AN ACT concerning regulation.
Be it enacted by the People of the State of Illinois, represented in the General Assembly:
Section 1. Short title. This Act may be cited as the Illinois Financial Information Privacy Act.
Section 5. Legislative purpose.
(a) The General Assembly intends for financial institutions to provide their consumers notice and meaningful choice about how consumers' nonpublic personal information is shared or sold by their financial institutions.
(b) It is the intent of the General Assembly in enacting the Illinois Financial Information Privacy Act to afford persons greater privacy protections than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this Act be interpreted to be consistent with that purpose.
Section 10. Definitions. For the purposes of this Act:
(a) "Nonpublic personal information" means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.
(b) "Personally identifiable financial information" means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:
    (1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.
    (2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.
    (3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.
    (4) Any information about a financial institution's consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer.
    (5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.
    (6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.
    (7) Information from a consumer report.
(c) "Financial institution" means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this State. An institution that is not significantly engaged in financial activities is not a financial institution. The term "financial institution" does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term "financial institution" does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client. The term "financial institution" does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. Nothing in this Act applies to the Motor Vehicle Retail Installment Sales Act, the Motor Vehicle Leasing Act, or the Retail Installment Sales Act.
(d) "Affiliate" means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this Act.
(e) "Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.
(f) "Consumer" means an individual resident of this State, or that individual's legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this Act, an individual resident of this State is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this State. For purposes of this Act, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers' compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this Act to the plan sponsor, group or blanket insurance policyholder, or group annuity contract holder.
(g) "Control" means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.
(h) "Necessary to effect, administer, or enforce" means the following:
    (1) The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:
        (A) Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.
        (B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.
        (C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:
            (i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.
            (ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.
    (2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service.
    (3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer's request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer's insurance:
        (A) Account administration.
        (B) Reporting, investigating, or preventing fraud or material misrepresentation.
        (C) Processing premium payments.
        (D) Processing insurance claims.
        (E) Administering insurance benefits, including utilization review activities.
        (F) Participating in research projects.
        (G) As otherwise required or specifically permitted by federal or state law.
    (4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:
        (A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means.
        (B) The transfer of receivables, accounts, or interests therein.
        (C) The audit of debit, credit, or other payment information.
    (5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.
(i) "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.
(j) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.
(k) "Widely distributed media" means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.
Section 15. Prior consent. Except as provided in Sections 25, 35, and 45, a financial institution shall not sell, share, transfer, or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.
Section 20. Disclosure.
(a) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, any nonaffiliated third party as prohibited by Section 15, unless the financial institution has obtained a consent acknowledgment from the consumer that authorizes the financial institution to disclose or share the nonpublic personal information. Nothing in this Section shall prohibit or otherwise apply to the disclosure of nonpublic personal information as allowed in Section 40. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent pursuant to this Section and Section 15 to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. Nothing in this Section shall prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the product or service to a consumer without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. A financial institution shall not be liable for failing to offer products and services to a consumer solely because that consumer has failed to provide consent pursuant to this Section and Section 15 and the financial institution could not offer the product or service without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.
(b)(1) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subsection (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this Act.
    (2) Subsection (a) of this Section shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:
        (A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.
        (B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.
        (C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.
        (D) The financial institution that releases the nonpublic personal information has complied with subsection (d) and the consumer has not directed that the nonpublic personal information not be disclosed.
        (E) Notwithstanding this Section, until January 1, 2006, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2005. Beginning on January 1, 2006, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subsection are met.
    (3) Nothing in this subsection shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this Act.
    (4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subsection that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed pursuant to this subsection. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subsection. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this Act. Nothing in this Section shall prohibit the disclosure of nonpublic personal information allowed by Section 40.
    (5) The financial institution may, at its option, choose instead to comply with the requirements of subsection (a).
(c) Nothing in this Act shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are met:
    (1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subsection, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this State to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this paragraph.
    (2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subsection, "same line of business" shall be one and only one of the following:
        (A) Insurance.
        (B) Banking.
        (C) Securities.
    (3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and services provided. A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly owned subsidiaries. Nothing in this subsection shall permit the disclosure by a financial institution of medical record information, as defined in the Illinois Insurance Code, except in compliance with the requirements of this Act, including the requirements set forth in subsections (a) and (b).
(d)(1) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer's directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subsection (b) shall provide the consumer with a form that meets the requirements of this subsection, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer. Nothing in this subsection shall prohibit the disclosure of nonpublic personal information as allowed by subsection (c) or Section 40.
    (2) A financial institution may elect to comply with the requirements of subsection (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subsection (b), or subsection (c) of Section 35.
    (3) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.
    (4) A financial institution with assets in excess of $25,000,000 shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including $25,000,000 shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subsection the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.
    (5) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.
(e) Nothing in this Act shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 40 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.

Section 25. Receipt of nonpublic personal information.
Except as otherwise provided in this Act, an entity that receives nonpublic personal information from a financial institution under this Act shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. An entity that receives nonpublic personal information pursuant to any exception set forth in Section 45 shall not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received.

