On the Radar: Illinois Proposed CCPA-Like Privacy Legislation with a Twist

January 2020

Illinois may follow in California’s footsteps if it passes Senate Bill 2330, the Illinois Data Transparency and Privacy Act (the “DTPA”). This act would regulate how businesses collect and process personal information from Illinois residents. If passed, businesses that are in Illinois or that have customers in the state could be exposed to significant liability if they do not comply with the DTPA, including from individual lawsuits and enforcement actions from the Illinois Attorney General. The DTPA would be similar to the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020 (see our most recent alert on the CCPA here).

Applicability

Like the CCPA, the DTPA is sweeping in its extraterritorial application to businesses. It would apply to any for-profit legal entity that does business in Illinois and (1) collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof; or (2) derives 50% or more of its annual revenues from selling personal information of Illinois residents. However, unlike the CCPA, the DTPA takes a narrower approach to the definition of the “sale” of personal information. While the CCPA somewhat vaguely defines the “sale” of personal information as the disclosure for monetary or other valuable consideration, the DTPA’s definition of “sale” is limited to direct exchange for monetary consideration whereby a third party may use the personal information for its own commercial purpose. The DTPA’s narrower definition should help businesses more easily determine whether they sell any personal information of Illinois residents and thus clearly identify their obligations under the DTPA.

Another notable aspect of the DTPA is its definitions of “personal information” and “consumer” and how those definitions limit the information that is protected under the DTPA. Like the CCPA, the DTPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and “consumer” as a natural person residing in Illinois. However, the DTPA specifically excludes persons acting in an employment context from the definition of “consumer.” This means that personal information gathered by businesses from their employees would not be covered by the DTPA, which greatly reduces the types of information protected by the DTPA.

Obligations

Under the DTPA, a business would have similar obligations to those created under the CCPA. For example, a business that processes personal information or deidentified information must, prior to any processing of such information, provide notice to the affected consumer regarding the categories of information it processes, the categories of third parties to whom it discloses or sells the information, a description of the consumer’s rights, and the process to exercise such rights. A business may provide this notice in a service agreement (if applicable) or somewhere readily accessible on the business’s website or mobile application.

The DTPA would also create obligations not found in the CCPA. For example, businesses, affiliates, and third parties would have to conduct risk assessments for each of their processing activities involving personal information, and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. In addition, the DTPA would expand consumer rights beyond the limits of the CCPA. Under the DTPA, consumers would have the right to know, the right to opt out, the right to correct, and the right to delete their personal information. This right to opt out would go beyond the CCPA’s right to opt out just from the sale of personal information and instead include the right to opt out of agreements that entail (1) the sale or disclosure of personal information from a business to third parties and affiliates; and (2) the processing of personal information by the business, third parties, and affiliates.

Enforcement and Penalties

If enacted, the DTPA could be enforced through private actions or by the Attorney General, depending on the violation. Private actions from consumers would apply to data breaches (specifically, when unencrypted or unredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information), whereas the Attorney General could pursue any violation of the DTPA.

If passed, the DTPA would take effect July 21, 2021. The DTPA is one of a handful of CCPA-like laws being proposed in state legislatures, including Nebraska, New Hampshire, Virginia, and Washington. We will continue to monitor the progress of these laws, as well as federal privacy laws. If you have questions about the DTPA or other proposed privacy laws or you need assistance complying with the CCPA or other enacted privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.
