Illinois Considering Data Privacy Law

Beginning with the EU General Data Protection Regulation (GDPR) in 2018 and continuing with the California Consumer Privacy Act (CCPA) in 2020, governments have become increasingly active in regulating how businesses use personal information of consumers. Legislation is currently pending before the Illinois General Assembly that would adopt a similar data protection framework for Illinois residents. Businesses that collect, store, or use personal information of Illinois residents should be aware that they may soon have new obligations to provide disclosures, respond to consumer requests about their data, and comply with other requirements. 

The Illinois “Data Transparency and Privacy Act,” proposed as SB2330, would apply to any “business” that processes “personal information or deidentified information.” A “business” would encompass any for-profit legal entity that does business in Illinois and that collects or discloses the personal information of more than 50,000 Illinois residents or derives 50% or more of its annual revenues from selling personal information. Notably, this law would not apply to not-for-profit corporations or to third parties that host or manage websites or information on behalf of the owner. The Data Transparency and Privacy Act (“DTPA”) adopts a broad definition of “personal information” that includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. This would cover obvious information, like names, addresses, and Social Security numbers, but also less obvious information, such as IP addresses, geolocation data, browsing history, and even thermal or olfactory information. Under this definition, virtually any information about a person or his or her activities would be covered. However, the DTPA grants exceptions for information lawfully obtained from government sources and for information protected under the Gramm-Leach-Bliley Act, HIPAA, and the Fair Credit Reporting Act.

Businesses subject to the DTPA would be required to comply with consumer requests related to their personal information, to provide disclosures about personal information, and to allow consumers to “opt out” of the sale or use of their information. Under the DTPA, consumers would have the right to review the personal information a business has collected about them, to request correction of inaccurate information, to opt out of the sale or disclosure of the information, and to request deletion of the information. At the point of collecting personal information, the business must provide certain disclosures to the consumer, including a description of the categories of personal information the business collects, how the business may use the information, and how the consumer can exercise DTPA rights regarding the information. Any collection or use of the information beyond what was described to the consumer is prohibited unless the business obtains express consent from the consumer.

The DTPA requires businesses to set up a process for handling, authenticating, and responding to consumer requests. Businesses must post a notice on their webpages describing where requests may be submitted, which must include a street address for receiving notices by mail. Any business receiving a request must respond promptly, usually within 45 days, and free of charge to the consumer. Once a business receives a request from a consumer to “opt out” of the sale or disclosure of the consumer’s information, the business must immediately cease selling or disclosing the information.

In addition to consumer rights to personal information, the DTPA requires businesses to implement and maintain reasonable security measures to protect the information from unauthorized use, disclosure, or access. What is reasonable will depend upon the sensitivity of the information; the nature, size, and scope of the business; and technical limitations.

Businesses subject to the DTPA will be required to conduct risk assessments. Before each processing activity involving personal information, a business is required to weigh the benefits of processing the information against the potential risks to the consumer. If the risk of harm to the consumer is substantial, then the business will not be able to process the information without the consumer’s express consent.

For remedies, the DTPA proposes a private right of action by the consumer for any unauthorized access, theft, or disclosure of personal information if the business violates its duty to secure the personal information. The Attorney General will also have enforcement powers, with the authority to enforce violations under the Consumer Fraud and Deceptive Business Practices Act. 

We will continue to monitor the DTPA for changes to the law as it proceeds through the legislative process. If the DTPA becomes law, regulations will likely be issued providing additional details about the law’s provisions and how it will be enforced. Businesses that could be subject to the DTPA should be planning now to update policies, design system architecture, and train employees so that they can comply with it by its proposed effective date of July 1, 2021.

This article is provided for general information and should not be relied upon as legal advice for a specific situation. If you are in need of specific advice or legal representation, please do not hesitate to contact us.

©2020 Bea & VandenBerk