On the Radar: Illinois Proposed CCPA-Like Privacy Legislation with a Twist

January 2020

Illinois may follow in California’s footsteps if it passes Senate Bill 2330, the Illinois Data Transparency and Privacy Act (the “DTPA”). This act would regulate how businesses collect and process personal information from Illinois residents. If passed, businesses that are in Illinois or that have customers in the state could be exposed to significant liability if they do not comply with the DTPA, including from individual lawsuits and enforcement actions from the Illinois Attorney General. The DTPA would be similar to the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020 (see our most recent alert on the CCPA here).

Applicability

Like the CCPA, the DTPA is sweeping in its extraterritorial application to businesses. It would apply to any for-profit legal entity that does business in Illinois and (1) collects or discloses the personal information of 50,000 or more persons, Illinois households, or a combination of the two; or (2) derives 50% or more of its annual revenues from selling the personal information of Illinois residents. Unlike the CCPA, however, the DTPA takes a narrower approach to the definition of the “sale” of personal information. The CCPA somewhat vaguely defines a “sale” as disclosure for monetary or other valuable consideration; the DTPA limits “sale” to a direct exchange for monetary consideration in which a third party may use the personal information for its own commercial purpose. The DTPA’s narrower definition should make it easier for businesses to determine whether they sell any personal information of Illinois residents and thus to identify their obligations under the DTPA.

Another notable aspect of the DTPA is its definitions of “personal information” and “consumer” and how those definitions limit the information protected under the DTPA. Like the CCPA, the DTPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and “consumer” as a natural person residing in Illinois. The DTPA, however, specifically excludes persons acting in an employment context from the definition of “consumer.” Personal information that businesses gather from their own employees would therefore fall outside the DTPA, which greatly reduces the scope of information the DTPA protects.

Obligations

Under the DTPA, a business would have obligations similar to those created under the CCPA. For example, a business that processes personal information or deidentified information must, before any processing of that information, give the affected consumer notice of the categories of information it processes, the categories of third parties to whom it discloses or sells the information, a description of the consumer’s rights, and the process for exercising those rights. A business may provide this notice in a service agreement (if applicable) or in a readily accessible location on its website or mobile application.

The DTPA would also create obligations not found in the CCPA. For example, businesses, affiliates, and third parties would have to conduct a risk assessment for each of their processing activities involving personal information, and an additional risk assessment any time a change in processing materially increases the risk to consumers. In addition, the DTPA would expand consumer rights beyond those in the CCPA. Under the DTPA, consumers would have the right to know, the right to opt out, the right to correct, and the right to delete their personal information. The right to opt out would go beyond the CCPA’s right to opt out only of the sale of personal information; it would also cover the right to opt out of agreements that entail (1) the sale or disclosure of personal information by a business to third parties and affiliates; and (2) the processing of personal information by the business, third parties, and affiliates.

Enforcement and Penalties

If enacted, the DTPA could be enforced through private actions or by the Attorney General, depending on the violation. The Attorney General could pursue any violation of the DTPA. Private actions by consumers would be limited to data breaches, specifically cases in which unencrypted or unredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Note the two conditions in that formulation: the private right of action attaches only where the compromised personal information was neither encrypted nor redacted, and only where the breach resulted from a violation of the duty to maintain reasonable security.

If passed, the DTPA would take effect July 21, 2021. The DTPA is one of a handful of CCPA-like bills pending in state legislatures, including those of Nebraska, New Hampshire, Virginia, and Washington. We will continue to monitor the progress of these bills, as well as proposed federal privacy legislation. If you have questions about the DTPA or other proposed privacy laws, or you need assistance complying with the CCPA or other enacted privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.