AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Broker Registration and Accessible Deletion Mechanism Act.

Section 5. Definition. As used in this Act, "data broker" means a business that knowingly collects and sells or licenses to third parties the brokered personal information of an individual with whom the business does not have a direct relationship. "Data broker" does not include a business that conducts the following activities and the collection, sale, or licensing of brokered personal information incidental to conducting the activities:
(1) developing or maintaining third-party e-commerce or application platforms;
(2) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
(3) collecting or transmitting information to be submitted to a State or federal agency for the purpose of performing a lawful check of criminal history record information using fingerprints or receiving the results of that check;
(4) collecting, maintaining, disclosing, selling, communicating, or using any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.

Section 10. Annual registration.

(a) Annually, on or before January 31, a data broker operating in this State shall register with the Attorney General.

(b) In registering with the Attorney General, a data broker shall pay a registration fee in an amount determined by the Attorney General, not to exceed the reasonable costs of establishing and maintaining the informational website described in Section 60. A data broker shall also provide the following information:
(1) the name of the data broker and its primary physical, email, and website addresses;
(2) whether the data broker collects the personal information of minors;
(3) whether the data broker collects consumers' precise geolocation;
(4) whether the data broker collects consumers' reproductive health care data;
(5) a link to a page on the data broker's website that does not make use of any dark patterns;
(6) whether, and to what extent, the data broker or any of its subsidiaries is regulated by any of the following:
(A) the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.); and
(B) the Gramm-Leach-Bliley Act (Public Law 106-102) and its implementing regulations; and
(7) any additional information or explanation the data broker chooses to provide concerning its data collection practices.

(d) The Attorney General shall create a page on its website where the registration information provided in subsection (c) shall be made accessible to the public.

(e) A data broker that fails to register as required by this Section shall be liable for civil penalties and costs in an action brought by the Attorney General as follows:
(1) a civil penalty of $200 for each day the data broker fails to register as required by this Section;
(2) an amount equal to the fees that were due during the period it failed to register; and
(3) expenses incurred by the Attorney General in the investigation and administration of the action as the court deems appropriate.

(f) All moneys received by the Attorney General under this Section shall be deposited into the Data Broker Registry Fund, a special fund created in the State treasury, and shall be used to administer and enforce this Act.

Section 15. Accessible deletion mechanism.

(a) No later than January 1, 2027, the Attorney General shall establish an accessible deletion mechanism that does the following:
(1) implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification;
(2) allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor;
(3) allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2); and
(4) allows a consumer to make a request to alter a previous request made under this subsection after at least 45 days have passed since the consumer last made a request under this Section.

(b) The accessible deletion mechanism established under subsection (a) shall meet the following requirements:
(1) allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request;
(2) permit a consumer to securely submit information in one or more privacy-protecting ways determined by the Attorney General to aid in the deletion request;
(3) allow data brokers registered with the Attorney General to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this Act;
(4) allow a consumer to make a request described in paragraph (1) using an Internet service operated by the Attorney General;
(5) be accessible free of charge for a consumer to make a request described in paragraph (1);
(6) allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers;
(7) be readily accessible and usable by consumers with disabilities;
(8) support the ability of a consumer's authorized agents to aid in the deletion request;
(9) allow the consumer, or their authorized agent, to verify the status of the consumer's deletion request; and
(10) provide a description of the following:
(A) the deletion permitted by this Section;
(B) the process for submitting a deletion request under this Section; and
(C) examples of the types of information that may be deleted.

(c) Beginning on August 1, 2027, a data broker shall access the accessible deletion mechanism established under subsection (a) at least once every 45 days and do the following:
(1) within 45 days after receiving a request made under this Section, process all deletion requests made under this Section and delete all personal information related to the consumers making the requests consistent with the requirements of this Section;
(2) in cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer's personal information;
(3) direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in paragraph (1); and
(4) direct all service providers or contractors associated with the data broker to process a request described by paragraph (2) as an opt-out of the sale or sharing of the consumer's personal information.

(d) Beginning on August 1, 2027, after a consumer has submitted a deletion request and a data broker has deleted the consumer's data as described in subsection (c), the data broker shall delete all personal information of the consumer at least once every 45 days unless the consumer requests otherwise or the deletion is not required.

(e) Beginning on August 1, 2027, after a consumer has submitted a deletion request and a data broker has deleted the consumer's data as described in subsection (c), the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted.

(e) Beginning on January 1, 2029, and every 3 years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this Section. The data broker shall submit a report resulting from the audit and any related materials to the Attorney General within 5 business days after receiving a written request from the Attorney General. A data broker shall maintain the report resulting from the audit for at least 6 years.

(f) The Attorney General may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism that does not exceed the reasonable costs of providing that access to the accessible deletion mechanism.

Section 20. Enforcement. A violation of Section 15 of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act.

Section 25. Enforcement. The Attorney General may adopt rules to implement and administer this Act.

Section 90. The State Finance Act is amended by adding Section 5.1030 as follows:

(30 ILCS 105/5.1030 new)
Sec. 5.1030. The Data Broker Registry Fund.

Section 95. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Section 2HHHH as follows:

(815 ILCS 505/2HHHH new)
Sec. 2HHHH. Violations of the Data Broker Registration and Accessible Deletion Mechanism Act. A person who violates Section 15 of the Data Broker Registration and Accessible Deletion Mechanism Act commits an unlawful practice within the meaning of this Act.