|
Sen. Thomas Cullerton
Filed: 4/12/2021
| | 10200SB0731sam003 | | LRB102 17247 KTG 25022 a |
|
|
| 1 | | AMENDMENT TO SENATE BILL 731
|
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 731 by replacing |
| 3 | | everything after the enacting clause with the following:
|
| 4 | | "Section 1. Short title. This Act may be cited as the Do |
| 5 | | Not Track Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Anonymous data" means data which does not relate to an |
| 8 | | identified or identifiable user. Identifiable data may be |
| 9 | | rendered anonymous data if it has become de-identified to an |
| 10 | | extent that no user can be singled out or identified, either |
| 11 | | directly or indirectly, by that data alone or in combination |
| 12 | | with other data. To determine whether a user can be identified |
| 13 | | from the data, account should be taken of all means reasonably |
| 14 | | likely to be used by any party to identify the user. Data that |
| 15 | | has been re-identified, is shown to be capable of |
| 16 | | re-identification, or that is capable of being used for |
|
| | 10200SB0731sam003 | - 2 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | personalization or profiling a user or a device used by a user |
| 2 | | is not anonymous data. |
| 3 | | "Collect" means to receive identifiable data in a network |
| 4 | | interaction and to retain that data after the network |
| 5 | | interaction is complete. |
| 6 | | "Commission" means the Federal Trade Commission. |
| 7 | | "Context" means a website or similar online resource, or a |
| 8 | | connected set of such resources. A connected set of resources |
| 9 | | that are controlled by the same party or jointly controlled by |
| 10 | | a set of parties can constitute a single context if a user |
| 11 | | would reasonably expect them to form a single context. Factors |
| 12 | | relevant to determining whether such a reasonable expectation |
| 13 | | exists include, but are not limited to, whether they share |
| 14 | | prominent branding, provide connected and integrated |
| 15 | | user-facing features, are offered under the same domain name |
| 16 | | or through a single app, use the same sign-in credentials, and |
| 17 | | are marketed or sold as a single product or service. |
| 18 | | "De-identify" means to alter data such that the likelihood |
| 19 | | of identifying a user from the data is reduced. |
| 20 | | De-identification includes a range of techniques and differing |
| 21 | | levels or re-identification risk. Data that is fully |
| 22 | | de-identified such that it becomes anonymous data is no longer |
| 23 | | identifiable data. Data that is de-identified to a lesser |
| 24 | | extent remains identifiable data. |
| 25 | | "Do-not-track signal" means a signal sent by a web browser |
| 26 | | or similar user agent that conveys a user's choice regarding |
|
| | 10200SB0731sam003 | - 3 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | online tracking, reflects a deliberate choice by the user, and |
| 2 | | otherwise complies with the latest Tracking Preference |
| 3 | | Expression (DNT) specifications published by the World Wide |
| 4 | | Web Consortium. |
| 5 | | "First party" means, with respect to a given user action, |
| 6 | | a party with which the user intends to interact, via one or |
| 7 | | more network interactions, as a result of that action. |
| 8 | | (1) Typically, when a user visits a website, the first |
| 9 | | party is the organization identified in the website URL or |
| 10 | | whose branding is most prominent on the website. |
| 11 | | (2) More than one party can be a first party with |
| 12 | | regard to a given user action. |
| 13 | | (3) The mere presence of a first party's website of |
| 14 | | embedded content from another party does not make that |
| 15 | | other party a first party, and merely hovering over, |
| 16 | | muting, pausing, or closing a given piece of content does |
| 17 | | not constitute a user's intent to interact with a party. |
| 18 | | When a user visits an organization's website that displays |
| 19 | | advertisements from a third-party ad network, the |
| 20 | | organization is a first party and the ad network is a third |
| 21 | | party. When a user signs into an organization's website |
| 22 | | using a sign-in method provided by another party, the |
| 23 | | organization is a first party and the sign-in provider is |
