|
| | 10200SB0731sam002 | - 2 - | LRB102 17247 KTG 24999 a |
|
|
1 | | Illinois citizens to protect themselves and their families |
2 | | from cyber-crimes and identity thieves. |
3 | | (2) Businesses are now collecting, sharing, and |
4 | | selling personal information in ways not contemplated or |
5 | | properly covered by current law. |
6 | | (a) Some websites install tracking tools that |
7 | | record when consumers visit web pages and send |
8 | | personal information collected to third party |
9 | | marketers and data brokers. |
10 | | (b) Third-party data broker companies are buying, |
11 | | selling, and trading personal information obtained |
12 | | from mobile phones, financial institutions, social |
13 | | media sites, and other online and brick and mortar |
14 | | companies. |
15 | | (c) Social media companies, credit agencies and |
16 | | retail stores have all had their internal security |
17 | | systems breached, resulting in consumers' personal |
18 | | information being stolen and sold on the black market. |
19 | | (3) Illinois consumers must be better informed about |
20 | | what kinds of personal information are collected, how |
21 | | information is shared with third parties, and how |
22 | | businesses store consumers' personal information. With |
23 | | this specific information, consumers can knowledgeably |
24 | | choose to opt in, opt out, or choose among businesses that |
25 | | disclose information to third parties on the basis of how |
26 | | protective the business is of consumers' privacy in order |
|
| | 10200SB0731sam002 | - 3 - | LRB102 17247 KTG 24999 a |
|
|
1 | | to properly protect their privacy, property, personal |
2 | | safety, and financial security. |
3 | | Section 10. Definitions. As used in this Act: |
4 | | "Affiliate" means a legal entity that controls, is |
5 | | controlled by, or is under common control with another legal |
6 | | entity. |
7 | | "Business" means any sole proprietorship, partnership, |
8 | | limited liability company, corporation, association, or other |
9 | | legal entity that is organized or operated for the profit or |
10 | | financial benefit of its shareholders or other owners, that |
11 | | does business in the State of Illinois and meets one or more of |
12 | | the following thresholds: |
13 | | (1) The business collects or discloses the personal |
14 | | information of 50,000 or more persons, Illinois |
15 | | households, or the combination thereof. |
16 | | (2) The business derives 50% or more of its annual |
17 | | revenues from selling consumers' personal information.
|
18 | | "Business" does not include any third party that operates, |
19 | | hosts, or manages, but does not own, a website or online |
20 | | service on the owner's behalf or by processing information on |
21 | | behalf of the owners, or any State and local governments or |
22 | | municipal corporations. |
23 | | "Categories of sources" means types of entities from which |
24 | | a business collects personal information about consumers, |
25 | | including, but not limited to, the consumer directly, |
|
| | 10200SB0731sam002 | - 4 - | LRB102 17247 KTG 24999 a |
|
|
1 | | government entities from which public records are obtained, |
2 | | and consumer data resellers. |
3 | | "Categories of third parties" means types of entities that |
4 | | do not collect personal information directly from consumers, |
5 | | including, but not limited to, advertising networks, internet |
6 | | service providers, data analytics providers, government |
7 | | entities, operating systems and platforms, social networks, |
8 | | and consumer data resellers. |
9 | | "Consumer" means a natural person residing in this State. |
10 | | "Consumer" does not include a natural person acting in an |
11 | | employment context. |
12 | | "Deidentified" means information that cannot reasonably |
13 | | identify, relate to, describe, be capable of being associated |
14 | | with, or be linked, directly or indirectly, to a particular |
15 | | consumer, provided that a business that uses deidentified |
16 | | information: |
17 | | (1) Has implemented technical safeguards that prohibit |
18 | | reidentification of the consumer to whom the information |
19 | | may pertain. |
20 | | (2) Has implemented business processes that |
21 | | specifically prohibit reidentification of the information. |
22 | | (3) Has implemented business processes to prevent |
23 | | inadvertent release of deidentified information. |
24 | | (4) Makes no attempt to reidentify the information. |
25 | | "Designated request address" means an electronic mail |
26 | | address, online form, mailing address, or toll-free telephone |
|
| | 10200SB0731sam002 | - 5 - | LRB102 17247 KTG 24999 a |
|
|
1 | | number that a consumer may use to request information, opt out |
2 | | of the sale or disclosure of personal information, or correct |
3 | | or delete personal information, as required to be provided |
4 | | under this Act. |
5 | | "Disclose" means to disclose, release, transfer, share, |
6 | | disseminate, make available, or otherwise communicate orally, |
7 | | in writing, or by electronic or any other means a consumer's |
8 | | personal information to any affiliate or third party. |
9 | | "Disclose" does not include: |
10 | | (1) Disclosure of personal information by a business |
11 | | to a third party or service provider under a written |
12 | | contract authorizing the third party or service provider |
