Happy Data Privacy Day! A Look at the State of Data Privacy Legislation and Court Rulings in Illinois
January 28, 2022, marks a variety of holidays, including International Lego Day, National Blueberry Pancake Day, National Kazoo Day, and Rubber Ducky Day, among others. Perhaps the most important holiday for businesses, however, is National Data Privacy Day. To commemorate National Data Privacy Day, the Baker Sterchi Illinois Law Blog reviews data privacy legislation proposed in Illinois in 2021, data privacy legislation that may be enacted in Illinois in 2022, and important Illinois court opinions related to data privacy likely to be issued in 2022.
Proposed Amendments to the Biometric Information Privacy Act
The Illinois Biometric Information Privacy Act (“BIPA”) continues to attract nationwide attention and form the basis for a flood of lawsuits. In 2021, three bills were introduced in an effort to reduce the number of BIPA lawsuits. Currently, however, the bills have failed to pass, instead stalling in committee assignments.
House Bill 559 and Senate Bill 330 would amend BIPA to allow private entities to obtain written “consent,” rather than a written “release,” to obtain a person’s biometric information. Additionally, the bills would amend BIPA so that a private entity in possession of biometric information need only make its written policy governing the retention/destruction of biometric information available to the person from whom biometric information is collected, rather than to the general public. The bills would further require an aggrieved person, before filing suit, to provide a private entity 30 days’ written notice identifying the specific provisions of BIPA the aggrieved person believes the entity violated. If, within 30 days, the entity cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and no further violation will occur, the person will not have the right to file suit against the entity. If the private entity continues to violate BIPA in breach of the written statement provided to the aggrieved person, the aggrieved person may initiate suit against the entity within one year after the cause of action accrued. Finally, the bills would limit an aggrieved person’s damages to: 1) their actual damages for negligent violations, or their actual damages plus liquidated damages up to the amount of actual damages for willful violations; 2) reasonable attorneys’ fees and costs; and 3) other relief, such as an injunction. The last action taken on House Bill 559 was on April 23, 2021, and the last action taken on Senate Bill 330 was on April 16, 2021.
House Bill 560 would amend BIPA so that any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would no longer give rise to a private right of action, but instead would be subject to enforcement by the Department of Labor. The bill further provides that any other violation of BIPA would constitute a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, subject to enforcement by the Illinois Attorney General or appropriate State’s Attorney. The bill also includes some proposed amendments included in House Bill 559 and Senate Bill 330. The last action taken on this bill was on March 27, 2021.
Consumer Privacy Act
House Bill 3910 would create the Illinois Consumer Privacy Act. Under this bill, a consumer would have the right to request that a business that collects the consumer’s personal information disclose to the consumer the categories and specific pieces of personal information the business has collected. The bill would require a business to, at or before the point of collection, inform a consumer of the categories of personal information to be collected and the purposes for which the categories of personal information would be used. Consumers also would have the right to request that businesses delete any personal information about the consumers, with some exceptions. Additionally, consumers would have the right, at any time, to opt out of the sale of their personal information to third parties. Businesses would be prohibited from discriminating against consumers who exercise any of the rights established by the Act. Finally, the bill would allow for private rights of action in certain circumstances and for enforcement actions by the Illinois Attorney General. The last action taken on this bill was on March 27, 2021.
Right to Know Act
House Bill 2404 would create the Illinois Right to Know Act. Under this bill, an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service must notify those customers of certain information relating to its personal information sharing practices. The bill would further require an operator of a commercial website or online service to make available certain information upon disclosing a customer’s personal information to a third-party, and to provide an e-mail address or toll-free telephone number through which customers may request or obtain that information. The bill also would allow for private rights of action for customers whose rights are violated. Finally, any waiver of the provisions of the Act or any agreement that does not comply with the Act would be void and unenforceable. The last action taken on this bill was on March 27, 2021.
Automatic Listening Exploitation Act
Senate Bill 2080 would make it unlawful for a person, which is defined to include partnerships, corporations, associations, and other entities, who provides any smart service through a proprietary smart speaker to: 1) store or make a recording or transcript of any speech or sound captured by a smart speaker, or to use any storage or recording or transcript of any voice interaction by a user with the voice-user interface; or 2) transmit such a recording or transcript to a third-party, for any purpose, without first obtaining consent and permitting the user to require the deletion of any recording, transcript, or sound recorded by the speaker at any time. The bill also would make it unlawful for a person who provides any security monitoring or other service through a proprietary video doorbell to: 1) store or make a recording of any video, image, or audio captured by the video doorbell’s camera; or 2) use any storage recording of any video, image, or audio captured by the video doorbell’s camera, or transmit such a recording to a third-party. The bill would allow enforcement by the Illinois Attorney General or a State’s Attorney. The last action taken on this bill was on April 26, 2021.