| 24 | | a third party with respect to user actions in that |
| 25 | | website. |
| 26 | | "Identifiable data" means data from which the user can be |
|
| | 10200SB0731sam003 | - 4 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | singled out or identified, directly or indirectly, by that |
| 2 | | data alone or in combination with other data. Identifiable |
| 3 | | data includes, but is not limited to, a user's contact |
| 4 | | information, such as email addresses and phone numbers, unique |
| 5 | | persistent identifiers, such as IP addresses, cross-session |
| 6 | | cookie IDs, and device identifiers including derived through |
| 7 | | device fingerprinting and probabilistic techniques), and any |
| 8 | | other data associated with such identifiers. Identifiable data |
| 9 | | does not include anonymous data. |
| 10 | | "Network interaction" means an online connection |
| 11 | | consisting of an HTTP or HTTPS request and as many |
| 12 | | corresponding responses as are necessary to respond to a |
| 13 | | single user action. A user interaction or session with a |
| 14 | | website or other resource frequently consists of many network |
| 15 | | interactions. |
| 16 | | "Organization" means a legal entity. Such term does not |
| 17 | | include government agencies or users. |
| 18 | | "Party" means a user, an organization, or a group of legal |
| 19 | | entities that share common ownership and control, operate as |
| 20 | | an integrated enterprise, and have a group identity that is |
| 21 | | easily discoverable by a user. Common branding or publishing a |
| 22 | | list of affiliates that is readily available online via a |
| 23 | | prominent link from a resource where a party describes its |
| 24 | | Tracking Preference Expression (DNT) practices are deemed |
| 25 | | easily discoverable. With respect to a user action, a party is |
| 26 | | either a first party or a third party, but not both. |
|
| | 10200SB0731sam003 | - 5 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | "Personalize" means to use identifiable data to alter the |
| 2 | | experience of a user, including, but not limited to, the |
| 3 | | content or advertising displayed to the user. |
| 4 | | "Process" means to collect, use, or share data. |
| 5 | | "Resource" means a single online destination or |
| 6 | | experience, such as a website, streaming service, online game, |
| 7 | | digital assistant, or other online service, accessed by a user |
| 8 | | through the use of a user agent. |
| 9 | | "Service provider" means an organization that processes |
| 10 | | identifiable data on behalf of another organization. A service |
| 11 | | provider has no right to use any identifiable data for its own |
| 12 | | purposes. |
| 13 | | "Share" means, with respect to collected data, to transfer |
| 14 | | or provide a copy of such data to any third party. |
| 15 | | "Third party" means, for any user action, any party other |
| 16 | | than the user, a first party to that user action, or a service |
| 17 | | provider action on behalf of either the user or a first party. |
| 18 | | "Tracking" or "track" means to (i) collect data regarding |
| 19 | | a user action of a particular user, (ii) process such data |
| 20 | | outside the context in which the user action occurred, (iii) |
| 21 | | facilitate the creation of a user profile, or (iv) personalize |
| 22 | | that user's online experience. For the purposes of this |
| 23 | | definition, processing data related to a device used by a user |
| 24 | | or the user's household shall be considered processing data |
| 25 | | related to the user. |
| 26 | | "User" means a natural person residing in this State who |
|
| | 10200SB0731sam003 | - 6 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | uses the Internet. |
| 2 | | "User action" means a deliberate online action by the |
| 3 | | user, via configuration, invocation, or selection, to initiate |
| 4 | | a network interaction. Selection of a link, submission of a |
| 5 | | form, and reloading a page are examples of user actions. |
| 6 | | "User agent" means any of the various client programs |
| 7 | | capable of initiating network interactions, including, but not |
| 8 | | limited to, browsers, web-based robots, command-line tools, |
| 9 | | native applications, mobile apps, or Internet-connected |
| 10 | | devices.