13 | | to use the personal information to perform services on |
14 | | behalf of the business, including, but not limited to, |
15 | | maintaining or servicing accounts, disclosure of personal |
16 | | information by a business to a service provider, |
17 | | processing or fulfilling orders and transactions, |
18 | | verifying consumer information, processing payments, |
19 | | providing financing, or similar services, but only if: the |
20 | | contract prohibits the third party or service provider |
21 | | from using the personal information for any reason other |
22 | | than performing the specified service on behalf of the |
23 | | business and from disclosing any such personal information |
24 | | to additional third parties or service providers unless |
25 | | those additional third parties or service providers are |
26 | | allowed by the contract to further the specified services |
|
| | 10200SB0731sam002 | - 6 - | LRB102 17247 KTG 24999 a |
|
|
1 | | and the additional third parties and service providers and |
2 | | subject to the same restrictions imposed by this |
3 | | subsection. |
4 | | (2) Disclosure of personal information by a business |
5 | | to a third party based on a good faith belief that |
6 | | disclosure is required to comply with applicable law, |
7 | | regulation, legal process, or court order. |
8 | | (3) Disclosure of personal information by a business |
9 | | to a third party that is reasonably necessary to address |
10 | | fraud, risk management, security, or technical issues; to |
11 | | protect the disclosing business' right or property; or to |
12 | | protect consumers or the public from illegal activities. |
13 | | (4) Disclosure of personal information by a business |
14 | | to a third party in connection with the proposed or actual |
15 | | sale, merger, or bankruptcy of the business, to a third |
16 | | party. |
17 | | "Personal information" means information that identifies, |
18 | | relates to, describes, is reasonably capable of being |
19 | | associated with, or could reasonably be linked, directly or |
20 | | indirectly, with a particular consumer or household. Personal |
21 | | information includes, but is not limited to, the following: |
22 | | (1) Identifiers such as a real name, alias, signature, |
23 | | postal address, telephone number, unique personal |
24 | | identifier, online identifier Internet Protocol address, |
25 | | email address, account name, social security number, |
26 | | driver's license number, state identification number, |
|
| | 10200SB0731sam002 | - 7 - | LRB102 17247 KTG 24999 a |
|
|
1 | | passport number, physical characteristics or description, |
2 | | insurance policy number, employment, employment history, |
3 | | bank account number, credit card number, debit card |
4 | | number, financial information, medical information, health |
5 | | insurance information, or other similar identifiers. |
6 | | (2) Characteristics of protected classifications under |
7 | | Illinois or federal law. |
8 | | (3) Commercial information, including records of |
9 | | personal property, products or services purchased, |
10 | | obtained, or considered, or other purchasing or consuming |
11 | | histories or tendencies. |
12 | | (4) Biometric information. |
13 | | (5) Internet or other electronic network activity |
14 | | information, including, but not limited to, browsing |
15 | | history, search history, and information regarding a |
16 | | consumer's interaction with an Internet website, |
17 | | application or advertisement. |
18 | | (6) Geolocation data. |
19 | | (7) Audio, electronic, visual, thermal, olfactory, or |
20 | | similar information. |
21 | | (8) Professional or employment-related information. |
22 | | (9) Educational information. |
23 | | (10) Inferences drawn from any of the information |
24 | | identified in this Section to create a profile about a |
25 | | consumer reflecting the consumer's preferences, |
26 | | characteristics, psychological trends, preferences, |
|
| | 10200SB0731sam002 | - 8 - | LRB102 17247 KTG 24999 a |
|
|
1 | | predispositions, behavior, attitudes, intelligence, |
2 | | abilities, and aptitudes. |
3 | | "Personal information" does not include publicly available |
4 | | information which the business obtained directly from records |
5 | | lawfully made available from federal, state, or local |
6 | | government records. "Personal information" does not include |
7 | | consumer information that is deidentified or aggregate |
8 | | consumer information. |
9 | | "Process" or "processes" means any collection, use, |
10 | | storage, disclosure, analysis, deletion, or modification of |
11 | | personal information. |
12 | | "Request" means a consumer right set forth in this Act |
13 | | including one or more of the following: (i) for the disclosure |
14 | | of information regarding a consumer's personal information; |
15 | | (ii) the opt out of sale or disclosure of a consumer's personal |
16 | | information; (iii) the correction of inaccurate personal |
17 | | information; and (iv) the deletion of personal information. |
18 | | "Sale" or "sell" means the selling, renting, or licensing |
19 | | of a consumer's personal information by a business to a third |
20 | | party in direct exchange for monetary consideration, whereby, |
21 | | as a result of such transaction, the third party may use the |
22 | | personal information for its own commercial purposes.
