Rep. John M. Cabello

Filed: 3/14/2024

10300HB4447ham001 LRB103 34729 SPS 70757 a

AMENDMENT TO HOUSE BILL 4447

    AMENDMENT NO. ______. Amend House Bill 4447 by replacing
everything after the enacting clause with the following:

    "Section 1. Short title. This Act may be cited as the Data
Broker Registration Act.
 
    Section 5. Definitions. As used in this Act:
    "Brokered personal information" means one or more of the
following computerized data elements about an individual, if
categorized or organized for dissemination to third parties:
        (1) name;
        (2) address;
        (3) date of birth;
        (4) place of birth;
        (5) mother's maiden name;
        (6) unique biometric data generated from measurements
    or technical analysis of human body characteristics used
    by the owner or licensee of the data to identify or
    authenticate the individual, such as a fingerprint, retina
    or iris image, or other unique physical representation or
    digital representation of biometric data;
        (7) name or address of a member of the individual's
    immediate family or household;
        (8) social Security number or other government-issued
    identification number; and
        (9) other information that, alone or in combination
    with the other information sold or licensed, would allow a
    reasonable person to identify the individual with
    reasonable certainty.
    "Brokered personal information" does not include publicly
available information to the extent that it is related to an
individual's business or profession.
    "Data broker" means a business or a unit of a business,
separately or together, that knowingly collects and sells or
licenses to third parties the brokered personal information of
an individual with whom the business does not have a direct
relationship. A direct relationship with a business includes
if the individual is a past or present: (i) customer, client,
subscriber, user, or registered user of the business's goods
or services; (ii) employee, contractor, or agent of the
business; (iii) investor in the business; or (iv) donor to the
business.
    "Data broker" does not include a business that conducts
the following activities and the collection, sale, or
licensing of brokered personal information incidental to
conducting the activities:
        (1) developing or maintaining third-party e-commerce
    or application platforms; or
        (2) providing 411 directory assistance or directory
    information services, including name, address, and
    telephone number, on behalf of or as a function of a
    telecommunications carrier.
 
    Section 10. Annual registration.
    (a) Annually, on or before January 31, a data broker
operating in this State shall:
        (1) register with the Secretary of State;
        (2) pay a registration fee of $100 for use by the
    Secretary of State to administer and enforce this Section;
    and
        (3) provide the following information:
            (A) the name and primary physical, e-mail, and
        Internet addresses of the data broker;
            (B) if the data broker permits an individual to
        opt out of the data broker's collection of brokered
        personal information, opt out of its databases, or opt
        out of certain sales of data:
                (i) the method for requesting an opt-out;
                (ii) which activities or sales the opt-out
            applies to; and
                (iii) whether the data broker permits an
            individual to authorize a third party to perform
            the opt-out on the individual's behalf;
            (C) a statement specifying the data collection,
        databases or sales activities from which an individual
        may not opt out;
            (D) a statement whether the data broker implements
        a purchaser credentialing process;
            (E) the number of data broker security breaches
        that the data broker has experienced during the prior
        year and, if known, the total number of individuals
        affected by the breaches;
            (F) if the data broker has actual knowledge that
        it possesses the brokered personal information of
        minors, a separate statement detailing the data
        collection practices, databases, sales activities, and
        opt-out policies that are applicable to the brokered
        personal information of minors; and
            (G) any additional information or explanation the
        data broker chooses to provide concerning its data
        collection practices.
    (b) The Secretary of State shall publish on its website a
list of registered data brokers and update the list annually.
    (c) A data broker that fails to register as required under
this Section shall pay a civil penalty of $50 for each day, not
to exceed a total of $10,000 for each year, it fails to
register; (2) an amount equal to the fees due under this
Section during the period it failed to register as required
under this Section; and (3) other penalties imposed by law.
    (d) The Secretary of State may revoke or suspend the
registration of an individual or entity for a period of up to
one year, or bar an individual or entity from applying for
registration for a period of up to one year, for failure to
register or to pay any fee, fine, or penalty under this Act.
All fees, fines, and penalties shall be paid prior to
reinstatement or registration of any individual or entity
required to register as a data broker.
    (e) The Secretary of State may adopt rules to implement
and administer this Section.
 
