|
|||||||||||||||||||||||||
|
|||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
1 | AN ACT concerning business.
| ||||||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| ||||||||||||||||||||||||
3 | represented in the General Assembly:
| ||||||||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the | ||||||||||||||||||||||||
5 | Consumer Protection Against Computer Spyware Act. | ||||||||||||||||||||||||
6 | Section 5. Definitions. In this Act: | ||||||||||||||||||||||||
7 | "Advertisement" means a communication that
includes the | ||||||||||||||||||||||||
8 | promotion of a commercial product or service,
including | ||||||||||||||||||||||||
9 | communication on an Internet website operated for a
commercial | ||||||||||||||||||||||||
10 | purpose.
| ||||||||||||||||||||||||
11 | "Cause computer software to be copied" means to
distribute | ||||||||||||||||||||||||
12 | or transfer computer software or a component of computer
| ||||||||||||||||||||||||
13 | software. The term does not include:
| ||||||||||||||||||||||||
14 | (1) the transmission or routing of computer
software or | ||||||||||||||||||||||||
15 | a component of the software;
| ||||||||||||||||||||||||
16 | (2) the provision of intermediate temporary
storage or | ||||||||||||||||||||||||
17 | caching of software;
| ||||||||||||||||||||||||
18 | (3) the provision of a storage medium, such as a
| ||||||||||||||||||||||||
19 | compact disk;
| ||||||||||||||||||||||||
20 | (4) a website; | ||||||||||||||||||||||||
21 | (5) the distribution of computer software by a
third | ||||||||||||||||||||||||
22 | party through a computer server; or
| ||||||||||||||||||||||||
23 | (6) the provision of an information location
tool, such |
| |||||||
| |||||||
1 | as a directory, index, reference, pointer, or hypertext
| ||||||
2 | link, through which the user of a computer is able to | ||||||
3 | locate
computer software.
| ||||||
4 | "Computer software" means a sequence of
instructions | ||||||
5 | written in a programming language that is executed on
a | ||||||
6 | computer. The term does not include:
| ||||||
7 | (1) a web page; or | ||||||
8 | (2) a data component of a web page that cannot be
| ||||||
9 | executed independently of that page.
| ||||||
10 | "Damage" means,
with respect to a computer, significant | ||||||
11 | impairment to the integrity or availability of data,
computer | ||||||
12 | software, a system, or information.
| ||||||
13 | "Execute" means, with respect to computer software,
to | ||||||
14 | perform a function or carry out instructions.
| ||||||
15 | "Keystroke-logging function" means a function of a
| ||||||
16 | computer software program that records all keystrokes made by a
| ||||||
17 | person using a computer and transfers that information from the
| ||||||
18 | computer to another person.
| ||||||
19 | "Owner or operator of a computer" means the owner
or lessee | ||||||
20 | of a computer or an individual using a computer with the
| ||||||
21 | authorization of the owner or lessee of the computer. "Owner or | ||||||
22 | operator of a computer" does not
include the person who owned | ||||||
23 | the computer before the date on which
the computer was sold if | ||||||
24 | a computer
was sold at retail.
| ||||||
25 | "Person" means any individual, partnership,
corporation, | ||||||
26 | limited liability company, or other organization or a
|
| |||||||
| |||||||
1 | combination of those organizations.
| ||||||
2 | "Personally identifiable information", with
respect to an | ||||||
3 | individual who is the owner or operator of a computer,
means:
| ||||||
4 | (1) the first name or first initial in combination
with | ||||||
5 | the last name;
| ||||||
6 | (2) a home or other physical address, including
street | ||||||
7 | name;
| ||||||
8 | (3) an electronic mail address; | ||||||
9 | (4) a credit or debit card number; | ||||||
10 | (5) a bank account number; | ||||||
11 | (6) a password or access code associated with a
credit | ||||||
12 | or debit card or bank account;
| ||||||
13 | (7) a social security number, tax identification
| ||||||
14 | number, driver's license number, passport number, or other
| ||||||
15 | government-issued identification number; or
| ||||||
16 | (8) any of the following information if the
information | ||||||
17 | alone or in combination with other information
personally | ||||||
18 | identifies the individual:
| ||||||
19 | (A) account balances; | ||||||
20 | (B) overdraft history; or | ||||||
21 | (C) payment history. | ||||||
22 | Section 10. Applicability of Act. | ||||||
23 | (a) Section
20, other than subdivision (1) of that Section, | ||||||
24 | and Sections
25 and 35 do not apply to a telecommunications | ||||||
25 | carrier,
cable operator, computer hardware or software |
| |||||||
| |||||||
1 | provider, or provider
of information service or interactive | ||||||
2 | computer service that
monitors or has interaction with a | ||||||
3 | subscriber's Internet or other
network connection or service or | ||||||
4 | a protected computer for the following:
| ||||||
5 | (1) network or computer security purposes; | ||||||
6 | (2) diagnostics, technical support, or repair
| ||||||
7 | purposes;
| ||||||
8 | (3) authorized updates of computer software or system
| ||||||
9 | firmware;
| ||||||
10 | (4) authorized remote system management; or | ||||||
11 | (5) detection or prevention of unauthorized use of or
| ||||||
12 | fraudulent or other illegal activities in connection with a
| ||||||
13 | network, service, or computer software, including scanning | ||||||
14 | for and
removing software proscribed under this Act.
