Bill Text: IL SB1502 | 2017-2018 | 100th General Assembly | Engrossed


Bill Title: Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government. Provides findings and purpose. Defines terms.

Spectrum: Partisan Bill (Democrat 60-0)

Status: (Engrossed) 2017-07-06 - Rule 19(a) / Re-referred to Rules Committee

SB1502 Engrossed LRB100 08019 RJF 18102 b
AN ACT concerning regulation.
Be it enacted by the People of the State of Illinois, represented in the General Assembly:
Section 1. Short title. This Act may be cited as the Illinois Right to Know Data Transparency and Privacy Protection Act.
Section 5. Findings and purpose.
The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.
Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.
Section 10. Definitions. As used in this Act:
"Categories of personal information" includes, but is not limited to, the following:
    (a) Identity information including, but not limited to, real name, alias, nickname, and user name.
    (b) Address information, including, but not limited to, postal or e-mail.
    (c) Telephone number.
    (d) Account name.
    (e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
    (f) Birthdate or age.
    (g) Physical characteristic information, including, but not limited to, height and weight.
    (h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
    (i) Race or ethnicity.
    (j) Religious affiliation or activity.
    (k) Political affiliation or activity.
    (l) Professional or employment-related information.
    (m) Educational information.
    (n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
    (o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
    (p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
    (q) Location information.
    (r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
    (s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
    (t) Any of the above categories of information as they pertain to the children of the customer.
"Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.
"Designated request address" means an e-mail address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.
"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:
    (a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties; and (ii) the private entity effectively enforces these prohibitions.
    (b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
    (c) Disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.
"Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personal information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. "Operator" does not include businesses having 10 or fewer employees or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.
"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.
"Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information; (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.
Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personal information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted: (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; and (ii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.
Section 20. Disclosure of a customer's personal information to a third party.
(a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
    (1) all categories of personal information that were disclosed; and
    (2) the names of all third parties that received the customer's personal information.
(b) This Section applies only to personal information disclosed after the effective date of this Act.
Section 25. Information availability service.
(a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.
(b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.
(c) An operator shall not be required to respond to a request made by the same customer more than once in a given 12-month period.
(d) Notwithstanding the provisions of this Section, a parent or legal guardian of a customer under the age of 18 may submit a request under this Section on behalf of that customer. An operator shall not be required to respond to a request made by the same parent or legal guardian on behalf of a customer under the age of 18 more than once within a given 12-month period.
Section 30. Violation. A violation of this Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act. The Office of the Attorney General or the appropriate State's Attorney's Office shall have sole enforcement authority of the provisions of this Act and may enforce a violation of this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Nothing in this Section shall prevent a person from seeking a right of action for a violation of the Biometric Information Privacy Act or otherwise seeking relief under the Code of Civil Procedure.
Section 35. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.
Section 40. Construction.
(a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
(b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.
(c) Nothing in this Act shall be construed to apply to any State agency, federal agency, unit of local government, or any contractor, subcontractor, or agent thereof, when working for that State agency, federal agency, or unit of local government.
(d) Nothing in this Act shall be construed to apply to any entity recognized as a tax-exempt organization under 501(c)(3) or 501(c)(4) of the Internal Revenue Code of 1986.
(e) Nothing in this Act shall be construed to apply to a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act.