What's to Come: Illinois Data Transparency and Privacy
Thursday, June 27, 2019
Posted by: Gary Hotze
Julia Kanouse, CEO, ITA & John Higginson, CTO, Enova and ITA Board Member
In the recently completed session the Illinois State Legislature considered (but did not pass) a law to govern how online businesses collect and use personal information. The law would affect several industries that do business in this state and provide consumers with notices on what personal data is used, collected, and sold and allow them to opt out of the sale of any data. Illinois’ discussion of such protection is not unique as the last two years have seen a raft of legislation aimed at protecting consumers: California passed their Consumer Privacy Act which takes effect in 2020, and at least eight other states are considering similar legislation.
In some ways, these laws are an understandable reaction to recent stories of misuse by some companies that seem to treat personal data as a kind of digital Divvy bike where everyone gets a share. Most of us as consumers would agree that our information deserves protection, but the “how” of it is critical to ensure those safeguards are achieved without crippling businesses and economic activity.
Ideally, any regulation of the use and retention of personal data would be decided at a Federal level giving companies doing business in the US a single standard to adhere to. Such Federal legislation would also “preempt” any state regulation already in place. However, with little action in Washington toward a comprehensive standard, state legislatures are attempting to fill the void with laws of their own. Given the borderless nature of online businesses, it’s easy for many companies — no matter where they are based — to be subject to these new privacy laws.
Though the Illinois version has not yet passed, it’s important for ITA members to understand its provisions and how you can help shape the law into something that balances consumer protection and business health.
Read on for more information about which companies are affected, what you’d need to do under the new law and how it will be enforced.
Illinois Act: Which Companies are Affected
All companies that do business in Illinois who have at least 50,000 annual visitors to their website or mobile application; or a business that receives personal information on 50,000 consumers. To put that in perspective, a business that averages just 137 visits or transactions per day would qualify. Unlike some other states, the Act does not have a threshold based on revenue or unit sales.
While the proposal seeks to require private entities that own an internet website or service that collects, maintains, or discloses personal information on Illinois residents, there is a lengthy list of exemptions to which the law (if enacted) would not apply. Exempted industries include health care providers subjected to HIPPA, financial institutions, contractors with the state, public utility companies, hospitals, retailers, and telecommunication companies. Industries not on that list would be subject to this proposal.
What is “Personal Information”
The Act has a fairly broad definition of personal information. In the current draft, the following types of data are protected:
• Real name
• Any alias the consumer is known by
• Physical address
• Telephone number
• Passport number
• Driver’s license number or state ID number
• Insurance policy number
• Bank account number or other financial account numbers
• Debit or credit card number
• Geolocation data
• IP Address
• Biometric data (such as a thumbprint).
What Companies Would Need to Do
All companies subject to the Act would be required to clearly disclose what data they collect and how it is used in a policy clearly visible to consumers, provide additional notices on any changes, and provide a way for consumers to opt out of such data collection. A response to that “opt out” request must occur within 45 days. If the consumer opts-out, that data must be destroyed or anonymized.
While this may seem straightforward, a company not already used to managing data under a similar standard like the UK’s GDPR will find that it takes a fair amount of work. Think of all the places you might have personal data outside of your transaction system — spreadsheets, backup tapes, log files. Any partner or vendor you work with who may provide you with personal information must be reviewed and managed appropriately.
The Attorney General of Illinois would be responsible for enforcing the Act under the Consumer Fraud and Deceptive Business Practices Act. However, one of the open points of debate in Springfield is whether consumers would also have a “private right of action” — the ability to file a civil claim for a privacy violation. For businesses, that would be a worrisome change. It opens the door to potentially frivolous lawsuits and could result in companies incurring significant legal expenses.
With the legislature adjourned for the summer and the Act not finalized there will be more debate. It is also possible that Illinois will convene a review board involving businesses and consumer groups to discuss the right structure of the law. This is something that Washington State is doing to try and achieve that balance between consumer and business concerns.
What you can do
While we all may have different perspectives on the law, it’s a safe bet that some form of regulation on the use of personal information is coming. Until there is a national standard, ITA members should make their voices heard:
• Contact your state senator or state representative.
• Contact the IL Chamber of Commerce: Tyler Diers, Director Legislative Affairs, at firstname.lastname@example.org or at 217-522-5512 ext. 296
• Follow ITA on social media to get the latest updates on the IL law and other developments.