101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2330

Introduced 1/8/2020, by Sen. Thomas Cullerton

SYNOPSIS AS INTRODUCED:

Creates the Data Transparency and Privacy Act. Provides that any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer to whom the information refers or belongs of specific information in the service agreement or somewhere readily accessible on the business' website or mobile application. Establishes a "right to know" for consumers and prescribes types of information that they may request of businesses. Provides that consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates. Provides that consumers have the right to request that a business correct inaccurate personal information about the consumer or delete personal information about the consumer. Prescribes a protocol for the handling of consumer requests by businesses. Prescribes pricing incentives and prohibitions against discrimination. Provides that businesses, affiliates, and third parties must conduct risk assessments and provides requirements for the assessments. Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. Provides that any waiver of the provisions of the Act is void and unenforceable. Contains home rule preemption and severability provisions. Effective July 1, 2021.

A BILL FOR

SB2330    LRB101 16295 KTG 65668 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Findings. The General Assembly finds and declares that:

(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information is stored, used, and shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.

(2) Businesses are now collecting, sharing, and selling personal information in ways not contemplated or properly covered by current law.

(a) Some websites install tracking tools that record when consumers visit web pages and send personal information collected to third party marketers and data brokers.

(b) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.

(c) Social media companies, credit agencies and retail stores have all had their internal security systems breached, resulting in consumers' personal information being stolen and sold on the black market.

(3) Illinois consumers must be better informed about what kinds of personal information are collected, how information is shared with third parties, and how businesses store consumers' personal information. With this specific information, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.

"Business" means any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois and meets one or more of the following thresholds:

(1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof.

(2) The business derives 50% or more of its annual revenues from selling consumers' personal information.

"Business" does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.

"Categories of sources" means types of entities from which a business collects personal information about consumers, including, but not limited to, the consumer directly, government entities from which public records are obtained, and consumer data resellers.

"Categories of third parties" means types of entities that do not collect personal information directly from consumers, including, but not limited to, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.

"Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.

"Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.

"Designated request address" means an electronic mail address, online form, mailing address, or toll-free telephone number that a consumer may use to request information, opt out of the sale or disclosure of personal information, or correct or delete personal information, as required to be provided under this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party. "Disclose" does not include:

(1) Disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by a business to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers and subject to the same restrictions imposed by this subsection.

(2) Disclosure of personal information by a business to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(3) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing business' right or property; or to protect consumers or the public from illegal activities.

(4) Disclosure of personal information by a business to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the business, to a third party.

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

(1) Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, state identification number, passport number, physical characteristics or description, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, health insurance information, or other similar identifiers.

(2) Characteristics of protected classifications under Illinois or federal law.

(3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(4) Biometric information.

(5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application or advertisement.

(6) Geolocation data.

(7) Audio, electronic, visual, thermal, olfactory, or similar information.

(8) Professional or employment-related information.

(9) Educational information.

(10) Inferences drawn from any of the information identified in this Section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

"Personal information" does not include publicly available information which the business obtained directly from records lawfully made available from federal, state, or local government records. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.
"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Request" means a consumer right set forth in this Act including one or more of the following: (i) for the disclosure of information regarding a consumer's personal information; (ii) the opt out of sale or disclosure of a consumer's personal information; (iii) the correction of inaccurate personal information; and (iv) the deletion of personal information.

"Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by a business to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes. "Sale" or "sell" does not include circumstances in which:

(1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party or affiliate, provided the third party or affiliate does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties or affiliates that the consumer has opted out of the sale of the consumer's personal information.

(3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purposes.

(4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party or affiliate assumes control of all or part of the business, provided that information is used or shared consistently with this Act. If a third party or affiliate materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistent with Section 20 and Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

(5) A business uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.

(6) The disclosure or transfer of personal information to an affiliate of the business.

"Service provider" means the natural or legal person that processes personal information on behalf of the business.

"Third party" means a business that is: (1) not an affiliate of the business that has collected, disclosed, or sold personal information; or (2) an affiliate with the business that has collected, disclosed, or sold personal information and the affiliate relationship is not clear to the consumer.

