95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008
HB3725

Introduced 2/28/2007, by Rep. Linda Chapa LaVia

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Illinois Financial Information Privacy Act. Allows a consumer to direct a financial institution to not share the nonpublic personal information with affiliated companies or with nonaffiliated financial companies with which the financial institution has contracted to provide financial products and services. Does not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or in certain other cases if both entities are regulated by the same functional regulator and are engaged in the same line of business, among other requirements. Requires the permission of the consumer before the financial institution may share the nonpublic personal information with other nonaffiliated companies. Provides that a financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information. Requires a financial institution to comply with the consumer's request regarding nonpublic personal information within 45 days of receipt of the request.


LRB095 07553 MJR 27703 b

FISCAL NOTE ACT MAY APPLY

A BILL FOR

HB3725 LRB095 07553 MJR 27703 b

1     AN ACT concerning regulation.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Illinois Financial Information Privacy Act.
 
6     Section 5. Legislative purpose.
7     (a) The General Assembly intends for financial
8 institutions to provide their consumers notice and meaningful
9 choice about how consumers' nonpublic personal information is
10 shared or sold by their financial institutions.
11     (b) It is the intent of the General Assembly in enacting
12 the Illinois Financial Information Privacy Act to afford
13 persons greater privacy protections than those provided in
14 Public Law 106-102, the federal Gramm-Leach-Bliley Act, and
15 that this Act be interpreted to be consistent with that
16 purpose.
 
