Full Text of SB0731 102nd General Assembly
SB0731sam003 102ND GENERAL ASSEMBLY | Sen. Thomas Cullerton Filed: 4/12/2021
10200SB0731sam003    LRB102 17247 KTG 25022 a

AMENDMENT TO SENATE BILL 731

AMENDMENT NO. ______. Amend Senate Bill 731 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Do Not Track Act.

Section 5. Definitions. As used in this Act:

"Anonymous data" means data which does not relate to an identified or identifiable user. Identifiable data may be rendered anonymous data if it has become de-identified to an extent that no user can be singled out or identified, either directly or indirectly, by that data alone or in combination with other data. To determine whether a user can be identified from the data, account should be taken of all means reasonably likely to be used by any party to identify the user. Data that has been re-identified, is shown to be capable of re-identification, or that is capable of being used for personalization or profiling a user or a device used by a user is not anonymous data.

"Collect" means to receive identifiable data in a network interaction and to retain that data after the network interaction is complete.

"Commission" means the Federal Trade Commission.

"Context" means a website or similar online resource, or a connected set of such resources. A connected set of resources that are controlled by the same party or jointly controlled by a set of parties can constitute a single context if a user would reasonably expect them to form a single context. Factors relevant to determining whether such a reasonable expectation exists include, but are not limited to, whether they share prominent branding, provide connected and integrated user-facing features, are offered under the same domain name or through a single app, use the same sign-in credentials, and are marketed or sold as a single product or service.

"De-identify" means to alter data such that the likelihood of identifying a user from the data is reduced. De-identification includes a range of techniques and differing levels of re-identification risk. Data that is fully de-identified such that it becomes anonymous data is no longer identifiable data. Data that is de-identified to a lesser extent remains identifiable data.

"Do-not-track signal" means a signal sent by a web browser or similar user agent that conveys a user's choice regarding online tracking, reflects a deliberate choice by the user, and otherwise complies with the latest Tracking Preference Expression (DNT) specifications published by the World Wide Web Consortium.

"First party" means, with respect to a given user action, a party with which the user intends to interact, via one or more network interactions, as a result of that action.
    (1) Typically, when a user visits a website, the first party is the organization identified in the website URL or whose branding is most prominent on the website.
    (2) More than one party can be a first party with regard to a given user action.
    (3) The mere presence on a first party's website of embedded content from another party does not make that other party a first party, and merely hovering over, muting, pausing, or closing a given piece of content does not constitute a user's intent to interact with a party. When a user visits an organization's website that displays advertisements from a third-party ad network, the organization is a first party and the ad network is a third party. When a user signs into an organization's website using a sign-in method provided by another party, the organization is a first party and the sign-in provider is a third party with respect to user actions in that website.

"Identifiable data" means data from which the user can be singled out or identified, directly or indirectly, by that data alone or in combination with other data. Identifiable data includes, but is not limited to, a user's contact information, such as email addresses and phone numbers, unique persistent identifiers, such as IP addresses, cross-session cookie IDs, and device identifiers (including those derived through device fingerprinting and probabilistic techniques), and any other data associated with such identifiers. Identifiable data does not include anonymous data.

"Network interaction" means an online connection consisting of an HTTP or HTTPS request and as many corresponding responses as are necessary to respond to a single user action. A user interaction or session with a website or other resource frequently consists of many network interactions.

"Organization" means a legal entity. Such term does not include government agencies or users.

"Party" means a user, an organization, or a group of legal entities that share common ownership and control, operate as an integrated enterprise, and have a group identity that is easily discoverable by a user. Common branding or publishing a list of affiliates that is readily available online via a prominent link from a resource where a party describes its Tracking Preference Expression (DNT) practices are deemed easily discoverable. With respect to a user action, a party is either a first party or a third party, but not both.

"Personalize" means to use identifiable data to alter the experience of a user, including, but not limited to, the content or advertising displayed to the user.

"Process" means to collect, use, or share data.

"Resource" means a single online destination or experience, such as a website, streaming service, online game, digital assistant, or other online service, accessed by a user through the use of a user agent.

"Service provider" means an organization that processes identifiable data on behalf of another organization. A service provider has no right to use any identifiable data for its own purposes.

"Share" means, with respect to collected data, to transfer or provide a copy of such data to any third party.

"Third party" means, for any user action, any party other than the user, a first party to that user action, or a service provider acting on behalf of either the user or a first party.

"Tracking" or "track" means to (i) collect data regarding a user action of a particular user, (ii) process such data outside the context in which the user action occurred, (iii) facilitate the creation of a user profile, or (iv) personalize that user's online experience. For the purposes of this definition, processing data related to a device used by a user or the user's household shall be considered processing data related to the user.

"User" means a natural person residing in this State who uses the Internet.

"User action" means a deliberate online action by the user, via configuration, invocation, or selection, to initiate a network interaction. Selection of a link, submission of a form, and reloading a page are examples of user actions.

"User agent" means any of the various client programs capable of initiating network interactions, including, but not limited to, browsers, web-based robots, command-line tools, native applications, mobile apps, or Internet-connected devices.

Section 10. Response to do-not-track signals.

(a) In general. Except as permitted in this Section, a party to a user action that receives a do-not-track signal indicating a user preference not to be tracked shall not track.

