Illinois 2023 2023-2024 Regular Session

Illinois House Bill HB1381 Introduced / Bill

Filed 01/24/2023

103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB1381

Introduced, by Rep. Kam Buckner

SYNOPSIS AS INTRODUCED:

New Act

Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government. Provides findings and purpose. Defines terms.

LRB103 24899 DTM 51233 b

A BILL FOR
AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Right to Know Act.

Section 5. Findings and purpose. The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Categories of personal information" includes, but is not limited to, the following:

(a) Identity information including, but not limited to, real name, alias, nickname, and user name.

 

 

(b) Address information, including, but not limited to, postal or e-mail.

(c) Telephone number.

(d) Account name.

(e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.

(f) Birthdate or age.

(g) Physical characteristic information, including, but not limited to, height and weight.

(h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.

(i) Race or ethnicity.

(j) Religious affiliation or activity.

(k) Political affiliation or activity.

(l) Professional or employment-related information.

(m) Educational information.

(n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.

(o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.

 

 

(p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.

(q) Location information.

(r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.

(s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.

(t) Any of the above categories of information as they pertain to the children of the customer.

"Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.

"Designated request address" means an e-mail address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.

 

 

"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:

(a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties, and (ii) the private entity effectively enforces these prohibitions.

(b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

(c) Disclosure of personal information by a private entity to a third party (i) that is reasonably necessary to address fraud, security, or technical issues, (ii) to protect the disclosing private entity's rights or property, or (iii) to protect customers or the public from illegal activities as required or permitted by law.

"Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.

"Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.

"Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information, (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information, or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.

Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service, (ii) identify all categories of third party persons or entities with whom the operator may disclose that personally identifiable information, and (iii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.

Section 20. Disclosure of a customer's personal information to a third party.

(a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:

(1) all categories of personal information that were disclosed; and

(2) the names of all third parties that received the customer's personal information.

(b) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Information availability service.

(a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.

(b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.

 

 

Section 30. Data protection safety plan. Each manufacturer or company doing business in this State, or which collects personal information from customers who are residents of this State, shall develop a safety plan for the protection of customer data.

Section 35. Right of action. Any person whose rights under this Act are violated shall have a right of action against an offending party, and shall recover: (i) liquidated damages of $10 or actual damages, whichever is greater; (ii) injunctive relief, if appropriate; and (iii) reasonable attorneys' fees, costs, and expenses.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.

Section 45. Construction.

(a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.

(b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.

(c) Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.

(d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

 

 
