Full Text of HB4447 103rd General Assembly
HB4447ham001 103RD GENERAL ASSEMBLY
Rep. John M. Cabello
Filed: 3/14/2024
10300HB4447ham001 LRB103 34729 SPS 70757 a

AMENDMENT TO HOUSE BILL 4447

AMENDMENT NO. ______. Amend House Bill 4447 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Data Broker Registration Act.

Section 5. Definitions. As used in this Act:

"Brokered personal information" means one or more of the following computerized data elements about an individual, if categorized or organized for dissemination to third parties:
(1) name;
(2) address;
(3) date of birth;
(4) place of birth;
(5) mother's maiden name;
(6) unique biometric data generated from measurements or technical analysis of human body characteristics used
by the owner or licensee of the data to identify or authenticate the individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
(7) name or address of a member of the individual's immediate family or household;
(8) social Security number or other government-issued identification number; and
(9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the individual with reasonable certainty.

"Brokered personal information" does not include publicly available information to the extent that it is related to an individual's business or profession.

"Data broker" means a business or a unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of an individual with whom the business does not have a direct relationship. A direct relationship with a business includes if the individual is a past or present: (i) customer, client, subscriber, user, or registered user of the business's goods or services; (ii) employee, contractor, or agent of the business; (iii) investor in the business; or (iv) donor to the business.

"Data broker" does not include a business that conducts
the following activities and the collection, sale, or licensing of brokered personal information incidental to conducting the activities:
(1) developing or maintaining third-party e-commerce or application platforms; or
(2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier.

Section 10. Annual registration.

(a) Annually, on or before January 31, a data broker operating in this State shall:
(1) register with the Secretary of State;
(2) pay a registration fee of $100 for use by the Secretary of State to administer and enforce this Section; and
(3) provide the following information:
(A) the name and primary physical, e-mail, and Internet addresses of the data broker;
(B) if the data broker permits an individual to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
(i) the method for requesting an opt-out;
(ii) which activities or sales the opt-out
applies to; and
(iii) whether the data broker permits an individual to authorize a third party to perform the opt-out on the individual's behalf;
(C) a statement specifying the data collection, databases or sales activities from which an individual may not opt out;
(D) a statement whether the data broker implements a purchaser credentialing process;
(E) the number of data broker security breaches that the data broker has experienced during the prior year and, if known, the total number of individuals affected by the breaches;
(F) if the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
(G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.

(b) The Secretary of State shall publish on its website a list of registered data brokers and update the list annually.

(c) A data broker that fails to register as required under this Section shall pay a civil penalty of $50 for each day, not
to exceed a total of $10,000 for each year, it fails to register; (2) an amount equal to the fees due under this Section during the period it failed to register as required under this Section; and (3) other penalties imposed by law.

(d) The Secretary of State may revoke or suspend the registration of an individual or entity for a period of up to one year, or bar an individual or entity from applying for registration for a period of up to one year, for failure to register or to pay any fee, fine, or penalty under this Act. All fees, fines, and penalties shall be paid prior to reinstatement or registration of any individual or entity required to register as a data broker.

(e) The Secretary of State may adopt rules to implement and administer this Section.

Section 15. Enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act.

Section 90. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Section 2EEEE and 2FFFF as follows:

(815 ILCS 505/2EEEE new)
Sec. 2EEEE. Motor vehicle extended warranty.

(a) As used in this Section, "extended warranty" means any contract or agreement indemnifying the service agreement holder for the motor vehicle listed on the service agreement and arising out of the ownership, operation, and use of the motor vehicle against loss caused by failure of any mechanical or other component part, or any mechanical or other component part that does not function as it was originally intended. "Extended warranty" does not include the usual performance guarantees by manufacturers or dealers in connection with the sale of motor vehicles.

(b) It is an unlawful practice within the meaning of this Act for any person to solicit the purchase of an extended warranty through the mail.

(c) This Section does not apply to the seller of a motor vehicle who solicits the purchase of an extended warranty for that motor vehicle.

(815 ILCS 505/2FFFF new)
Sec. 2FFFF. Violations of the Data Broker Registration Act. Any person who violates the Data Broker Registration Act commits an unlawful practice within the meaning of this Act.

Section 95. The Personal Information Protection Act is amended by changing Section 5 as follows:

(815 ILCS 530/5)
Sec. 5. Definitions. In this Act:

"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.

"Medical information" means any information regarding an
individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.

"Personal information" means either of the following:
(1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
(A) Social Security number.
(B) Driver's license number or State identification card number.
(C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(D) Medical information.
(E) Health insurance information.
(F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to
authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
(G) Motor vehicle purchasing information.
(H) Home purchasing information.
(2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(Source: P.A. 99-503, eff. 1-1-17.)".
|