"Sale" |
23 | | or "sell" does not include circumstances in which: |
24 | | (1) A consumer uses or directs the business to |
25 | | intentionally disclose personal information or uses the |
26 | | business to intentionally interact with a third party or |
|
| | 10200SB0731sam002 | - 9 - | LRB102 17247 KTG 24999 a |
|
|
1 | | affiliate, provided the third party or affiliate does not |
2 | | also sell the personal information, unless that disclosure |
3 | | would be consistent with the provisions of this Act. An |
4 | | intentional interaction occurs when the consumer intends |
5 | | to interact with the third party by one or more deliberate |
6 | | interactions. Hovering over, muting, pausing, or closing a |
7 | | given piece of content does not constitute a consumer's |
8 | | intent to interact with a third party. |
9 | | (2) The business uses or shares an identifier for a |
10 | | consumer who has opted out of the sale of the consumer's |
11 | | personal information for the purposes of altering third |
12 | | parties or affiliates that the consumer has opted out of |
13 | | the sale of the consumer's personal information. |
14 | | (3) The business uses or shares with a service |
15 | | provider personal information of a consumer that is |
16 | | necessary to perform a business purpose or business |
17 | | purposes if the service provider does not further collect, |
18 | | sell, or use the personal information of the consumer |
19 | | except as necessary to perform the business purposes. |
20 | | (4) The business transfers to a third party the |
21 | | personal information of a consumer as an asset that is |
22 | | part of a merger, acquisition, bankruptcy, or other |
23 | | transaction in which the third party or affiliate assumes |
24 | | control of all or part of the business, provided that |
25 | | information is used or shared consistently with this Act. |
26 | | If a third party or affiliate materially alters how it |
|
| | 10200SB0731sam002 | - 10 - | LRB102 17247 KTG 24999 a |
|
|
1 | | uses or shares the personal information of a consumer in a |
2 | | manner that is materially inconsistent with the promises |
3 | | made at the time of collection, it shall provide prior |
4 | | notice of the new or changed practice to the consumer. The |
5 | | notice shall be sufficiently prominent and robust to |
6 | | ensure that existing consumers can easily exercise their |
7 | | choices consistent with Section 20 and Section 25. This |
8 | | subparagraph does not authorize a business to make |
9 | | material, retroactive privacy policy changes or make other |
10 | | changes in their privacy policy in a manner that would |
11 | | violate the Consumer Fraud and Deceptive Business |
12 | | Practices Act. |
13 | | (5) A business uses a consumer's personal information |
14 | | to sell targeted advertising space to a third party as |
15 | | long as the personal information is not sold by the |
16 | | business to the third party or affiliate. |
17 | | (6) The disclosure or transfer of personal information |
18 | | to an affiliate of the business. |
19 | | "Service provider" means the natural or legal person that |
20 | | processes personal information on behalf of the business. |
21 | | "Third party" means a business that is: (1) not an |
22 | | affiliate of the business that has collected, disclosed, or |
23 | | sold personal information; or (2) an affiliate with the |
24 | | business that has collected, disclosed, or sold personal |
25 | | information and the affiliate relationship is not clear to the |
26 | | consumer. |
|
| | 10200SB0731sam002 | - 11 - | LRB102 17247 KTG 24999 a |
|
|
1 | | Section 15. Right to transparency. Any business that |
2 | | processes personal information or deidentified information |
3 | | must, prior to processing, provide notice to the consumer of |
4 | | the following in the service agreement or somewhere readily |
5 | | accessible on the business' website or mobile application: |
6 | | (1) All categories of personal information and |
7 | | deidentified information that the business processes about |
8 | | individual consumers; |
9 | | (2) All categories of third parties and affiliates |
10 | | with whom the business may disclose or sell that personal |
11 | | information or deidentified information and the business |
12 | | purpose for the disclosure or sale; |
13 | | (3) The process in which an individual consumer may: |
14 | | (A) review the personal information collected by |
