|
|
|
SB3036 Engrossed |
|
LRB094 18891 LJB 54335 b |
|
|
1 |
| AN ACT concerning business.
|
2 |
| Be it enacted by the People of the State of Illinois,
|
3 |
| represented in the General Assembly:
|
4 |
| Section 1. Short title. This Act may be cited as the |
5 |
| Consumer Protection Against Computer Spyware Act. |
6 |
| Section 5. Definitions. In this Act: |
7 |
| "Advertisement" means a communication that
includes the |
8 |
| promotion of a commercial product or service,
including |
9 |
| communication on an Internet website operated for a
commercial |
10 |
| purpose.
|
11 |
| "Cause computer software to be copied" means to
distribute |
12 |
| or transfer computer software or a component of computer
|
13 |
| software. The term does not include:
|
14 |
| (1) the transmission or routing of computer
software or |
15 |
| a component of the software;
|
16 |
| (2) the provision of intermediate temporary
storage or |
17 |
| caching of software;
|
18 |
| (3) the provision of a storage medium, such as a
|
19 |
| compact disk;
|
20 |
| (4) a website; |
21 |
| (5) the distribution of computer software by a
third |
22 |
| party through a computer server; or
|
23 |
| (6) the provision of an information location
tool, such |
24 |
| as a directory, index, reference, pointer, or hypertext
|
25 |
| link, through which the user of a computer is able to |
26 |
| locate
computer software.
|
27 |
| "Computer software" means a sequence of
instructions |
28 |
| written in a programming language that is executed on
a |
29 |
| computer. The term does not include:
|
30 |
| (1) a web page; or |
31 |
| (2) a data component of a web page that cannot be
|
32 |
| executed independently of that page.
|
|
|
|
SB3036 Engrossed |
- 2 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| "Damage" means,
with respect to a computer, significant |
2 |
| impairment to the integrity or availability of data,
computer |
3 |
| software, a system, or information.
|
4 |
| "Execute" means, with respect to computer software,
to |
5 |
| perform a function or carry out instructions.
|
6 |
| "Keystroke-logging function" means a function of a
|
7 |
| computer software program that records all keystrokes made by a
|
8 |
| person using a computer and transfers that information from the
|
9 |
| computer to another person.
|
10 |
| "Owner or operator of a computer" means the owner
or lessee |
11 |
| of a computer or an individual using a computer with the
|
12 |
| authorization of the owner or lessee of the computer. "Owner or |
13 |
| operator of a computer" does not
include the person who owned |
14 |
| the computer before the date on which
the computer was sold if |
15 |
| a computer
was sold at retail.
|
16 |
| "Person" means any individual, partnership,
corporation, |
17 |
| limited liability company, or other organization or a
|
18 |
| combination of those organizations.
|
19 |
| "Personally identifiable information", with
respect to an |
20 |
| individual who is the owner or operator of a computer,
means:
|
21 |
| (1) the first name or first initial in combination
with |
22 |
| the last name;
|
23 |
| (2) a home or other physical address, including
street |
24 |
| name;
|
25 |
| (3) an electronic mail address; |
26 |
| (4) a credit or debit card number; |
27 |
| (5) a bank account number; |
28 |
| (6) a password or access code associated with a
credit |
29 |
| or debit card or bank account;
|
30 |
| (7) a social security number, tax identification
|
31 |
| number, driver's license number, passport number, or other
|
32 |
| government-issued identification number; or
|
33 |
| (8) any of the following information if the
information |
34 |
| alone or in combination with other information
personally |
35 |
| identifies the individual:
|
36 |
| (A) account balances; |
|
|
|
SB3036 Engrossed |
- 3 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| (B) overdraft history; or |
2 |
| (C) payment history. |
3 |
| Section 10. Applicability of Act. |
4 |
| (a) Section
20, other than subdivision (1) of that Section, |
5 |
| and Sections
25 and 35 do not apply to a telecommunications |
6 |
| carrier,
cable operator, computer hardware or software |
7 |
| provider, or provider
of information service or interactive |
8 |
| computer service that
monitors or has interaction with a |
9 |
| subscriber's Internet or other
network connection or service or |
10 |
| a protected computer for the following:
|
11 |
| (1) network or computer security purposes; |
12 |
| (2) diagnostics, technical support, or repair
|
13 |
| purposes;
|
14 |
| (3) authorized updates of computer software or system
|
15 |
| firmware;
|
16 |
| (4) authorized remote system management; or |
17 |
| (5) detection or prevention of unauthorized use of or
|
18 |
| fraudulent or other illegal activities in connection with a
|
19 |
| network, service, or computer software, including scanning |
20 |
| for and
removing software proscribed under this Act.
