Illinois 2023-2024 Regular Session

Illinois House Bill HB1381 Compare Versions

Only one version of the bill is available at this time.
103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB1381
Introduced , by Rep. Kam Buckner

SYNOPSIS AS INTRODUCED:

New Act

Creates the Right to Know Act. Provides that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall notify those customers of certain specified information pertaining to its personal information sharing practices. Requires an operator to make available certain specified information upon disclosing a customer's personal information to a third party, and to provide an e-mail address or toll-free telephone number whereby customers may request or obtain that information. Provides for a data protection safety plan. Provides for a right of action to customers whose rights are violated under the Act. Provides that any waiver of the provisions of the Act or any agreement that does not comply with the applicable provisions of the Act shall be void and unenforceable. Provides that no provision of the Act shall be construed to conflict with or apply to certain specified provisions of federal law or certain interactions with State or local government. Provides findings and purpose. Defines terms.

LRB103 24899 DTM 51233 b

A BILL FOR

AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Right to Know Act.

Section 5. Findings and purpose. The General Assembly hereby finds and declares that the right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy in information pertaining to them. This State recognizes the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves. Furthermore, for free market forces to have a role in shaping the privacy practices and for "opt-in" and "opt-out" remedies to be effective, consumers must be more than vaguely informed that a business might share personal information with third parties. Consumers must be better informed about what kinds of personal information are shared with other businesses. With these specifics, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy.

Businesses are now collecting personal information and sharing and selling it in ways not contemplated or properly covered by the current law. Some websites are installing tracking tools that record when consumers visit web pages, and sending very personal information, such as age, gender, race, income, health concerns, religion, and recent purchases to third party marketers and data brokers. Third party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies. Some mobile applications are sharing personal information, such as location information, unique phone identification numbers, and age, gender, and other personal details with third party companies. As such, consumers need to know the ways that their personal information is being collected by companies and then shared or sold to third parties in order to properly protect their privacy, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Categories of personal information" includes, but is not limited to, the following:
(a) Identity information including, but not limited to, real name, alias, nickname, and user name.
(b) Address information, including, but not limited to, postal or e-mail.
(c) Telephone number.
(d) Account name.
(e) Social security number or other government-issued identification number, including, but not limited to, social security number, driver's license number, identification card number, and passport number.
(f) Birthdate or age.
(g) Physical characteristic information, including, but not limited to, height and weight.
(h) Sexual information, including, but not limited to, sexual orientation, sex, gender status, gender identity, and gender expression.
(i) Race or ethnicity.
(j) Religious affiliation or activity.
(k) Political affiliation or activity.
(l) Professional or employment-related information.
(m) Educational information.
(n) Medical information, including, but not limited to, medical conditions or drugs, therapies, mental health, or medical products or equipment used.
(o) Financial information, including, but not limited to, credit, debit, or account numbers, account balances, payment history, or information related to assets, liabilities, or general creditworthiness.
(p) Commercial information, including, but not limited to, records of property, products or services provided, obtained, or considered, or other purchasing or consumer histories or tendencies.
(q) Location information.
(r) Internet or mobile activity information, including, but not limited to, Internet protocol addresses or information concerning the access or use of any Internet or mobile-based site or service.
(s) Content, including text, photographs, audio or video recordings, or other material generated by or provided by the customer.
(t) Any of the above categories of information as they pertain to the children of the customer.

"Customer" means an individual residing in Illinois who provides, either knowingly or unknowingly, personal information to a private entity, with or without an exchange of consideration, in the course of purchasing, viewing, accessing, renting, leasing, or otherwise using real or personal property, or any interest therein, or obtaining a product or service from the private entity, including advertising or any other content.

"Designated request address" means an e-mail address or toll-free telephone number whereby customers may request or obtain the information required to be provided under Section 15 of this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means to any third party. "Disclose" does not include the following:
(a) Disclosure of personal information by a private entity to a third party under a written contract authorizing the third party to utilize the personal information to perform services on behalf of the private entity, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services, but only if (i) the contract prohibits the third party from using the personal information for any reason other than performing the specified service or services on behalf of the private entity and from disclosing any such personal information to additional third parties, and (ii) the private entity effectively enforces these prohibitions.
(b) Disclosure of personal information by a business to a third party based on a good-faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.
(c) Disclosure of personal information by a private entity to a third party (i) that is reasonably necessary to address fraud, security, or technical issues, (ii) to protect the disclosing private entity's rights or property, or (iii) to protect customers or the public from illegal activities as required or permitted by law.

"Operator" means any person or entity that owns a website located on the Internet or an online service that collects and maintains personally identifiable information from a customer residing in Illinois who uses or visits the website or online service if the website or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owner.

"Personal information" means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, physical characteristics or description, address, telephone number, passport number, driver's license or State identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information.

"Personal information" also means any data or information pertaining to an individual's income, assets, liabilities, purchases, leases, or rentals of goods, services, or real property, if that information is disclosed, or is intended to be disclosed, with any identifying information, such as the individual's name, address, telephone number, or social security number.

"Third party" or "third parties" means (i) a private entity that is a separate legal entity from the private entity that has disclosed personal information, (ii) a private entity that does not share common ownership or common corporate control with the private entity that has disclosed personal information, or (iii) a private entity that does not share a brand name or common branding with the private entity that has disclosed personal information such that the affiliate relationship is clear to the customer.

Section 15. Notification of information sharing practices. An operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service shall, in its customer agreement or incorporated addendum (i) identify all categories of personal information that the operator collects through the website or online service about individual customers who use or visit its commercial website or online service, (ii) identify all categories of third party persons or entities with whom the operator may disclose that personally identifiable information, and (iii) provide a description of a customer's rights, as required under Section 25 of this Act, accompanied by one or more designated request addresses.

Section 20. Disclosure of a customer's personal information to a third party.
(a) An operator that discloses a customer's personal information to a third party shall make the following information available to the customer free of charge:
(1) all categories of personal information that were disclosed; and
(2) the names of all third parties that received the customer's personal information.
(b) This Section applies only to personal information disclosed after the effective date of this Act.

Section 25. Information availability service.
(a) An operator required to comply with Section 20 shall make the required information available by providing a designated request address in its customer agreement or incorporated addendum, and, upon receipt of a request under this Section, shall provide the customer with the information required under Section 20 for all disclosures occurring in the prior 12 months.
(b) An operator that receives a request from a customer under this Section at one of the designated addresses shall provide a response to the customer within 30 days.

Section 30. Data protection safety plan. Each manufacturer or company doing business in this State, or which collects personal information from customers who are residents of this State, shall develop a safety plan for the protection of customer data.

Section 35. Right of action. Any person whose rights under this Act are violated shall have a right of action against an offending party, and shall recover: (i) liquidated damages of $10 or actual damages, whichever is greater; (ii) injunctive relief, if appropriate; and (iii) reasonable attorneys' fees, costs, and expenses.

Section 40. Waivers; contracts. Any waiver of the provisions of this Act shall be void and unenforceable. Any agreement that does not comply with the applicable provisions of this Act shall be void and unenforceable.

Section 45. Construction.
(a) Nothing in this Act shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under that Act.
(b) Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated under that Act.
(c) Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.
(d) Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.