Full Text of SB0731 102nd General Assembly
SB0731sam002 102ND GENERAL ASSEMBLY | Sen. Thomas Cullerton Filed: 4/9/2021
10200SB0731sam002 LRB102 17247 KTG 24999 a

AMENDMENT TO SENATE BILL 731

AMENDMENT NO. ______. Amend Senate Bill 731 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Do Not Track Act.

Section 5. Findings. The General Assembly finds and declares that:
    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information is stored, used, and shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
    (2) Businesses are now collecting, sharing, and selling personal information in ways not contemplated or properly covered by current law.
        (a) Some websites install tracking tools that record when consumers visit web pages and send personal information collected to third party marketers and data brokers.
        (b) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.
        (c) Social media companies, credit agencies and retail stores have all had their internal security systems breached, resulting in consumers' personal information being stolen and sold on the black market.
    (3) Illinois consumers must be better informed about what kinds of personal information are collected, how information is shared with third parties, and how businesses store consumers' personal information. With this specific information, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:
"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.
"Business" means any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois and meets one or more of the following thresholds:
    (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof.
    (2) The business derives 50% or more of its annual revenues from selling consumers' personal information.
"Business" does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.
"Categories of sources" means types of entities from which a business collects personal information about consumers, including, but not limited to, the consumer directly, government entities from which public records are obtained, and consumer data resellers.
"Categories of third parties" means types of entities that do not collect personal information directly from consumers, including, but not limited to, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.
"Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.
"Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
    (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
    (2) Has implemented business processes that specifically prohibit reidentification of the information.
    (3) Has implemented business processes to prevent inadvertent release of deidentified information.
    (4) Makes no attempt to reidentify the information.
"Designated request address" means an electronic mail address, online form, mailing address, or toll-free telephone number that a consumer may use to request information, opt out of the sale or disclosure of personal information, or correct or delete personal information, as required to be provided under this Act.
"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party. "Disclose" does not include:
    (1) Disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by a business to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers are subject to the same restrictions imposed by this subsection.
    (2) Disclosure of personal information by a business to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
    (3) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing business' right or property; or to protect consumers or the public from illegal activities.
    (4) Disclosure of personal information by a business to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the business.
"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:
    (1) Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, state identification number, passport number, physical characteristics or description, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, health insurance information, or other similar identifiers.
    (2) Characteristics of protected classifications under Illinois or federal law.
    (3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    (4) Biometric information.
    (5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application or advertisement.
    (6) Geolocation data.
    (7) Audio, electronic, visual, thermal, olfactory, or similar information.
    (8) Professional or employment-related information.
    (9) Educational information.
    (10) Inferences drawn from any of the information identified in this Section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
"Personal information" does not include publicly available information which the business obtained directly from records lawfully made available from federal, state, or local government records. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.
"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
"Request" means a consumer right set forth in this Act including one or more of the following: (i) for the disclosure of information regarding a consumer's personal information; (ii) the opt out of sale or disclosure of a consumer's personal information; (iii) the correction of inaccurate personal information; and (iv) the deletion of personal information.
"Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by a business to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes. "Sale" or "sell" does not include circumstances in which:
    (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party or affiliate, provided the third party or affiliate does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
    (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties or affiliates that the consumer has opted out of the sale of the consumer's personal information.
    (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purposes.
    (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party or affiliate assumes control of all or part of the business, provided that information is used or shared consistently with this Act. If a third party or affiliate materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistent with Section 20 and Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.
    (5) A business uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.
    (6) The disclosure or transfer of personal information to an affiliate of the business.
"Service provider" means the natural or legal person that processes personal information on behalf of the business.
"Third party" means a business that is: (1) not an affiliate of the business that has collected, disclosed, or sold personal information; or (2) an affiliate with the business that has collected, disclosed, or sold personal information and the affiliate relationship is not clear to the consumer.
Section 15. Right to transparency. Any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer of the following in the service agreement or somewhere readily accessible on the business' website or mobile application:
    (1) All categories of personal information and deidentified information that the business processes about individual consumers;
    (2) All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;
    (3) The process in which an individual consumer may:
        (A) review the personal information collected by the business;
        (B) request changes to inaccurate personal information;
        (C) opt out of the disclosure or sale of personal information; and
        (D) request deletion of personal information; and
    (4) The process in which the business notifies consumers of material changes to the notice required to be made available under this Section.

Section 20. Right to know. Consumers may request the following information of businesses:
    (1) Copies of specific pieces of personal information about the consumer processed by the business.
    (2) Categories of sources for the personal information processed.
    (3) Name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.