17     Section 10. Definitions. For the purposes of this Act:
18     (a) "Nonpublic personal information" means personally
19 identifiable financial information (1) provided by a consumer
20 to a financial institution, (2) resulting from any transaction
21 with the consumer or any service performed for the consumer, or
22 (3) otherwise obtained by the financial institution. Nonpublic
1 personal information does not include publicly available
2 information that the financial institution has a reasonable
3 basis to believe is lawfully made available to the general
4 public from (1) federal, state, or local government records,
5 (2) widely distributed media, or (3) disclosures to the general
6 public that are required to be made by federal, state, or local
7 law. Nonpublic personal information shall include any list,
8 description, or other grouping of consumers, and publicly
9 available information pertaining to them, that is derived using
10 any nonpublic personal information other than publicly
11 available information, but shall not include any list,
12 description, or other grouping of consumers, and publicly
13 available information pertaining to them, that is derived
14 without using any nonpublic personal information.
15     (b) "Personally identifiable financial information" means
16 information (1) that a consumer provides to a financial
17 institution to obtain a product or service from the financial
18 institution, (2) about a consumer resulting from any
19 transaction involving a product or service between the
20 financial institution and a consumer, or (3) that the financial
21 institution otherwise obtains about a consumer in connection
22 with providing a product or service to that consumer. Any
23 personally identifiable information is financial if it was
24 obtained by a financial institution in connection with
25 providing a financial product or service to a consumer.
26 Personally identifiable financial information includes all of
1 the following:
2         (1) Information a consumer provides to a financial
3     institution on an application to obtain a loan, credit
4     card, or other financial product or service.
5         (2) Account balance information, payment history,
6     overdraft history, and credit or debit card purchase
7     information.
8         (3) The fact that an individual is or has been a
9     consumer of a financial institution or has obtained a
10     financial product or service from a financial institution.
11         (4) Any information about a financial institution's
12     consumer if it is disclosed in a manner that indicates that
13     the individual is or has been the financial institution's
14     consumer.
15         (5) Any information that a consumer provides to a
16     financial institution or that a financial institution or
17     its agent otherwise obtains in connection with collecting
18     on a loan or servicing a loan.
19         (6) Any personally identifiable financial information
20     collected through an Internet cookie or an information
21     collecting device from a Web server.
22         (7) Information from a consumer report.
23     (c) "Financial institution" means any institution the
24 business of which is engaging in financial activities as
25 described in Section 1843(k) of Title 12 of the United States
26 Code and doing business in this State. An institution that is
1 not significantly engaged in financial activities is not a
2 financial institution. The term "financial institution" does
3 not include any institution that is primarily engaged in
4 providing hardware, software, or interactive services,
5 provided that it does not act as a debt collector, as defined
6 in 15 U.S.C. Sec. 1692a, or engage in activities for which the
7 institution is required to acquire a charter, license, or
8 registration from a state or federal governmental banking,
9 insurance, or securities agency. The term "financial
10 institution" does not include the Federal Agricultural
11 Mortgage Corporation or any entity chartered and operating
12 under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et
13 seq.), provided that the entity does not sell or transfer
14 nonpublic personal information to an affiliate or a
15 nonaffiliated third party. The term "financial institution"
16 does not include any provider of professional services, or any
17 wholly owned affiliate thereof, that is prohibited by rules of
18 professional ethics and applicable law from voluntarily
19 disclosing confidential client information without the consent
20 of the client. The term "financial institution" does not
21 include institutions chartered by Congress specifically to
22 engage in a proposed or actual securitization, secondary market
23 sale, including sales of servicing rights, or similar
24 transactions related to a transaction of the consumer, as long
25 as those institutions do not sell or transfer nonpublic
26 personal information to a nonaffiliated third party. Nothing in
1 this Act applies to the Motor Vehicle Retail Installment Sales
2 Act, the Motor Vehicle Leasing Act, or the Retail Installment
3 Sales Act.
4     (d) "Affiliate" means any entity that controls, is
5 controlled by, or is under common control with, another entity,
6 but does not include a joint employee of the entity and the
7 affiliate. A franchisor, including any affiliate thereof,
8 shall be deemed an affiliate of the franchisee for purposes of
9 this Act.
10     (e) "Nonaffiliated third party" means any entity that is
11 not an affiliate of, or related by common ownership or
12 affiliated by corporate control with, the financial
13 institution, but does not include a joint employee of that
14 institution and a third party.
15     (f) "Consumer" means an individual resident of this State,
16 or that individual's legal representative, who obtains or has
17 obtained from a financial institution a financial product or
18 service to be used primarily for personal, family, or household
19 purposes. For purposes of this Act, an individual resident of
20 this State is someone whose last known mailing address, other
21 than an Armed Forces Post Office or Fleet Post Office address,
22 as shown in the records of the financial institution, is
23 located in this State. For purposes of this Act, an individual
24 is not a consumer of a financial institution solely because he
25 or she is (1) a participant or beneficiary of an employee
26 benefit plan that a financial institution administers or
1 sponsors, or for which the financial institution acts as a
2 trustee, insurer, or fiduciary, (2) covered under a group or
3 blanket insurance policy or group annuity contract issued by
4 the financial institution, (3) a beneficiary in a workers'
5 compensation plan, (4) a beneficiary of a trust for which the
6 financial institution is a trustee, or (5) a person who has
7 designated the financial institution as trustee for a trust,
8 provided that the financial institution provides all required
9 notices and rights required by this Act to the plan sponsor,
10 group or blanket insurance policyholder, or group annuity
11 contract holder.
12     (g) "Control" means (1) ownership or power to vote 25
13 percent or more of the outstanding shares of any class of
14 voting security of a company, acting through one or more
15 persons, (2) control in any manner over the election of a
16 majority of the directors, or of individuals exercising similar
17 functions, or (3) the power to exercise, directly or
18 indirectly, a controlling influence over the management or
19 policies of a company. However, for purposes of the application
20 of the definition of control as it relates to credit unions, a
