91_SB1946 LRB9113314LDpr

AN ACT to create the Disclosure of Personal Information Act.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Disclosure of Personal Information Act.

Section 5. Definitions. For the purpose of this Act:
"Department" means the Department of Financial Institutions.
"Financial institution" means any bank subject to the Illinois Banking Act, including a branch of an out-of-state bank as defined in Section 2 of the Illinois Banking Act, any savings bank subject to the Savings Bank Act, any savings and loan association subject to the Illinois Savings and Loan Act of 1985, any credit union subject to the Illinois Credit Union Act, and any federal chartered commercial bank, savings bank, or savings and loan association organized and operated in this State under the laws of the United States.
"Personal information" means personally identifiable information provided by a consumer to a financial institution in connection with any transaction with a consumer involving any financial product or any financial service or otherwise obtained by the financial institution.
"Unrelated use", when used with respect to information collected by a financial institution in connection with any transaction with a consumer in any financial product or any financial service, means any use other than a use that is necessary to effect, administer, or enforce such transaction.
"Affiliate" means any company that controls, is controlled by, or is under common control with another company.
"Nonaffiliated third party" means any entity that is not an affiliate of, related by common ownership to, or affiliated by corporate control with a financial institution, but does not include a joint employee of such institution.
"Consumer" means an individual who obtains from a financial institution any financial products or services that are to be used primarily for personal, family, or household purposes and also includes the legal representative of such an individual.

Section 10. Obligations with respect to personal information.
(a) Except as otherwise provided in this Act, a financial institution may not, directly or through any affiliate, disclose or make an unrelated use of any personal information collected by the financial institution in connection with any transaction with a consumer in any financial product or any financial service.
(b) (1) A financial institution may not make available any personal information to any affiliate or other person that is not an employee or agent of the institution, unless the consumer to whom the information pertains:
        (A) has affirmatively consented to the transfer of such information; and
        (B) has not withdrawn the consent.
    (2) A financial institution shall not deny any consumer a financial product or a financial service for the refusal by the consumer to grant the consent required by paragraph (1) of this subsection (b).
(c) Each financial institution that maintains a system of records for personal information shall:
    (1) upon request by any individual to gain access to his or her record or to any information pertaining to him or her that is contained in the system, permit him or her, upon his or her request, a person of his or her own choosing to accompany him or her, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him or her, except that the financial institution may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence;
    (2) permit the individual to request amendment of a record pertaining to him or her and:
        (A) not later than 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request, acknowledge in writing receipt of the request; and
        (B) promptly, either (i) make any correction of any portion thereof that the individual believes is not accurate, relevant, timely, or complete; or (ii) inform the individual of its refusal to amend the record in accordance with his or her request, the reason for the refusal, the procedures established by the financial institution for the individual to request a review of that refusal by the head of the financial institution or an officer designated by the head of the financial institution, and the name and business address of that officer;
    (3) permit an individual who disagrees with the refusal of the financial institution to amend his or her record to request a review of such refusal and, not later than 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requests such review, complete such review and make a final determination unless, for good cause shown, the head of the financial institution extends such 30-day period; and if, after his or her review, the reviewing officer also refuses to amend the record in accordance with the request, permit the individual to file with the financial institution a concise statement setting forth the reasons for his or her disagreement with the refusal of the financial institution and notify the individual of the provisions for judicial review of the reviewing officer's determination under subsection (d) of Section 20; and
    (4) in any disclosure containing information about which the individual has filed a statement of disagreement occurring after the filing of the statement under paragraph (3) of this subsection, clearly note any portion of the record that is disputed and provide copies of the statement and, if the financial institution deems it appropriate, copies of a concise statement of the reasons of the financial institution for not making the amendments requested, to persons or other agencies to whom the disputed record has been disclosed. Nothing in this subsection (c) shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.
(d) A financial institution shall not disclose any personal information to any affiliate or any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail or other electronic means to the consumer.
(e) Except as otherwise provided in this Act, an affiliate or a nonaffiliated third party that receives from a financial institution personal information under this Section 10 shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is an affiliate or a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.
(f) Subsections (a) and (b) of this Section 10 shall not prohibit the disclosure of personal information:
    (1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with;
        (A) servicing or processing a financial product or service requested or authorized by a consumer;
        (B) maintaining or servicing a consumer's account with the financial institution; or
        (C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of a consumer;
    (2) with the consent or at the direction of the consumer;
    (3) to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein;
    (4) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;
    (5) for required institutional risk control, or for resolving consumer disputes or inquiries;
    (6) to persons holding a legal or beneficial interest relating to the consumer;
    (7) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
    (8) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, and the institution's attorneys, accountants, and auditors;
    (9) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91-508 (12 U.S.C. 1951-1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
    (10) to a consumer reporting agency in accordance with the Fair Credit Reporting Act,
    (11) from a consumer report reported by a consumer reporting agency in accordance with the Fair Credit Reporting Act;
    (12) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of personal information concerns solely consumers of such business or unit; or
    (13) to comply with federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