Section 30. Notice.
(a) Nothing in this Act shall require a financial institution to provide a written notice to a consumer pursuant to Section 20 if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate, except as allowed in this Act.
(b) A notice provided to a member of a household pursuant to Section 20 shall be considered notice to all members of that household unless that household contains another individual who also has a separate account with the financial institution.
(c)(1) The requirement to send a written notice to a consumer may be fulfilled by electronic means if the following requirements are met:
        (A) The notice, and the manner in which it is sent, meets all of the requirements for notices that are required by law to be in writing, as set forth in Section 101 of the federal Electronic Signatures in Global and National Commerce Act.
        (B) All other requirements applicable to the notice, as set forth in this Act, are met, including, but not limited to, requirements concerning content, timing, form, and delivery. An electronic notice sent pursuant to this section is not required to include a return envelope.
        (C) The notice is delivered to the consumer in a form the consumer may keep.
    (2) A notice that is made available to a consumer, and is not delivered to the consumer, does not satisfy the requirements of paragraph (1).
    (3) Any electronic consumer reply to an electronic notice sent pursuant to this Act is effective. A person that electronically sends a notice required by this Act to a consumer may not by contract, or otherwise, eliminate the effectiveness of the consumer's electronic reply.
    (4) This Act modifies the provisions of Section 101 of the federal Electronic Signatures in Global and National Commerce Act. However, it does not modify, limit, or supersede the provisions of subsection (c), (d), (e), (f), or (h) of Section 101 of the federal Electronic Signatures in Global and National Commerce Act, nor does it authorize electronic delivery of any notice of the type described in subsection (b) of Section 103 of that federal act.

Section 35. Affinity partners.
(a) When a financial institution and an organization or business entity that is not a financial institution ("affinity partner") have an agreement to issue a credit card in the name of the affinity partner ("affinity card"), the financial institution shall be permitted to disclose to the affinity partner in whose name the card is issued only the following information pertaining to the financial institution's customers who are in receipt of the affinity card: (1) name, address, telephone number, and electronic mail address and (2) record of purchases made using the affinity card in a business establishment, including a Web site, bearing the brand name of the affinity partner.
(b) When a financial institution and an affinity partner have an agreement to issue a financial product or service, other than a credit card, on behalf of the affinity partner ("affinity financial product or service"), the financial institution shall be permitted to disclose to the affinity partner only the following information pertaining to the financial institution's customers who obtained the affinity financial product or service: name, address, telephone number, and electronic mail address.
(c) The disclosures specified in subsections (a) and (b) shall be permitted only if the following requirements are met:
    (1) The financial institution has provided the consumer a notice meeting the requirements of subsection (d) of Section 20, and the consumer has not directed that nonpublic personal information not be disclosed. A response to a notice meeting the requirements of subsection (d) directing the financial institution to not disclose nonpublic personal information to a nonaffiliated financial institution shall be deemed a direction to the financial institution to not disclose nonpublic personal information to an affinity partner, unless the form containing the notice provides the consumer with a separate choice for disclosure to affinity partners.
    (2) The financial institution has a contractual agreement with the affinity partner that requires the affinity partner to maintain the confidentiality of the nonpublic personal information and prohibits affinity partners from using the information for any purposes other than verifying membership, verifying the consumer's contact information, or offering the affinity partner's own products or services to the consumer.
    (3) The customer list is not disclosed in any way that reveals or permits extrapolation of any additional nonpublic personal information about any customer on the list.
    (4) If the affinity partner sends any message to any electronic mail addresses obtained pursuant to this section, the message shall include at least both of the following:
        (A) The identity of the sender of the message.
        (B) A cost-free means for the recipient to notify the sender not to electronically mail any further message to the recipient.
(d) Nothing in this Section shall prohibit the disclosure of nonpublic personal information pursuant to Section 40.
(e) This Section does not apply to credit cards issued in the name of an entity primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales.

Section 40. Release of nonpublic personal information.
(a) This Act shall not apply to information that is not personally identifiable to a particular person.
(b) Notwithstanding Sections 15, 20, 30, and 35, a financial institution may release nonpublic personal information under the following circumstances:
    (1) The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.
    (2) The nonpublic personal information is released with the consent of or at the direction of the consumer.
    (3) The nonpublic personal information is:
        (A) Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein.
        (B) Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.
        (C) Released for required institutional risk control, or for resolving customer disputes or inquiries.
        (D) Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.
        (E) Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.
    (4) The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors.
    (5) The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the Illinois Department of Insurance, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.
    (6) The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.
    (7) The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
    (8) When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to the Elder Abuse and Neglect Act.
    (9) The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:
        (A) The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.
        (B) There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.
        (C) The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.
        (D) The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.
    (10) The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.
    (11) The nonpublic personal information is released to a real estate appraiser licensed or certified by the State and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.
    (12) The nonpublic personal information is released as required by Title III of the federal Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).
    (13) The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.
    (14) The nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement.
(c) Nothing in this Act is intended to change existing law relating to access by law enforcement agencies to information held by financial institutions.

