Rep. Arthur Turner
Filed: 4/4/2017
 
 

 

 

 
10000HB2774ham004LRB100 08020 RJF 24758 a



1
AMENDMENT TO HOUSE BILL 2774




2    AMENDMENT NO. ______. Amend House Bill 2774, AS AMENDED, by 
3replacing everything after the enacting clause with the 
4following:

 
 
5    "Section 1. Short title. This Act may be cited as the Right 
6to Know Act.
 
7    Section 5. Findings and purpose.

8    The General Assembly hereby finds and declares that the 
9right to privacy is a personal and fundamental right protected 
10by the United States Constitution. As such, all individuals 
11have a right to privacy in information pertaining to them. This 
12State recognizes the importance of providing consumers with 
13transparency about how their personal information, especially 
14information relating to their children, is shared by 
15businesses. This transparency is crucial for Illinois citizens 
16to protect themselves and their families from cyber-crimes and 
 
 
10000HB2774ham004- 2 -LRB100 08020 RJF 24758 a

1identity thieves. Furthermore, for free market forces to have a 
2role in shaping the privacy practices and for "opt-in" and 
3"opt-out" remedies to be effective, consumers must be more than 
4vaguely informed that a business might share personal 
5information with third parties. Consumers must be better 
6informed about what kinds of personal information are shared 
7with other businesses. With these specifics, consumers can 
8knowledgeably choose to opt-in, opt-out, or choose among 
9businesses that disclose information to third parties on the 
10basis of how protective the business is of consumers' privacy.
11    Businesses are now collecting personal information and 
12sharing and selling it in ways not contemplated or properly 
13covered by the current law. Some websites are installing 
14tracking tools that record when consumers visit web pages, and 
15sending very personal information, such as age, gender, race, 
16income, health concerns, religion, and recent purchases to 
17third party marketers and data brokers. Third party data broker 
18companies are buying, selling, and trading personal 
19information obtained from mobile phones, financial 
20institutions, social media sites, and other online and brick 
21and mortar companies. Some mobile applications are sharing 
22personal information, such as location information, unique 
23phone identification numbers, and age, gender, and other 
24personal details with third party companies. As such, consumers 
25need to know the ways that their personal information is being 
26collected by companies and then shared or sold to third parties 
 
 
10000HB2774ham004- 3 -LRB100 08020 RJF 24758 a

1in order to properly protect their privacy, personal safety, 
2and financial security.

 
3    Section 10. Definitions.
As used in this Act:

4    "Categories of personal information" includes, but is not 
5limited to, the following:

6        (a)      Identity information including, but not limited 
7    to, real name, alias, nickname, and user name.

8        (b)       Address information, including, but not limited 
9    to, postal or e-mail.

10        (c)      Telephone number.

11        (d)    Account name.

12        (e)     Social security number or other government-issued 
13    identification number, including, but not limited to, 
14    social security number, driver's license number, 
15    identification card number, and passport number.

16        (f)        Birthdate or age.

17        (g)      Physical characteristic information, including, 
18    but not limited to, height and weight.

19        (h)      Sexual information, including, but not limited to, 
20    sexual orientation, sex, gender status, gender identity, 
21    and gender expression.

22        (i)    Race or ethnicity.

23        (j)    Religious affiliation or activity.

24        (k)    Political affiliation or activity.

25        (l)    Professional or employment-related information.

 
 
10000HB2774ham004- 4 -LRB100 08020 RJF 24758 a

1        (m)    Educational information.

2        (n)    Medical information, including, but not limited 
3    to, medical conditions or drugs, therapies, mental health, 
4    or medical products or equipment used.

5        (o) Financial information, including, but not limited 
6    to, credit, debit, or account numbers, account balances, 
7    payment history, or information related to assets, 
8    liabilities, or general creditworthiness.

9        (p) Commercial information, including, but not limited 
10    to, records of property, products or services provided, 
11    obtained, or considered, or other purchasing or consumer 
12    histories or tendencies.

13        (q) Location information.

14        (r) Internet or mobile activity information, 
15    including, but not limited to, Internet protocol addresses 
16    or information concerning the access or use of any Internet 
17    or mobile-based site or service.

18        (s) Content, including text, photographs, audio or 
19    video recordings, or other material generated by or 
20    provided by the customer.

21        (t) Any of the above categories of information as they 
22    pertain to the children of the customer.