15 | | the business; |
16 | | (B) request changes to inaccurate personal |
17 | | information; |
18 | | (C) opt out of the disclosure or sale of personal |
19 | | information; and |
20 | | (D) request deletion of personal information; and |
21 | | (4) The process in which the business notifies |
22 | | consumers of material changes to the notice required to be |
23 | | made available under this Section. |
24 | | Section 20. Right to know. Consumers may request the |
|
| | 10200SB0731sam002 | - 12 - | LRB102 17247 KTG 24999 a |
|
|
1 | | following information of businesses: |
2 | | (1) Copies of specific pieces of personal information |
3 | | about the consumer processed by the business. |
4 | | (2) Categories of sources for the personal information |
5 | | processed. |
6 | | (3) Name and contact information for each third party |
7 | | and affiliate to whom the personal information is |
8 | | disclosed or sold. |
9 | | Section 25. Right to opt out, correct, and delete. |
10 | | Consumers have the following rights concerning their personal |
11 | | information: |
12 | | (1) The right to request to opt out of the following: |
13 | | (A) the disclosure of personal information from |
14 | | the business to third parties and affiliates; |
15 | | (B) the sale of personal information from the |
16 | | business to third parties and affiliates; and |
17 | | (C) the processing of personal information by the |
18 | | business, third parties, and affiliates. |
19 | | (2) The right to request that a business correct |
20 | | inaccurate personal information about the consumer. |
21 | | (3) The right to request that a business delete |
22 | | personal information about the consumer. |
23 | | Section 30. Consumer requests and business responses. |
24 | | (a) Businesses shall establish a process for collecting |
|
| | 10200SB0731sam002 | - 13 - | LRB102 17247 KTG 24999 a |
|
|
1 | | consumer requests and reasonably authenticating consumers |
2 | | making the requests and reasonably authenticating any request |
3 | | to correct inaccurate personal information. The method by |
4 | | which a consumer may submit a request under Section 20 and |
5 | | Section 25 shall be done in a form and manner determined by the |
6 | | business in a way that is not overly burdensome on the |
7 | | consumer. |
8 | | (b) A business shall post on its website, online service, |
9 | | and within any mobile application, a link to a designated |
10 | | request address web page maintained by the business for the |
11 | | purpose of collecting and processing consumer requests. The |
12 | | business shall also post a designated request street address |
13 | | for consumers to submit requests by mail. |
14 | | (c) A parent or legal guardian of a consumer under the age |
15 | | of 13 may submit a request on behalf of that consumer. |
16 | | (d) A business that receives a request from a consumer |
17 | | through a designated request address shall promptly take steps |
18 | | to disclose and deliver, free of charge to the consumer, the |
19 | | personal information required or confirmation of the |
20 | | consumer's opt out, correction or deletion request and |
21 | | business' compliance. |
22 | | (1) The information may be delivered by mail or |
23 | | electronically, and if provided electronically, the |
24 | | information shall be in a portable and, to the extent |
25 | | technically feasible, in a readily usable format that |
26 | | allows the consumer to transmit this information to |
|
| | 10200SB0731sam002 | - 14 - | LRB102 17247 KTG 24999 a |
|
|
1 | | another entity without hindrance. |
2 | | (2) A business that has received a request to opt out |
3 | | of the disclosure or sale of a consumer's personal |
4 | | information shall be prohibited from selling or disclosing |
5 | | that consumer's personal information after its receipt of |
6 | | the consumer's request, unless the consumer subsequently |
7 | | provides express authorization for the sale or disclosure |
8 | | of the consumer's personal information. |
9 | | (3) A business that receives a request to delete the |
10 | | consumer's personal information, shall delete the |
11 | | consumer's personal information from its records and |
12 | | direct any third party or affiliate with whom the personal |
13 | | information was disclosed, to delete the consumer's |
14 | | personal information from their records. |
15 | | (4) A business shall not be required to comply with a |