(b) Exceptions.
    (1) First party. A first party to a user action within a context to which the user has affirmatively signed in may process data received from such user action, including for personalized content, services, and advertising, within that context. However, a first party shall not share such data with a third party. For the purposes of this paragraph, a user is signed into a context when the user has affirmatively authenticated and identified oneself by entering a username and password, or similar credentials.
    (2) Anonymous data. Data that has been sufficiently de-identified such that it is rendered anonymous data may be processed for any purpose, including outside the context of the user actions from which it originates, or across multiple contexts.
    (3) Consent. A party may disregard a user's do-not-track signal when the user has given express affirmative consent to track. A user may give consent through a technical means defined in the Tracking Preference Expression (DNT) specification published by the World Wide Web Consortium or through a separate mechanism such as an online or offline consent form that demonstrates a specific and voluntary choice of the user. For instance, accepting a general or broad terms of use document that contains a clause regarding tracking does not constitute express affirmative consent for the purposes of this Act. Likewise, agreement obtained through a user interface designed or manipulated with the purpose or substantial effect of subverting or impairing user autonomy, decision-making, or choice does not constitute consent for the purposes of this Act. When relying on consent from a user given through a separate mechanism, a party must provide notice in accordance with Section 20.
    (4) Permitted uses.
        (A) In general. An organization may process data for the uses specified in subparagraphs (B), (C), (D), (E), (F), and (G), provided the organization:
            (i) limits the amount of identifiable data collected to that which is strictly needed for the permitted uses;
            (ii) limits the retention of identifiable data to no longer than what is reasonably needed for the permitted uses;
            (iii) uses anonymous data to the extent the permitted uses can be achieved with such data, or otherwise de-identifies the identifiable data to the greatest extent that is compatible with the permitted uses;
            (iv) processes the data separately from systems that are used for purposes other than the permitted uses specified in this Section; and
            (v) does not process the data beyond the permitted uses.
        (B) Providing a service. An organization may process data to the extent necessary to effectuate a transaction with the user, or to provide a product or service to a user, provided the user has consented to or authorized the transaction or the provision of the product or service and any tracking, including personalization, that is a necessary or inherent part of that transaction, product, or service would have been clear to the user at the time of such consent or authorization. If such processing requires sharing data with a third party, such third party may not process the data for any other purpose.
        (C) Security. An organization may process data to the extent reasonably necessary to detect security incidents, protect the website or other resource accessed by the user against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity.
        (D) Debugging. An organization may process data for debugging purposes to identify and repair errors that impair the existing functionality of the website or other resource accessed by the user.
        (E) Financial logging. An organization may process data for billing and auditing related to network interactions and related transactions.
        (F) Research. An organization may process data to conduct security research.
        (G) Journalism. An organization may process data as necessary for news gathering purposes by journalists or other purposes protected by the First Amendment of the United States Constitution.
    (5) Technical errors. Data that is processed by a party due to a technical error does not violate this Act if such error is unintentional and unexpected, and within 30 days of the party discovering or receiving a report of the error: (i) the error is corrected, (ii) any processing by the party that is otherwise prohibited is stopped, and (iii) the party deletes any data that should not have been collected.

Section 15. Contractual obligations and liability. A first party that enables or permits a third party to engage in tracking on or through the first party's website or other resource:
    (1) Must require the third party, through a contract, terms of service, or similar binding and enforceable legal agreement, to comply with this Act.
    (2) Shall be liable for the third party's non-compliance with this Act if the first party knew or could have upon the exercise of due diligence known of the third party's non-compliance and failed to take adequate corrective action.

Section 20. Transparency. An organization that engages in tracking shall describe, in understandable language and syntax such that an ordinary user can comprehend, its practices with respect to do-not-track signals in its privacy statement or similar notice, available through a clear and prominent link on the home page of its website. The description required under this paragraph must include at least the following information:
    (1) the exceptions or permitted uses under this Act under which the organization processes data;
    (2) the effects on the user, if any, resulting from a do-not-track signal, including if any webpages, features, or services are not available or reduced in functionality;
    (3) if the organization obtains out-of-band consent to disregard the do-not-track signal, a description of how a user may give and revoke consent, and the scope of any such consent, and the anticipated effect of the consent or revocation on the user;
    (4) the time period or periods for which identifiable data collected by the organization is retained or the criteria used to determine such time periods, and whether such identifiable data is rendered anonymous data in lieu of being deleted; and
    (5) how a user may contact the organization with any inquiries or complaints regarding the organization's do-not-track practices.

Section 25. No circumvention. A party shall not block or take similar actions to avoid receiving a user's do-not-track signal. Nor shall any party take other actions to circumvent the effectiveness of do-not-track signals.

Section 30. Enforcement.

(a) De facto and de jure harm. Users from whom identifiable information has been processed in violation of this Act shall be deemed to have been harmed by such violations.

(b) Enforcement by the Attorney General. Whenever the Attorney General has reasonable cause to believe that a party or organization has engaged in a violation of this Act, the Attorney General shall enforce the provisions of this Act by bringing a civil action on behalf of the people of this State in a court of competent jurisdiction:
    (1) to enjoin further violation of this Act by the defendant; or
    (2) to obtain damages on behalf of the people of this State, in the amount authorized under State law or as permitted under federal law, whichever is greater.

(c) A user from whom identifiable information has been processed in violation of this Act may bring a civil action in any court of competent jurisdiction:
    (1) to enjoin further violation of this Act by the defendant; or
    (2) to obtain damages, in the amount of $1,000 or actual damages shown, whichever is greater.

(d) Attorney fees. In the case of any successful action under this Section, the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State or the user.

Section 35. Home rule preemption. Except as otherwise provided in this Act, the regulation of the activities described in this Act is an exclusive power and function of the State. Except as otherwise provided in this Act, a unit of local government, including a home rule unit, may not regulate the activities described in this Act. This Section is a denial and limitation of home rule powers and functions under subsection (h) of Section 6 of Article VII of the Illinois Constitution.

Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.

Section 99. Effective date. This Act takes effect January 1, 2022.".