21 credit union has a controlling influence over the management or
22 policies of a credit union service organization (CUSO), as that
23 term is defined by state or federal law or regulation, if the
24 CUSO is at least 67 percent owned by credit unions. For
25 purposes of the application of the definition of control to a
26 financial institution subject to regulation by the United
1 States Securities and Exchange Commission, a person who owns
2 beneficially, either directly or through one or more controlled
3 companies, more than 25 percent of the voting securities of a
4 company is presumed to control the company, and a person who
5 does not own more than 25 percent of the voting securities of a
6 company is presumed not to control the company, and a
7 presumption regarding control may be rebutted by evidence, but
8 in the case of an investment company, the presumption shall
9 continue until the United States Securities and Exchange
10 Commission makes a decision to the contrary according to the
11 procedures described in Section 2(a)(9) of the federal
12 Investment Company Act of 1940.
13     (h) "Necessary to effect, administer, or enforce" means the
14 following:
15         (1) The disclosure is required, or is a usual,
16     appropriate, or acceptable method to carry out the
17     transaction or the product or service business of which the
18     transaction is a part, and record or service or maintain
19     the consumer's account in the ordinary course of providing
20     the financial service or financial product, or to
21     administer or service benefits or claims relating to the
22     transaction or the product or service business of which it
23     is a part, and includes the following:
24             (A) Providing the consumer or the consumer's agent
25         or broker with a confirmation, statement, or other
26         record of the transaction, or information on the status
1         or value of the financial service or financial product.
2             (B) The accrual or recognition of incentives,
3         discounts, or bonuses associated with the transaction
4         or communications to eligible existing consumers of
5         the financial institution regarding the availability
6         of those incentives, discounts, and bonuses that are
7         provided by the financial institution or another
8         party.
9             (C) In the case of a financial institution that has
10         issued a credit account bearing the name of a company
11         primarily engaged in retail sales or a name proprietary
12         to a company primarily engaged in retail sales, the
13         financial institution providing the retailer with
14         nonpublic personal information as follows:
15                 (i) Providing the retailer, or licensees or
16             contractors of the retailer that provide products
17             or services in the name of the retailer and under a
18             contract with the retailer, with the names and
19             addresses of the consumers in whose name the
20             account is held and a record of the purchases made
21             using the credit account from a business
22             establishment, including a Web site or catalog,
23             bearing the brand name of the retailer.
24                 (ii) Where the credit account can only be used
25             for transactions with the retailer or affiliates
26             of that retailer that are also primarily engaged in
1             retail sales, providing the retailer, or licensees
2             or contractors of the retailer that provide
3             products or services in the name of the retailer
4             and under a contract with the retailer, with
5             nonpublic personal information concerning the
6             credit account, in connection with the offering or
7             provision of the products or services of the
8             retailer and those licensees or contractors.
9             (2) The disclosure is required or is one of the
10         lawful or appropriate methods to enforce the rights of
11         the financial institution or of other persons engaged
12         in carrying out the financial transaction or providing
13         the product or service.
14             (3) The disclosure is required, or is a usual,
15         appropriate, or acceptable method for insurance
16         underwriting or the placement of insurance products by
17         licensed agents and brokers with authorized insurance
18         companies at the consumer's request, for reinsurance,
19         stop loss insurance, or excess loss insurance
20         purposes, or for any of the following purposes as they
21         relate to a consumer's insurance:
22                 (A) Account administration.
23                 (B) Reporting, investigating, or preventing
24             fraud or material misrepresentation.
25                 (C) Processing premium payments.
26                 (D) Processing insurance claims.
1                 (E) Administering insurance benefits,
2             including utilization review activities.
3                 (F) Participating in research projects.
4                 (G) As otherwise required or specifically
5             permitted by federal or state law.
6             (4) The disclosure is required, or is a usual,
7         appropriate, or acceptable method, in connection with
8         the following:
9                 (A) The authorization, settlement, billing,
10             processing, clearing, transferring, reconciling,
11             or collection of amounts charged, debited, or
12             otherwise paid using a debit, credit or other
13             payment card, check, or account number, or by other
14             payment means.
15                 (B) The transfer of receivables, accounts, or
16             interests therein.
17                 (C) The audit of debit, credit, or other
18             payment information.
19             (5) The disclosure is required in a transaction
20         covered by the federal Real Estate Settlement
21         Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order
22         to offer settlement services prior to the close of
23         escrow (as those services are defined in 12 U.S.C. Sec.
24         2602), provided that (A) the nonpublic personal
25         information is disclosed for the sole purpose of
26         offering those settlement services and (B) the
1         nonpublic personal information disclosed is limited to
2         that necessary to enable the financial institution to
3         offer those settlement services in that transaction.
4     (i) "Financial product or service" means any product or
5 service that a financial holding company could offer by
6 engaging in an activity that is financial in nature or
7 incidental to a financial activity under subsection (k) of
8 Section 1843 of Title 12 of the United States Code (the United
9 States Bank Holding Company Act of 1956). Financial service
10 includes a financial institution's evaluation or brokerage of
11 information that the financial institution collects in
12 connection with a request or an application from a consumer for
13 a financial product or service.
14     (j) "Clear and conspicuous" means that a notice is
15 reasonably understandable and designed to call attention to the
16 nature and significance of the information contained in the
17 notice.
18     (k) "Widely distributed media" means media available to the
19 general public and includes a telephone book, a television or
20 radio program, a newspaper, or a Web site that is available to
21 the general public on an unrestricted basis.
 