Section 15. Right to transparency. Any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer of the following in the service agreement or somewhere readily accessible on the business' website or mobile application:

(1) All categories of personal information and deidentified information that the business processes about individual consumers;

(2) All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;

(3) The process in which an individual consumer may:

(A) review the personal information collected by the business;

(B) request changes to inaccurate personal information;

(C) opt out of the disclosure or sale of personal information; and

(D) request deletion of personal information; and

(4) The process in which the business notifies consumers of material changes to the notice required to be made available under this Section.

Section 20. Right to know. Consumers may request the following information of businesses:

(1) Copies of specific pieces of personal information about the consumer processed by the business.

(2) Categories of sources for the personal information processed.

(3) Name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.
Section 25. Right to opt out, correct, and delete. Consumers have the following rights concerning their personal information:

(1) The right to request to opt out of the following:

(A) the disclosure of personal information from the business to third parties and affiliates;

(B) the sale of personal information from the business to third parties and affiliates; and

(C) the processing of personal information by the business, third parties, and affiliates.

(2) The right to request that a business correct inaccurate personal information about the consumer.

(3) The right to request that a business delete personal information about the consumer.

Section 30. Consumer requests and business responses.

(a) Businesses shall establish a process for collecting consumer requests and reasonably authenticating consumers making the requests and reasonably authenticating any request to correct inaccurate personal information. The method by which a consumer may submit a request under Section 20 and Section 25 shall be done in a form and manner determined by the business in a way that is not overly burdensome on the consumer.

(b) A business shall post on its website, online service, and within any mobile application, a link to a designated request address web page maintained by the business for the purpose of collecting and processing consumer requests. The business shall also post a designated request street address for consumers to submit requests by mail.

(c) A parent or legal guardian of a consumer under the age of 13 may submit a request on behalf of that consumer.

(d) A business that receives a request from a consumer through a designated request address shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required or confirmation of the consumer's opt out, correction or deletion request and business' compliance.

(1) The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.

(2) A business that has received a request to opt out of the disclosure or sale of a consumer's personal information shall be prohibited from selling or disclosing that consumer's personal information after its receipt of the consumer's request, unless the consumer subsequently provides express authorization for the sale or disclosure of the consumer's personal information.

(3) A business that receives a request to delete the consumer's personal information, shall delete the consumer's personal information from its records and direct any third party or affiliate with whom the personal information was disclosed, to delete the consumer's personal information from their records.

(4) A business shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business to maintain the consumer's personal information in order to:

(i) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

(ii) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

(iii) Debug to identify and repair errors that impair existing intended functionality.

(iv) Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.

(v) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

(vi) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.

(vii) Comply with a legal obligation.

(viii) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

(e) A business must provide a response to the consumer within 45 days of a request under Section 20 and Section 25.

(1) The business shall promptly take steps to verify the request, but shall not extend the business' duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.

(2) The disclosure shall cover at least the 12-month period preceding the business' receipt of the request. The business shall not require the consumer to create an account with the business in order to make a request.

(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any consumer request is manifestly unfounded or excessive.

(f) A business shall not be required to respond to a request made by or on behalf of the same consumer more than once in any 12-month period.

Section 35. Businesses, affiliates, and third parties.

(a) A business is not required to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

(b) A business shall not reidentify any deidentified consumer information, unless the consumer subsequently provides express authorization for reidentification of deidentified information.

(c) A business shall not sell the personal information of any consumer for which the business has actual knowledge that the consumer is less than 16 years of age. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.

(d) A business shall not use a consumer's personal information for any purpose other than those disclosed in the notice at collection. If the business intends to use a consumer's personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall directly notify the consumer of this new use and obtain explicit consent from the consumer to use it for this new purpose.

(e) A business shall not collect categories of personal information other than those disclosed in the notice at collection. If the business intends to collect additional categories of personal information, the business shall provide a new notice at collection.

(f) If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.

(g) Affiliates and third parties shall not sell consumer personal information purchased from a business unless the consumer has received notice and is provided an opportunity to opt out of the resale of the consumer's personal information.

