service provider
23    personal information of a consumer that is necessary to
24    perform a business purpose or business purposes if the
25    service provider does not further collect, sell, or use the
26    personal information of the consumer except as necessary to

 

 

10100HB3358sam003- 8 -LRB101 11180 HEP 61371 a

1    perform the business purpose or business purposes.
2        (4) The operator transfers to a third party the
3    personal information of a consumer as an asset that is part
4    of a merger, acquisition, bankruptcy, or other transaction
5    in which the third party assumes control of all or part of
6    the business provided that information is used or shared
7    consistently with this Act. If a third party materially
8    alters how it uses or shares the personal information of a
9    consumer in a manner that is materially inconsistent with
10    the promises made at the time of collection, it shall
11    provide prior notice of the new or changed practice to the
12    consumer. The notice shall be sufficiently prominent and
13    robust to ensure that existing consumers can easily
14    exercise their choices consistently with Section 25. This
15    subparagraph does not authorize a business to make
16    material, retroactive privacy policy changes or make other
17    changes in their privacy policy in a manner that would
18    violate the Consumer Fraud and Deceptive Business
19    Practices Act.
20        (5) An operator uses a consumer's personal information
21    to sell targeted advertising space to a third party as long
22    as the personal information is not sold by the operator to
23    the third party.
24        (6) The disclosure or transfer of personal information
25    to an affiliate of the operator.
26    "Service provider" means the natural or legal person that

 

 

10100HB3358sam003- 9 -LRB101 11180 HEP 61371 a

1processes personal information on behalf of the operator.
2    "Third party" means a private entity that is: (1) not an
3affiliate of the private entity that has disclosed personal
4information; or (2) a private entity that is an affiliate with
5the private entity that has disclosed personal information and
6the affiliate relationship is not clear to the consumer.
7    "Verified request" means the process through which a
8consumer may submit a request to exercise a right or rights set
9forth in this Act and by which an operator can reasonably
10authenticate the request. A consumer shall not be required to
11create an account with the operator in order to make a verified
12request, and the method for exercising the rights set forth in
13this Act shall be reasonably accessible and not be overly
14burdensome on the consumer.
 
15    Section 15. Right to transparency. An operator that
16collects personal information or deidentified information
17through the Internet about individual consumers who use or
18visit its Internet website or online service, in its consumer
19service agreement or incorporated addendum or any other similar
20and readily available mechanism accessible to the consumer,
21shall:
22        (1) identify all categories of personal information
23    and deidentified information that the operator processes
24    about individual consumers collected through its Internet
25    website or online service;

 

 

10100HB3358sam003- 10 -LRB101 11180 HEP 61371 a

1        (2) identify all categories of third parties with whom
2    the operator may disclose that personal information or
3    deidentified information;
4        (3) disclose whether a third party may collect personal
5    information or deidentified information about an
6    individual consumer's online activities over time and
7    across different Internet websites or online services when
8    the consumer uses the Internet website or online service of
9    the operator;
10        (4) provide a description of the process, if any such
11    process exists, for an individual consumer who uses or
12    visits the Internet website or online service to review and
13    request changes to inaccurate personal information that is
14    collected by the operator as a result of the consumer's use
15    or visits to the Internet website or online service;
16        (5) describe the process by which the operator notifies
17    consumers who use or visit its Internet website or online
18    service of material changes to the notice required to be
19    made available under this Section;
20        (6) state the effective date of the notice;
21        (7) provide a description of a consumer's rights, as
22    required by this Act, accompanied by one or more designated
23    request addresses.
 
24    Section 20. Right to know.
25    (a) An operator that discloses personal information of a

 

 

10100HB3358sam003- 11 -LRB101 11180 HEP 61371 a

1consumer collected through the consumer's use of or visit to
2the operator's website or online service to a third party shall
3make the following information available to a consumer, free of
4charge, upon receipt of a verified request:
5        (1) the categories of personal information that were
6    disclosed about an individual consumer and the approximate
7    number of all third parties that received the consumer's
8    personal information; or
9        (2) all categories of personal information about
10    consumers that were disclosed and the approximate number of
11    all third parties that received any consumer's personal
12    information.
13    (b) An operator may establish processes for reasonably
14authenticating consumers making the request if the operator
15seeks to provide the consumer with information about the
16individual consumer pursuant to item(1) of subsection (a).
17    (c) Notwithstanding the other provisions of this Section, a
18parent or legal guardian of a consumer under the age of 13 may
19submit a verified request under this Section on behalf of that
20consumer.
21    (d) This Section applies only to personal information
22disclosed after the effective date of this Act.
 
23    Section 25. Right to opt out. An operator that sells the
24personal information of a consumer collected through the
25consumer's use of or visit to the operator's Internet website

 

 

10100HB3358sam003- 12 -LRB101 11180 HEP 61371 a

1or online service shall clearly and conspicuously post, on its
2Internet website or online service or in another prominently
3and easily accessible location the operator maintains for
4consumer privacy settings, a link to an Internet web page
5maintained by the operator that enables a consumer, by verified
6request through a designated request address, to opt out of
7such sale of the consumer's personal information to third
8parties. The method by which a consumer may opt out shall be
9done in a form and manner determined by the operator in a way
10and fashion that is not overly burdensome, shall not require a
11consumer to establish an account with the operator in order to
12opt out of the sale of a consumer's personal information, and
13shall be posted in a conspicuous place that is readily and
14easily accessible to a consumer. This Section applies only to
15operators that sell personal information. This Section only
16applies to personal information sold after the effective date
17of this Act.
 