22     Section 15. Prior consent. Except as provided in Sections
23 25, 35, and 45, a financial institution shall not sell, share,
24 transfer, or otherwise disclose nonpublic personal information
25 to or with any nonaffiliated third parties without the explicit
1 prior consent of the consumer to whom the nonpublic personal
2 information relates.
 
3     Section 20. Disclosure.
4     (a) A financial institution shall not disclose to, or share
5 a consumer's nonpublic personal information with, any
6 nonaffiliated third party as prohibited by Section 15, unless
7 the financial institution has obtained a consent
8 acknowledgment from the consumer that authorizes the financial
9 institution to disclose or share the nonpublic personal
10 information. Nothing in this Section shall prohibit or
11 otherwise apply to the disclosure of nonpublic personal
12 information as allowed in Section 40. A financial institution
13 shall not discriminate against or deny an otherwise qualified
14 consumer a financial product or a financial service because the
15 consumer has not provided consent pursuant to this Section and
16 Section 15 to authorize the financial institution to disclose
17 or share nonpublic personal information pertaining to him or
18 her with any nonaffiliated third party. Nothing in this Section
19 shall prohibit a financial institution from denying a consumer
20 a financial product or service if the financial institution
21 could not provide the product or service to a consumer without
22 the consent to disclose the consumer's nonpublic personal
23 information required by this Section and Section 15, and the
24 consumer has failed to provide consent. A financial institution
25 shall not be liable for failing to offer products and services
1 to a consumer solely because that consumer has failed to
2 provide consent pursuant to this Section and Section 15 and the
3 financial institution could not offer the product or service
4 without the consent to disclose the consumer's nonpublic
5 personal information required by this Section and Section 15,
6 and the consumer has failed to provide consent. Nothing in this
7 Section is intended to prohibit a financial institution from
8 offering incentives or discounts to elicit a specific response
9 to the notice.
10     (b)(1) A financial institution shall not disclose to, or
11 share a consumer's nonpublic personal information with, an
12 affiliate unless the financial institution has clearly and
13 conspicuously notified the consumer annually in writing
14 pursuant to subsection (d) that the nonpublic personal
15 information may be disclosed to an affiliate of the financial
16 institution and the consumer has not directed that the
17 nonpublic personal information not be disclosed. A financial
18 institution does not disclose information to, or share
19 information with, its affiliate merely because information is
20 maintained in common information systems or databases, and
21 employees of the financial institution and its affiliate have
22 access to those common information systems or databases, or a
23 consumer accesses a Web site jointly operated or maintained
24 under a common name by or on behalf of the financial
25 institution and its affiliate, provided that where a consumer
26 has exercised his or her right to prohibit disclosure pursuant
1 to this Act, nonpublic personal information is not further
2 disclosed or used by an affiliate except as permitted by this
3 Act.
4     (2) Subsection (a) of this Section shall not prohibit the
5 release of nonpublic personal information by a financial
6 institution with whom the consumer has a relationship to a
7 nonaffiliated financial institution for purposes of jointly
8 offering a financial product or financial service pursuant to a
9 written agreement with the financial institution that receives
10 the nonpublic personal information provided that all of the
11 following requirements are met:
12             (A) The financial product or service offered is a
13         product or service of, and is provided by, at least one
14         of the financial institutions that is a party to the
15         written agreement.
16             (B) The financial product or service is jointly
17         offered, endorsed, or sponsored, and clearly and
18         conspicuously identifies for the consumer the
19         financial institutions that disclose and receive the
20         disclosed nonpublic personal information.
21             (C) The written agreement provides that the
22         financial institution that receives that nonpublic
23         personal information is required to maintain the
24         confidentiality of the information and is prohibited
25         from disclosing or using the information other than to
26         carry out the joint offering or servicing of a
1         financial product or financial service that is the
2         subject of the written agreement.
3             (D) The financial institution that releases the
4         nonpublic personal information has complied with
5         subsection (d) and the consumer has not directed that
6         the nonpublic personal information not be disclosed.
7             (E) Notwithstanding this Section, until January 1,
8         2006, a financial institution may disclose nonpublic
9         personal information to a nonaffiliated financial
10         institution pursuant to a preexisting contract with
11         the nonaffiliated financial institution, for purposes
12         of offering a financial product or financial service,
13         if that contract was entered into on or before January
14         1, 2005. Beginning on January 1, 2006, no nonpublic
15         personal information may be disclosed pursuant to that
16         contract unless all the requirements of this
17         subsection are met.
18         (3) Nothing in this subsection shall prohibit a
19     financial institution from disclosing or sharing nonpublic
20     personal information as otherwise specifically permitted
21     by this Act.
22         (4) A financial institution shall not discriminate
23     against or deny an otherwise qualified consumer a financial
24     product or a financial service because the consumer has
25     directed pursuant to this subsection that nonpublic
26     personal information pertaining to him or her not be
1     disclosed. A financial institution shall not be required to
2     offer or provide products or services offered through
3     affiliated entities or jointly with nonaffiliated
4     financial institutions pursuant to paragraph (2) of this
5     subsection where the consumer has directed that nonpublic
6     personal information not be disclosed pursuant to this
7     subsection and the financial institution could not offer or
8     provide the products or services to the consumer without
9     disclosure of the consumer's nonpublic personal
10     information that the consumer has directed not be disclosed
11     pursuant to this subsection. A financial institution shall
12     not be liable for failing to offer or provide products or
13     services offered through affiliated entities or jointly
14     with nonaffiliated financial institutions pursuant to
15     paragraph (2) of this subsection solely because the
16     consumer has directed that nonpublic personal information
17     not be disclosed pursuant to this subsection and the
18     financial institution could not offer or provide the
19     products or services to the consumer without disclosure of
20     the consumer's nonpublic personal information that the
21     consumer has directed not be disclosed to affiliates
22     pursuant to this subsection. Nothing in this Section is
23     intended to prohibit a financial institution from offering
24     incentives or discounts to elicit a specific response to
25     the notice set forth in this Act. Nothing in this Section
26     shall prohibit the disclosure of nonpublic personal
1     information allowed by Section 40.