(h) Pricing incentives and prohibition of discrimination.

(1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights in this Act, including, but not limited to:

(A) Denying goods or services to the consumer.

(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this Act.

(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

(2) Nothing shall prohibit a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

(3) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.

(A) A business that offers any financial incentives regarding consumer personal information or deidentified information, shall notify consumers of the financial incentives in the consumer service agreement, website, online service or mobile application.

(B) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

(C) A business shall not use financial incentive practices that are unjust, unreasonable, or coercive.

(i) A business that discloses personal information to a service provider shall not be liable under this Act if the service provider receiving the personal information uses it in violation of the restrictions set forth in the Act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this Act for the obligations of a business for which it provides services as set forth in this Act.

(j) The obligations imposed on businesses by this Act do not restrict a business' ability to:

(1) Comply with federal, state, or local laws, rules, regulations, or enforceable guidance.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

(5) Prevent, detect, or respond to identity theft, fraud, or other malicious or illegal activity.

(6) Collect, use, retain, sell, or disclose consumer's personal information that is deidentified or in the aggregate consumer information.

(k) Businesses, affiliates, and third parties shall take reasonable measures to protect customer's personal information from unauthorized use, disclosure, or access.

(1) In implementing security measures required by this subsection, a business, affiliate, and third party shall take into account each of the following factors:

(A) The nature and scope of the business', affiliate's, or third party's activities;

(B) The sensitivity of the data processed;

(C) The size of the business, affiliate, or third party; and

(D) The technical feasibility of the security measures.

(2) A business, affiliate, or third party may employ any lawful measure that allows the business, affiliate, or third party to comply with the requirements of this subsection.

(l) Risk assessments.