| ||||||
15 | (b) This Act does not apply to the following: | ||||||
16 | (1) the use of a navigation device, any interaction
| ||||||
17 | with a navigation device, or the installation or use of | ||||||
18 | computer
software on a navigation device by a multichannel | ||||||
19 | video programming
distributor or video programmer in | ||||||
20 | connection with the provision of
multichannel video | ||||||
21 | programming or other services offered over a
multichannel | ||||||
22 | video programming system if the provision of the
| ||||||
23 | programming or other service is subject to 47 U.S.C. | ||||||
24 | Section 338
or 551; or
| ||||||
25 | (2) the collection or disclosure of subscriber
| ||||||
26 | information by a multichannel video programming |
| |||||||
| |||||||
1 | distributor or
video programmer in connection with the | ||||||
2 | provision of multichannel
video programming or other | ||||||
3 | services offered over a multichannel
video programming | ||||||
4 | system if the collection or disclosure of the
information | ||||||
5 | is subject to 47 U.S.C. Section 338 or 551.
| ||||||
6 | (c) In this Section, "multichannel video programming
| ||||||
7 | distributor" has the meaning assigned by 47 U.S.C. Section | ||||||
8 | 522(13).
| ||||||
9 | (d) A manufacturer or retailer of computer equipment shall | ||||||
10 | not be liable under this Act to the extent that the | ||||||
11 | manufacturer or retailer is providing third-party branded | ||||||
12 | software loaded on the equipment they are manufacturing or | ||||||
13 | selling. | ||||||
14 | Section 15. Unauthorized collection or culling of
| ||||||
15 | personally identifiable information. If a person is not the | ||||||
16 | owner
or operator of the computer, the person may not knowingly | ||||||
17 | cause
computer software to be copied to a computer in this | ||||||
18 | State and use
the software to do any of the following:
| ||||||
19 | (1) collect, through intentionally deceptive means: | ||||||
20 | (A) personally identifiable information by using
a | ||||||
21 | keystroke-logging function; or
| ||||||
22 | (B) personally identifiable information in a
| ||||||
23 | manner that correlates that information with | ||||||
24 | information regarding
all or substantially all of the | ||||||
25 | websites visited by the owner or
operator of the |
| |||||||
| |||||||
1 | computer, other than websites operated by the
person | ||||||
2 | collecting the information; or
| ||||||
3 | (2) gather, through intentionally deceptive means, the
| ||||||
4 | following kinds of personally identifiable information | ||||||
5 | from the
consumer's computer hard drive for a purpose | ||||||
6 | wholly unrelated to
any of the purposes of the software or | ||||||
7 | service described to an owner
or operator of the computer:
| ||||||
8 | (A) a credit or debit card number; | ||||||
9 | (B) a bank account number; | ||||||
10 | (C) a password or access code associated with a
| ||||||
11 | credit or debit card number or a bank account;
| ||||||
12 | (D) a social security number; | ||||||
13 | (E) account balances; or | ||||||
14 | (F) overdraft history. | ||||||
15 | Section 20. Unauthorized access to or modifications of
| ||||||
16 | computer settings; computer damage. If a person is not the | ||||||
17 | owner or
operator of the computer, the person may not knowingly | ||||||
18 | cause
computer software to be copied to a computer in this | ||||||
19 | State and use
the software to do any of the following:
| ||||||
20 | (1) Modify, through intentionally deceptive means, a
| ||||||
21 | setting that controls:
| ||||||
22 | (A) the page that appears when an Internet
browser | ||||||
23 | or a similar software program is launched to access and
| ||||||
24 | navigate the Internet;
| ||||||
25 | (B) the default provider or web proxy used to
|
| |||||||
| |||||||
1 | access or search the Internet; or
| ||||||
2 | (C) a list of bookmarks used to access web pages. | ||||||
3 | (2) Take control of the computer by: | ||||||
4 | (A) accessing or using the computer's modem or
| ||||||
5 | Internet service to:
| ||||||
6 | (i) cause damage to the computer; | ||||||
7 | (ii) cause the owner or operator of the
| ||||||
8 | computer to incur financial charges for a service | ||||||
9 | not previously
authorized by the owner or | ||||||
10 | operator; or
| ||||||
11 | (iii) cause a third party affected by the
| ||||||
12 | conduct to incur financial charges for a service | ||||||
13 | not previously
authorized by the third party; or
| ||||||
14 | (B) opening, without the consent of the owner or
| ||||||
15 | operator of the computer, an advertisement that:
| ||||||
16 | (i) is in the owner's or operator's Internet
| ||||||
17 | browser in a multiple, sequential, or stand-alone | ||||||
18 | form; and
| ||||||
19 | (ii) cannot be closed by an ordinarily
| ||||||
20 | reasonable person using the computer without | ||||||
21 | closing the browser or
shutting down the computer.
