AN ACT concerning financial institutions.
Be it enacted by the People of the State of Illinois, represented in the General Assembly:
Section 1. Short title. This Act may be cited as the Illinois Financial Information Privacy Act.
Section 5. Legislative purpose.
(a) The General Assembly intends for financial institutions to provide their consumers notice and meaningful choice about how consumers' nonpublic personal information is shared or sold by their financial institutions.
(b) It is the intent of the General Assembly in enacting the Illinois Financial Information Privacy Act to afford persons greater privacy protections than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this Act be interpreted to be consistent with that purpose.
Section 10. Definitions. For the purposes of this Act:
(a) "Nonpublic personal information" means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
(b) "Personally identifiable financial information" means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:
    (1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.
    (2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.
    (3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.
    (4) Any information about a financial institution's consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer.
    (5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
    (6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.
    (7) Information from a consumer report.
(c) "Financial institution" means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this State. An institution that is not significantly engaged in financial activities is not a financial institution. The term "financial institution" does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term "financial institution" does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client. The term "financial institution" does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. Nothing in this Act applies to the Motor Vehicle Retail Installment Sales Act, the Motor Vehicle Leasing Act, or the Retail Installment Sales Act.
(d) "Affiliate" means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this Act.
(e) "Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.
(f) "Consumer" means an individual resident of this State, or that individual's legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this Act, an individual resident of this State is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this State. For purposes of this Act, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers' compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this Act to the plan sponsor, group or blanket insurance policyholder, or group annuity contract holder.
(g) "Control" means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.
(h) "Necessary to effect, administer, or enforce" means the following:
    (1) The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:
        (A) Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.
        (B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.
        (C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:
            (i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.
            (ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.
    (2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service.
    (3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer's request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer's insurance:
        (A) Account administration.
        (B) Reporting, investigating, or preventing fraud or material misrepresentation.
        (C) Processing premium payments.
        (D) Processing insurance claims.
        (E) Administering insurance benefits, including utilization review activities.
        (F) Participating in research projects.
        (G) As otherwise required or specifically permitted by federal or state law.
    (4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:
        (A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means.
        (B) The transfer of receivables, accounts, or interests therein.
        (C) The audit of debit, credit, or other payment information.
    (5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.
(i) "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(j) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.
(k) "Widely distributed media" means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.
Section 15. Prior consent. Except as provided in Sections 25, 35, and 45, a financial institution shall not sell, share, transfer, or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.
Section 20. Disclosure.
(a) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, any nonaffiliated third party as prohibited by Section 15, unless the financial institution has obtained a consent acknowledgment from the consumer that authorizes the financial institution to disclose or share the nonpublic personal information. Nothing in this Section shall prohibit or otherwise apply to the disclosure of nonpublic personal information as allowed in Section 40. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent pursuant to this Section and Section 15 to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. Nothing in this Section shall prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the product or service to a consumer without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. A financial institution shall not be liable for failing to offer products and services to a consumer solely because that consumer has failed to provide consent pursuant to this Section and Section 15 and the financial institution could not offer the product or service without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.
(b)(1) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subsection (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this Act.
    (2) Subsection (a) of this Section shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:
        (A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.
        (B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.
        (C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.
        (D) The financial institution that releases the nonpublic personal information has complied with subsection (d) and the consumer has not directed that the nonpublic personal information not be disclosed.
        (E) Notwithstanding this Section, until January 1, 2006, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2005. Beginning on January 1, 2006, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subsection are met.
    (3) Nothing in this subsection shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this Act.
    (4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subsection that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed pursuant to this subsection. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subsection. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this Act. Nothing in this Section shall prohibit the disclosure of nonpublic personal information allowed by Section 40.
    (5) The financial institution may, at its option, choose instead to comply with the requirements of subsection (a).
(c) Nothing in this Act shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are met:
    (1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subsection, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this State to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this paragraph.
    (2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subsection, "same line of business" shall be one and only one of the following:
        (A) Insurance.
        (B) Banking.
        (C) Securities.
    (3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and services provided. A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly owned subsidiaries. Nothing in this subsection shall permit the disclosure by a financial institution of medical record information, as defined in the Illinois Insurance Code, except in compliance with the requirements of this Act, including the requirements set forth in subsections (a) and (b).
(d)(1) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer's directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subsection (b) shall provide the consumer with a form that meets the requirements of this subsection, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer. Nothing in this subsection shall prohibit the disclosure of nonpublic personal information as allowed by subsection (c) or Section 40.
(2) A financial institution may elect to comply with the requirements of subsection (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subsection (b), or subsection (c) of Section 35.
(3) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.
(4) A financial institution with assets in excess of $25,000,000 shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including $25,000,000 shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subsection the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.
(5) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.
(e) Nothing in this Act shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 40 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.