23    "Customer" means an individual residing in Illinois who 
24provides, either knowingly or unknowingly, personal 
25information to a private entity, with or without an exchange of 
26consideration, in the course of purchasing, viewing, 
 
 
10000HB2774ham004- 5 -LRB100 08020 RJF 24758 a

1accessing, renting, leasing, or otherwise using real or 
2personal property, or any interest therein, or obtaining a 
3product or service from the private entity, including 
4advertising or any other content.

5    "Designated request address" means an e-mail address or 
6toll-free telephone number whereby customers may request or 
7obtain the information required to be provided under Section 15 
8of this Act.

9    "Disclose" means to disclose, release, transfer, share, 
10disseminate, make available, or otherwise communicate orally, 
11in writing, or by electronic or any other means to any third 
12party. "Disclose" does not include the following:
13        (a)    Disclosure of personal information by a private 
14    entity to a third party under a written contract 
15    authorizing the third party to utilize the personal 
16    information to perform services on behalf of the private 
17    entity, including maintaining or servicing accounts, 
18    providing customer service, processing or fulfilling 
19    orders and transactions, verifying customer information, 
20    processing payments, providing financing, or similar 
21    services, but only if (i) the contract prohibits the third 
22    party from using the personal information for any reason 
23    other than performing the specified service or services on 
24    behalf of the private entity and from disclosing any such 
25    personal information to additional third parties; and (ii) 
26    the private entity effectively enforces these 
 
 
10000HB2774ham004- 6 -LRB100 08020 RJF 24758 a

1    prohibitions.
2        (b)     Disclosure of personal information by a business to 
3    a third party based on a good-faith belief that disclosure 
4    is required to comply with applicable law, regulation, 
5    legal process, or court order.
6        (c)     Disclosure of personal information by a private 
7    entity to a third party that is reasonably necessary to 
8    address fraud, security, or technical issues; to protect 
9    the disclosing private entity's rights or property; or to 
10    protect customers or the public from illegal activities as 
11    required or permitted by law.

12    "Operator" means any person or entity that owns a website 
13located on the Internet or an online service that collects and 
14maintains personal information from a customer residing in 
15Illinois who uses or visits the website or online service if 
16the website or online service is operated for commercial 
17purposes. "Operator" does not include businesses having 5 or 
18fewer employees or any third party that operates, hosts, or 
19manages, but does not own, a website or online service on the 
20owner's behalf or by processing information on behalf of the 
21owner.

22    "Personal information" means any information that 
23identifies, relates to, describes, or is capable of being 
24associated with, a particular individual, including, but not 
25limited to, his or her name, signature, physical 
26characteristics or description, address, telephone number, 
 
 
10000HB2774ham004- 7 -LRB100 08020 RJF 24758 a

1passport number, driver's license or State identification card 
2number, insurance policy number, education, employment, 
3employment history, bank account number, credit card number, 
4debit card number, or any other financial information. 
5"Personal information" also means any data or information 
6pertaining to an individual's income, assets, liabilities, 
7purchases, leases, or rentals of goods, services, or real 
8property, if that information is disclosed, or is intended to 
9be disclosed, with any identifying information, such as the 
10individual's name, address, telephone number, or social 
11security number.

12    "Third party" or "third parties" means (i) a private entity 
13that is a separate legal entity from the private entity that 
14has disclosed personal information; (ii) a private entity that 
15does not share common ownership or common corporate control 
16with the private entity that has disclosed personal 
17information; or (iii) a private entity that does not share a 
18brand name or common branding with the private entity that has 
19disclosed personal information such that the affiliate 
20relationship is clear to the customer.
 
21    Section 15. Notification of information sharing practices. 
22An operator of a commercial website or online service that 
23collects personal information through the Internet about 
24individual customers residing in Illinois who use or visit its 
25commercial website or online service shall, in its customer 
 
 
10000HB2774ham004- 8 -LRB100 08020 RJF 24758 a

1agreement or incorporated addendum: (i)  identify all 
2categories of personal information that the operator collects 
3through the website or online service about individual 
4customers who use or visit its commercial website or online 
5service; (ii) identify all categories of third party persons or 
6entities with whom the operator may disclose that personal 
7information; and (iii) provide a description of a customer's 
8rights, as required under Section 25 of this Act, accompanied 
9by one or more designated request addresses.
 
10    Section 20. Disclosure of a customer's personal 
11information to a third party.

12    (a)    An operator that discloses a customer's personal 
13information to a third party shall make the following 
14information available to the customer free of charge:
     
15        (1)    all categories of personal information that were 
16    disclosed; and
     
17        (2)    the names of all third parties that received the 
18    customer's personal information.

