Rep. John M. Cabello

Filed: 3/22/2024

 

 


 

 


 
10300HB4447ham003LRB103 34729 SPS 71326 a

AMENDMENT TO HOUSE BILL 4447

    AMENDMENT NO. ______. Amend House Bill 4447 by replacing everything after the enacting clause with the following:

    "Section 1. Short title. This Act may be cited as the Data Broker Registration Act.

    Section 5. Definitions. As used in this Act:
    "Brokered personal information" means one or more of the following computerized data elements about an individual, if categorized or organized for dissemination to third parties:
        (1) name;
        (2) address;
        (3) date of birth;
        (4) place of birth;
        (5) mother's maiden name;
        (6) unique biometric data generated from measurements or technical analysis of human body characteristics used
        by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
        (7) name or address of a member of the individual's immediate family or household;
        (8) Social Security number or other government-issued identification number; and
        (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.
    "Brokered personal information" does not include publicly available information.
    "Data broker" means a business or a unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of an individual with whom the business does not have a direct relationship. A direct relationship with a business includes if the individual is a past or present: (i) customer, client, subscriber, user, or registered user of the business's goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.
    "Data broker" does not include a business that conducts the following activities and the collection, sale, or
    licensing of brokered personal information incidental to conducting the activities:
        (1) developing or maintaining third-party e-commerce or application platforms;
        (2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
        (3) collecting or transmitting information to be submitted to a State or federal agency for the purpose of performing a lawful check of criminal history record information using fingerprints or receiving the results of that check;
        (4) collecting, maintaining, disclosing, selling, communicating, or using any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.;
        (5) collecting, processing, selling, or disclosing personal data in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.; or
        (6) preventing, detecting, protecting against, or responding to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserving the integrity or security of systems; or investigating, reporting, or prosecuting individuals responsible for any such action.
    "Data broker" also does not include:
        (1) financial institutions, affiliates of financial institutions, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.;
        (2) insurance companies and insurance support organizations; or
        (3) law enforcement agencies, law enforcement support organizations, and law enforcement vendors.
    "Publicly available information" means information that is lawfully made available through federal, State, or local government records or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

    Section 10. Annual registration.
    (a) Annually, on or before January 31, a data broker operating in this State shall:
        (1) register with the Secretary of State;
        (2) pay a registration fee of $100 for use by the Secretary of State to administer and enforce this Section; and
        (3) provide the following information:
            (A) the name and primary physical, e-mail, and Internet addresses of the data broker;
            (B) if the data broker permits an individual to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
                (i) the method for requesting an opt-out;
                (ii) which activities or sales the opt-out applies to; and
                (iii) whether the data broker permits an individual to authorize a third party to perform the opt-out on the individual's behalf;
            (C) a statement specifying the data collection, databases or sales activities from which an individual may not opt out;
            (D) a statement whether the data broker implements a purchaser credentialing process;
            (E) the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of individuals affected by the breaches;
            (F) if the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
            (G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.
    (b) The Secretary of State shall publish on its website a list of registered data brokers and update the list annually.
    (c) A data broker that fails to register as required under this Section shall pay: (1) a civil penalty of $50 for each day, not to exceed a total of $10,000 for each year, it fails to register; (2) an amount equal to the fees due under this Section during the period it failed to register as required under this Section; and (3) other penalties imposed by law.
    (d) The Secretary of State may revoke or suspend the registration of an individual or entity for a period of up to one year, or bar an individual or entity from applying for registration for a period of up to one year, for failure to register or to pay any fee, fine, or penalty under this Act. All fees, fines, and penalties shall be paid prior to reinstatement or registration of any individual or entity required to register as a data broker.
    (e) The Secretary of State may adopt rules to implement
    and administer this Section.

    Section 15. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act.

    Section 90. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Sections 2EEEE and 2FFFF as follows:

    (815 ILCS 505/2EEEE new)
    Sec. 2EEEE. Motor vehicle extended warranty.
    (a) As used in this Section, "extended warranty" means any contract or agreement indemnifying the service agreement holder for the motor vehicle listed on the service agreement and arising out of the ownership, operation, and use of the motor vehicle against loss caused by failure of any mechanical or other component part, or any mechanical or other component part that does not function as it was originally intended. "Extended warranty" does not include the usual performance guarantees by manufacturers or dealers in connection with the sale of motor vehicles.
    (b) It is an unlawful practice within the meaning of this
    Act for any person to solicit the purchase of an extended warranty through the mail.
    (c) This Section does not apply to the seller of a motor vehicle who solicits the purchase of an extended warranty for that motor vehicle.

    (815 ILCS 505/2FFFF new)
    Sec. 2FFFF. Violations of the Data Broker Registration Act. Any person who violates the Data Broker Registration Act commits an unlawful practice within the meaning of this Act.

    Section 95. The Personal Information Protection Act is amended by changing Section 5 as follows:

    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach
    of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
    "Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
    "Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
    "Personal information" means either of the following:
        (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
            (A) Social Security number.
            (B) Driver's license number or State identification card number.
            (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
            (D) Medical information.
            (E) Health insurance information.
            (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
            (G) Home purchasing information.
        (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
    "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(Source: P.A. 99-503, eff. 1-1-17.)".