Section 25. Receipt of nonpublic personal information. Except as otherwise provided in this Act, an entity that receives nonpublic personal information from a financial institution under this Act shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. An entity that receives nonpublic personal information pursuant to any exception set forth in Section 45 shall not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received.
Section 30. Notice.
(a) Nothing in this Act shall require a financial institution to provide a written notice to a consumer pursuant to Section 20 if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate, except as allowed in this Act.
(b) A notice provided to a member of a household pursuant to Section 20 shall be considered notice to all members of that household unless that household contains another individual who also has a separate account with the financial institution.
(c)(1) The requirement to send a written notice to a consumer may be fulfilled by electronic means if the following requirements are met:
(A) The notice, and the manner in which it is sent, meets all of the requirements for notices that are required by law to be in writing, as set forth in Section 101 of the federal Electronic Signatures in Global and National Commerce Act.
(B) All other requirements applicable to the notice, as set forth in this Act, are met, including, but not limited to, requirements concerning content, timing, form, and delivery. An electronic notice sent pursuant to this section is not required to include a return envelope.
(C) The notice is delivered to the consumer in a form the consumer may keep.
(2) A notice that is made available to a consumer, and is not delivered to the consumer, does not satisfy the requirements of paragraph (1).
(3) Any electronic consumer reply to an electronic notice sent pursuant to this Act is effective. A person that electronically sends a notice required by this Act to a consumer may not by contract, or otherwise, eliminate the effectiveness of the consumer's electronic reply.
(4) This Act modifies the provisions of Section 101 of the federal Electronic Signatures in Global and National Commerce Act. However, it does not modify, limit, or supersede the provisions of subsection (c), (d), (e), (f), or (h) of Section 101 of the federal Electronic Signatures in Global and National Commerce Act, nor does it authorize electronic delivery of any notice of the type described in subsection (b) of Section 103 of that federal act.
Section 35. Affinity partners.
(a) When a financial institution and an organization or business entity that is not a financial institution ("affinity partner") have an agreement to issue a credit card in the name of the affinity partner ("affinity card"), the financial institution shall be permitted to disclose to the affinity partner in whose name the card is issued only the following information pertaining to the financial institution's customers who are in receipt of the affinity card: (1) name, address, telephone number, and electronic mail address and (2) record of purchases made using the affinity card in a business establishment, including a Web site, bearing the brand name of the affinity partner.
(b) When a financial institution and an affinity partner have an agreement to issue a financial product or service, other than a credit card, on behalf of the affinity partner ("affinity financial product or service"), the financial institution shall be permitted to disclose to the affinity partner only the following information pertaining to the financial institution's customers who obtained the affinity financial product or service: name, address, telephone number, and electronic mail address.
(c) The disclosures specified in subsections (a) and (b) shall be permitted only if the following requirements are met:
(1) The financial institution has provided the consumer a notice meeting the requirements of subsection (d) of Section 20, and the consumer has not directed that nonpublic personal information not be disclosed. A response to a notice meeting the requirements of subsection (d) directing the financial institution to not disclose nonpublic personal information to a nonaffiliated financial institution shall be deemed a direction to the financial institution to not disclose nonpublic personal information to an affinity partner, unless the form containing the notice provides the consumer with a separate choice for disclosure to affinity partners.
(2) The financial institution has a contractual agreement with the affinity partner that requires the affinity partner to maintain the confidentiality of the nonpublic personal information and prohibits affinity partners from using the information for any purposes other than verifying membership, verifying the consumer's contact information, or offering the affinity partner's own products or services to the consumer.
(3) The customer list is not disclosed in any way that reveals or permits extrapolation of any additional nonpublic personal information about any customer on the list.
(4) If the affinity partner sends any message to any electronic mail addresses obtained pursuant to this section, the message shall include at least both of the following:
(A) The identity of the sender of the message.
(B) A cost-free means for the recipient to notify the sender not to electronically mail any further message to the recipient.
(d) Nothing in this Section shall prohibit the disclosure of nonpublic personal information pursuant to Section 40.
(e) This Section does not apply to credit cards issued in the name of an entity primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales.
Section 40. Release of nonpublic personal information.
(a) This Act shall not apply to information that is not personally identifiable to a particular person.
(b) Notwithstanding Sections 15, 20, 30, and 35, a financial institution may release nonpublic personal information under the following circumstances:
(1) The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.
(2) The nonpublic personal information is released with the consent of or at the direction of the consumer.
(3) The nonpublic personal information is:
(A) Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein.
(B) Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.
(C) Released for required institutional risk control, or for resolving customer disputes or inquiries.
(D) Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.
(E) Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.
(4) The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors.
(5) The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the Illinois Department of Insurance, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.
(6) The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.
(7) The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
(8) When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to the Elder Abuse and Neglect Act.
(9) The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:
(A) The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.
(B) There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.
(C) The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.
(D) The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.
(10) The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.
(11) The nonpublic personal information is released to a real estate appraiser licensed or certified by the State and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.