|
21 |
| (b) This Act does not apply to the following: |
22 |
| (1) the use of a navigation device, any interaction
|
23 |
| with a navigation device, or the installation or use of |
24 |
| computer
software on a navigation device by a multichannel |
25 |
| video programming
distributor or video programmer in |
26 |
| connection with the provision of
multichannel video |
27 |
| programming or other services offered over a
multichannel |
28 |
| video programming system if the provision of the
|
29 |
| programming or other service is subject to 47 U.S.C. |
30 |
| Section 338(i)
or 551; or
|
31 |
| (2) the collection or disclosure of subscriber
|
32 |
| information by a multichannel video programming |
33 |
| distributor or
video programmer in connection with the |
34 |
| provision of multichannel
video programming or other |
35 |
| services offered over a multichannel
video programming |
|
|
|
SB3036 Engrossed |
- 4 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| system if the collection or disclosure of the
information |
2 |
| is subject to 47 U.S.C. Section 338(i) or 551.
|
3 |
| (c) In this Section, "multichannel video programming
|
4 |
| distributor" has the meaning assigned by 47 U.S.C. Section |
5 |
| 522(13).
|
6 |
| (d) A manufacturer or retailer of computer equipment shall |
7 |
| not be liable under this Act to the extent that the |
8 |
| manufacturer or retailer is providing third-party branded |
9 |
| software loaded on the equipment they are manufacturing or |
10 |
| selling. |
11 |
| Section 15. Unauthorized collection or culling of
|
12 |
| personally identifiable information. If a person is not the |
13 |
| owner
or operator of the computer, the person may not knowingly |
14 |
| cause
computer software to be copied to a computer in this |
15 |
| State and use
the software to do any of the following:
|
16 |
| (1) collect, through intentionally deceptive means: |
17 |
| (A) personally identifiable information by using
a |
18 |
| keystroke-logging function; or
|
19 |
| (B) personally identifiable information in a
|
20 |
| manner that correlates that information with |
21 |
| information regarding
all or substantially all of the |
22 |
| websites visited by the owner or
operator of the |
23 |
| computer, other than websites operated by the
person |
24 |
| collecting the information; or
|
25 |
| (2) gather, through intentionally deceptive means, the
|
26 |
| following kinds of personally identifiable information |
27 |
| from the
consumer's computer hard drive for a purpose |
28 |
| wholly unrelated to
any of the purposes of the software or |
29 |
| service described to an owner
or operator of the computer:
|
30 |
| (A) a credit or debit card number; |
31 |
| (B) a bank account number; |
32 |
| (C) a password or access code associated with a
|
33 |
| credit or debit card number or a bank account;
|
34 |
| (D) a social security number; |
35 |
| (E) account balances; or |
|
|
|
SB3036 Engrossed |
- 5 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| (F) overdraft history. |
2 |
| Section 20. Unauthorized access to or modifications of
|
3 |
| computer settings; computer damage. If a person is not the |
4 |
| owner or
operator of the computer, the person may not knowingly |
5 |
| cause
computer software to be copied to a computer in this |
6 |
| State and use
the software to do any of the following:
|
7 |
| (1) Modify, through intentionally deceptive means, a
|
8 |
| setting that controls:
|
9 |
| (A) the page that appears when an Internet
browser |
10 |
| or a similar software program is launched to access and
|
11 |
| navigate the Internet;
|
12 |
| (B) the default provider or web proxy used to
|
13 |
| access or search the Internet; or
|
14 |
| (C) a list of bookmarks used to access web pages. |
15 |
| (2) Take control of the computer by: |
16 |
| (A) accessing or using the computer's modem or
|
17 |
| Internet service to:
|
18 |
| (i) cause damage to the computer; |
19 |
| (ii) cause the owner or operator of the
|
20 |
| computer to incur financial charges for a service |
21 |
| not previously
authorized by the owner or |
22 |
| operator; or
|
23 |
| (iii) cause a third party affected by the
|
24 |
| conduct to incur financial charges for a service |
25 |
| not previously
authorized by the third party; or
|
26 |
| (B) opening, without the consent of the owner or
|
27 |
| operator of the computer, an advertisement that:
|
28 |
| (i) is in the owner's or operator's Internet
|
29 |
| browser in a multiple, sequential, or stand-alone |
30 |
| form; and
|
31 |
| (ii) cannot be closed by an ordinarily
|
32 |
| reasonable person using the computer without |
33 |
| closing the browser or
shutting down the computer.