(1) Businesses, affiliates, and third parties must conduct, to the extent not previously conducted, a risk assessment of each of their processing activities involving personal information and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Such risk assessments must take into account the type of personal data to be processed by the business, affiliate, or third party, including the extent to which the personal
18 | | information is sensitive information or otherwise |
19 | | sensitive in nature, and the context in which the personal |
20 | | information is to be processed. |
21 | | (2) Risk assessments conducted under subsection (a) |
22 | | must identify and weigh the benefits that may flow directly |
23 | | and indirectly from the processing to the business, |
24 | | consumer, other stakeholders, and the public, against the |
25 | | potential risks to the rights of the consumer associated |
26 | | with such processing, as mitigated by safeguards that can |
|
| | SB2330 | - 22 - | LRB101 16295 KTG 65668 b |
|
|
1 | | be employed by the business to reduce such risks. The use |
2 | | of deidentified data and the reasonable expectations of |
3 | | consumers, as well as the context of the processing and the |
4 | | relationship between the business, affiliate, or third |
5 | | party and the consumer whose personal data will be |
6 | | processed, must factor into this assessment by the |
7 | | business, affiliate, or third party. |
8 | | (3) If the risk assessment conducted under subsection |
9 | | (a) of this Section determines that the potential risks of |
10 | | privacy harm to consumers are substantial and outweigh the |
11 | | interests of the business, consumer, other stakeholders, |
12 | | and the public in processing the personal information of |
13 | | the consumer, the business may only engage in such |
14 | | processing with the consent of the consumer or if another |
15 | | exemption under this Act applies. To the extent the |
16 | | business seeks consumer consent for processing, such |
17 | | consent shall be as easy to withdraw as to give. |
18 | | (4) Processing for a business purpose shall be presumed |
19 | | to be permissible unless: (i) it involves the processing of |
20 | | sensitive data; and (ii) the risk of processing cannot be |
21 | | reduced through the use of appropriate administrative and |
22 | | technical safeguards. |
23 | | (5) The business, affiliate, and third party must make |
24 | | the risk assessment available to the Office of the Attorney |
25 | | General upon request. Risk assessments are confidential |
26 | | and exempt from public inspection and copying under the |
|
| | SB2330 | - 23 - | LRB101 16295 KTG 65668 b |
|
|
1 | | Freedom of Information Act. |
2 | | Section 40. Enforcement. |
3 | | (a) Private right of action. |
4 | | (1) Any consumer whose unencrypted or unredacted |
5 | | personal information is subject to an unauthorized access |
6 | | and exfiltration, theft, or disclosure as a result of the |
7 | | business' violation of the duty to implement and maintain |
8 | | reasonable security procedures and practices appropriate |
9 | | to the nature of the information to protect the personal |
10 | | information may institute a civil action for any of the |
11 | | following: |
12 | | (A) To recover damages in an amount not less than |
13 | | $100 and not greater than $750 per customer per |
14 | | incident or actual damages, whichever is greater. |
15 | | (B) Injunctive or declaratory relief. |
16 | | (C) Any other relief the court deems proper. |
17 | | (2) In assessing the amount of statutory damages, the |
18 | | court shall consider any one or more of the relevant |
19 | | circumstances presented by any of the parties to the case, |
20 | | including, but not limited to, the nature and seriousness |
21 | | of the misconduct, the number of violations, the |
22 | | persistence of the misconduct, the length of time over |
23 | | which the misconduct occurred, the willfulness of the |
24 | | defendant's misconduct, and the defendant's assets, |
25 | | liabilities, and net worth. |
|
| | SB2330 | - 24 - | LRB101 16295 KTG 65668 b |
|
|
1 | | (3) Nothing in this Act shall be interpreted to serve |
2 | | as the basis for a private right of action under any other |
3 | | law. This shall not be construed to relieve any party from |
4 | | any duties or obligations imposed under other law or the |
5 | | United States or Illinois Constitution. |
6 | | (b) Attorney General enforcement. A violation of this Act |
7 | | constitutes an unlawful practice under the Consumer Fraud and |
8 | | Deceptive Business Practices Act. The Attorney General has |
9 | | authority to enforce this Act as a violation of the Consumer |
10 | | Fraud and Deceptive Business Practices Act, subject to the |
11 | | remedies available to the Attorney General under the Consumer |
12 | | Fraud and Deceptive Business Practices Act. |
13 | | Section 45. Applicability. |
14 | | (a) This Act does not apply to personal information |
15 | | collected, processed, sold, or disclosed under: |
16 | | (1) The Gramm-Leach-Bliley Act, and the rules |
17 | | promulgated under that Act. |
18 | | (2) The Health Insurance Portability and |
19 | | Accountability Act of 1996, and the rules promulgated under |
20 | | that Act. |
21 | | (3) The Fair Credit Reporting Act, and the rules |
22 | | promulgated under that Act. |
23 | | (b) Nothing in this Act restricts a business' ability to |
24 | | collect or disclose a consumer's personal information if a |
25 | | consumer's conduct takes place wholly outside of Illinois. For |
|
| | SB2330 | - 25 - | LRB101 16295 KTG 65668 b |
|
|
1 | | purposes of this Act, conduct takes place wholly outside of |
2 | | Illinois if the business collected that information while the |
3 | | consumer was outside of Illinois, no part of the sale of the |
4 | | consumer's personal information occurred in Illinois, and no |
5 | | personal information collected while the consumer was in |
6 | | Illinois is disclosed. |
7 | | Section 50. Waivers; contracts. Any waiver of the |
8 | | provisions of this Act is void and unenforceable. |
9 | | Section 55. Home rule preemption. Except as otherwise |
10 | | provided in this Act, the regulation of the activities |
11 | | described in this Act are the exclusive powers and functions of |
12 | | the State. Except as otherwise provided in this Act, a unit of |
13 | | local government, including a home rule unit, may not regulate |
14 | | the activities described in this Act. This Section is a denial |
15 | | and limitation of home rule powers and functions under |
16 | | subsection (h) of Section 6 of Article VII of the Illinois |
17 | | Constitution. |
18 | | Section 97. Severability. The provisions of this Act are |
19 | | severable under Section 1.31 of the Statute on Statutes.
|
20 | | Section 99. Effective date. This Act takes effect July 1, |
21 | | 2021.
|