SB3081 102ND GENERAL ASSEMBLY

  
  

 


 
102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
SB3081

 

Introduced 1/11/2022, by Sen. Thomas Cullerton

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Do Not Track Act. Prohibits a party to a user action from tracking another user whenever the party receives a do-not-track signal indicating a user preference not to be tracked, with some exceptions. Provides that data that has been sufficiently de-identified such that it is rendered anonymous data may be processed for any purpose. Provides that a party may disregard a user's do-not-track signal when the user has given express affirmative consent to track. Provides that an organization may process data for specified uses if the organization: (i) limits the amount of identifiable data collected; (ii) limits the retention of identifiable data to no longer than what is reasonably needed for the permitted uses; (iii) uses anonymous data; (iv) processes the data separately from systems that are used for purposes other than the permitted uses; and (v) does not process the data beyond the permitted uses. Requires an organization that engages in tracking to describe, in understandable language and syntax such that an ordinary user can comprehend, its practices with respect to do-not-track signals in its privacy statement or similar notice, available through a clear and prominent link on the home page of its website. Prohibits a party from blocking a user's do-not-track signal. Provides that the Attorney General shall enforce the Act. Permits a user whose identifiable information has been processed in violation of the Act to bring a civil action in any court of competent jurisdiction. Preempts home rule powers. Effective January 1, 2023.


LRB102 23767 SPS 32958 b

 

 

A BILL FOR

 

SB3081LRB102 23767 SPS 32958 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the Do Not
5Track Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Anonymous data" means data which does not relate to an
8identified or identifiable user. Identifiable data may be
9rendered anonymous data if it has become de-identified to an
10extent that no user can be singled out or identified, either
11directly or indirectly, by that data alone or in combination
12with other data. To determine whether a user can be identified
13from the data, account should be taken of all means reasonably
14likely to be used by any party to identify the user. Data that
15has been re-identified, is shown to be capable of
16re-identification, or that is capable of being used for
17personalization or profiling a user or a device used by a user
18is not anonymous data.
19    "Collect" means to receive identifiable data in a network
20interaction and to retain that data after the network
21interaction is complete.
22    "Commission" means the Federal Trade Commission.
23    "Context" means a website or similar online resource, or a

 

 

SB3081- 2 -LRB102 23767 SPS 32958 b

1connected set of such resources. A connected set of resources
2that are controlled by the same party or jointly controlled by
3a set of parties can constitute a single context if a user
4would reasonably expect them to form a single context. Factors
5relevant to determining whether such a reasonable expectation
6exists include, but are not limited to, whether they share
7prominent branding, provide connected and integrated
8user-facing features, are offered under the same domain name
9or through a single app, use the same sign-in credentials, and
10are marketed or sold as a single product or service.
11    "De-identify" means to alter data such that the likelihood
12of identifying a user from the data is reduced.
13De-identification includes a range of techniques and differing
14levels or re-identification risk. Data that is fully
15de-identified such that it becomes anonymous data is no longer
16identifiable data. Data that is de-identified to a lesser
17extent remains identifiable data.
18    "Do-not-track signal" means a signal sent by a web browser
19or similar user agent that conveys a user's choice regarding
20online tracking, reflects a deliberate choice by the user, and
21otherwise complies with the latest Tracking Preference
22Expression (DNT) specifications published by the World Wide
23Web Consortium.
24    "First party" means, with respect to a given user action,
25a party with which the user intends to interact, via one or
26more network interactions, as a result of that action.

 

 

SB3081- 3 -LRB102 23767 SPS 32958 b

1        (1) Typically, when a user visits a website, the first
2    party is the organization identified in the website URL or
3    whose branding is most prominent on the website.
4        (2) More than one party can be a first party with
5    regard to a given user action.
6        (3) The mere presence of a first party's website of
7    embedded content from another party does not make that
8    other party a first party, and merely hovering over,
9    muting, pausing, or closing a given piece of content does
10    not constitute a user's intent to interact with a party.
11    When a user visits an organization's website that displays
12    advertisements from a third-party ad network, the
13    organization is a first party and the ad network is a third
14    party. When a user signs into an organization's website
15    using a sign-in method provided by another party, the
16    organization is a first party and the sign-in provider is
17    a third party with respect to user actions in that
18    website.
19    "Identifiable data" means data from which the user can be
20singled out or identified, directly or indirectly, by that
21data alone or in combination with other data. Identifiable
22data includes, but is not limited to, a user's contact
23information, such as email addresses and phone numbers, unique
24persistent identifiers, such as IP addresses, cross-session
25cookie IDs, and device identifiers including derived through
26device fingerprinting and probabilistic techniques), and any

 

 

