What Lies Ahead: Proposed Privacy Legislation in Illinois
While it might not garner the attention of Halloween, Thanksgiving, or Christmas, January 28th is an international holiday; specifically, Data Privacy Day. The holiday is meant to raise awareness and promote privacy and data protection best practices. For more information on Data Privacy Day, please visit this link. For this year’s Data Privacy Day, we at Baker Sterchi Cowden & Rice are looking ahead to potential data privacy laws proposed in Illinois and evaluating the potential impact of those laws.
App Privacy Protection Act
One such proposed law is the App Privacy Protection Act. This law would require an entity that owns, controls, or operates a website, online service, or software application to identify in its customer agreements or applicable terms whether third parties collection electronic information directly from the digital devices of individuals in Illinois who use or visit its website, online service, or software application. The law would further require the disclosure of the names of those third parties and the categories of information collected. Perhaps most importantly, the law would amend the Illinois Consumer Fraud and Deceptive Business Practices Act to provide that a violation of the law constitutes a violation of the Consumer Fraud Act. Much like the Illinois Biometric Information Privacy Act, this law would create a private right of action for violations, albeit through the Consumer Fraud Act. The citation for this proposed law is 815 ILCS 505/2Z. The last legislative action taken on this proposed law was on March 29, 2019. You can find information about the proposed law at this link.
Data Transparency and Privacy Act
The Illinois House also passed HB 3358, known as the Data Transparency and Privacy Act, in 2019. This bill resembled the California Consumer Privacy Act, which went into effect on January 1, 2020. Under this bill, entities that collect through the Internet personal information about individual consumers would be required to make disclosures to the individuals regarding the collection of the information. The bill also allowed individuals to opt out of the sale of their information. A violation of the proposed law could be enforced only by the Illinois Attorney General. The bill exempted several entities from its scope, including hospitals, public utilities, retailers, and telecom companies. After its passage, the Illinois Senate proposed several amendments to the bill, largely to address the ability to seek relief for violations of the Act. Ultimately, the proposed law stalled, failing to pass both chambers before the General Assembly ended its legislative session.
On January 8, 2020, however, the Illinois Senate breathed new life into the issue, with Senator Thomas Cullerton sponsoring SB 2330, an updated version of the Data Transparency Privacy Act. Under this version of the proposed law, businesses that process personal or deidentified information must, prior to processing, provide notice of certain information to consumers. The bill also grants consumers the right to obtain certain information from businesses regarding their personal information and the right to request to opt out of certain practices related to their personal information. The bill provides a private right of action to consumers, and allows the Illinois Attorney General to enforce the provisions of the bill through the Consumer Fraud Act. You can monitor the status of this legislation at this link.
Biometric Information Privacy Act
Illinois also has considered amending one of the more controversial provisions of the Biometric Information Privacy Act. Senate Bill 2134 would delete language in the Act creating a private right of action. Under this bill, any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes would be subject to enforcement by the Department of Labor. The bill further provides that any violation of the Act would constitute a violation of the Consumer Fraud Act and would be enforceable by the Illinois Attorney General. If enacted, this legislation could have a significant impact by reducing the amount of legislation filed under the Biometric and Information Privacy Act. The last action taken on this bill was on March 28, 2019. You can find more information about the status of the bill at this link.
Geolocation Privacy Protection Act
The Geolocation Privacy Protection Act (House Bill 2785) was introduced by Rep. Ann M. Williams in February 2019. Under the proposed bill, affirmative express consent would be required before geolocation information can be collected, used, stored or disclosed from a location-based application on a user's device. Similar to the App Privacy Protection Act discussed above, the Geolocation Privacy Protection Act provides that a violation of the Geolocation Privacy Protection Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act, thereby amending Section 2Z of the Illinois Consumer Fraud Act. In addition, a user's rights under the Act cannot be waived. The last action on the bill occurred on March 229, 2019, when it was re-referred to the Rule's Committee. More information regarding the status of the bill can be found at this link.
Right to Know Data Transparency and Privacy Act
Another proposed law is the Right to Know Data Transparency and Privacy Act which would require that an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual customers residing in Illinois who use or visit its commercial website or online service notify those customers of certain specified information pertaining to its personal information sharing practices. The Act would also require an operator to make available to customers all categories of personal information that were disclosed, as well as the names of all third parties that received the customer's personal information. Further, customers whose rights are violated under the Act have a private right of action. The Act is comprised of Senate Bill 2149, introduced by Sen. Michael E. Hastings, and House Bill 2736, introduced by Rep. Kambium Buckner, in February 2019. The last action taken on both bills was on March 29, 2019. You can find out more information about the Right to Know Act here.
Genetic Information Privacy Act
In addition to an increase in proposed legislation related to data privacy, the expansion of existing privacy laws in Illinois is already occurring with new amendments which went into effect on January 1, 2020. For example, due to the growing popularity of direct-to-consumer genetic testing kits sold by companies such as Ancestry and 23andMe, House Bill 2189 was signed into law by Governor Pritzker on July 26, 2019. The amendment expands the definition of “genetic testing” under the Genetic Information Privacy Act to include direct-to-consumer genetic testing kits. In addition, the amendment specifically prohibits the sharing of any testing or personally identifiable information with health insurance and life insurance companies without the written consent of the consumer.
Artificial Intelligence Video Interview Act
Further, Illinois law now provides for protections related to the use and disclosure of information gained using artificial intelligence software by prospective employers during video interviews. Additional details regarding the Artificial Intelligence Video Interview Act can be found in a prior post here.
As you can see, companies doing business in Illinois need to remain vigilant about privacy legislation in Illinois. Not only do companies need to be aware of new legislation on this issue, but they need to understand how various privacy laws interact with each other. Consumer privacy appears to be an important issue to the Illinois legislature, and as the legislation discussed above illustrates, one that will continue to develop in 2020.