Privacy Bill Essentials: Illinois

March 2, 2021
Hinshaw Privacy & Cyber Bytes

A new data protection and privacy bill has been introduced in Illinois. This comprehensive bill, titled the Consumer Privacy Act (ICPA), would provide consumers with more explicit notice of, and extended rights over, the categories and specific pieces of personal information that a business collects.

To whom would it apply?

The ICPA would apply to for-profit businesses that:

  1. Have annual gross revenues in excess of $25 million;
  2. Alone or jointly with others engage with the data of 50,000 or more consumers; or
  3. Derive 50% or more of their annual revenue from the sale of consumers' personal information.

Additionally, the ICPA applies to any business that controls or is controlled by a business that shares common branding with the business.

What types of information would it cover?

This bill defines personal information to include identifiers of a consumer or household (e.g. name, alias, email address), characteristics of protected classifications under state or federal law, biometric information, medical information, geolocation data, professional/employment-related information, not publicly available education information, and commercial information.

What rights would it create?

The ICPA would create a number of consumer rights, including the right to:

What obligations would it impose?

Under the bill, businesses would be required to post an online privacy policy that includes:

How would it be enforced?

The ICPA would be enforced by the Attorney General. If a noticed violation is not cured within 30 days, then the Attorney General would be empowered to seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation. The Attorney General would be required, on or before July 1, 2022, to solicit broad public participation and adopt rules to further the purposes of the ICPA. Enforcement actions would not be permitted until 6 months after the publication of the final rules, or July 1, 2022, whichever is sooner.

The bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information—resulting from a business' violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for damages up to $750 per consumer for each incident or actual damages, whichever is greater.

Where does it stand? 

The bill was introduced on Monday, February 22, 2021 and was referred to the Rules Committee on that same date.