Full Text of HB3358 101st General Assembly
HB3358sam003
101ST GENERAL ASSEMBLY
Sen. Thomas Cullerton
Filed: 5/29/2019

10100HB3358sam003
LRB101 11180 HEP 61371 a

AMENDMENT TO HOUSE BILL 3358

AMENDMENT NO. ______. Amend House Bill 3358 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Findings. The General Assembly finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial
for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.

(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

(4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.

"Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.

"Deidentified" means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer. An operator that uses deidentified information:

(1) must take reasonable measures to ensure that the data is deidentified; and

(2) must publicly commit to maintain and use the data in a deidentified fashion and not to attempt to reidentify the data.

If a company makes such deidentified data available to service providers or other third parties, then it must contractually prohibit such entities from attempting to reidentify the data.

"Designated request address" means an electronic mail address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party.

"Disclose" does not include:

(1) Disclosure of personal information by an operator to a third party or service provider under a written contract authorizing the third party or service provider to utilize the personal information to perform services on behalf of the operator, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by an operator to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the operator and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers (i) are
allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection.

(2) Disclosure of personal information by an operator to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(3) Disclosure of personal information by an operator to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing operator's rights or property; or to protect consumers or the public from illegal activities.

(4) Disclosure of personal information by an operator to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the operator, to a third party.

"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that can
reasonably be used to infer information about, or otherwise be linked to, a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information. Personal information does not include data that has been deidentified.

"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:

(1) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(2) Derives 50% or more of its annual revenues from selling consumers' personal information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Sale" or "sell" means the selling, renting, or licensing
of a consumer's personal information by an operator to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes.

"Sale" or "sell" does not include circumstances in which:

(1) A consumer uses or directs the operator to intentionally disclose personal information or uses the operator to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(2) The operator uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.

(3) The operator uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to
perform the business purpose or business purposes.

(4) The operator transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

(5) An operator uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the operator to the third party.

(6) The disclosure or transfer of personal information to an affiliate of the operator.

"Service provider" means the natural or legal person that
processes personal information on behalf of the operator.

"Third party" means a private entity that is: (1) not an affiliate of the private entity that has disclosed personal information; or (2) a private entity that is an affiliate with the private entity that has disclosed personal information and the affiliate relationship is not clear to the consumer.

"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.

Section 15. Right to transparency. An operator that collects personal information or deidentified information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:

(1) identify all categories of personal information and deidentified information that the operator processes about individual consumers collected through its Internet website or online service;

(2) identify all categories of third parties with whom the operator may disclose that personal information or deidentified information;

(3) disclose whether a third party may collect personal information or deidentified information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;

(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;

(5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;

(6) state the effective date of the notice;

(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

Section 20. Right to know.

(a) An operator that discloses personal information of a
consumer collected through the consumer's use of or visit to the operator's website or online service to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:

(1) the categories of personal information that were disclosed about an individual consumer and the approximate number of all third parties that received the consumer's personal information; or

(2) all categories of personal information about consumers that were disclosed and the approximate number of all third parties that received any consumer's personal information.

(b) An operator may establish processes for reasonably authenticating consumers making the request if the operator seeks to provide the consumer with information about the individual consumer pursuant to item (1) of subsection (a).

(c) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.

(d) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website
or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of such sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a form and manner determined by the operator in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.

Section 30. Response to verified requests.

(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.

(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more
than once in any 12-month period.

Section 35. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General has exclusive authority to enforce this Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available to the Attorney General pursuant to the Consumer Fraud and Deceptive Business Practices Act. There shall be no private right of action to enforce violations under this Act.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. If a party violates any provision of this Act, the non-violating party's obligations under any agreement between the parties are terminated.

Section 45. Construction.

(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:

(1) Comply with federal, state, or local laws, rules, regulations, or enforceable guidance.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

(5) Prevent, detect, or respond to identity theft, fraud, or other malicious or illegal activity.

(b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.

(d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.

(g) Nothing in this Act applies to personal information or deidentified information collected, processed, or disclosed by a retailer in connection with a prospective or complete sale, transaction, or communication conducted on, before, or after the effective date of this Act that is related to business services or delivering information, or selling, offering to sell, moving, or delivering tangible personal property. As used in this Section, "retailer" means an entity that holds itself out as being engaged, or habitually engages, in selling, moving, or delivering tangible personal property at retail and includes a retailer's affiliates, subsidiaries, and service providers collecting, processing, or disclosing personal information or deidentified information on behalf of the retailer to facilitate a prospective or complete sale, transaction, or communication related to business services or delivering information, or selling, offering to sell, moving, or delivering tangible personal property.

(h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.

(i) Nothing in this Act restricts an operator's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the operator collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

(j) Nothing in this Act shall require an operator to (i) retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information; or (ii) reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

(k) Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.

Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect
other provisions or applications of this Act that can be given effect without the invalid provision or application.

Section 99. Effective date. This Act takes effect July 1, 2020.".