| ||||||
22 | (3) Modify settings on the computer that relate to
| ||||||
23 | access to or use of the Internet and protection of | ||||||
24 | information for
purposes of stealing personally | ||||||
25 | identifiable information of the
owner or operator of the | ||||||
26 | computer.
|
| |||||||
| |||||||
1 | (4) Modify security settings on the computer relating
| ||||||
2 | to access to or use of the Internet for purposes of causing | ||||||
3 | damage
to one or more computers.
| ||||||
4 | Section 25. Unauthorized interference with installation
or | ||||||
5 | disabling of computer software. If a person is not the owner or
| ||||||
6 | operator of the computer, the person may not knowingly cause
| ||||||
7 | computer software to be copied to a computer in this State and | ||||||
8 | use
the software to do any of the following:
| ||||||
9 | (1) Prevent, through intentionally deceptive means,
| ||||||
10 | reasonable efforts of the owner or operator of the computer | ||||||
11 | to block
the installation or execution of or to disable | ||||||
12 | computer software by
causing computer software that the | ||||||
13 | owner or operator has properly
removed or disabled to | ||||||
14 | automatically reinstall or reactivate on the
computer.
| ||||||
15 | (2) Intentionally misrepresent to another that
| ||||||
16 | computer software will be uninstalled or disabled by the | ||||||
17 | actions of
the owner or operator of the computer.
| ||||||
18 | (3) Remove, disable, or render inoperative, through
| ||||||
19 | intentionally deceptive means, security, antispyware, or | ||||||
20 | antivirus
computer software installed on the computer. | ||||||
21 | (4) Prevent the owner's or operator's reasonable
| ||||||
22 | efforts to block the installation of or to disable computer
| ||||||
23 | software by:
| ||||||
24 | (A) presenting the owner or operator with an
option | ||||||
25 | to decline the installation of software knowing that, |
| |||||||
| |||||||
1 | when
the option is selected, the installation process | ||||||
2 | will continue to
proceed; or
| ||||||
3 | (B) misrepresenting that software has been
| ||||||
4 | disabled.
| ||||||
5 | (5) Change the name, location, or other designation of
| ||||||
6 | computer software to prevent the owner from locating and | ||||||
7 | removing
the software.
| ||||||
8 | (6) Create randomized or intentionally deceptive file
| ||||||
9 | names or random or intentionally deceptive directory | ||||||
10 | folders,
formats, or registry entries to avoid detection | ||||||
11 | and prevent the
owner from removing computer software.
| ||||||
12 | Section 30. Knowing violation. A person knowingly
violates | ||||||
13 | Section 15, 20, or 25 if the person does either of the | ||||||
14 | following:
| ||||||
15 | (1) acts with actual knowledge of the facts that
| ||||||
16 | constitute the violation; or
| ||||||
17 | (2) consciously avoids information that would
| ||||||
18 | establish actual knowledge of those facts.
| ||||||
19 | Section 35. Other prohibited conduct. If a person is not
| ||||||
20 | the owner or operator of the computer, the person may not do | ||||||
21 | any of the following:
| ||||||
22 | (1) induce the owner or operator of a computer in this
| ||||||
23 | State to install a computer software component to the | ||||||
24 | computer by
intentionally misrepresenting the extent to |
| |||||||
| |||||||
1 | which the installation
is necessary for security or privacy | ||||||
2 | reasons, to open or view text,
or to play a particular type | ||||||
3 | of musical or other content; or
| ||||||
4 | (2) copy and execute or cause the copying and
execution | ||||||
5 | of a computer software component to a computer in this
| ||||||
6 | State in a deceptive manner with the intent of causing the | ||||||
7 | owner or
operator of the computer to use the component in a | ||||||
8 | manner that
violates this Act.
| ||||||
9 | Section 40. Deceptive act or omission. For purposes of
this | ||||||
10 | Act, a person is considered to have acted through
intentionally | ||||||
11 | deceptive means if the person, with the intent to
deceive an | ||||||
12 | owner or operator of a computer, does any of the following:
| ||||||
13 | (1) intentionally makes a materially false or
| ||||||
14 | fraudulent statement;
| ||||||
15 | (2) intentionally makes a statement or uses a
| ||||||
16 | description that omits or misrepresents material | ||||||
17 | information; or
| ||||||
18 | (3) intentionally and materially fails to provide to
| ||||||
19 | the owner or operator any notice regarding the installation | ||||||
20 | or
execution of computer software.