19    (b)    This Section applies only to personal information 
20disclosed after the effective date of this Act.

 
21    Section 25. Information availability service.

22    (a)   An operator required to comply with Section 20 shall 
23make the required information available by providing a 
24designated request address in its customer agreement or 
 
 
10000HB2774ham004- 9 -LRB100 08020 RJF 24758 a

1incorporated addendum, and, upon receipt of a request under 
2this Section, shall provide the customer with the information 
3required under Section 20 for all disclosures occurring in the 
4prior 12 months.

5    (b)   An operator that receives a request from a customer 
6under this Section at one of the designated addresses shall 
7provide a response to the customer within 30 days.

8    (c) The parent or legal guardian of a customer under the 
9age of 18 may submit a request under this Section  on behalf of 
10that customer.
11    (d) An operator shall not be required to respond to a 
12request made by the same customer more than once within a given 
1312-month period.
 
14    Section 30. Violation; right of action. A violation of this 
15Act constitutes a violation of the Consumer Fraud and Deceptive 
16Business Practices Act. Any lawsuits filed under the Consumer 
17Fraud and Deceptive Business Practices Act for a violation of 
18this Act shall only be filed by the Office of the Attorney 
19General or the appropriate State's Attorney's Office on behalf 
20of the plaintiff. On any award granted for a violation of this 
21Act, the amount awarded shall be deposited into the 
22Cyber-secure Illinois Educational Advancement Fund created by 
23this Act. Any operator bound to the requirements of this Act 
24that makes a good faith effort to respond to a customer's 
25request for information under Section 25 shall not be liable 
 
 
10000HB2774ham004- 10 -LRB100 08020 RJF 24758 a

1for a violation of this Act. Any person whose rights under this 
2Act are violated shall also have, in addition to any rights 
3under the Consumer Fraud and Deceptive Business Practices Act, 
4a right of action against an offending party to seek injunctive 
5relief, if appropriate. Nothing in this Section shall prevent a 
6person from seeking a right of action for a violation of the 
7Biometric Information Privacy Act or otherwise seeking relief 
8under the Code of Civil Procedure.
 
9    Section 35. The Cyber-secure Illinois Educational 
10Advancement Fund.  The Cyber-secure Illinois Educational 
11Advancement Fund is created as a special fund in the State 
12Treasury. All moneys in the Fund shall be appropriated for the 
13public interest by the State of Illinois university system to 
14fund the enhancement and creation of partnerships between 
15employers, schools, and community organizations that focus on 
16cyber security skill shortages and the education of the next 
17generation of cyber security experts in the State of Illinois.
 
18    Section 40. Waivers; contracts. Any waiver of the 
19provisions of this Act shall be void and unenforceable. Any 
20agreement that does not comply with the applicable provisions 
21of this Act shall be void and unenforceable.
 
22    Section 45. Construction.

23    (a)    Nothing in this Act shall be construed to conflict with 
 
 
10000HB2774ham004- 11 -LRB100 08020 RJF 24758 a

1the federal Health Insurance Portability and Accountability 
2Act of 1996 and the rules promulgated under that Act.

3    (b)   Nothing in this Act shall be deemed to apply in any 
4manner to a financial institution or an affiliate of a 
5financial institution that is subject to Title V of the federal 
6Gramm-Leach-Bliley Act of 1999 and the rules promulgated under 
7that Act.

8    (c)   Nothing in this Act shall be deemed to apply to the 
9activities of an individual or entity to the extent that those 
10activities are subject to Section 222 or 631 of the federal 
11Communications Act of 1934.

12    (d)    Nothing in this Act shall be construed to apply to any 
13State agency, federal agency, unit of local government, or any

14contractor, subcontractor, or agent thereof, when working for 
15that State agency, federal agency, or unit of local government.
16    (e)    Nothing in this Act shall be construed to apply to any 
17entity recognized as a tax-exempt organization under 501(c)(3) 
18or 501(c)(4) of the Internal Revenue Code of 1986.
19    (f)   Nothing in this Act shall be construed to apply to a 
20public utility, an alternative retail electric supplier, or an 
21alternative gas supplier, as those terms are defined in 
22Sections 3-105, 16-102, and 19-105 of the Public Utilities Act.


 
23    Section 100. The State Finance Act is amended by adding 
24Section 5.878 as follows:
 
 
 
10000HB2774ham004- 12 -LRB100 08020 RJF 24758 a

1    (30 ILCS 105/5.878 new)
2    Sec. 5.878. The Cyber-secure Illinois Educational 
3Advancement Fund.".