SB3081- 4 -LRB102 23767 SPS 32958 b

1other data associated with such identifiers. Identifiable data
2does not include anonymous data.
3    "Network interaction" means an online connection
4consisting of an HTTP or HTTPS request and as many
5corresponding responses as are necessary to respond to a
6single user action. A user interaction or session with a
7website or other resource frequently consists of many network
8interactions.
9    "Organization" means a legal entity. Such term does not
10include government agencies or users.
11    "Party" means a user, an organization, or a group of legal
12entities that share common ownership and control, operate as
13an integrated enterprise, and have a group identity that is
14easily discoverable by a user. Common branding or publishing a
15list of affiliates that is readily available online via a
16prominent link from a resource where a party describes its
17Tracking Preference Expression (DNT) practices are deemed
18easily discoverable. With respect to a user action, a party is
19either a first party or a third party, but not both.
20    "Personalize" means to use identifiable data to alter the
21experience of a user, including, but not limited to, the
22content or advertising displayed to the user.
23    "Process" means to collect, use, or share data.
24    "Resource" means a single online destination or
25experience, such as a website, streaming service, online game,
26digital assistant, or other online service, accessed by a user

 

 

SB3081- 5 -LRB102 23767 SPS 32958 b

1through the use of a user agent.
2    "Service provider" means an organization that processes
3identifiable data on behalf of another organization. A service
4provider has no right to use any identifiable data for its own
5purposes.
6    "Share" means, with respect to collected data, to transfer
7or provide a copy of such data to any third party.
8    "Third party" means, for any user action, any party other
9than the user, a first party to that user action, or a service
10provider action on behalf of either the user or a first party.
11    "Tracking" or "track" means to (i) collect data regarding
12a user action of a particular user, (ii) process such data
13outside the context in which the user action occurred, (iii)
14facilitate the creation of a user profile, or (iv) personalize
15that user's online experience. For the purposes of this
16definition, processing data related to a device used by a user
17or the user's household shall be considered processing data
18related to the user.
19    "User" means a natural person residing in this State who
20uses the Internet.
21    "User action" means a deliberate online action by the
22user, via configuration, invocation, or selection, to initiate
23a network interaction. Selection of a link, submission of a
24form, and reloading a page are examples of user actions.
25    "User agent" means any of the various client programs
26capable of initiating network interactions, including, but not

 

 

SB3081- 6 -LRB102 23767 SPS 32958 b

1limited to, browsers, web-based robots, command-line tools,
2native applications, mobile apps, or Internet-connected
3devices.
 
4    Section 10. Response to do-not-track signals.
5    (a) In general. Except as permitted in this Section, a
6party to a user action that receives a do-not-track signal
7indicating a user preference not to be tracked shall not
8track.
9    (b) Exceptions.
10        (1) First party. A first party to a user action within
11    a context to which the user has affirmatively signed in
12    may process data received from such user action, including
13    for personalized content, services, and advertising,
14    within that context. However, a first party shall not
15    share such data with a third party. For the purposes of
16    this paragraph, a user is signed into a context when the
17    user has affirmatively authenticated and identified
18    oneself by entering a username and password, or similar
19    credentials.
20        (2) Anonymous data. Data that has been sufficiently
21    de-identified such that it is rendered anonymous data may
22    be processed for any purpose, including outside the
23    context of the user actions from which it originates, or
24    across multiple contexts.
25        (3) Consent. A party may disregard a user's

 

 

SB3081- 7 -LRB102 23767 SPS 32958 b

1    do-not-track signal when the user has given express
2    affirmative consent to track. A user may give consent
3    through a technical means defined in the Tracking
4    Preference Expression (DNT) specification published by the
5    World Wide Web Consortium or through a separate mechanism
6    such as an online or offline consent form that
7    demonstrates a specific and voluntary choice of the user.
8    For instance, accepting a general or broad terms of use
9    document that contains a clause regarding tracing does not
10    constitute express affirmation consent for the purposes of
11    this Act. Likewise, agreement obtained through a user
12    interface designed or manipulated with the purpose of
13    substantial effect of subverting or impairing user
14    autonomy, decision-making, or choice does not constitute
15    consent for the purposes of this Act. When relying on
16    consent from a user given through a separate mechanism, a
17    party must provide notice in accordance with Section 20.
18        (4) Permitted uses.
19            (A) In general. An organization may process data
20        for the uses specified in subparagraphs (B), (C), (D),
21        (E), (F), and (G), provided the organization:
22                (i) limits the amount of identifiable data
23            collected to that which is strictly needed for the
24            permitted uses;
25                (ii) limits the retention of identifiable data
26            to no longer than what is reasonably needed for

 

 

SB3081- 8 -LRB102 23767 SPS 32958 b

1            the permitted uses;
2                (iii) uses anonymous data to the extent the
3            permitted uses can be achieved with such data, or
4            otherwise de-identifies the identifiable data to
5            the greatest extent that is compatible with the
6            permitted uses;
7                (iv) processes the data separately from
8            systems that are used for purposes other than the
9            permitted uses specified in this Section; and
10                (v) does not process the data beyond the
11            permitted uses.
12            (B) Providing a service. An organization may
13        process data to the extent necessary to effectuate a
14        transaction with the user, or to provide a product or
15        service to a user, provided the user has consented to
16        or authorized the transaction or the provision of the
17        product or service and any tracking, including
18        personalization, that is a necessary or inherent part
19        of that transaction, product, or service would have
20        been clear to the user at the time of such consent or
21        authorization. If such processing requires sharing
22        data with a third party, such third party may not
23        process the data for any other purpose.
24            (C) Security. An organization may process data to
25        the extent reasonably necessary to detect security
26        incidents, protect the website or other resource