| ||||||
21 | Section 45. Civil remedy. | ||||||
22 | (a) The following persons, if
adversely affected by the | ||||||
23 | violation, may bring a civil action
against a person who | ||||||
24 | violates this Act:
|
| |||||||
| |||||||
1 | (1) a provider of computer hardware or software; | ||||||
2 | (2) an owner of a web page or trademark; | ||||||
3 | (3) a telecommunications carrier; | ||||||
4 | (4) a cable operator; or | ||||||
5 | (5) an Internet service provider. | ||||||
6 | (b) In addition to any other remedy provided by law and
| ||||||
7 | except as provided by subsection (g) of this Section, a person | ||||||
8 | bringing an action
under this Section may:
| ||||||
9 | (1) seek injunctive relief to restrain the violator
| ||||||
10 | from continuing the violation;
| ||||||
11 | (2) recover damages in an amount equal to the greater
| ||||||
12 | of:
| ||||||
13 | (A) actual damages arising from the violation; or | ||||||
14 | (B) $100,000 for each violation of the same
nature; | ||||||
15 | or
| ||||||
16 | (3) both seek injunctive relief and recover damages as
| ||||||
17 | provided by this subsection (b).
| ||||||
18 | (c) The circuit court may increase an award of actual | ||||||
19 | damages in an
action brought under subsection (b) to an amount | ||||||
20 | not to exceed 3
times the actual damages sustained if the court | ||||||
21 | finds that the
violations have occurred with a frequency as to | ||||||
22 | constitute a
pattern or practice.
| ||||||
23 | (d) A plaintiff who prevails in an action filed under
| ||||||
24 | subsection (b) is entitled to recover reasonable attorneys' | ||||||
25 | fees
and court costs.
| ||||||
26 | (e) Each separate violation of this Act is an actionable
|
| |||||||
| |||||||
1 | violation.
| ||||||
2 | (f) For purposes of subsection (b), violations are of the
| ||||||
3 | same nature if the violations consist of the same course of | ||||||
4 | conduct
or action, regardless of the number of times the | ||||||
5 | conduct or act
occurred.
| ||||||
6 | (g) In the case of a violation of Section 20 that causes
a | ||||||
7 | telecommunications carrier or cable operator to incur costs for
| ||||||
8 | the origination, transportation, or termination of a call | ||||||
9 | triggered
using the modem of a customer of the | ||||||
10 | telecommunications carrier or
cable operator as a result of the | ||||||
11 | violation and in addition to any
other remedy provided by law, | ||||||
12 | a telecommunications carrier or cable
operator bringing an | ||||||
13 | action under this Section may:
| ||||||
14 | (1) apply to a court for an order to enjoin the
| ||||||
15 | violation;
| ||||||
16 | (2) recover the charges the telecommunications
carrier | ||||||
17 | or cable operator is obligated to pay to a
| ||||||
18 | telecommunications carrier, a cable operator, an other | ||||||
19 | provider of
transmission capability, or an information | ||||||
20 | service provider as a
result of the violation, including | ||||||
21 | charges for the origination,
transportation, or | ||||||
22 | termination of the call;
| ||||||
23 | (3) recover the costs of handling customer inquiries
or | ||||||
24 | complaints with respect to amounts billed for calls as a | ||||||
25 | result
of the violation;
| ||||||
26 | (4) recover other costs, including court costs, and
|
| |||||||
| |||||||
1 | reasonable attorneys' fees; or
| ||||||
2 | (5) both apply for injunctive relief and recover
| ||||||
3 | charges and other costs as provided by this subsection (g).
| ||||||
4 | Section 50. Civil penalty; injunction. | ||||||
5 | (a) A person who
violates this Act is liable to the State | ||||||
6 | for a civil penalty in
an amount not to exceed $100,000 for | ||||||
7 | each violation. The Attorney
General may bring suit to recover | ||||||
8 | the civil penalty imposed by this
subsection (a).
| ||||||
9 | (b) If it appears to the Attorney General that a person is
| ||||||
10 | engaging in, has engaged in, or is about to engage in conduct | ||||||
11 | that
violates this Act, the Attorney General may bring an | ||||||
12 | action in
the name of this State against the person to restrain | ||||||
13 | the violation
by a temporary restraining order or a permanent | ||||||
14 | or temporary
injunction.
| ||||||
15 | (c) The Attorney General is entitled to recover reasonable
| ||||||
16 | expenses incurred in obtaining injunctive relief, civil | ||||||
17 | penalties,
or both under this Section, including reasonable | ||||||
18 | attorney's fees
and court costs.
|