Hello Tech Council members. Yesterday House Deputy Majority Leader Art Turner (D-Chicago) filed an amendment to HB 3357, creating the Data Transparency and Privacy Act. I've done a quick and dirty analysis of the bill and it appears to take many pieces of California's Consumer Privacy Act and some pieces of previous efforts in Illinois to enact so-called "Right to Know" legislation. In short, this legislation seeks to regulate businesses operating internet websites that collect data on Illinois consumers. The proposal would require businesses to publicly provide the data they collect from their website and give consumers the right to know which third parties the data is being disclosed to. It also allows consumers to opt out of the sale of data to third parties.
On its face, this amendment may seem straightforward. However, under such a proposal, businesses would be faced with an unprecedented regulatory regime never before enacted in Illinois. Many of you who had to become compliant with GDPR or recently California's CCPA understand what I am talking about. Businesses found not compliant with any of the provisions could be open to backdoor lawsuits under the Consumer Fraud and Deceptive Business Practices Act, threatening both innovators and small businesses alike.
Below you will find a quick rundown of the amendment. Members are encouraged to take a look at the
and provide any feedback or concerns.
Analysis of the Illinois Data Transparency and Privacy Act:
- Sec. 5 opens up with a preamble on data privacy.
- Sec. 10 contains over 7 pages of definitions. Definitions in bills like these are crucial; here are some of the key ones:
- Private Entities: The bill seeks to regulate private entities in the state. This would include any sole proprietorship, partnership, corporation, association, or other legal entity operating for financial benefit that 1) has annual revenues in excess of $25M, 2) controls the personal information of 50K or more consumers, or 3) derives 50% or more of annual revenues from selling data.
- Consumers: Consumers are defined as those who reside in Illinois who provide knowingly or unknowingly personal information to an operator of a website in the course of purchasing, viewing, or accessing the online service.
- Personal Information: Personal information (or data) is defined as any information that identifies, relates to, or describes a consumer. This includes real name, alias, signature, physical characteristics or descriptions, addresses, telephone numbers, passport numbers, driver's license numbers, insurance policy numbers, employment, bank account number, credit card numbers, IP addresses, geolocation information, biometric identification, and so on.
- Disclosure: The "disclosure" of personal information means to disclose, release, transfer, share, disseminate, make available, or sell.
- Sec. 15: Right to Transparency
- Any website operator that collects personal information through the internet about consumers who use or visit a website must, in its consumer agreement: 1) post the categories of personal information collected; 2) post all categories of third parties to whom the website operator discloses the information; 3) state whether third parties may collect information about an individual consumer's online activities over time; 4) provide the process by which an individual consumer who uses or visits a website can review or request changes to inaccurate information collected by the website operator; 5) describe the process by which website operators notify consumers of changes to the collection of personal information; 6) state the effective date of the notice; and 7) include a description of consumer rights.
- Sec 20: Right to Know
- Any website operator that discloses personal information to a third party must make available to a consumer free of charge the categories of personal information that were disclosed to third parties and the names of those entities.
- Sec 25: Right to Opt Out
- Any website that sells personal information collected through a consumer's visit to a website must post on its website a link that enables a consumer to opt out of the sale of their data.
- Sec. 30: Responses from Consumers
- Website operators that receive requests from consumers under this Act are required to respond to consumers within 45 days.
- Sec 35: Violation
- The Attorney General or the State's Attorney has the right to enforce this Act under the Consumer Fraud and Deceptive Business Practices Act.
- Sec 45: Who does this law not apply to?
- HIPAA-regulated entities, banks, contractors/sub-contractors for the state or a unit of local government, internet or telecommunications service providers, gas/electric utility suppliers, and hospitals.
- The proposal would also not restrict businesses' ability to collect or disclose consumers' personal information if the conduct takes place wholly outside of Illinois.
Keep in mind, this legislation is likely to receive amendments. This is a starting point for discussions on passing a data privacy bill here in Illinois.
Meanwhile, the Illinois Chamber has been leading a coalition of state and local chambers and trade associations nationwide in calling for lawmakers to proceed with caution in adopting state-by-state data privacy laws. Our preferred approach is for Congress to act by enacting a nationwide data privacy law. Today, we are releasing our letter nationwide and to members of Congress. You can view that letter
BILLS OUT OF COMMITTEE
Last week, two bills of concern passed out of the Senate Telecom and IT Committee o
(Castro) both passed with the agreement that they would both come back for an amendment. SB 1624 seeks to amend the state's data breach notification law (PIPA) by requiring a data collector to report breaches of more than 100 people to the Attorney General in 14 days. We received a draft amendment from the sponsor that appears to be a good faith effort to address our concerns. I plan on sitting down with the Senator to iron out some remaining concerns with the hopes we can be neutral on the bill. More on that later.
(Castro) also passed out of Senate Telecom and IT Committee with the agreement the bill would come back with an amendment. This bill seeks to regulate microphone-enabled devices (TV remotes, smart phones, refrigerators, IoT devices, cars, etc.). Under Sen. Castro's bill, the proposal would provide
that no private entity may turn on or enable, cause to be turned on or enabled, or otherwise use a digital device's microphone to listen for or collect information, including spoken words or other audible or inaudible sounds, unless a user first agrees to a written policy meeting specified criteria. The Chamber is opposed to this for several reasons. First, we don't believe Springfield should be regulating these devices (in addition to what is done at the federal level). This is best done at the federal level. Such a proposal would interrupt the supply chain for device manufacturers nationwide. Second, some of the definitions are unclear and would open up liability for businesses.
Right to Repair
Last week, the House Cyber Committee held a subject matter hearing (no votes taken) on
(Mussman). This bill would create the Digital Fair Repair Act and force original equipment manufacturers to provide proprietary diagnostic repair documentation to the owners and third-party repair shops of any equipment or device (from tablets to tractors). The Chairman mentioned that this bill may receive another subject matter hearing; however, no date has been set. We remain opposed.
Work Verify Software
We continue to oppose
(Mussman). This proposal would require any private business that contracts with the state for information-technology services over $500,000 to install tracking software on every computer that works on a state project. Contractors with the state would pay a per-employee fee to the software tracking company for spyware to record every user's keystrokes, mouse clicks, browsing history, program usage and time spent on a computer. Usernames, passwords, and confidential and proprietary personal and company information would be captured by the third party.
The Chamber is opposed to this legislation as the government contracting process already has thorough accountability and oversight.
In addition, this proposal would create a cybersecurity nightmare. Any business that contracts with the state should take a close look at this legislation. The Senate version is