 

 

SB3081- 9 -LRB102 23767 SPS 32958 b

1        accessed by the user against malicious, deceptive,
2        fraudulent, or illegal activity, and prosecute those
3        responsible for such activity.
4            (D) Debugging. An organization may process data
5        for debugging purposes to identify and repair errors
6        that impair the existing functionality of the website
7        or other resource accessed by the user.
8            (E) Financial logging. An organization may process
9        data for billing and auditing related to network
10        interactions and related transactions.
11            (F) Research. An organization may process data to
12        conduct security research.
13            (G) Journalism. An organization may process data
14        as necessary for news gathering purposes by
15        journalists or other purposes protected by the First
16        Amendment of the United States Constitution.
17        (5) Technical errors. Data that is processed by a
18    party due to a technical error does not violate this Act if
19    such error is unintentional and unexpected, and within 30
20    days of the party discovering or receiving a report of the
21    error: (i) the error is corrected, (ii) any processing by
22    the party that is otherwise prohibited is stopped, and
23    (iii) the party deletes any data that should not have been
24    collected.
 
25    Section 15. Contractual obligations and liability. A first

 

 

SB3081- 10 -LRB102 23767 SPS 32958 b

1party that enables or permits a third party to engage in
2tracking on or through the first party's website or other
3resource:
4        (1) Must require the third party, through a contract,
5    terms of service, or similar binding and enforceable legal
6    agreement, to comply with this Act.
7        (2) Shall be liable for the third party's
8    non-compliance with this Act if the first party knew or
9    could have upon the exercise of due diligence known of the
10    third party's non-compliance and failed to take adequate
11    corrective action.
 
12    Section 20. Transparency. An organization that engages in
13tracking shall describe, in understandable language and syntax
14such that an ordinary user can comprehend, its practices with
15respect to do-not-track signals in its privacy statement or
16similar notice, available through a clear and prominent link
17on the home page of its website. The description required
18under this paragraph must include at least the following
19information:
20        (1) the exceptions or permitted uses under this Act
21    under which the organization processes data;
22        (2) the effects on the user, if any, resulting from a
23    do-not-track signal, including if any webpages, features,
24    or services are not available or reduced in functionality;
25        (3) if the organization obtains out-of-band consent to

 

 

SB3081- 11 -LRB102 23767 SPS 32958 b

1    disregard the do-not-track signal, a description of how a
2    user may give and revoke consent, and the scope of any such
3    consent, and the anticipated effect of the consent or
4    revocation on the user;
5        (4) the time period or periods for which identifiable
6    data collected by the organization is retained or the
7    criteria used to determine such time periods, and whether
8    such identifiable data is rendered anonymous data in lieu
9    of being deleted; and
10        (5) how a user may contact the organization with any
11    inquiries or complaints regarding the organization's
12    do-not-track practices.
 
13    Section 25. No circumvention. A party shall not block or
14take similar actions to avoid receiving a user's do-not-track
15signal. Nor shall any party take other actions to circumvent
16the effectiveness of do-not-track signals.
 
17    Section 30. Enforcement.
18    (a) De facto and de jure harm. Users from whom
19identifiable information has been processed in violation of
20this Act shall be deemed to have been harmed by such
21violations.
22    (b) Enforcement by the Attorney General. Whenever the
23Attorney General has reasonable cause to believe that a party
24or organization has engaged in a violation of this Act, the

 

 

SB3081- 12 -LRB102 23767 SPS 32958 b

1Attorney General shall enforce the provisions of this Act by
2bringing a civil action on behalf of the people of this State
3in a court of competent jurisdiction:
4        (1) to enjoin further violation of this Act by the
5    defendant; or
6        (2) to obtain damages on behalf of the people of this
7    State, in the amount authorized under State law or as
8    permitted under federal law, whichever is greater.
9    (c) A user from whom identifiable information has been
10processed in violation of this Act may bring a civil action in
11any court of competent jurisdiction:
12        (1) to enjoin further violation of this Act by the
13    defendant; or
14        (2) to obtain damages, in the amount of $1,000 or
15    actual damages shown, whichever is greater.
16    (d) Attorney fees. In the case of any successful action
17under this Section, the court, in its discretion, may award
18the costs of the action and reasonable attorney fees to the
19State or the user.
 
20    Section 35. Home rule preemption. Except as otherwise
21provided in this Act, the regulation of the activities
22described in this Act are the exclusive powers and functions
23of the State. Except as otherwise provided in this Act, a unit
24of local government, including a home rule unit, may not
25regulate the activities described in this Act. This Section is

 

 

SB3081- 13 -LRB102 23767 SPS 32958 b

1a denial and limitation of home rule powers and functions
2under subsection (h) of Section 6 of Article VII of the
3Illinois Constitution.
 
4    Section 97. Severability. The provisions of this Act are
5severable under Section 1.31 of the Statute on Statutes.
 
6    Section 99. Effective date. This Act takes effect January
71, 2023.