16 | | consumer's request to delete the consumer's personal |
17 | | information if it is necessary for the business to |
18 | | maintain the consumer's personal information in order to: |
19 | | (i) Complete the transaction for which the |
20 | | personal information was collected, provide a good or |
21 | | service requested by the consumer, or reasonably |
22 | | anticipated within the context of a business' ongoing |
23 | | business relationship with the consumer, or otherwise |
24 | | perform a contract between the business and the |
25 | | consumer. |
26 | | (ii) Detect security incidents, protect against |
|
| | 10200SB0731sam002 | - 15 - | LRB102 17247 KTG 24999 a |
|
|
1 | | malicious, deceptive, fraudulent, or illegal activity; |
2 | | or prosecute those responsible for that activity. |
3 | | (iii) Debug to identify and repair errors that |
4 | | impair existing intended functionality. |
5 | | (iv) Exercise free speech, ensure the right of |
6 | | another consumer to exercise their right of free |
7 | | speech, or exercise another right provided for by law. |
8 | | (v) Engage in public or peer-reviewed scientific, |
9 | | historical, or statistical research in the public |
10 | | interest that adheres to all other applicable ethics |
11 | | and privacy laws, when the business' deletion of the |
12 | | information is likely to render impossible or |
13 | | seriously impair the achievement of such research, if |
14 | | the consumer has provided informed consent. |
15 | | (vi) To enable solely internal uses that are |
16 | | reasonably aligned with the expectations of the |
17 | | consumer based on the consumer's relationship with the |
18 | | business. |
19 | | (vii) Comply with a legal obligation. |
20 | | (viii) Otherwise use the consumer's personal |
21 | | information, internally, in a lawful manner that is |
22 | | compatible with the context in which the consumer |
23 | | provided the information. |
24 | | (e) A business must provide a response to the consumer |
25 | | within 45 days of a request under Section 20 and Section 25. |
26 | | (1) The business shall promptly take steps to verify |
|
| | 10200SB0731sam002 | - 16 - | LRB102 17247 KTG 24999 a |
|
|
1 | | the request, but shall not extend the business' duty to |
2 | | disclose and deliver the information within 45 days of |
3 | | receipt of the consumer's request. The time period to |
4 | | provide the required information may be extended once by |
5 | | an additional 45 days when reasonably necessary, provided |
6 | | the consumer is provided notice of the extension within |
7 | | the first 45-day period. |
8 | | (2) The disclosure shall cover at least the 12-month |
9 | | period preceding the business' receipt of the request. The |
10 | | business shall not require the consumer to create an |
11 | | account with the business in order to make a request. |
12 | | (3) If requests from a consumer are manifestly |
13 | | unfounded or excessive, in particular because of their |
14 | | repetitive character, a business may either charge a |
15 | | reasonable fee, taking into account the administrative |
16 | | costs of providing the information or communication or |
17 | | taking the action requested or refuse to act on the |
18 | | request and notify the consumer of the reason for refusing |
19 | | the request. The business shall bear the burden of |
20 | | demonstrating that any consumer request is manifestly |
21 | | unfounded or excessive. |
22 | | (f) A business shall not be required to respond to a |
23 | | request made by or on behalf of the same consumer more than |
24 | | once in any 12-month period. |
25 | | Section 35. Businesses, affiliates, and third parties. |
|
| | 10200SB0731sam002 | - 17 - | LRB102 17247 KTG 24999 a |
|
|
1 | | (a) A business is not required to retain any personal |
2 | | information collected for a single, one-time transaction, if |
3 | | such information is not sold or retained by the business or to |
4 | | reidentify or otherwise link information that is not |
5 | | maintained in a manner that would be considered personal |
6 | | information. |
7 | | (b) A business shall not reidentify any deidentified |
8 | | consumer information, unless the consumer subsequently |
9 | | provides express authorization for reidentification of |
10 | | deidentified information. |
11 | | (c) A business shall not sell the personal information of |
12 | | any consumer for which the business has actual knowledge that |