2         (5) The financial institution may, at its option,
3     choose instead to comply with the requirements of
4     subsection (a).
5     (c) Nothing in this Act shall restrict or prohibit the
6 sharing of nonpublic personal information between a financial
7 institution and its wholly owned financial institution
8 subsidiaries; among financial institutions that are each
9 wholly owned by the same financial institution; among financial
10 institutions that are wholly owned by the same holding company;
11 or among the insurance and management entities of a single
12 insurance holding company system consisting of one or more
13 reciprocal insurance exchanges which has a single corporation
14 or its wholly owned subsidiaries providing management services
15 to the reciprocal insurance exchanges, provided that in each
16 case all of the following requirements are met:
17         (1) The financial institution disclosing the nonpublic
18     personal information and the financial institution
19     receiving it are regulated by the same functional
20     regulator; provided, however, that for purposes of this
21     subsection, financial institutions regulated by the Office
22     of the Comptroller of the Currency, Office of Thrift
23     Supervision, National Credit Union Administration, or a
24     state regulator of depository institutions shall be deemed
25     to be regulated by the same functional regulator; financial
26     institutions regulated by the Securities and Exchange
1     Commission, the United States Department of Labor, or a
2     state securities regulator shall be deemed to be regulated
3     by the same functional regulator; and insurers admitted in
4     this State to transact insurance and licensed to write
5     insurance policies shall be deemed to be in compliance with
6     this paragraph.
7         (2) The financial institution disclosing the nonpublic
8     personal information and the financial institution
9     receiving it are both principally engaged in the same line
10     of business. For purposes of this subsection, "same line of
11     business" shall be one and only one of the following:
12             (A) Insurance.
13             (B) Banking.
14             (C) Securities.
15         (3) The financial institution disclosing the nonpublic
16     personal information and the financial institution
17     receiving it share a common brand, excluding a brand
18     consisting solely of a graphic element or symbol, within
19     their trademark, service mark, or trade name, which is used
20     to identify the source of the products and services
21     provided. A wholly owned subsidiary shall include a
22     subsidiary wholly owned directly or wholly owned
23     indirectly in a chain of wholly owned subsidiaries. Nothing
24     in this subsection shall permit the disclosure by a
25     financial institution of medical record information, as
26     defined in the Illinois Insurance Code, except in
1     compliance with the requirements of this Act, including the
2     requirements set forth in subsections (a) and (b).
3     (d)(1) The consumer shall be provided a reasonable
4 opportunity prior to disclosure of nonpublic personal
5 information to direct that nonpublic personal information not
6 be disclosed. A consumer may direct at any time that his or her
7 nonpublic personal information not be disclosed. A financial
8 institution shall comply with a consumer's directions
9 concerning the sharing of his or her nonpublic personal
10 information within 45 days of receipt by the financial
11 institution. When a consumer directs that nonpublic personal
12 information not be disclosed, that direction is in effect until
13 otherwise stated by the consumer. A financial institution that
14 has not provided a consumer with annual notice pursuant to
15 subsection (b) shall provide the consumer with a form that
16 meets the requirements of this subsection, and shall allow 45
17 days to lapse from the date of providing the form in person or
18 the postmark or other postal verification of mailing before
19 disclosing nonpublic personal information pertaining to the
20 consumer. Nothing in this subsection shall prohibit the
21 disclosure of nonpublic personal information as allowed by
22 subsection (c) or Section 40.
23     (2) A financial institution may elect to comply with the
24 requirements of subsection (a) with respect to disclosure of
25 nonpublic personal information to an affiliate or with respect
26 to nonpublic personal information disclosed pursuant to
1 paragraph (2) of subsection (b), or subsection (c) of Section
2 35.
3     (3) If a financial institution does not have a continuing
4 relationship with a consumer other than the initial transaction
5 in which the product or service is provided, no annual
6 disclosure requirement exists pursuant to this section as long
7 as the financial institution provides the consumer with the
8 form required by this section at the time of the initial
9 transaction. As used in this section, "annually" means at least
10 once in any period of 12 consecutive months during which that
11 relationship exists. The financial institution may define the
12 12-consecutive-month period, but shall apply it to the consumer
13 on a consistent basis. If, for example, a financial institution
14 defines the 12-consecutive-month period as a calendar year and
15 provides the annual notice to the consumer once in each
16 calendar year, it complies with the requirement to send the
17 notice annually.
18     (4) A financial institution with assets in excess of
19 $25,000,000 shall include a self-addressed first class
20 business reply return envelope with the notice. A financial
21 institution with assets of up to and including $25,000,000
22 shall include a self-addressed return envelope with the notice.
23 In lieu of the first class business reply return envelope
24 required by this paragraph, a financial institution may offer a
25 self-addressed return envelope with the notice and at least two
26 alternative cost-free means for consumers to communicate their
1 privacy choices, such as calling a toll-free number, sending a
2 facsimile to a toll-free telephone number, or using electronic
3 means. A financial institution shall clearly and conspicuously
4 disclose in the form required by this subsection the
5 information necessary to direct the consumer on how to
6 communicate his or her choices, including the toll-free or
7 facsimile number or Web site address that may be used, if those
8 means of communication are offered by the financial
9 institution.
10     (5) A financial institution may provide a joint notice from
11 it and one or more of its affiliates or other financial
12 institutions, as identified in the notice, so long as the
13 notice is accurate with respect to the financial institution
14 and the affiliates and other financial institutions.
15     (e) Nothing in this Act shall prohibit a financial
16 institution from marketing its own products and services or the
17 products and services of affiliates or nonaffiliated third
18 parties to customers of the financial institution as long as
19 (1) nonpublic personal information is not disclosed in
20 connection with the delivery of the applicable marketing
21 materials to those customers except as permitted by Section 40
22 and (2) in cases in which the applicable nonaffiliated third
23 party may extrapolate nonpublic personal information about the
24 consumer responding to those marketing materials, the
25 applicable nonaffiliated third party has signed a contract with
26 the financial institution under the terms of which (A) the
1 nonaffiliated third party is prohibited from using that
2 information for any purpose other than the purpose for which it
3 was provided, as set forth in the contract, and (B) the
4 financial institution has the right by audit, inspections, or
5 other means to verify the nonaffiliated third party's
6 compliance with that contract.
 