Section 15. Notice concerning disclosing information.
(a) All financial institutions, through the use of a form that complies with subsection (b) of this Section 15, must clearly and conspicuously disclose to the consumer at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship:
    (1) the categories of personal information that are collected by the financial institution;
    (2) the practices and policies of the financial institution with respect to disclosing personal information or making unrelated uses of such information, including:
        (A) the categories of persons to whom the information is or may be disclosed or who may be permitted to make unrelated uses of such information, other than the persons to whom the information must be provided to effect, administer, or enforce a transaction; and
        (B) the practices and policies of the institution with respect to disclosing or making unrelated uses of personal information of persons who have ceased to be consumers of the financial institution;
    (3) the policies that the institution maintains to protect the confidentiality and security of personal information;
    (4) the practices and policies of the institution with respect to providing consumers the opportunity to examine and dispute information pursuant to subsection (c) of Section 10; and
    (5) the right of the consumer under Section 10 to examine, upon request, the personal information, to dispute the accuracy of any of such information, and to present evidence thereon.
(b) Financial institutions must provide consumers with a clear and conspicuous disclosure that permits them to compare differences in the measures that the financial institution takes and the policies that the institution has established to protect the consumer's privacy as compared to the measures taken and the policies established by other financial institutions. The disclosure shall specifically identify the rights the institution affords consumers to grant or deny consent to (i) the disclosing of personal information for any purpose other than as required in order to effect, administer, or enforce the consumer's transaction, or (ii) the making of an unrelated use of such information.

Section 20. Enforcement.
(a) This Act shall be enforced by the Department and the Attorney General with respect to financial institutions and other persons subject to their jurisdiction under applicable law.
(b) In addition to such other remedies as are provided under State law, if the Department or the Attorney General has reason to believe that any person has violated or is violating this Act, the State:
    (1) may bring an action to enjoin such violation in any court of competent jurisdiction; and
    (2) may bring an action on behalf of the residents of this State to enforce compliance with this Act, to obtain damages, restitution, or other compensation on behalf of residents of this State, or to obtain such further and other relief as the court may deem appropriate.
(c) For purposes of bringing any action under this Section 20, no provision of this Section shall be construed as preventing the Director of Financial Institutions or the Attorney General from exercising the powers conferred to them by the laws of this State to conduct investigations or to administer oaths or affirmations or to compel the attendance of witnesses or the production of documentary and other evidence.
(d) If a financial institution fails to comply with any provision of this Act in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the financial institution in any court of competent jurisdiction. In any suit brought pursuant to this subsection (d), the court may order the financial institution to take such action as is necessary to remedy violations of this Act, including but not limited to:
    (1) amending the individual's record in accordance with his or her request or in such other way as the court may direct;
    (2) enjoining the financial institution from withholding the complainant's records and order the production to the complainant of any financial institution records improperly withheld from him or her, in which case the court may examine the contents of any financial institution records in camera to determine whether the records or any portion thereof may be withheld; and
    (3) enjoining the financial institution from transferring to any affiliate or nonaffiliated third party financial information.
(e) In any suit brought pursuant to subsection (d) of this Section in which the court determines that the financial institution violated this Act, the financial institution shall be liable to the individual in an amount equal to the sum of:
    (1) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and
    (2) reasonable attorney fees and other litigation costs reasonably incurred in any case brought under this Section 20 related to those claims on which the complainant has substantially prevailed.
(f) An action to enforce any liability created under this Section may be brought in any court of competent jurisdiction, without regard to the amount in controversy, within 2 years from the date on which the cause of action arises, except that where a financial institution has materially and willfully misrepresented any information required to be disclosed to an individual under this Section and the information so misrepresented is material to establishment of the liability of the financial institution to the individual under this Section, the action may be brought at any time within 2 years after discovery by the individual of the misrepresentation.
(g) For the purposes of this Section, the parent of any minor or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity or age by a court of competent jurisdiction may act on behalf of the individual.
(h) The terms used in subsection (a) that are not defined in this Act or otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the meaning given to them in section 1(b) of the International Banking Act of 1978.

Section 25. Effect on Fair Credit Reporting Act.
Nothing in this Act shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act and no inference shall be drawn on the basis of the provisions of this Act regarding whether information is transaction or experience information under section 603 of the Fair Credit Reporting Act.

Section 30. Relation to other State laws. This Act shall not be construed as superseding, altering, or affecting any statutes, rules, orders, or interpretations in effect in this State, except to the extent that such statutes, rules, orders, or interpretations are inconsistent with the provisions of this Act and then only to the extent of the inconsistency.

Section 35. Personal information that is necessary to effect or administer a transaction. The disclosing or use of personal information shall be treated as necessary to effect or administer a transaction with a consumer if the disclosing or use:
    (1) is required or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part and record, service or maintain the consumer's account in the ordinary course of providing the financial service or a financial product or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes:
        (A) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction or information on the status or value of the financial service or financial product; and
        (B) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;
    (2) is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service;
    (3) is required or is a usual, appropriate, or acceptable method for insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by federal or State law; or
    (4) the disclosure is required or is a usual, appropriate, or acceptable method in connection with:
        (A) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means;
        (B) the transfer of receivables, accounts, or interests therein; or
        (C) the audit of debit, credit, or other payment information.