Keep Internet Devices Safe Act
Senate Bill 2082 provides that a private entity may turn on/enable, cause to be turned on/enabled, or otherwise use a digital device’s microphone to listen for or collect information, including spoken words or other audible or inaudible sounds, if the private entity makes specified disclosures in its customer agreement or an incorporated addendum. If a private entity collects, stores, or transmits any information collected through a digital device’s microphone concerning an Illinois resident, the entity must implement and maintain reasonable security measures. A violation of this Act would constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act, which allows for a private right of action. The last action taken on this bill was on February 26, 2021.
Cybersecurity Compliance Act
House Bill 3030 would create an affirmative defense to any tort action that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information. The affirmative defense would be available to every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. A covered entity is defined as a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of Illinois. Finally, the bill sets forth certain requirements the cybersecurity program must meet in order to qualify for the affirmative defense. The last action taken on this bill was on March 27, 2021.
Insurance Data Security Act
House Bill 3040 would require any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance laws of Illinois to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems, and procedures. “Person” is defined to include individuals and any non-governmental entities. The bill also sets forth certain requirements for licensees, which is defined as any person licensed, authorized to operate, or registered as an insurer, or required to be licensed, authorized, or registered in accordance with the insurance laws of Illinois. Under the bill, licensees must: 1) develop, implement, and maintain a written information security program based on the licensee's risk assessment; 2) establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations; 3) if domiciled in Illinois, annually submit a written certification of compliance to the Director of Insurance; and 4) notify the Illinois Director of Insurance as promptly as possible, but not later than 72 hours from a determination that a cybersecurity event has occurred in specified circumstances. The bill further provides standards and procedures for risk management, data security, and notification and investigation of cybersecurity events resulting in unauthorized access to, disruption of, or misuse of nonpublic data.
The Director of Insurance would be granted authority to investigate and determine whether a licensee has been engaged in any conduct in violation of the Act, and any materials or documents obtained pursuant to the Act would be confidential, privileged, and not subject to the Freedom of Information Act. The last action taken on this bill was on March 27, 2021.
Protecting Household Privacy Act
The Protecting Household Privacy Act passed on May 31, 2021, and became effective on January 1, 2022. Under the Act, law enforcement agencies may not obtain household electronic data or direct the acquisition of such data from private third parties, unless: 1) the agencies first obtain a warrant under the Illinois Criminal Code of Procedure; 2) a specified emergency situation exists; or 3) the owner of the household electronic device or person in actual or constructive possession of the device provides lawful consent. If a law enforcement agency obtains household electronic data, the agency must destroy all information obtained within 30 days, subject to limited exceptions.
Geolocation Privacy Protection Act
This bill provides that a private entity that owns, operates, or controls a location-based application on a user’s device may not disclose geolocation information from a location-based application to a third-party unless the private entity first receives the user’s express consent after providing a specified notice to the user. A violation of the Act would constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act, enforceable by the Illinois Attorney General. The last action taken on this bill was on January 11, 2022, when it was assigned to the Cybersecurity, Data Analytics, and IT Committee.
Do Not Track Act
Senate Bill 3081, introduced on January 11, 2022, would prohibit a party to a user action from tracking another user whenever the party receives a do-not-track signal indicating a user preference not to be tracked, with some exceptions. A “user action” is defined as a deliberate online action by a user, via configuration, invocation, or selection, to initiate a network interaction. Examples of user action include selection of a link, submission of a form, and reloading a page. A party may disregard a user’s do-not-track signal when the user has given express affirmative consent to track. Under the bill, an organization may process data for specified uses if the organization: 1) limits the amount of identifiable data collected; 2) limits the retention of identifiable data to no longer than what is reasonably necessary for the permitted uses; 3) uses anonymous data; 4) processes the data separately from the systems that are used for purposes other than the permitted uses; and 5) does not process the data beyond the permitted uses. The bill also would require an organization that engages in tracking to describe, in understandable language and syntax such that an ordinary user can comprehend, its practices with respect to do-not-track signals in its privacy statement or similar notice, available through a clear and prominent link on the home page of its website. Parties also would be prohibited from blocking a user’s do-not-track signal. Finally, the Act would be enforceable by the Illinois Attorney General, although a user whose identifiable information has been processed in violation of the Act would have the right to a private action.