7     Section 25. Receipt of nonpublic personal information.
8 Except as otherwise provided in this Act, an entity that
9 receives nonpublic personal information from a financial
10 institution under this Act shall not disclose this information
11 to any other entity, unless the disclosure would be lawful if
12 made directly to the other entity by the financial institution.
13 An entity that receives nonpublic personal information
14 pursuant to any exception set forth in Section 45 shall not use
15 or disclose the information except in the ordinary course of
16 business to carry out the activity covered by the exception
17 under which the information was received.
 
18     Section 30. Notice.
19     (a) Nothing in this Act shall require a financial
20 institution to provide a written notice to a consumer pursuant
21 to Section 20 if the financial institution does not disclose
22 nonpublic personal information to any nonaffiliated third
23 party or to any affiliate, except as allowed in this Act.
24     (b) A notice provided to a member of a household pursuant
1 to Section 20 shall be considered notice to all members of that
2 household unless that household contains another individual
3 who also has a separate account with the financial institution.
4     (c)(1) The requirement to send a written notice to a
5 consumer may be fulfilled by electronic means if the following
6 requirements are met:
7             (A) The notice, and the manner in which it is sent,
8         meets all of the requirements for notices that are
9         required by law to be in writing, as set forth in
10         Section 101 of the federal Electronic Signatures in
11         Global and National Commerce Act.
12             (B) All other requirements applicable to the
13         notice, as set forth in this Act, are met, including,
14         but not limited to, requirements concerning content,
15         timing, form, and delivery. An electronic notice sent
16         pursuant to this section is not required to include a
17         return envelope.
18             (C) The notice is delivered to the consumer in a
19         form the consumer may keep.
20         (2) A notice that is made available to a consumer, and
21     is not delivered to the consumer, does not satisfy the
22     requirements of paragraph (1).
23         (3) Any electronic consumer reply to an electronic
24     notice sent pursuant to this Act is effective. A person
25     that electronically sends a notice required by this Act to
26     a consumer may not by contract, or otherwise, eliminate the
1     effectiveness of the consumer's electronic reply.
2         (4) This Act modifies the provisions of Section 101 of
3     the federal Electronic Signatures in Global and National
4     Commerce Act. However, it does not modify, limit, or
5     supersede the provisions of subsection (c), (d), (e), (f),
6     or (h) of Section 101 of the federal Electronic Signatures
7     in Global and National Commerce Act, nor does it authorize
8     electronic delivery of any notice of the type described in
9     subsection (b) of Section 103 of that federal act.
 
10     Section 35. Affinity partners.
11     (a) When a financial institution and an organization or
12 business entity that is not a financial institution ("affinity
13 partner") have an agreement to issue a credit card in the name
14 of the affinity partner ("affinity card"), the financial
15 institution shall be permitted to disclose to the affinity
16 partner in whose name the card is issued only the following
17 information pertaining to the financial institution's
18 customers who are in receipt of the affinity card: (1) name,
19 address, telephone number, and electronic mail address and (2)
20 record of purchases made using the affinity card in a business
21 establishment, including a Web site, bearing the brand name of
22 the affinity partner.
23     (b) When a financial institution and an affinity partner
24 have an agreement to issue a financial product or service,
25 other than a credit card, on behalf of the affinity partner
1 ("affinity financial product or service"), the financial
2 institution shall be permitted to disclose to the affinity
3 partner only the following information pertaining to the
4 financial institution's customers who obtained the affinity
5 financial product or service: name, address, telephone number,
6 and electronic mail address.
7     (c) The disclosures specified in subsections (a) and (b)
8 shall be permitted only if the following requirements are met:
9          (1) The financial institution has provided the
10     consumer a notice meeting the requirements of subsection
11     (d) of Section 20, and the consumer has not directed that
12     nonpublic personal information not be disclosed. A
13     response to a notice meeting the requirements of subsection
14     (d) directing the financial institution to not disclose
15     nonpublic personal information to a nonaffiliated
16     financial institution shall be deemed a direction to the
17     financial institution to not disclose nonpublic personal
18     information to an affinity partner, unless the form
19     containing the notice provides the consumer with a separate
20     choice for disclosure to affinity partners.
21         (2) The financial institution has a contractual
22     agreement with the affinity partner that requires the
23     affinity partner to maintain the confidentiality of the
24     nonpublic personal information and prohibits affinity
25     partners from using the information for any purposes other
26     than verifying membership, verifying the consumer's
1     contact information, or offering the affinity partner's
2     own products or services to the consumer.
3         (3) The customer list is not disclosed in any way that
4     reveals or permits extrapolation of any additional
5     nonpublic personal information about any customer on the
6     list.
7         (4) If the affinity partner sends any message to any
8     electronic mail addresses obtained pursuant to this
9     section, the message shall include at least both of the
10     following:
11             (A) The identity of the sender of the message.
12             (B) A cost-free means for the recipient to notify
13         the sender not to electronically mail any further
14         message to the recipient.
15     (d) Nothing in this Section shall prohibit the disclosure
16 of nonpublic personal information pursuant to Section 40.
17     (e) This Section does not apply to credit cards issued in
18 the name of an entity primarily engaged in retail sales or a
19 name proprietary to a company primarily engaged in retail
20 sales.
 