13 | | the consumer is less than 16 years of age. A business that |
14 | | willfully disregards the consumer's age shall be deemed to |
15 | | have had actual knowledge of the consumer's age. |
16 | | (d) A business shall not use a consumer's personal |
17 | | information for any purpose other than those disclosed in the |
18 | | notice at collection. If the business intends to use a |
19 | | consumer's personal information for a purpose that was not |
20 | | previously disclosed to the consumer in the notice at |
21 | | collection, the business shall directly notify the consumer of |
22 | | this new use and obtain explicit consent from the consumer to |
23 | | use it for this new purpose. |
24 | | (e) A business shall not collect categories of personal |
25 | | information other than those disclosed in the notice at |
26 | | collection. If the business intends to collect additional |
|
| | 10200SB0731sam002 | - 18 - | LRB102 17247 KTG 24999 a |
|
|
1 | | categories of personal information, the business shall provide |
2 | | a new notice at collection. |
3 | | (f) If a business does not give the notice at collection to |
4 | | the consumer at or before the collection of their personal |
5 | | information, the business shall not collect personal |
6 | | information from the consumer. |
7 | | (g) Affiliates and third parties shall not sell consumer |
8 | | personal information purchased from a business unless the |
9 | | consumer has received notice and is provided an opportunity to |
10 | | opt out of the resale of the consumer's personal information. |
11 | | (h) Pricing incentives and prohibition of discrimination. |
12 | | (1) A business shall not discriminate against a |
13 | | consumer because the consumer exercised any of the |
14 | | consumer's rights in this Act, including, but not limited |
15 | | to: |
16 | | (A) Denying goods or services to the consumer. |
17 | | (B) Charging different prices or rates for goods |
18 | | or services, including through the use of discounts or |
19 | | other benefits or imposing penalties. |
20 | | (C) Providing a different level or quality of |
21 | | goods or services to the consumer, if the consumer |
22 | | exercises the consumer's rights under this Act. |
23 | | (D) Suggesting that the consumer will receive a |
24 | | different price or rate for goods or services or a |
25 | | different level or quality of goods or services. |
26 | | (2) Nothing shall prohibit a business from charging a |
|
| | 10200SB0731sam002 | - 19 - | LRB102 17247 KTG 24999 a |
|
|
1 | | consumer a different price or rate, or from providing a |
2 | | different level or quality of goods or services to the |
3 | | consumer, if that difference is reasonably related to the |
4 | | value provided to the consumer by the consumer's data. |
5 | | (3) A business may offer financial incentives, |
6 | | including payments to consumers as compensation, for the |
7 | | collection of personal information, the sale of personal |
8 | | information, or the deletion of personal information. A |
9 | | business may also offer a different price, rate, level, or |
10 | | quality of goods or services to the consumer if that price |
11 | | or difference is directly related to the value provided to |
12 | | the consumer by the consumer's data. |
13 | | (A) A business that offers any financial |
14 | | incentives regarding consumer personal information or |
15 | | deidentified information, shall notify consumers of |
16 | | the financial incentives in the consumer service |
17 | | agreement, website, online service or mobile |
18 | | application. |
19 | | (B) A business may enter a consumer into a |
20 | | financial incentive program only if the consumer gives |
21 | | the business prior opt-in consent which clearly |
22 | | describes the material terms of the financial |
23 | | incentive program, and which may be revoked by the |
24 | | consumer at any time. |
25 | | (C) A business shall not use financial incentive |
26 | | practices that are unjust, unreasonable, or coercive. |
|
| | 10200SB0731sam002 | - 20 - | LRB102 17247 KTG 24999 a |
|
|
1 | | (i) A business that discloses personal information to a |
2 | | service provider shall not be liable under this Act if the |
3 | | service provider receiving the personal information uses it in |
4 | | violation of the restrictions set forth in the Act, provided |
5 | | that, at the time of disclosing the personal information, the |