(12) The nonpublic personal information is released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).
(13) The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.
(14) The nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement.
(c) Nothing in this Act is intended to change existing law relating to access by law enforcement agencies to information held by financial institutions.
Section 45. Application.
(a) The provisions of this Act do not apply to any person or entity that meets the requirements of paragraph (1) or (2) below. However, when nonpublic personal information is being or will be shared by a person or entity meeting the requirements of paragraph (1) or (2) with an affiliate or nonaffiliated third party, this Act shall apply.
(1) The person or entity is licensed in one or both of the following categories and is acting within the scope of the respective license or certificate:
(A) As an insurance producer, certified under the Illinois Insurance Code, as a registered investment adviser under the Illinois Securities Law of 1953, or as an investment adviser pursuant to Section 202(a)(11) of the federal Investment Advisers Act of 1940.
(B) Is licensed to sell securities by the National Association of Securities Dealers (NASD).
(2) The person or entity meets the requirements in paragraph (1) and has a written contractual agreement with another person or entity described in paragraph (1) and the contract clearly and explicitly includes the following:
(A) The rights and obligations between the licensees arising out of the business relationship relating to insurance or securities transactions.
(B) An explicit limitation on the use of nonpublic personal information about a consumer to transactions authorized by the contract and permitted pursuant to this Act.
(C) A requirement that transactions specified in the contract fall within the scope of activities permitted by the licenses of the parties.
(b) The restrictions on disclosure and use of nonpublic personal information, and the requirement for notification and disclosure provided in this Act, shall not limit the ability of insurance producers and brokers to respond to written or electronic, including telephone, requests from consumers seeking price quotes on insurance products and services or to obtain competitive quotes to renew an existing insurance contract, provided that any nonpublic personal information disclosed pursuant to this subsection shall not be used or disclosed except in the ordinary course of business in order to obtain those quotes.
(c)(1) The disclosure or sharing of personal information from an insurer, as defined in Article XL of the Illinois Insurance Code, or its affiliates to an agent whose contractual or employment relationship requires that the agent offer only the insurer's policies for sale or financial products or services that meet the requirements of paragraph (2) of subsection (b) of Section 20 and are authorized by the insurer, or whose contractual or employment relationship with an insurer gives the insurer the right of first refusal for all policies of insurance by the agent, and who may not share nonpublic personal information with any insurer other than the insurer with whom the agent has a contractual or employment relationship as described above, is not a violation of this Act, provided that the agent may not disclose nonpublic personal information to any party except as permitted by this Act. An insurer or its affiliates do not disclose or share nonpublic personal information with exclusive agents merely because information is maintained in common information systems or databases, and exclusive agents of the insurer or its affiliates have access to those common information systems or databases, provided that where a consumer has exercised his or her rights to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an exclusive agent except as permitted by this Act.
(2) Nothing in this subsection is intended to affect the sharing of information allowed in subsection (a) or subsection (b).
Section 50. Negligence.
(a) An entity that negligently discloses or shares nonpublic personal information in violation of this Act shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subsection shall not exceed $500,000.
(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of this Act shall be liable for a civil penalty not to exceed $2,500 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.
(c) In determining the penalty to be assessed pursuant to a violation of this Act, the court shall take into account the following factors:
(1) The total assets and net worth of the violating entity.
(2) The nature and seriousness of the violation.
(3) The persistence of the violation, including any attempts to correct the situation leading to the violation.
(4) The length of time over which the violation occurred.
(5) The number of times the entity has violated this Act.
(6) The harm caused to consumers by the violation.
(7) The level of proceeds derived from the violation.
(8) The impact of possible penalties on the overall fiscal solvency of the violating entity.
(d) In the event a violation of this Act results in the identity theft of a consumer, as defined by Article 16g of the Criminal Code, the civil penalties set forth in this Section shall be doubled.
(e) The civil penalties provided for in this Section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of Illinois in any court of competent jurisdiction by any of the following:
(1) The Attorney General.
(2) The functional regulator with jurisdiction over regulation of the financial institution as follows:
(A) In the case of banks, savings associations, credit unions, commercial lending companies, and bank holding companies, by the Department of Financial Institutions or the Office of Banks and Real Estate, or the appropriate federal authority;
(B) in the case of any person engaged in the business of insurance, by the Department of Insurance;
(C) in the case of any investment broker or dealer, investment company, investment advisor, residential mortgage lender or finance lender, by the Illinois Secretary of State; and
(D) in the case of a financial institution not subject to the jurisdiction of any functional regulator listed under subparagraphs (A) to (C), inclusive, above, by the Attorney General.
Section 55. Authority of departments or agencies. Nothing in this Act shall be construed as altering or annulling the authority of any department or agency of the state to regulate any financial institution subject to its jurisdiction.
Section 60. Severability. The provisions of this Act shall be severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this Act shall not be affected thereby.