Bill Text: IL HB3358 | 2019-2020 | 101st General Assembly | Engrossed
Bill Title: Creates a Data Transparency and Privacy Act different than that contained in House Amendment No. 2. Finds that individuals have a right to privacy and a personal property interest in information pertaining to the individual. Provides that an entity that collects through the Internet personal information about individual consumers must make disclosures to the individual regarding the collection of the information. Exempts from the protections information collected while a natural person is acting in an employment context. Establishes that a consumer has a right to opt out of the sale of the consumer's information. Creates exemptions for certain retail transactions, credit arrangements, and government program utilization. Provides for enforcement by the Attorney General. Provides that there is no private right of action to enforce the Act. Effective April 1, 2020.
Spectrum: Strong Partisan Bill (Democrat 10-1)
Status: (Engrossed - Dead) 2019-07-03 - Senate Floor Amendment No. 3 Pursuant to Senate Rule 3-9(b) / Referred to Assignments
AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Legislative findings. The General Assembly hereby finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.

(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.

(4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content. "Consumer" does not include a natural person from whom personal information is collected while that natural person is acting in an employment context.

"Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any third party.

"Disclose" does not include:

(1) the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties unless those additional third parties (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection;

(2) disclosure of personal information by a private entity to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or

(3) disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.

"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that is linked or can reasonably be linked, directly or indirectly, to a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information.

"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:

(1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.

(2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(3) Derives 50% or more of its annual revenues from selling consumers' personal information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Sale" or "sell" means the exchange of a consumer's personal information for purposes of licensing, renting or selling personal information by the private entity to a third party for monetary or other valuable consideration.

"Sale" or "sell" does not include circumstances in which:

(1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.

(3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

(4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

"Third party" means:

(1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;

(2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or

(3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.

"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in this Act shall be reasonably accessible and not be overly burdensome on the consumer.

Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:

(1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;

(2) identify all categories of third parties with whom the operator may disclose that personal information;

(3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;

(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;

(5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;

(6) state the effective date of the notice;

(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

Section 20. Right to know.

(a) An operator that discloses personal information to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:

(1) the categories of personal information that were disclosed about the consumer; and

(2) the categories of third parties and the approximate number of third parties that received the consumer's personal information.

(b) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.

(c) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.

Section 30. Response to verified requests.

(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.

(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more than once in any 12-month period.

Section 35. Enforcement. The Attorney General shall have exclusive authority to enforce this Act, and there shall be no private right of action to enforce violations under this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.

Section 45. Construction.

(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

(b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.

(d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.

(g) Nothing in this Act applies to an entity maintaining a place of business in this State that collects sales taxes under the Retailers' Occupation Tax Act who uses personal information for purposes of selling, moving, or delivering tangible personal property at retail with respect to such sales at retail and (i) is a retailer's wholly owned retail subsidiary or service provider processing personal information on behalf of the retailer; (ii) is a party to a merchant card agreement to process a consumer transaction at the sale of retail in accordance with the agreement; (iii) administers a private label credit card or owns a private label administered by a third party in accordance with the agreement; (iv) collects sales tax on behalf of the consumer as a result of a sale at retail as authorized by the Department of Revenue; (v) is subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder; (vi) provides Medicaid benefits to Illinois consumers through sales at retail as is authorized by the Department of Healthcare and Family Services; or (vii) provides Supplemental Nutrition Assistance Program (SNAP) or special supplemental nutrition program for women, infants, and children (WIC) benefits to consumers in Illinois through sales at retail as authorized by the United States Department of Agriculture and the Illinois Department of Human Services.

(h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as defined in Section 2 of the Emergency Telephone System Act.

(i) Nothing in this Act restricts a private entity's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the private entity collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.

Section 99. Effective date. This Act takes effect April 1, 2020.