|
| 11 | | Section 10. Response to do-not-track signals. |
| 12 | | (a) In general. Except as permitted in this Section, a |
| 13 | | party to a user action that receives a do-not-track signal |
| 14 | | indicating a user preference not to be tracked shall not |
| 15 | | track. |
| 16 | | (b) Exceptions. |
| 17 | | (1) First party. A first party to a user action within |
| 18 | | a context to which the user has affirmatively signed in |
| 19 | | may process data received from such user action, including |
| 20 | | for personalized content, services, and advertising, |
| 21 | | within that context. However, a first party shall not |
| 22 | | share such data with a third party. For the purposes of |
| 23 | | this paragraph, a user is signed into a context when the |
| 24 | | user has affirmatively authenticated and identified |
| 25 | | oneself by entering a username and password, or similar |
|
| | 10200SB0731sam003 | - 7 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | credentials. |
| 2 | | (2) Anonymous data. Data that has been sufficiently |
| 3 | | de-identified such that it is rendered anonymous data may |
| 4 | | be processed for any purpose, including outside the |
| 5 | | context of the user actions from which it originates, or |
| 6 | | across multiple contexts. |
| 7 | | (3) Consent. A party may disregard a user's |
| 8 | | do-not-track signal when the user has given express |
| 9 | | affirmative consent to track. A user may give consent |
| 10 | | through a technical means defined in the Tracking |
| 11 | | Preference Expression (DNT) specification published by the |
| 12 | | World Wide Web Consortium or through a separate mechanism |
| 13 | | such as an online or offline consent form that |
| 14 | | demonstrates a specific and voluntary choice of the user. |
| 15 | | For instance, accepting a general or broad terms of use |
| 16 | | document that contains a clause regarding tracing does not |
| 17 | | constitute express affirmation consent for the purposes of |
| 18 | | this Act. Likewise, agreement obtained through a user |
| 19 | | interface designed or manipulated with the purpose of |
| 20 | | substantial effect of subverting or impairing user |
| 21 | | autonomy, decision-making, or choice does not constitute |
| 22 | | consent for the purposes of this Act. When relying on |
| 23 | | consent from a user given through a separate mechanism, a |
| 24 | | party must provide notice in accordance with Section 20. |
| 25 | | (4) Permitted uses. |
| 26 | | (A) In general. An organization may process data |
|
| | 10200SB0731sam003 | - 8 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | for the uses specified in subparagraphs (B), (C), (D), |
| 2 | | (E), (F), and (G), provided the organization: |
| 3 | | (i) limits the amount of identifiable data |
| 4 | | collected to that which is strictly needed for the |
| 5 | | permitted uses; |
| 6 | | (ii) limits the retention of identifiable data |
| 7 | | to no longer than what is reasonably needed for |
| 8 | | the permitted uses; |
| 9 | | (iii) uses anonymous data to the extent the |
| 10 | | permitted uses can be achieved with such data, or |
| 11 | | otherwise de-identifies the identifiable data to |
| 12 | | the greatest extent that is compatible with the |
| 13 | | permitted uses; |
| 14 | | (iv) processes the data separately from |
| 15 | | systems that are used for purposes other than the |
| 16 | | permitted uses specified in this Section; and |
| 17 | | (v) does not process the data beyond the |
| 18 | | permitted uses. |
| 19 | | (B) Providing a service. An organization may |
| 20 | | process data to the extent necessary to effectuate a |
| 21 | | transaction with the user, or to provide a product or |
| 22 | | service to a user, provided the user has consented to |
| 23 | | or authorized the transaction or the provision of the |
| 24 | | product or service and any tracking, including |
| 25 | | personalization, that is a necessary or inherent part |
| 26 | | of that transaction, product, or service would have |
|
| | 10200SB0731sam003 | - 9 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | been clear to the user at the time of such consent or |
| 2 | | authorization. If such processing requires sharing |
| 3 | | data with a third party, such third party may not |
| 4 | | process the data for any other purpose. |
| 5 | | (C) Security. An organization may process data to |
| 6 | | the extent reasonably necessary to detect security |
| 7 | | incidents, protect the website or other resource |
| 8 | | accessed by the user against malicious, deceptive, |
| 9 | | fraudulent, or illegal activity, and prosecute those |
| 10 | | responsible for such activity. |
| 11 | | (D) Debugging. An organization may process data |
| 12 | | for debugging purposes to identify and repair errors |
| 13 | | that impair the existing functionality of the website |
| 14 | | or other resource accessed by the user. |
| 15 | | (E) Financial logging. An organization may process |
| 16 | | data for billing and auditing related to network |
| 17 | | interactions and related transactions. |
| 18 | | (F) Research. An organization may process data to |
| 19 | | conduct security research. |
| 20 | | (G) Journalism. An organization may process data |
| 21 | | as necessary for news gathering purposes by |
| 22 | | journalists or other purposes protected by the First |
| 23 | | Amendment of the United States Constitution. |
| 24 | | (5) Technical errors. Data that is processed by a |
| 25 | | party due to a technical error does not violate this Act if |
| 26 | | such error is unintentional and unexpected, and within 30 |
|
| | 10200SB0731sam003 | - 10 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | days of the party discovering or receiving a report of the |
| 2 | | error: (i) the error is corrected, (ii) any processing by |
| 3 | | the party that is otherwise prohibited is stopped, and |
| 4 | | (iii) the party deletes any data that should not have been |
| 5 | | collected.
|
| 6 | | Section 15. Contractual obligations and liability. A first |
| 7 | | party that enables or permits a third party to engage in |
| 8 | | tracking on or through the first party's website or other |
| 9 | | resource: |
| 10 | | (1) Must require the third party, through a contract, |
| 11 | | terms of service, or similar binding and enforceable legal |
| 12 | | agreement, to comply with this Act. |
| 13 | | (2) Shall be liable for the third party's |
| 14 | | non-compliance with this Act if the first party knew or |
| 15 | | could have upon the exercise of due diligence known of the |
| 16 | | third party's non-compliance and failed to take adequate |
| 17 | | corrective action.