Section 25. Right to opt out, correct, and delete. Consumers have the following rights concerning their personal information:
    (1) The right to request to opt out of the following:
        (A) the disclosure of personal information from the business to third parties and affiliates;
        (B) the sale of personal information from the business to third parties and affiliates; and
        (C) the processing of personal information by the business, third parties, and affiliates.
    (2) The right to request that a business correct inaccurate personal information about the consumer.
    (3) The right to request that a business delete personal information about the consumer.

Section 30. Consumer requests and business responses.
(a) Businesses shall establish a process for collecting consumer requests and reasonably authenticating consumers making the requests and reasonably authenticating any request to correct inaccurate personal information. The method by which a consumer may submit a request under Section 20 and Section 25 shall be done in a form and manner determined by the business in a way that is not overly burdensome on the consumer.
(b) A business shall post on its website, online service, and within any mobile application, a link to a designated request address web page maintained by the business for the purpose of collecting and processing consumer requests. The business shall also post a designated request street address for consumers to submit requests by mail.
(c) A parent or legal guardian of a consumer under the age of 13 may submit a request on behalf of that consumer.
(d) A business that receives a request from a consumer through a designated request address shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required or confirmation of the consumer's opt out, correction or deletion request and business' compliance.
    (1) The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.
    (2) A business that has received a request to opt out of the disclosure or sale of a consumer's personal information shall be prohibited from selling or disclosing that consumer's personal information after its receipt of the consumer's request, unless the consumer subsequently provides express authorization for the sale or disclosure of the consumer's personal information.
    (3) A business that receives a request to delete the consumer's personal information shall delete the consumer's personal information from its records and direct any third party or affiliate with whom the personal information was disclosed to delete the consumer's personal information from their records.
    (4) A business shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business to maintain the consumer's personal information in order to:
        (i) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
        (ii) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
        (iii) Debug to identify and repair errors that impair existing intended functionality.
        (iv) Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
        (v) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
        (vi) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.
        (vii) Comply with a legal obligation.
        (viii) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
(e) A business must provide a response to the consumer within 45 days of a request under Section 20 and Section 25.
    (1) The business shall promptly take steps to verify the request, but shall not extend the business' duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.
    (2) The disclosure shall cover at least the 12-month period preceding the business' receipt of the request. The business shall not require the consumer to create an account with the business in order to make a request.
    (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any consumer request is manifestly unfounded or excessive.
(f) A business shall not be required to respond to a request made by or on behalf of the same consumer more than once in any 12-month period.