6 | | business does not have actual knowledge, or reason to believe, |
7 | | that the service provider intends to commit such a violation. |
8 | | A service provider shall likewise not be liable under this Act |
9 | | for the obligations of a business for which it provides |
10 | | services as set forth in this Act. |
11 | | (j) The obligations imposed on businesses by this Act do |
12 | | not restrict a business' ability to: |
13 | | (1) Comply with federal, state, or local laws, rules, |
14 | | regulations, or enforceable guidance. |
15 | | (2) Comply with a civil, criminal, or regulatory |
16 | | inquiry, investigation, subpoena, or summons by federal, |
17 | | state, or local authorities. |
18 | | (3) Cooperate with law enforcement agencies concerning |
19 | | conduct or activity that the business, service provider, |
20 | | or third party reasonably and in good faith believes may |
21 | | violate federal, state, or local law. |
22 | | (4) Exercise or defend legal claims. |
23 | | (5) Prevent, detect, or respond to identity theft, |
24 | | fraud, or other malicious or illegal activity. |
25 | | (6) Collect, use, retain, sell, or disclose consumer's |
26 | | personal information that is deidentified or in the |
|
| | 10200SB0731sam002 | - 21 - | LRB102 17247 KTG 24999 a |
|
|
1 | | aggregate consumer information. |
2 | | (k) Businesses, affiliates, and third parties shall take |
3 | | reasonable measures to protect customer's personal information |
4 | | from unauthorized use, disclosure, or access. |
5 | | (1) In implementing security measures required by this |
6 | | subsection, a business, affiliate, and third party shall |
7 | | take into account each of the following factors: |
8 | | (A) The nature and scope of the business;, |
9 | | affiliate's, or third party's activities; |
10 | | (B) The sensitivity of the data processed; |
11 | | (C) The size of the business, affiliate, or third |
12 | | party; and |
13 | | (D) The technical feasibility of the security |
14 | | measures. |
15 | | (2) A business, affiliate, or third party may employ |
16 | | any lawful measure that allows the business, affiliate, or |
17 | | third party to comply with the requirements of this |
18 | | subsection. |
19 | | (l) Risk assessments. |
20 | | (1) Businesses, affiliates, and third parties must |
21 | | conduct, to the extent not previously conducted, a risk |
22 | | assessment of each of their processing activities |
23 | | involving personal information and an additional risk |
24 | | assessment any time there is a change in processing that |
25 | | materially increases the risk to consumers. Such risk |
26 | | assessments must take into account the type of personal |
|
| | 10200SB0731sam002 | - 22 - | LRB102 17247 KTG 24999 a |
|
|
1 | | data to be processed by the business, affiliate, or third |
2 | | party, including the extent to which the personal |
3 | | information is sensitive information or otherwise |
4 | | sensitive in nature, and the context in which the personal |
5 | | information is to be processed. |
6 | | (2) Risk assessments conducted under subsection (a) |
7 | | must identify and weigh the benefits that may flow |
8 | | directly and indirectly from the processing to the |
9 | | business, consumer, other stakeholders, and the public, |
10 | | against the potential risks to the rights of the consumer |
11 | | associated with such processing, as mitigated by |
12 | | safeguards that can be employed by the business to reduce |
13 | | such risks. The use of deidentified data and the |
14 | | reasonable expectations of consumers, as well as the |
15 | | context of the processing and the relationship between the |
16 | | business, affiliate, or third party and the consumer whose |
17 | | personal data will be processed, must factor into this |
18 | | assessment by the business, affiliate, or third party. |
19 | | (3) If the risk assessment conducted under subsection |
20 | | (a) of this Section determines that the potential risks of |
21 | | privacy harm to consumers are substantial and outweigh the |
22 | | interests of the business, consumer, other stakeholders, |
23 | | and the public in processing the personal information of |
24 | | the consumer, the business may only engage in such |
25 | | processing with the consent of the consumer or if another |
26 | | exemption under this Act applies. To the extent the |
|
| | 10200SB0731sam002 | - 23 - | LRB102 17247 KTG 24999 a |
|
|