|
| 18 | | Section 20. Transparency. An organization that engages in |
| 19 | | tracking shall describe, in understandable language and syntax |
| 20 | | such that an ordinary user can comprehend, its practices with |
| 21 | | respect to do-not-track signals in its privacy statement or |
| 22 | | similar notice, available through a clear and prominent link |
| 23 | | on the home page of its website. The description required |
| 24 | | under this paragraph must include at least the following |
|
| | 10200SB0731sam003 | - 11 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | information: |
| 2 | | (1) the exceptions or permitted uses under this Act |
| 3 | | under which the organization processes data; |
| 4 | | (2) the effects on the user, if any, resulting from a |
| 5 | | do-not-track signal, including if any webpages, features, |
| 6 | | or services are not available or reduced in functionality; |
| 7 | | (3) if the organization obtains out-of-band consent to |
| 8 | | disregard the do-not-track signal, a description of how a |
| 9 | | user may give and revoke consent, and the scope of any such |
| 10 | | consent, and the anticipated effect of the consent or |
| 11 | | revocation on the user; |
| 12 | | (4) the time period or periods for which identifiable |
| 13 | | data collected by the organization is retained or the |
| 14 | | criteria used to determine such time periods, and whether |
| 15 | | such identifiable data is rendered anonymous data in lieu |
| 16 | | of being deleted; and |
| 17 | | (5) how a user may contact the organization with any |
| 18 | | inquiries or complaints regarding the organization's |
| 19 | | do-not-track practices.
|
| 20 | | Section 25. No circumvention. A party shall not block or |
| 21 | | take similar actions to avoid receiving a user's do-not-track |
| 22 | | signal. Nor shall any party take other actions to circumvent |
| 23 | | the effectiveness of do-not-track signals.
|
| 24 | | Section 30. Enforcement. |
|
| | 10200SB0731sam003 | - 12 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | (a) De facto and de jure harm. Users from whom |
| 2 | | identifiable information has been processed in violation of |
| 3 | | this Act shall be deemed to have been harmed by such |
| 4 | | violations. |
| 5 | | (b) Enforcement by the Attorney General. Whenever the |
| 6 | | Attorney General has reasonable cause to believe that a party |
| 7 | | or organization has engaged in a violation of this Act, the |
| 8 | | Attorney General shall enforce the provisions of this Act by |
| 9 | | bringing a civil action on behalf of the people of this State |
| 10 | | in a court of competent jurisdiction: |
| 11 | | (1) to enjoin further violation of this Act by the |
| 12 | | defendant; or |
| 13 | | (2) to obtain damages on behalf of the people of this |
| 14 | | State, in the amount authorized under State law or as |
| 15 | | permitted under federal law, whichever is greater. |
| 16 | | (c) A user from whom identifiable information has been |
| 17 | | processed in violation of this Act may bring a civil action in |
| 18 | | any court of competent jurisdiction: |
| 19 | | (1) to enjoin further violation of this Act by the |
| 20 | | defendant; or |
| 21 | | (2) to obtain damages, in the amount of $1,000 or |
| 22 | | actual damages shown, whichever is greater. |
| 23 | | (d) Attorney fees. In the case of any successful action |
| 24 | | under this Section, the court, in its discretion, may award |
| 25 | | the costs of the action and reasonable attorney fees to the |
| 26 | | State or the user.
|
|
| | 10200SB0731sam003 | - 13 - | LRB102 17247 KTG 25022 a |
|
|
| 1 | | Section 35. Home rule preemption. Except as otherwise |
| 2 | | provided in this Act, the regulation of the activities |
| 3 | | described in this Act are the exclusive powers and functions |
| 4 | | of the State. Except as otherwise provided in this Act, a unit |
| 5 | | of local government, including a home rule unit, may not |
| 6 | | regulate the activities described in this Act. This Section is |
| 7 | | a denial and limitation of home rule powers and functions |
| 8 | | under subsection (h) of Section 6 of Article VII of the |
| 9 | | Illinois Constitution.
|
| 10 | | Section 97. Severability. The provisions of this Act are |
| 11 | | severable under Section 1.31 of the Statute on Statutes.
|
| 12 | | Section 99. Effective date. This Act takes effect January |
| 13 | | 1, 2022.".
|