101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2784
 
Introduced , by Rep. Ann M. Williams
 
SYNOPSIS AS INTRODUCED:
 

 
815 ILCS 530/5

     Amends the Personal Information Protection Act. Provides that "consumer marketing information" means information related to a consumer's online browsing history, online search history, or purchasing history, including, but not limited to, consumer profiles that are based upon the information. Provides that "geolocation information" means information that is (i) generated or derived from the operation or use of an electronic communications device, (ii) stored and sufficient to identify the street name and the name of the city or town in which an individual is located, and (iii) likely to enable someone to determine an individual's regular pattern of behavior. Provides that "geolocation information" does not include the contents of an electronic communication. Provides that "medical information" includes genetic information. Provides that "personal information" means an individual's first name or first initial and last name and email address. Adds geolocation information, consumer marketing information, and audio recordings to the list of data elements included in the definition of "personal information". 
  


LRB101 10655 TAE 55762 b

 
 
A BILL FOR
 

  
HB2784LRB101 10655 TAE 55762 b


  
1    AN ACT concerning business.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 5. The Personal Information Protection Act is 
5amended  by changing Section 5 as follows:
 
6    (815 ILCS 530/5)
7    Sec. 5. Definitions. In this Act: 
8    "Data collector" may include, but is not limited to,
  
9government agencies, public and private universities,

10privately and publicly held corporations, financial

11institutions, retail operators, and any other entity that, for  
12any purpose,  handles, collects, disseminates, or otherwise

13deals with nonpublic personal information.

14    "Breach of the security of the system data" or "breach" 
15means
unauthorized acquisition of computerized data that 
16compromises  the security, confidentiality, or integrity of 
17personal  information maintained by the data collector. "Breach 
18of the security of the system data" does not include good faith

19acquisition of personal information by an employee or agent of

20the data collector for a legitimate purpose of the data

21collector, provided that the personal information is not used

22for a purpose unrelated to the data collector's business or

23subject to further unauthorized disclosure.

 
 
HB2784- 2 -LRB101 10655 TAE 55762 b

1    "Consumer marketing information" means information related 
2to a consumer's online browsing history, online search history, 
3or purchasing history, including, but not limited to, consumer

4profiles that are based upon the information.
5    "Geolocation information" means information that is (i) 
6generated or derived from the operation or use of an electronic 
7communications device, (ii) stored and sufficient to identify 
8the street name and name of the city or town in which an 
9individual is located, and (iii) likely to enable someone to 
10determine an individual's regular pattern of behavior. 
11"Geolocation information" does not include the contents of an 
12electronic communication. 
13    "Health insurance information" means an individual's 
14health insurance policy number or subscriber identification 
15number, any unique identifier used by a health insurer to 
16identify the individual, or any medical information in an 
17individual's health insurance application and claims history, 
18including any appeals records.
19    "Medical information" means any information regarding an 
20individual's medical history, genetic information, mental or 
21physical condition, or medical treatment or diagnosis by a 
22healthcare professional, including such information provided 
23to a website or mobile application. 
24    "Personal information" means either of the following:
25        (1) An individual's first name or first initial and 
26    last name or email address An individual's first name or 
 
 
HB2784- 3 -LRB101 10655 TAE 55762 b

1    first initial and last name in combination with any one or 
2    more
  of the following data elements, when either the name 
3    or the  data elements are not encrypted or redacted or are 
4    encrypted or redacted but the keys to unencrypt or unredact 
5    or otherwise read the name or data elements have been 
6    acquired without authorization through the breach of 
7    security:

8            (A) Social Security number. 
9            (B) Driver's license number or State 
10        identification
      card number.

11            (C) Account number or credit or debit card number, 
12        or an
account number or credit card number in 
13        combination with
any required security code, access 
14        code, or password that



would permit access to an 
15        individual's financial account.

16            (D) Medical information.
17            (E) Health insurance information.
18            (F) Unique biometric data generated from 
19        measurements or technical analysis of human body 
20        characteristics used by the owner or licensee to 
21        authenticate an individual, such as a fingerprint, 
22        retina or iris image, or other unique physical 
23        representation or digital representation of biometric 
24        data.
25            (G) Geolocation information.
26            (H) Consumer marketing information.
 
 
HB2784- 4 -LRB101 10655 TAE 55762 b

1            (I) Audio recordings. 
2        (2) User name or email address, in combination with a 
3    password or security question and answer that would permit 
4    access to an online account, when either the user name or 
5    email address or password or security question and answer 
6    are not encrypted or redacted or are encrypted or redacted 
7    but the keys to unencrypt or unredact or otherwise read the 
8    data elements have been obtained through the breach of 
9    security. 
10    "Personal information" does not include publicly available

11information that is lawfully made available to the general
  
12public from federal, State, or local government records.


13(Source: P.A. 99-503, eff. 1-1-17.)