Section 35. Businesses, affiliates, and third parties.
(a) A business is not required to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
(b) A business shall not reidentify any deidentified consumer information, unless the consumer subsequently provides express authorization for reidentification of deidentified information.
(c) A business shall not sell the personal information of any consumer for which the business has actual knowledge that the consumer is less than 16 years of age. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.
(d) A business shall not use a consumer's personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer's personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.
(e) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.
(f) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.
(g) Affiliates and third parties shall not sell consumer personal information purchased from a business unless the consumer has received notice and is provided an opportunity to opt out of the resale of the consumer's personal information.
(h) Pricing incentives and prohibition of discrimination.
    (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights in this Act, including, but not limited to:
        (A) Denying goods or services to the consumer.
        (B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
        (C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this Act.
        (D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
    (2) Nothing shall prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.
    (3) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.
        (A) A business that offers any financial incentives regarding consumer personal information or deidentified information shall notify consumers of the financial incentives in the consumer service agreement, website, online service or mobile application.
        (B) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
        (C) A business shall not use financial incentive practices that are unjust, unreasonable, or coercive.
| 1 | | (i) A business that discloses personal information to a | 2 | | service provider shall not be liable under this Act if the | 3 | | service provider receiving the personal information uses it in | 4 | | violation of the restrictions set forth in the Act, provided | 5 | | that, at the time of disclosing the personal information, the | 6 | | business does not have actual knowledge, or reason to believe, | 7 | | that the service provider intends to commit such a violation. | 8 | | A service provider shall likewise not be liable under this Act | 9 | | for the obligations of a business for which it provides | 10 | | services as set forth in this Act. | 11 | | (j) The obligations imposed on businesses by this Act do | 12 | | not restrict a business' ability to: | 13 | | (1) Comply with federal, state, or local laws, rules, | 14 | | regulations, or enforceable guidance. | 15 | | (2) Comply with a civil, criminal, or regulatory | 16 | | inquiry, investigation, subpoena, or summons by federal, | 17 | | state, or local authorities. | 18 | | (3) Cooperate with law enforcement agencies concerning | 19 | | conduct or activity that the business, service provider, | 20 | | or third party reasonably and in good faith believes may | 21 | | violate federal, state, or local law. | 22 | | (4) Exercise or defend legal claims. | 23 | | (5) Prevent, detect, or respond to identity theft, | 24 | | fraud, or other malicious or illegal activity. | 25 | | (6) Collect, use, retain, sell, or disclose consumer's | 26 | | personal information that is deidentified or in the |
| | | 10200SB0731sam002 | - 21 - | LRB102 17247 KTG 24999 a |
|
| 1 | | aggregate consumer information. | 2 | | (k) Businesses, affiliates, and third parties shall take | 3 | | reasonable measures to protect customer's personal information | 4 | | from unauthorized use, disclosure, or access. | 5 | | (1) In implementing security measures required by this | 6 | | subsection, a business, affiliate, and third party shall | 7 | | take into account each of the following factors: | 8 | | (A) The nature and scope of the business;, | 9 | | affiliate's, or third party's activities; | 10 | | (B) The sensitivity of the data processed; | 11 | | (C) The size of the business, affiliate, or third | 12 | | party; and | 13 | | (D) The technical feasibility of the security | 14 | | measures. | 15 | | (2) A business, affiliate, or third party may employ | 16 | | any lawful measure that allows the business, affiliate, or | 17 | | third party to comply with the requirements of this | 18 | | subsection. | 19 | | (l) Risk assessments. | 20 | | (1) Businesses, affiliates, and third parties must | 21 | | conduct, to the extent not previously conducted, a risk | 22 | | assessment of each of their processing activities | 23 | | involving personal information and an additional risk | 24 | | assessment any time there is a change in processing that | 25 | | materially increases the risk to consumers. Such risk | 26 | | assessments must take into account the type of personal |
data to be processed by the business, affiliate, or third party, including the extent to which the personal information is sensitive information or otherwise sensitive in nature, and the context in which the personal information is to be processed.

    (2) Risk assessments conducted under subsection (a) must identify and weigh the benefits that may flow directly and indirectly from the processing to the business, consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the business to reduce such risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the business, affiliate, or third party and the consumer whose personal data will be processed, must factor into this assessment by the business, affiliate, or third party.

    (3) If the risk assessment conducted under subsection (a) of this Section determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the business, consumer, other stakeholders, and the public in processing the personal information of the consumer, the business may only engage in such processing with the consent of the consumer or if another exemption under this Act applies. To the extent the
business seeks consumer consent for processing, such consent shall be as easy to withdraw as to give.

    (4) Processing for a business purpose shall be presumed to be permissible unless: (i) it involves the processing of sensitive data; and (ii) the risk of processing cannot be reduced through the use of appropriate administrative and technical safeguards.

    (5) The business, affiliate, and third party must make the risk assessment available to the Office of the Attorney General upon request. Risk assessments are confidential and exempt from public inspection and copying under the Freedom of Information Act.

Section 40. Enforcement.

(a) Private right of action.

    (1) Any consumer whose unencrypted or unredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

        (A) To recover damages in an amount not less than $100 and not greater than $750 per customer per incident or actual damages, whichever is greater.
        (B) Injunctive or declaratory relief.

        (C) Any other relief the court deems proper.

    (2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.

    (3) Nothing in this Act shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or Illinois Constitution.

(b) Attorney General enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General has authority to enforce this Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available to the Attorney General under the Consumer Fraud and Deceptive Business Practices Act.

Section 45. Applicability.

(a) This Act does not apply to personal information
collected, processed, sold, or disclosed under:

    (1) The Gramm-Leach-Bliley Act, and the rules promulgated under that Act.

    (2) The Health Insurance Portability and Accountability Act of 1996, and the rules promulgated under that Act.

    (3) The Fair Credit Reporting Act, and the rules promulgated under that Act.

(b) Nothing in this Act restricts a business' ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 50. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable.

Section 55. Home rule preemption. Except as otherwise provided in this Act, the regulation of the activities described in this Act are the exclusive powers and functions of the State. Except as otherwise provided in this Act, a unit of local government, including a home rule unit, may not
regulate the activities described in this Act. This Section is a denial and limitation of home rule powers and functions under subsection (h) of Section 6 of Article VII of the Illinois Constitution.

Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.

Section 99. Effective date. This Act takes effect January 1, 2022.".