Full Text of HB3358 101st General Assembly
HB3358ham003 101ST GENERAL ASSEMBLY
Rep. Arthur Turner
Filed: 4/9/2019
10100HB3358ham003 LRB101 11180 TAE 59624 a
AMENDMENT TO HOUSE BILL 3358

AMENDMENT NO. ______. Amend House Bill 3358, AS AMENDED, by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Legislative findings. The General Assembly hereby finds and declares that:
(1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their
children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
(2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
(3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other
personal details with third-party companies.
(4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content. "Consumer" does not include a natural person from whom personal information is collected while that natural person is acting in an employment context.

"Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any third party.
"Disclose" does not include:
(1) the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties unless those additional third parties (i) are allowed by the contract to further the specified services and (ii) the additional third parties are subject to the same restrictions imposed by this subsection;
(2) disclosure of personal information by a private entity to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order; or
(3) disclosure of personal information by a private
entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.

"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that is linked or can reasonably be linked, directly or indirectly, to a particular consumer, including, but not limited to, identifiers such as a real name, alias, signature, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, bank account number, credit card number, debit card number, or any other financial account information, unique personal identifier, geolocation, or biometric information.

"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
(1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
(2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(3) Derives 50% or more of its annual revenues from selling consumers' personal information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Sale" or "sell" means the exchange of a consumer's personal information for purposes of licensing, renting or selling personal information by the private entity to a third party for monetary or other valuable consideration.
"Sale" or "sell" does not include circumstances in which:
(1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent
with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.
(2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.
(3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
(4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall
provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

"Third party" means:
(1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;
(2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
(3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.

"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request. A consumer shall not be required to create an account with the operator in order to make a verified request, and the method for exercising the rights set forth in
this Act shall be reasonably accessible and not be overly burdensome on the consumer.

Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its Internet website or online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
(1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;
(2) identify all categories of third parties with whom the operator may disclose that personal information;
(3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
(4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
(5) describe the process by which the operator notifies
consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
(6) state the effective date of the notice;
(7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.

Section 20. Right to know.

(a) An operator that discloses personal information to a third party shall make the following information available to a consumer, free of charge, upon receipt of a verified request:
(1) the categories of personal information that were disclosed about the consumer; and
(2) the categories of third parties and the approximate number of third parties that received the consumer's personal information.

(b) Notwithstanding the other provisions of this Section, a parent or legal guardian of a consumer under the age of 13 may submit a verified request under this Section on behalf of that consumer.

(c) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the
consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall be done in a way and fashion that is not overly burdensome, shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information, and shall be posted in a conspicuous place that is readily and easily accessible to a consumer. This Section applies only to operators that sell personal information. This Section only applies to personal information sold after the effective date of this Act.

Section 30. Response to verified requests.

(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.

(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 13 more
than once in any 12-month period.

Section 35. Enforcement. The Attorney General shall have exclusive authority to enforce this Act, and there shall be no private right of action to enforce violations under this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.

Section 45. Construction.

(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
(1) Comply with federal, state, or local laws.
(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
(3) Cooperate with law enforcement agencies concerning conduct or activity that the operator, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
(4) Exercise or defend legal claims.

(b) Nothing in this Act applies to a health care provider or other covered entity subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(c) Nothing in this Act applies in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.

(d) Nothing in this Act applies to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

(e) Nothing in this Act applies to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act applies to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.

(g) Nothing in this Act applies to an entity maintaining a place of business in this State that collects sales taxes under
the Retailers' Occupation Tax Act who uses personal information for purposes of selling, moving, or delivering tangible personal property at retail with respect to such sales at retail and (i) is a retailer's wholly owned retail subsidiary or service provider processing personal information on behalf of the retailer; (ii) is a party to a merchant card agreement to process a consumer transaction at the sale of retail in accordance with the agreement; (iii) administers a private label credit card or owns a private label administered by a third party in accordance with the agreement; (iv) collects sales tax on behalf of the consumer as a result of a sale at retail as authorized by the Department of Revenue; (v) is subject to the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated thereunder; (vi) provides Medicaid benefits to Illinois consumers through sales at retail as is authorized by the Department of Healthcare and Family Services; or (vii) provides Supplemental Nutrition Assistance Program (SNAP) or special supplemental nutrition program for women, infants, and children (WIC) benefits to consumers in Illinois through sales at retail as authorized by the United States Department of Agriculture and the Illinois Department of Human Services.

(h) Nothing in this Act applies to the following entities and affiliates, as defined in 17 CFR 230.405, of any such entities: telecommunications carriers as defined in Section 13-202 of the Public Utilities Act and wireless carriers as
defined in Section 2 of the Emergency Telephone System Act.

(i) Nothing in this Act restricts a private entity's ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the private entity collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.

Section 99. Effective date. This Act takes effect April 1, 2020.".