103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB1365

 

Introduced 2/6/2023, by Sen. Michael W. Halpin

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government. Provides findings and purpose. Defines terms.


LRB103 29024 DTM 55410 b

 

 

A BILL FOR

 


    AN ACT concerning regulation.
 
    Be it enacted by the People of the State of Illinois, represented in the General Assembly:
 
    Section 1. Short title. This Act may be cited as the Right to Know Act.
 
    Section 5. Findings and purpose. The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
 
    Section 10. Definitions. As used in this Act:
    "Categories of personal information" includes, but is not limited to, the following:
        (a) Identity information including, but not limited to, real name, alias, nickname, and user name.
        (b) Address information, including, but not limited to, postal or email.
        (c) Telephone number.
        (d) Account name.
        (e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
        (f) Birthdate or age.
        (g) Physical characteristic information, including, but not limited to, height and weight.
        (h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
        (i) Race or ethnicity.
        (j) Religious affiliation or activity.
        (k) Political affiliation or activity.
        (l) Professional or employment-related information.
        (m) Educational information.
        (n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
        (o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
        (p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
        (q) Location information.
        (r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
        (s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
        (t) Any of the above categories of information as they pertain to the children of the customer.
    "Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
    "Designated request address" means an email address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.
    "Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:
        (a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties, and (ii) the private entity effectively enforces these prohibitions.
        (b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
        (c) Disclosure of personal information by a private entity to a third party (i) that is reasonably necessary to address fraud, security, or technical issues, (ii) to protect the disclosing private entity's rights or property, or (iii) to protect customers or the public from illegal activities as required or permitted by law.
    "Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
    "Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.
    "Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information, (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information, or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.
 
    Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service, (ii) identify all categories of third party persons or entities with whom the operator may disclose that personally identifiable information, and (iii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.
 
    Section 20. Disclosure of a customer's personal information to a third party.
    (a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
        (1) all categories of personal information that were disclosed; and
        (2) the names of all third parties that received the customer's personal information.
    (b) This Section applies only to personal information disclosed after the effective date of this Act.
 
    Section 25. Information availability service.
    (a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.
    (b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.

    Section 30. Data protection safety plan. Each manufacturer or company doing business in this State, or which collects personal information from customers who are residents of this State, shall develop a safety plan for the protection of customer data.
 
    Section 35. Right of action. Any person whose rights under this Act are violated shall have a right of action against an offending party, and shall recover: (i) liquidated damages of $10 or actual damages, whichever is greater; (ii) injunctive relief, if appropriate; and (iii) reasonable attorneys' fees, costs, and expenses.
 
    Section 40. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.
 
    Section 45. Construction.
    (a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated under that Act.
    (b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the regulations promulgated under that Act.
    (c) Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.
    (d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.