|
34 |
| (3) Modify settings on the computer that relate to
|
35 |
| access to or use of the Internet and protection of |
|
|
|
SB3036 Engrossed |
- 6 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| information for
purposes of stealing personally |
2 |
| identifiable information of the
owner or operator of the |
3 |
| computer.
|
4 |
| (4) Modify security settings on the computer relating
|
5 |
| to access to or use of the Internet for purposes of causing |
6 |
| damage
to one or more computers.
|
7 |
| Section 25. Unauthorized interference with installation
or |
8 |
| disabling of computer software. If a person is not the owner or
|
9 |
| operator of the computer, the person may not knowingly cause
|
10 |
| computer software to be copied to a computer in this State and |
11 |
| use
the software to do any of the following:
|
12 |
| (1) Prevent, through intentionally deceptive means,
|
13 |
| reasonable efforts of the owner or operator of the computer |
14 |
| to block
the installation or execution of or to disable |
15 |
| computer software by
causing computer software that the |
16 |
| owner or operator has properly
removed or disabled to |
17 |
| automatically reinstall or reactivate on the
computer.
|
18 |
| (2) Intentionally misrepresent to another that
|
19 |
| computer software will be uninstalled or disabled by the |
20 |
| actions of
the owner or operator of the computer.
|
21 |
| (3) Remove, disable, or render inoperative, through
|
22 |
| intentionally deceptive means, security, antispyware, or |
23 |
| antivirus
computer software installed on the computer. |
24 |
| (4) Prevent the owner's or operator's reasonable
|
25 |
| efforts to block the installation of or to disable computer
|
26 |
| software by:
|
27 |
| (A) presenting the owner or operator with an
option |
28 |
| to decline the installation of software knowing that, |
29 |
| when
the option is selected, the installation process |
30 |
| will continue to
proceed; or
|
31 |
| (B) misrepresenting that software has been
|
32 |
| disabled.
|
33 |
| (5) Change the name, location, or other designation of
|
34 |
| computer software to prevent the owner from locating and |
35 |
| removing
the software.
|
|
|
|
SB3036 Engrossed |
- 7 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| (6) Create randomized or intentionally deceptive file
|
2 |
| names or random or intentionally deceptive directory |
3 |
| folders,
formats, or registry entries to avoid detection |
4 |
| and prevent the
owner from removing computer software.
|
5 |
| Section 30. Knowing violation. A person knowingly
violates |
6 |
| Section 15, 20, or 25 if the person does either of the |
7 |
| following:
|
8 |
| (1) acts with actual knowledge of the facts that
|
9 |
| constitute the violation; or
|
10 |
| (2) consciously avoids information that would
|
11 |
| establish actual knowledge of those facts.
|
12 |
| Section 35. Other prohibited conduct. If a person is not
|
13 |
| the owner or operator of the computer, the person may not do |
14 |
| any of the following:
|
15 |
| (1) induce the owner or operator of a computer in this
|
16 |
| State to install a computer software component to the |
17 |
| computer by
intentionally misrepresenting the extent to |
18 |
| which the installation
is necessary for security or privacy |
19 |
| reasons, to open or view text,
or to play a particular type |
20 |
| of musical or other content; or
|
21 |
| (2) copy and execute or cause the copying and
execution |
22 |
| of a computer software component to a computer in this
|
23 |
| State in a deceptive manner with the intent of causing the |
24 |
| owner or
operator of the computer to use the component in a |
25 |
| manner that
violates this Act.
|
26 |
| Section 40. Deceptive act or omission. For purposes of
this |
27 |
| Act, a person is considered to have acted through
intentionally |
28 |
| deceptive means if the person, with the intent to
deceive an |
29 |
| owner or operator of a computer does any of the following:
|
30 |
| (1) intentionally makes a materially false or
|
31 |
| fraudulent statement;
|
32 |
| (2) intentionally makes a statement or uses a
|
33 |
| description that omits or misrepresents material |
|
|
|
SB3036 Engrossed |
- 8 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| information; or
|
2 |
| (3) intentionally and materially fails to provide to
|
3 |
| the owner or operator any notice regarding the installation |
4 |
| or
execution of computer software.