21     Section 40. Release of nonpublic personal information.
22     (a) This Act shall not apply to information that is not
23 personally identifiable to a particular person.
24     (b) Notwithstanding Sections 15, 20, 30, and 35, a
25 financial institution may release nonpublic personal
1 information under the following circumstances:
2         (1) The nonpublic personal information is necessary to
3     effect, administer, or enforce a transaction requested or
4     authorized by the consumer, or in connection with servicing
5     or processing a financial product or service requested or
6     authorized by the consumer, or in connection with
7     maintaining or servicing the consumer's account with the
8     financial institution, or with another entity as part of a
9     private label credit card program or other extension of
10     credit on behalf of that entity, or in connection with a
11     proposed or actual securitization or secondary market
12     sale, including sales of servicing rights, or similar
13     transactions related to a transaction of the consumer.
14         (2) The nonpublic personal information is released
15     with the consent of or at the direction of the consumer.
16         (3) The nonpublic personal information is:
17             (A) Released to protect the confidentiality or
18         security of the financial institution's records
19         pertaining to the consumer, the service or product, or
20         the transaction therein.
21             (B) Released to protect against or prevent actual
22         or potential fraud, identity theft, unauthorized
23         transactions, claims, or other liability.
24             (C) Released for required institutional risk
25         control, or for resolving customer disputes or
26         inquiries.
1             (D) Released to persons holding a legal or
2         beneficial interest relating to the consumer,
3         including for purposes of debt collection.
4             (E) Released to persons acting in a fiduciary or
5         representative capacity on behalf of the consumer.
6         (4) The nonpublic personal information is released to
7     provide information to insurance rate advisory
8     organizations, guaranty funds or agencies, applicable
9     rating agencies of the financial institution, persons
10     assessing the institution's compliance with industry
11     standards, and the institution's attorneys, accountants,
12     and auditors.
13         (5) The nonpublic personal information is released to
14     the extent specifically required or specifically permitted
15     under other provisions of law and in accordance with the
16     Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401
17     et seq.), to law enforcement agencies, including a federal
18     functional regulator, the Secretary of the Treasury with
19     respect to subchapter II of Chapter 53 of Title 31, and
20     Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs.
21     1951-1959), the Illinois Department of Insurance, or the
22     Federal Trade Commission, and self-regulatory
23     organizations, or for an investigation on a matter related
24     to public safety.
25         (6) The nonpublic personal information is released in
26     connection with a proposed or actual sale, merger,
1     transfer, or exchange of all or a portion of a business or
2     operating unit if the disclosure of nonpublic personal
3     information concerns solely consumers of the business or
4     unit.
5         (7) The nonpublic personal information is released to
6     comply with federal, state, or local laws, rules, and other
7     applicable legal requirements; to comply with a properly
8     authorized civil, criminal, administrative, or regulatory
9     investigation or subpoena or summons by federal, state, or
10     local authorities; or to respond to judicial process or
11     government regulatory authorities having jurisdiction over
12     the financial institution for examination, compliance, or
13     other purposes as authorized by law.
14         (8) When a financial institution is reporting a known
15     or suspected instance of elder or dependent adult financial
16     abuse or is cooperating with a local adult protective
17     services agency investigation of known or suspected elder
18     or dependent adult financial abuse pursuant to the Elder
19     Abuse and Neglect Act.
20         (9) The nonpublic personal information is released to
21     an affiliate or a nonaffiliated third party in order for
22     the affiliate or nonaffiliated third party to perform
23     business or professional services, such as printing,
24     mailing services, data processing or analysis, or customer
25     surveys, on behalf of the financial institution, provided
26     that all of the following requirements are met:
1             (A) The services to be performed by the affiliate
2         or nonaffiliated third party could lawfully be
3         performed by the financial institution.
4             (B) There is a written contract between the
5         affiliate or nonaffiliated third party and the
6         financial institution that prohibits the affiliate or
7         nonaffiliated third party, as the case may be, from
8         disclosing or using the nonpublic personal information
9         other than to carry out the purpose for which the
10         financial institution disclosed the information, as
11         set forth in the written contract.
12             (C) The nonpublic personal information provided to
13         the affiliate or nonaffiliated third party is limited
14         to that which is necessary for the affiliate or
15         nonaffiliated third party to perform the services
16         contracted for on behalf of the financial institution.
17             (D) The financial institution does not receive any
18         payment from or through the affiliate or nonaffiliated
19         third party in connection with, or as a result of, the
20         release of the nonpublic personal information.
21         (10) The nonpublic personal information is released to
22     identify or locate missing and abducted children,
23     witnesses, criminals and fugitives, parties to lawsuits,
24     parents delinquent in child support payments, organ and
25     bone marrow donors, pension fund beneficiaries, and
26     missing heirs.
1         (11) The nonpublic personal information is released to
2     a real estate appraiser licensed or certified by the State
3     and the nonpublic personal information is compiled
4     strictly to complete other real estate appraisals and is
5     not used for any other purpose.
6         (12) The nonpublic personal information is released as
7     required by Title III of the federal United and
8     Strengthening America by Providing Appropriate Tools
9     Required to Intercept and Obstruct Terrorism Act of 2001
10     (USA Patriot Act; P.L. 107-56).
11         (13) The nonpublic personal information is released
12     either to a consumer reporting agency pursuant to the Fair
13     Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from
14     a consumer report reported by a consumer reporting agency.
15         (14) The nonpublic personal information is released in
16     connection with a written agreement between a consumer and
17     a broker-dealer registered under the Securities Exchange
18     Act of 1934 or an investment adviser registered under the
19     Investment Advisers Act of 1940 to provide investment
20     management services, portfolio advisory services, or
21     financial planning, and the nonpublic personal information
22     is released for the sole purpose of providing the products
23     and services covered by that agreement.
24     (c) Nothing in this Act is intended to change existing law
25 relating to access by law enforcement agencies to information
26 held by financial institutions.

