Perhaps the third time will be the charm for the House Cybersecurity, Data Analytics & IT Committee. It is posted for Thursday, March 5th at 10 m. Two bills of interest are posted to the committee:
(Buckner) creates the "Right to Know Act". This legislation would forbid an operator of a website or online service from disclosing personal information about users of its website or application residing in Illinois unless they are notified in the customer agreement about: i) the personal information collected; ii) all categories of third-party persons or entities to whom the operator may disclose it; and iii) a description of an Illinois resident's rights under this Act. All website or online service operators that disclose personal information to a third party must maintain an email address or toll-free phone number to inform any Illinois resident who asks what personal information was shared about them and with whom it was shared. All inquiries must be answered within 30 days. Most worrisome is that it creates a private right of action for failure to comply. As we have seen with BIPA, this can be abused.
(Williams) Urges Illinois to continue to be a leader in the protection of the privacy of its citizens by codifying the Illinois Constitution's fundamental right of privacy. Declares January 28, 2020, as "Data Privacy Day" in the State of Illinois.
There is no technology-related legislation posted in the Senate.
Other Legislative Updates
The Senate assigned several technology bills tracked by the Chamber to the Judiciary Committee. Senate Democratic leadership indicated this week that they plan to have hearings on most of these issues this year and will likely wait to move them until next session. We will, of course, keep you updated as things progress. The following bills were assigned to Judiciary:
(Harmon) - This bill is based on the Washington Data Privacy Proposal. While there are some issues, it's much better than other proposals.
(T. Cullerton) - Data privacy bill based on the California legislation. This is much worse than the Harmon bill above.
(Holmes) - Amends the Local Governmental and Governmental Employees Tort Immunity Act. Provides that a public entity or a public employee is not liable for injury caused by any unauthorized access to government records, data, or electronic information systems by any person or entity.
(Rose) - Amends the Genetic Information Privacy Act. Provides that it is unlawful for any person or business to disclose an individual's genetic information to third parties specifically for marketing, advertising, or sales purposes unless the individual, or his or her legal guardian or legally authorized representative, consents in writing to the disclosure. Provides that any request for consent to disclose an individual's genetic information to third parties for marketing, advertising, or sales purposes must be provided in a written notice separate from any other communication that clearly and conspicuously states how the information will be disclosed, including to whom the information will be disclosed and how the information will be used by the recipient, seeks the individual's, or his or her legal guardian's or legally authorized representative's, consent to disclosure, and informs the individual, or his or her legal guardian or legally authorized representative, of how to cancel consent to disclosure once given.
(Fine) - Creates the Consumer Privacy Act. Provides that a consumer has the right to request that a business that collects the consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected. Requires a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Requires the business to provide notice when collecting additional categories of personal information or when using a consumer's personal information for additional purposes. Provides that a consumer has the right to request that a business delete any personal information about the consumer that the business has collected from the consumer, with some exceptions. Requires a business that collects or sells a consumer's personal information to make certain disclosures to the consumer upon receipt of a verifiable consumer request. Provides that a consumer has the right, at any time, to opt-out of the sale of his or her personal information to third parties. Prohibits a business from discriminating against a consumer who exercises any of the rights established under the Act by denying goods or services or charging the consumer different prices or rates for goods or services. Permits a business to provide financial incentives to a consumer that authorizes the sale of his or her personal information. Contains provisions concerning deadlines for processing a consumer's disclosure request; categories of personal information that must be disclosed; notice requirements; consumer information that is not subject to the Act's requirements; civil penalties for violations of the Act; and other matters. Amends the State Finance Act. Creates the Consumer Privacy Fund. Effective January 1, 2021.
I spoke to Senator Fine about her bill last week. She says she is still studying this topic and most likely will not move her legislation (
(Wheeler) - was posted for the Commercial Law Subcommittee of the House Judiciary-Civil Committee. The Chamber supports this legislation and encourages others to join us in support. Creates the Cybersecurity Compliance Act. Defines terms. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.
Finally, there are two bills still in House Rules/Senate Assignments Committee that I wanted to highlight:
(Williams) - Creates the Geolocation Privacy Protection Act. Provides that a private entity that owns, operates, or controls a location-based application on a user's device may not disclose geolocation information from a location-based application to a third party unless the private entity first receives the user's affirmative express consent after providing a specified notice to the user. Sets forth the purposes for which disclosure may be made. Provides that a violation of the Act constitutes an unlawful practice for which the Attorney General may take appropriate action under the Consumer Fraud and Deceptive Business Practices Act. Provides that the Act does not modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure. Provides that waiver of the provisions of the Act is void and unenforceable and an agreement that does not comply with the Act is void and unenforceable. Provides that the Act does not apply to certain entities.
(Hastings) - Amends the Personal Information Protection Act. Provides that data collectors that maintain or store, but do not own or license, computerized data that includes personal information and that are required to issue notice pursuant to this Section to the owner or licensee of the information that there has been a breach of the security of the data shall notify the Attorney General regarding the breach. Effective immediately.