|
5 |
| Section 45. Civil remedy. |
6 |
| (a) The following persons, if
adversely affected by the |
7 |
| violation, may bring a civil action
against a person who |
8 |
| violates this Act:
|
9 |
| (1) a provider of computer hardware or software; |
10 |
| (2) an owner of a web page or trademark; |
11 |
| (3) a telecommunications carrier; |
12 |
| (4) a cable operator; or |
13 |
| (5) an Internet service provider. |
14 |
| (b) In addition to any other remedy provided by law and
|
15 |
| except as provided by subsection (g) of this Section, a person |
16 |
| bringing an action
under this Section may:
|
17 |
| (1) seek injunctive relief to restrain the violator
|
18 |
| from continuing the violation;
|
19 |
| (2) recover damages in an amount equal to the greater
|
20 |
| of:
|
21 |
| (A) actual damages arising from the violation; or |
22 |
| (B) $100,000 for each violation of the same
nature; |
23 |
| or
|
24 |
| (3) both seek injunctive relief and recover damages as
|
25 |
| provided by this subsection (b).
|
26 |
| (c) The circuit court may increase an award of actual |
27 |
| damages in an
action brought under subsection (b) to an amount |
28 |
| not to exceed 3
times the actual damages sustained if the court |
29 |
| finds that the
violations have occurred with a frequency as to |
30 |
| constitute a
pattern or practice.
|
31 |
| (d) A plaintiff who prevails in an action filed under
|
32 |
| subsection (b) is entitled to recover reasonable attorney's |
33 |
| fees
and court costs.
|
34 |
| (e) Each separate violation of this Act is an actionable
|
35 |
| violation.
|
|
|
|
SB3036 Engrossed |
- 9 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| (f) For purposes of subsection (b), violations are of the
|
2 |
| same nature if the violations consist of the same course of |
3 |
| conduct
or action, regardless of the number of times the |
4 |
| conduct or act
occurred.
|
5 |
| (g) In the case of a violation of Section 20 that causes
a |
6 |
| telecommunications carrier or cable operator to incur costs for
|
7 |
| the origination, transportation, or termination of a call |
8 |
| triggered
using the modem of a customer of the |
9 |
| telecommunications carrier or
cable operator as a result of the |
10 |
| violation and in addition to any
other remedy provided by law, |
11 |
| a telecommunications carrier or cable
operator bringing an |
12 |
| action under this Section may:
|
13 |
| (1) apply to a court for an order to enjoin the
|
14 |
| violation;
|
15 |
| (2) recover the charges the telecommunications
carrier |
16 |
| or cable operator is obligated to pay to a
|
17 |
| telecommunications carrier, a cable operator, an other |
18 |
| provider of
transmission capability, or an information |
19 |
| service provider as a
result of the violation, including |
20 |
| charges for the origination,
transportation, or |
21 |
| termination of the call;
|
22 |
| (3) recover the costs of handling customer inquiries
or |
23 |
| complaints with respect to amounts billed for calls as a |
24 |
| result
of the violation;
|
25 |
| (4) recover other costs, including court costs, and
|
26 |
| reasonable attorney's fees; or
|
27 |
| (5) both apply for injunctive relief and recover
|
28 |
| charges and other costs as provided by this subsection (g).
|
29 |
| Section 50. Civil penalty; injunction. |
30 |
| (a) A person who
violates this Act is liable to the State |
31 |
| for a civil penalty in
an amount not to exceed $100,000 for |
32 |
| each violation. The Attorney
General may bring suit to recover |
33 |
| the civil penalty imposed by this
subsection (a).
|
34 |
| (b) If it appears to the Attorney General that a person is
|
35 |
| engaging in, has engaged in, or is about to engage in conduct |
|
|
|
SB3036 Engrossed |
- 10 - |
LRB094 18891 LJB 54335 b |
|
|
1 |
| that
violates this Act, the Attorney General may bring an |
2 |
| action in
the name of this State against the person to restrain |
3 |
| the violation
by a temporary restraining order or a permanent |
4 |
| or temporary
injunction.
|
5 |
| (c) The Attorney General is entitled to recover reasonable
|
6 |
| expenses incurred in obtaining injunctive relief, civil |
7 |
| penalties,
or both under this Section, including reasonable |
8 |
| attorney's fees
and court costs.
|