| | 10000SB1035sam001 | - 2 - | LRB100 07588 RJF 27311 a |

identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt-in, opt-out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Categories of personal information" includes, but is not limited to, the following:

(a) Identity information including, but not limited to, real name, alias, nickname, and user name.

(b) Address information, including, but not limited to, postal or e-mail.

(c) Telephone number.

(d) Account name.

(e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.

(f) Birthdate or age.

(g) Physical characteristic information, including, but not limited to, height and weight.

(h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.

(i) Race or ethnicity.

(j) Religious affiliation or activity.

(k) Political affiliation or activity.

(l) Professional or employment-related information.

(m) Educational information.

(n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.

(o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.

(p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.

(q) Location information.

(r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.

(s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.

(t) Any of the above categories of information as they pertain to the children of the customer.

"Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.

"Designated request address" means an e-mail address, toll-free telephone number, or webform whereby customers may request or obtain the information required to be provided under Section 15 of this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:

(a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties.

(b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(c) Disclosure of personal information by a private entity to a third party that is reasonably necessary to address fraud, security, or technical issues; to protect the disclosing private entity's rights or property; or to protect customers or the public from illegal activities as required or permitted by law.

(d) Disclosure of personal information by a private entity to a transportation network company driver or TNC driver as defined under the Transportation Network Providers Act.

"Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personal information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. "Operator" does not include businesses having 10 or fewer employees or any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. "Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.

"Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information; (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information; or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.

Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personal information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted: (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service; and (ii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.

Section 20. Disclosure of a customer's personal information to a third party.

(a) An operator that discloses personal information to a third party shall make the following information available to a customer upon request free of charge:

(1) the categories of personal information that were disclosed about the customer, and the name or names of all third parties that received the customer's personal information; or

(2) all categories of personal information about customers that were disclosed, and the name or names of all third parties that received any customer's personal information.

(b) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Information availability service.

(a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum or in another conspicuous location on its website or online service platform where similar notices are customarily posted, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.

(b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.

(c) An operator shall not be required to respond to a request made by the same customer more than once in a given 12-month period.

(d) Notwithstanding the provisions of this Section, a parent or legal guardian of a customer under the age of 18 may submit a request under this Section on behalf of that customer. An operator shall not be required to respond to a request made by the same parent or legal guardian on behalf of a customer under the age of 18 more than once within a given 12-month period.

Section 30. Violation. A violation of this Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act. The Office of the Attorney General shall have sole enforcement authority of the provisions of this Act and may enforce a violation of this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. An operator in violation of this Act shall have 90 days after being notified of a violation to rectify that violation before the Attorney General seeks an enforcement action against that operator.

Section 35. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable.

Section 40. Construction.

(a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.

(c) Nothing in this Act shall be construed to apply to any State agency, federal agency, unit of local government, or any contractor, subcontractor, or agent thereof, when working for that State agency, federal agency, or unit of local government.

(d) Nothing in this Act shall be construed to apply to any entity recognized as a tax-exempt organization under 501(c)(3) or 501(c)(4) of the Internal Revenue Code of 1986.

(e) Nothing in this Act shall be construed to apply to: (i) internet, wireless, or telecommunications service providers; or (ii) a public utility, an alternative retail electric supplier, or an alternative gas supplier, as those terms are defined in Sections 3-105, 16-102, and 19-105 of the Public Utilities Act, or an electric cooperative, as defined in Section 3.4 of the Electric Supplier Act.

(f) Nothing in this Act shall be construed to apply to: (i) a hospital operated under the Hospital Licensing Act; (ii) a hospital affiliate, as defined under the Hospital Licensing Act; or (iii) a hospital operated under the University of Illinois Hospital Act.".