Anticipated Illinois Court Opinions
On December 7, 2021, the Seventh Circuit Court of Appeals issued an opinion in the case Cothron v. White Castle Sys., No. 20-3202, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021). There was much anticipation for the court’s ruling, as the Seventh Circuit was set to determine whether claims asserted under Sections 15(b) and 15(d) of BIPA accrue only once upon the initial collection or disclosure of a person’s biometric information, or each time an entity collects or discloses biometric information. At the district court level, White Castle argued that the plaintiff’s claims were time-barred because they accrued in 2008, when her fingerprint was first scanned after BIPA went into effect. The plaintiff argued that each scan of her fingerprint in violation of BIPA constituted a new, separate violation of the Act, meaning that a new claim accrued with each scan. Despite the anticipation, the Seventh Circuit declined to rule on the merits, instead certifying the issue to the Illinois Supreme Court. The Illinois Supreme Court accepted certification on December 23, 2021.
On December 15, 2021, the Illinois First District Court of Appeals addressed this issue in the case Watson v. Legacy Healthcare Financial Services, LLC, 2021 IL App (1st) 210279. In that case, the court determined that claims under Section 15(b) of BIPA accrue “each and every” time a defendant captures and uses biometric information. A petition for leave to appeal is currently pending with the Illinois Supreme Court.
The Illinois Supreme Court also appears poised to address the statute of limitations for BIPA claims in 2022. In September 2021, the Illinois First District Court of Appeals determined that claims under Sections 15(c) and 15(d) have a one-year statute of limitations. The court explained that these claims involve publication of biometric information and, therefore, equated the claims to violations of the right of privacy, which have a one-year limitation period. By contrast, the court concluded that claims under Sections 15(a), 15(b), and 15(e) of BIPA do not involve publication and, therefore, are governed by Illinois’ five-year “catch-all” statute of limitations. Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563. On January 26, 2022, the Illinois Supreme Court granted a petition for leave to appeal. The Illinois Third District Court of Appeals also should weigh in on this issue in 2022. Pending before it is the case Marion v. Ring Container Techs., LLC, No. 3-20-0184 (Ill. App. Ct., 3d Dist.).
Finally, the Illinois Supreme Court is likely to resolve whether the Illinois Workers’ Compensation Act bars a claim for statutory damages under BIPA by an employee against an employer. In 2020, the Illinois First District Court of Appeals determined that such claims do not involve the type of injury that fits within the purview of the Workers’ Compensation Act and, therefore, the exclusivity provisions of the Workers’ Compensation Act do not bar employees from pursuing claims for statutory damages under BIPA against their employers. McDonald v. Symphony Bronzeville Park, LLC, 2020 IL App (1st) 192398. The Illinois Supreme Court heard oral arguments in this case in September 2021, but it has yet to issue a ruling.
As illustrated above and discussed in prior blog posts, Illinois poses unique risks and challenges to businesses due to its expansive data privacy legislation and court opinions relating to BIPA. For employers, it is particularly important to be aware of Illinois data privacy legislation and case law, as telework and the use of biometric technology for employee monitoring appear to be the new normal due to the COVID-19 pandemic. For example, the number of employees working from home has risen by 159 percent since 2009, and approximately 62 percent of employees aged 22 to 65 work remotely at least occasionally. While the number of U.S. employees teleworking has decreased from 24.3 percent in August 2020 to 11.1 percent in December 2021, this decrease appears to have plateaued, suggesting the permanent role teleworking may play in the post-pandemic U.S. In December 2021, 42.4 percent of workdays in the U.S. were worked from home. Looking ahead, 75 percent of professionals expect telework to become the new standard, while 97 percent of employees indicate a preference for the flexibility to both telework and work in an office.
The increase in telework has given rise to the increased use of biometric technology for employee monitoring. One study determined that 60 percent of companies with at least 1,000 employees had adopted the use of biometric technology for employee monitoring, compared to only 30 percent prior to the COVID-19 pandemic. This number is expected to increase to 70 percent within the next three years.
Overall, with the convergence of new data privacy legislation, the increase in telework, and the continued expansion of biometric technology in the workforce, businesses operating in Illinois must remain vigilant to avoid the many pitfalls associated with biometric and data collection. Businesses should use this National Data Privacy Day as an opportunity to evaluate their current operations and policies and determine if they are in compliance with Illinois law.