1     Section 45. Application.
2     (a) The provisions of this Act do not apply to any person
3 or entity that meets the requirements of paragraph (1) or (2)
4 below. However, when nonpublic personal information is being or
5 will be shared by a person or entity meeting the requirements
6 of paragraph (1) or (2) with an affiliate or nonaffiliated
7 third party, this Act shall apply.
8         (1) The person or entity is licensed in one or both of
9     the following categories and is acting within the scope of
10     the respective license or certificate:
11             (A) As an insurance producer, certified under the
12         Illinois Insurance Code, as a registered investment
13         adviser under the Illinois Securities Law of 1953, or
14         as an investment adviser pursuant to Section
15         202(a)(11) of the federal Investment Advisers Act of
16         1940.
17             (B) Is licensed to sell securities by the National
18         Association of Securities Dealers (NASD).
19         (2) The person or entity meets the requirements in
20         paragraph (1) and has a written contractual agreement
21         with another person or entity described in paragraph
22         (1) and the contract clearly and explicitly includes
23         the following:
24             (A) The rights and obligations between the
25         licensees arising out of the business relationship
1         relating to insurance or securities transactions.
2             (B) An explicit limitation on the use of nonpublic
3         personal information about a consumer to transactions
4         authorized by the contract and permitted pursuant to
5         this Act.
6             (C) A requirement that transactions specified in
7         the contract fall within the scope of activities
8         permitted by the licenses of the parties.
9     (b) The restrictions on disclosure and use of nonpublic
10 personal information, and the requirement for notification and
11 disclosure provided in this Act, shall not limit the ability of
12 insurance producers and brokers to respond to written or
13 electronic, including telephone, requests from consumers
14 seeking price quotes on insurance products and services or to
15 obtain competitive quotes to renew an existing insurance
16 contract, provided that any nonpublic personal information
17 disclosed pursuant to this subsection shall not be used or
18 disclosed except in the ordinary course of business in order to
19 obtain those quotes.
20     (c)(1) The disclosure or sharing of personal information
21 from an insurer, as defined in Article XL of the Illinois
22 Insurance Code, or its affiliates to an agent whose contractual
23 or employment relationship requires that the agent offer only
24 the insurer's policies for sale or financial products or
25 services that meet the requirements of paragraph (2) of
26 subsection (b) of Section 20 and are authorized by the insurer,
1 or whose contractual or employment relationship with an insurer
2 gives the insurer the right of first refusal for all policies
3 of insurance by the agent, and who may not share nonpublic
4 personal information with any insurer other than the insurer
5 with whom the agent has a contractual or employment
6 relationship as described above, is not a violation of this
7 Act, provided that the agent may not disclose nonpublic
8 personal information to any party except as permitted by this
9 Act. An insurer or its affiliates do not disclose or share
10 nonpublic personal information with exclusive agents merely
11 because information is maintained in common information
12 systems or databases, and exclusive agents of the insurer or
13 its affiliates have access to those common information systems
14 or databases, provided that where a consumer has exercised his
15 or her rights to prohibit disclosure pursuant to this Act,
16 nonpublic personal information is not further disclosed or used
17 by an exclusive agent except as permitted by this Act.
18     (2) Nothing in this subsection is intended to affect the
19 sharing of information allowed in subsection (a) or subsection
20 (b).
 
21     Section 50. Negligence.
22     (a) An entity that negligently discloses or shares
23 nonpublic personal information in violation of this Act shall
24 be liable, irrespective of the amount of damages suffered by
25 the consumer as a result of that violation, for a civil penalty
1 not to exceed $2,500 per violation. However, if the disclosure
2 or sharing results in the release of nonpublic personal
3 information of more than one individual, the total civil
4 penalty awarded pursuant to this subsection shall not exceed
5 $500,000.
6     (b) An entity that knowingly and willfully obtains,
7 discloses, shares, or uses nonpublic personal information in
8 violation of this Act shall be liable for a civil penalty not
9 to exceed $2,500 per individual violation, irrespective of the
10 amount of damages suffered by the consumer as a result of that
11 violation.
12     (c) In determining the penalty to be assessed pursuant to a
13 violation of this Act, the court shall take into account the
14 following factors:
15         (1) The total assets and net worth of the violating
16     entity.
17         (2) The nature and seriousness of the violation.
18         (3) The persistence of the violation, including any
19     attempts to correct the situation leading to the violation.
20         (4) The length of time over which the violation
21     occurred.
22         (5) The number of times the entity has violated this
23     Act.
24         (6) The harm caused to consumers by the violation.
25         (7) The level of proceeds derived from the violation.
26         (8) The impact of possible penalties on the overall
1     fiscal solvency of the violating entity.
2     (d) In the event a violation of this Act results in the
3 identity theft of a consumer, as defined by Article 16g of the
4 Criminal Code, the civil penalties set forth in this Section
5 shall be doubled.
6     (e) The civil penalties provided for in this Section shall
7 be exclusively assessed and recovered in a civil action brought
8 in the name of the people of the State of Illinois in any court
9 of competent jurisdiction by any of the following:
10         (1) The Attorney General.
11         (2) The functional regulator with jurisdiction over
12     regulation of the financial institution as follows:
13             (A) In the case of banks, savings associations,
14         credit unions, commercial lending companies, and bank
15         holding companies, by the Department of Financial
16         Institutions or the Office of Banks and Real Estate, or
17         the appropriate federal authority;
18             (B) in the case of any person engaged in the
19         business of insurance, by the Department of Insurance;
20             (C) in the case of any investment broker or dealer,
21         investment company, investment advisor, residential
22         mortgage lender or finance lender, by the Illinois
23         Secretary of State; and
24             (D) in the case of a financial institution not
25         subject to the jurisdiction of any functional
26         regulator listed under subparagraphs (A) to (C),
1         inclusive, above, by the Attorney General.
 
2     Section 55. Authority of departments or agencies. Nothing
3 in this Act shall be construed as altering or annulling the
4 authority of any department or agency of the state to regulate
5 any financial institution subject to its jurisdiction.
 
6     Section 90. Severability. The provisions of this Act shall
7 be severable, and if any phrase, clause, sentence, or provision
8 is declared to be invalid or is preempted by federal law or
9 regulation, the validity of the remainder of this Act shall not
10 be affected thereby.