    Section 15. Enforcement. A violation of this Act
constitutes an unlawful practice under the Consumer Fraud and
Deceptive Business Practices Act. All remedies, penalties, and
authority granted to the Attorney General by the Consumer
Fraud and Deceptive Business Practices Act shall be available
to him or her for the enforcement of this Act.

    Section 90. The Consumer Fraud and Deceptive Business
Practices Act is amended by adding Section 2EEEE and 2FFFF as
follows:

    (815 ILCS 505/2EEEE new)
    Sec. 2EEEE. Motor vehicle extended warranty.
    (a) As used in this Section, "extended warranty" means any
contract or agreement indemnifying the service agreement
holder for the motor vehicle listed on the service agreement
and arising out of the ownership, operation, and use of the
motor vehicle against loss caused by failure of any mechanical
or other component part, or any mechanical or other component
part that does not function as it was originally intended.
"Extended warranty" does not include the usual performance
guarantees by manufacturers or dealers in connection with the
sale of motor vehicles.
    (b) It is an unlawful practice within the meaning of this
Act for any person to solicit the purchase of an extended
warranty through the mail.
    (c) This Section does not apply to the seller of a motor
vehicle who solicits the purchase of an extended warranty for
that motor vehicle.

    (815 ILCS 505/2FFFF new)
    Sec. 2FFFF. Violations of the Data Broker Registration
Act. Any person who violates the Data Broker Registration Act
commits an unlawful practice within the meaning of this Act.
 
    Section 95. The Personal Information Protection Act is
amended by changing Section 5 as follows:

    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Data collector" may include, but is not limited to,
government agencies, public and private universities,
privately and publicly held corporations, financial
institutions, retail operators, and any other entity that, for
any purpose, handles, collects, disseminates, or otherwise
deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach"
means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of
personal information maintained by the data collector. "Breach
of the security of the system data" does not include good faith
acquisition of personal information by an employee or agent of
the data collector for a legitimate purpose of the data
collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or
subject to further unauthorized disclosure.
    "Health insurance information" means an individual's
health insurance policy number or subscriber identification
number, any unique identifier used by a health insurer to
identify the individual, or any medical information in an
individual's health insurance application and claims history,
including any appeals records.
    "Medical information" means any information regarding an
individual's medical history, mental or physical condition, or
medical treatment or diagnosis by a healthcare professional,
including such information provided to a website or mobile
application.
    "Personal information" means either of the following:
        (1) An individual's first name or first initial and
    last name in combination with any one or more of the
    following data elements, when either the name or the data
    elements are not encrypted or redacted or are encrypted or
    redacted but the keys to unencrypt or unredact or
    otherwise read the name or data elements have been
    acquired without authorization through the breach of
    security:
            (A) Social Security number.
            (B) Driver's license number or State
        identification card number.
            (C) Account number or credit or debit card number,
        or an account number or credit card number in
        combination with any required security code, access
        code, or password that would permit access to an
        individual's financial account.
            (D) Medical information.
            (E) Health insurance information.
            (F) Unique biometric data generated from
        measurements or technical analysis of human body
        characteristics used by the owner or licensee to
        authenticate an individual, such as a fingerprint,
        retina or iris image, or other unique physical
        representation or digital representation of biometric
        data.
            (G) Motor vehicle purchasing information.
            (H) Home purchasing information.
        (2) User name or email address, in combination with a
    password or security question and answer that would permit
    access to an online account, when either the user name or
    email address or password or security question and answer
    are not encrypted or redacted or are encrypted or redacted
    but the keys to unencrypt or unredact or otherwise read
    the data elements have been obtained through the breach of
    security.
    "Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, State, or local government records.
(Source: P.A. 99-503, eff. 1-1-17.)".