Section 45. Application.
(a) The provisions of this Act do not apply to any person or entity that meets the requirements of paragraph (1) or (2) below. However, when nonpublic personal information is being or will be shared by a person or entity meeting the requirements of paragraph (1) or (2) with an affiliate or nonaffiliated third party, this Act shall apply.
    (1) The person or entity is licensed in one or both of the following categories and is acting within the scope of the respective license or certificate:
        (A) As an insurance producer, certified under the Illinois Insurance Code, as a registered investment adviser under the Illinois Securities Law of 1953, or as an investment adviser pursuant to Section 202(a)(11) of the federal Investment Advisers Act of 1940.
        (B) Is licensed to sell securities by the National Association of Securities Dealers (NASD).
    (2) The person or entity meets the requirements in paragraph (1) and has a written contractual agreement with another person or entity described in paragraph (1) and the contract clearly and explicitly includes the following:
        (A) The rights and obligations between the licensees arising out of the business relationship relating to insurance or securities transactions.
        (B) An explicit limitation on the use of nonpublic personal information about a consumer to transactions authorized by the contract and permitted pursuant to this Act.
        (C) A requirement that transactions specified in the contract fall within the scope of activities permitted by the licenses of the parties.
(b) The restrictions on disclosure and use of nonpublic personal information, and the requirement for notification and disclosure provided in this Act, shall not limit the ability of insurance producers and brokers to respond to written or electronic, including telephone, requests from consumers seeking price quotes on insurance products and services or to obtain competitive quotes to renew an existing insurance contract, provided that any nonpublic personal information disclosed pursuant to this subsection shall not be used or disclosed except in the ordinary course of business in order to obtain those quotes.
(c)(1) The disclosure or sharing of personal information from an insurer, as defined in Article XL of the Illinois Insurance Code, or its affiliates to an agent whose contractual or employment relationship requires that the agent offer only the insurer's policies for sale or financial products or services that meet the requirements of paragraph (2) of subsection (b) of Section 20 and are authorized by the insurer, or whose contractual or employment relationship with an insurer gives the insurer the right of first refusal for all policies of insurance by the agent, and who may not share nonpublic personal information with any insurer other than the insurer with whom the agent has a contractual or employment relationship as described above, is not a violation of this Act, provided that the agent may not disclose nonpublic personal information to any party except as permitted by this Act. An insurer or its affiliates do not disclose or share nonpublic personal information with exclusive agents merely because information is maintained in common information systems or databases, and exclusive agents of the insurer or its affiliates have access to those common information systems or databases, provided that where a consumer has exercised his or her rights to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an exclusive agent except as permitted by this Act.
    (2) Nothing in this subsection is intended to affect the sharing of information allowed in subsection (a) or subsection (b).

Section 50. Negligence.
(a) An entity that negligently discloses or shares nonpublic personal information in violation of this Act shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subsection shall not exceed $500,000.
(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of this Act shall be liable for a civil penalty not to exceed $2,500 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.
(c) In determining the penalty to be assessed pursuant to a violation of this Act, the court shall take into account the following factors:
    (1) The total assets and net worth of the violating entity.
    (2) The nature and seriousness of the violation.
    (3) The persistence of the violation, including any attempts to correct the situation leading to the violation.
    (4) The length of time over which the violation occurred.
    (5) The number of times the entity has violated this Act.
    (6) The harm caused to consumers by the violation.
    (7) The level of proceeds derived from the violation.
    (8) The impact of possible penalties on the overall fiscal solvency of the violating entity.
(d) In the event a violation of this Act results in the identity theft of a consumer, as defined by Article 16g of the Criminal Code, the civil penalties set forth in this Section shall be doubled.
(e) The civil penalties provided for in this Section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of Illinois in any court of competent jurisdiction by any of the following:
    (1) The Attorney General.
    (2) The functional regulator with jurisdiction over regulation of the financial institution as follows:
        (A) In the case of banks, savings associations, credit unions, commercial lending companies, and bank holding companies, by the Department of Financial Institutions or the Office of Banks and Real Estate, or the appropriate federal authority;
        (B) in the case of any person engaged in the business of insurance, by the Department of Insurance;
        (C) in the case of any investment broker or dealer, investment company, investment advisor, residential mortgage lender or finance lender, by the Illinois Secretary of State; and
        (D) in the case of a financial institution not subject to the jurisdiction of any functional regulator listed under subparagraphs (A) to (C), inclusive, above, by the Attorney General.

Section 55. Authority of departments or agencies.
Nothing in this Act shall be construed as altering or annulling the authority of any department or agency of the state to regulate any financial institution subject to its jurisdiction.

Section 90. Severability.
The provisions of this Act shall be severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this Act shall not be affected thereby.