1 | | business seeks consumer consent for processing, such |
2 | | consent shall be as easy to withdraw as to give. |
3 | | (4) Processing for a business purpose shall be |
4 | | presumed to be permissible unless: (i) it involves the |
5 | | processing of sensitive data; and (ii) the risk of |
6 | | processing cannot be reduced through the use of |
7 | | appropriate administrative and technical safeguards. |
8 | | (5) The business, affiliate, and third party must make |
9 | | the risk assessment available to the Office of the |
10 | | Attorney General upon request. Risk assessments are |
11 | | confidential and exempt from public inspection and copying |
12 | | under the Freedom of Information Act. |
13 | | Section 40. Enforcement. |
14 | | (a) Private right of action. |
15 | | (1) Any consumer whose unencrypted or unredacted |
16 | | personal information is subject to an unauthorized access |
17 | | and exfiltration, theft, or disclosure as a result of the |
18 | | business' violation of the duty to implement and maintain |
19 | | reasonable security procedures and practices appropriate |
20 | | to the nature of the information to protect the personal |
21 | | information may institute a civil action for any of the |
22 | | following: |
23 | | (A) To recover damages in an amount not less than |
24 | | $100 and not greater than $750 per customer per |
25 | | incident or actual damages, whichever is greater. |
|
| | 10200SB0731sam002 | - 24 - | LRB102 17247 KTG 24999 a |
|
|
1 | | (B) Injunctive or declaratory relief. |
2 | | (C) Any other relief the court deems proper. |
3 | | (2) In assessing the amount of statutory damages, the |
4 | | court shall consider any one or more of the relevant |
5 | | circumstances presented by any of the parties to the case, |
6 | | including, but not limited to, the nature and seriousness |
7 | | of the misconduct, the number of violations, the |
8 | | persistence of the misconduct, the length of time over |
9 | | which the misconduct occurred, the willfulness of the |
10 | | defendant's misconduct, and the defendant's assets, |
11 | | liabilities, and net worth. |
12 | | (3) Nothing in this Act shall be interpreted to serve |
13 | | as the basis for a private right of action under any other |
14 | | law. This shall not be construed to relieve any party from |
15 | | any duties or obligations imposed under other law or the |
16 | | United States or Illinois Constitution. |
17 | | (b) Attorney General enforcement. A violation of this Act |
18 | | constitutes an unlawful practice under the Consumer Fraud and |
19 | | Deceptive Business Practices Act. The Attorney General has |
20 | | authority to enforce this Act as a violation of the Consumer |
21 | | Fraud and Deceptive Business Practices Act, subject to the |
22 | | remedies available to the Attorney General under the Consumer |
23 | | Fraud and Deceptive Business Practices Act. |
24 | | Section 45. Applicability. |
25 | | (a) This Act does not apply to personal information |
|
| | 10200SB0731sam002 | - 25 - | LRB102 17247 KTG 24999 a |
|
|
1 | | collected, processed, sold, or disclosed under: |
2 | | (1) The Gramm-Leach-Bliley Act, and the rules |
3 | | promulgated under that Act. |
4 | | (2) The Health Insurance Portability and |
5 | | Accountability Act of 1996, and the rules promulgated |
6 | | under that Act. |
7 | | (3) The Fair Credit Reporting Act, and the rules |
8 | | promulgated under that Act. |
9 | | (b) Nothing in this Act restricts a business' ability to |
10 | | collect or disclose a consumer's personal information if a |
11 | | consumer's conduct takes place wholly outside of Illinois. For |
12 | | purposes of this Act, conduct takes place wholly outside of |
13 | | Illinois if the business collected that information while the |
14 | | consumer was outside of Illinois, no part of the sale of the |
15 | | consumer's personal information occurred in Illinois, and no |
16 | | personal information collected while the consumer was in |
17 | | Illinois is disclosed. |
18 | | Section 50. Waivers; contracts. Any waiver of the |
19 | | provisions of this Act is void and unenforceable. |
20 | | Section 55. Home rule preemption. Except as otherwise |
21 | | provided in this Act, the regulation of the activities |
22 | | described in this Act are the exclusive powers and functions |
23 | | of the State. Except as otherwise provided in this Act, a unit |
24 | | of local government, including a home rule unit, may not |