18    Section 30. Response to verified requests.
19    (a) An operator that receives a verified request from a
20consumer through a designated request address under this Act
21shall provide a response to the consumer within 45 days of the
22request.
23    (b) An operator shall not be required to respond to a
24request made by the same consumer or made by the same parent or
25legal guardian on behalf of a consumer under the age of 13 more

 

 

10100HB3358sam003- 13 -LRB101 11180 HEP 61371 a

1than once in any 12-month period.
 
2    Section 35. Enforcement.     A violation of this Act
3constitutes an unlawful practice under the Consumer Fraud and
4Deceptive Business Practices Act. The Attorney General has
5exclusive authority to enforce this Act as a violation of the
6Consumer Fraud and Deceptive Business Practices Act, subject to
7the remedies available to the Attorney General pursuant to the
8Consumer Fraud and Deceptive Business Practices Act. There
9shall be no private right of action to enforce violations under
10this Act.
 
11    Section 40. Waivers; contracts. Any waiver of the
12provisions of this Act is void and unenforceable. If a party
13violates any provision of this Act, the non-violating party's
14obligations under any agreement between the parties are
15terminated.
 
16    Section 45. Construction.
17    (a) The obligations imposed on operators by this Act shall
18not restrict an operator's ability to:
19        (1) Comply with federal, state, or local laws, rules,
20    regulations, or enforceable guidance.
21        (2) Comply with a civil, criminal, or regulatory
22    inquiry, investigation, subpoena, or summons by federal,
23    state, or local authorities.

 

 

10100HB3358sam003- 14 -LRB101 11180 HEP 61371 a

1        (3) Cooperate with law enforcement agencies concerning
2    conduct or activity that the operator, service provider, or
3    third party reasonably and in good faith believes may
4    violate federal, state, or local law.
5        (4) Exercise or defend legal claims.
6        (5) Prevent, detect, or respond to identity theft,
7    fraud, or other malicious or illegal activity.
8    (b) Nothing in this Act applies to a health care provider
9or other covered entity subject to the Federal Health Insurance
10Portability and Accountability Act of 1996 and the rules
11promulgated under that Act.
12    (c) Nothing in this Act applies in any manner to a
13financial institution or an affiliate of a financial
14institution that is subject to Title V of the Federal
15Gramm-Leach-Bliley Act and the rules promulgated under that
16Act.
17    (d) Nothing in this Act applies to a contractor,
18subcontractor, or agent of a State agency or local unit of
19government when working for that State agency or local unit of
20government.
21    (e) Nothing in this Act applies to a public utility, an
22alternative retail electric supplier, or an alternative gas
23supplier, as those terms are defined in Sections 3-105, 16-102,
24and 19-105 of the Public Utilities Act, or an electric
25cooperative, as defined in Section 3.4 of the Electric Supplier
26Act.

 

 

10100HB3358sam003- 15 -LRB101 11180 HEP 61371 a

1    (f) Nothing in this Act applies to: (i) a hospital operated
2under the Hospital Licensing Act; (ii) a hospital affiliate, as
3defined under the Hospital Licensing Act; or (iii) a hospital
4operated under the University of Illinois Hospital Act.
5    (g) Nothing in this Act applies to personal information or
6deidentified information collected, processed, or disclosed by
7a retailer in connection with a prospective or complete sale,
8transaction, or communication conducted on, before, or after
9the effective date of this Act that is related to business
10services or delivering information, or selling, offering to
11sell, moving, or delivering tangible personal property. As used
12in this Section, "retailer" means an entity that holds itself
13out as being engaged, or habitually engages, in selling,
14moving, or delivering tangible personal property at retail and
15includes a retailer's affiliates, subsidiaries, and service
16providers collecting, processing, or disclosing personal
17information or deidentified information on behalf of the
18retailer to facilitate a prospective or complete sale,
19transaction, or communication related to business services or
20delivering information, or selling, offering to sell, moving,
21or delivering tangible personal property.
22    (h) Nothing in this Act applies to the following entities
23and affiliates, as defined in 17 CFR 230.405, of any such
24entities: telecommunications carriers as defined in Section
2513-202 of the Public Utilities Act and wireless carriers as
26defined in Section 2 of the Emergency Telephone System Act.

 

 

10100HB3358sam003- 16 -LRB101 11180 HEP 61371 a

1    (i) Nothing in this Act restricts an operator's ability to
2collect or disclose a consumer's personal information if a
3consumer's conduct takes place wholly outside of Illinois. For
4purposes of this Act, conduct takes place wholly outside of
5Illinois if the operator collected that information while the
6consumer was outside of Illinois, no part of the sale of the
7consumer's personal information occurred in Illinois, and no
8personal information collected while the consumer was in
9Illinois is disclosed.
10    (j) Nothing in this Act shall require an operator to (i)
11retain any personal information collected for a single,
12one-time transaction, if such information is not sold or
13retained by the business or to reidentify or otherwise link
14information that is not maintained in a manner that would be
15considered personal information; or (ii) reidentify or
16otherwise link any data that, in the ordinary course of
17business, is not maintained in a manner that would be
18considered personal information.
19    (k) Nothing in this Act shall be construed to modify,
20limit, or supersede the operation of any other Illinois law or
21prevent a party from otherwise seeking relief under the Code of
22Civil Procedure.
 
23    Section 50. Severability. If any provision of this Act or
24its application to any person or circumstance is held invalid,
25the invalidity of that provision or application does not affect

 

 

10100HB3358sam003- 17 -LRB101 11180 HEP 61371 a

1other provisions or applications of this Act that can be given
2effect without the invalid provision or application.
 
3    Section 99. Effective date. This Act takes effect July 1,
42020.".