Bill Amendment: IL HB3358 | 2019-2020 | 101st General Assembly
NOTE: For additional amendments please see the Bill Drafting List
Bill Title: BUSINESS-TECH
Status: 2019-07-03 - Senate Floor Amendment No. 3 Pursuant to Senate Rule 3-9(b) / Referred to Assignments [HB3358 Detail]
Download: Illinois-2019-HB3358-House_Amendment_002.html
AMENDMENT TO HOUSE BILL 3358
AMENDMENT NO. ______. Amend House Bill 3358 by replacing everything after the enacting clause with the following:
"Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.
Section 5. Legislative findings. The General Assembly hereby finds and declares that:
    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.
    (2) Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information is shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
    (3) Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third-party marketers and data brokers. Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third-party companies.
    (4) As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
Section 10. Definitions. As used in this Act:
"Consumer" means an individual residing in this State who provides, either knowingly or unknowingly, personal information to an operator, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
"Designated request address" means an electronic email address, online form, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to this Act.
"Disclose" means to disclose, release, transfer, share, disseminate, make available, sell, or otherwise communicate orally, in writing, or by electronic or any other means to any third party.
"Disclose" does not include the disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information for the limited purposes of performing services on behalf of the private entity, including maintaining or servicing accounts, disclosure of personal information by a private entity to a transportation network company driver providing consumer service, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if:
    (1) the contract prohibits the third party or transportation network company driver from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and
    (2) disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
"Disclose" does not include disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect consumers or the public from illegal activities as required or permitted by law.
"Operator" means any private entity that owns an Internet website or an online service that collects, maintains, or discloses personal information of a consumer residing in this State who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to identifiers such as a real name, alias, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, unique personal identifier, Internet Protocol address, geolocation, biometric information, audio, visual, thermal, olfactory, or similar information.
"Personal information" also means professional or employment-related information, education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g and 34 CFR 99) records of income, assets, liabilities, purchases, leases, products or services purchases, obtained, or considered, or other purchasing or consuming histories or tendencies, or real property.
"Private entity" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois, and that satisfies one or more of the following thresholds:
    (1) Has annual gross revenues in excess of $25,000,000, as adjusted in January of every odd-numbered year to reflect any increase in the Consumer Price Index.
    (2) Annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
    (3) Derives 50% or more of its annual revenues from selling consumers' personal information.
"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.
"Third party" means:
    (1) a private entity that is a separate legal entity from the private entity that has disclosed personal information;
    (2) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or
    (3) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the consumer.
"Sell" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
"Unique identifier" means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; consumer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this definition, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
"Verified request" means the process through which a consumer may submit a request to exercise a right or rights set forth in this Act and by which an operator can reasonably authenticate the request.
Section 15. Right to transparency. An operator that collects personal information through the Internet about individual consumers who use or visit its online service, in its consumer service agreement or incorporated addendum or any other similar and readily available mechanism accessible to the consumer, shall:
    (1) identify all categories of personal information that the operator processes about individual consumers collected through its Internet website or online service;
    (2) identify all categories of third parties with whom the operator may disclose that personal information;
    (3) disclose whether a third party may collect personal information about an individual consumer's online activities over time and across different Internet websites or online services when the consumer uses the Internet website or online service of the operator;
    (4) provide a description of the process, if any such process exists, for an individual consumer who uses or visits the Internet website or online service to review and request changes to inaccurate personal information that is collected by the operator as a result of the consumer's use or visits to the Internet website or online service;
    (5) describe the process by which the operator notifies consumers who use or visit its Internet website or online service of material changes to the notice required to be made available under this Section;
    (6) state the effective date of the notice;
    (7) provide a description of a consumer's rights, as required by this Act, accompanied by one or more designated request addresses.
Section 20. Right to know.
(a) An operator that discloses personal information to a third party shall make the following information available to a consumer upon request free of charge:
    (1) the categories of personal information that were disclosed about the consumer and the name or names of all third parties that received the consumer's personal information; or
    (2) all categories of personal information about consumers that were disclosed and the name or names of all third parties that received any consumer's personal information.
(b) Notwithstanding the provisions of this Section, a parent or legal guardian of a consumer under the age of 18 may submit a verified request under this Section on behalf of that consumer.
(c) This Section applies only to personal information disclosed after the effective date of this Act.
Section 25. Right to opt out. An operator that sells the personal information of a consumer collected through the consumer's use of or visit to the operator's Internet website or online service shall clearly and conspicuously post, on its Internet website or online service or in another prominently and easily accessible location the operator maintains for consumer privacy settings, a link to an Internet web page maintained by the operator that enables a consumer, by verified request through a designated request address, to opt out of the sale of the consumer's personal information to third parties. The method by which a consumer may opt out shall not be overly burdensome and shall not require a consumer to establish an account with the operator in order to opt out of the sale of a consumer's personal information. The Attorney General's Office shall adopt rules and procedures to facilitate and govern the submission of a request by a consumer to opt out of the sale of personal information pursuant to this Section.
Section 30. Response to verified requests.
(a) An operator that receives a verified request from a consumer through a designated request address under this Act shall provide a response to the consumer within 45 days of the request.
(b) An operator shall not be required to respond to a request made by the same consumer or made by the same parent or legal guardian on behalf of a consumer under the age of 18 more than once in any 12-month period.
Section 35. Violations. The Attorney General shall have exclusive authority to enforce this Act. Nothing in this Act shall be construed to modify, limit, or supersede the operation of any privacy or security provision in any other Illinois law, or from otherwise seeking relief under the Code of Civil Procedure.
Section 40. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act is void and unenforceable.
Section 45. Construction.
(a) The obligations imposed on operators by this Act shall not restrict an operator's ability to:
    (1) Comply with federal, state, or local laws.
    (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
    (3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
    (4) Exercise or defend legal claims.
(b) Nothing in this Act shall be construed to conflict with the Federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
(c) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the Federal Gramm-Leach-Bliley Act and the rules promulgated under that Act.
(d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.
(e) Nothing in this Act shall be construed to apply to: (i) Internet, wireless, or telecommunications service providers; or (ii) a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.
(f) Nothing in this Act shall be construed to apply to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.
(g) Nothing in this Act shall restrict a business' ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.
(h) The Attorney General may adopt additional rules as necessary to further the purposes of this Act.
Section 50. Severability. If any provision of this Act or its application to any person or circumstance is held invalid, the invalidity of that provision or application does not affect other provisions or applications of this Act that can be given effect without the invalid provision or application.
Section 99. Effective date. This Act takes effect April 1, 2020.".