Privacy Bill Essentials: Illinois
A new data protection and privacy bill has been introduced in Illinois. This comprehensive bill, titled the Consumer Privacy Act (ICPA), would provide more explicit notice and extended rights on what consumers can do with the categories and specific pieces of personal information that a business collects.
To whom would it apply?
The ICPA would apply to for-profit businesses that:
- Do business in Illinois;
- Collect personal information about consumers, or are the entities on behalf of which the information is collected;
- Determine the purposes and means of processing consumers' personal information; and
- Meet at least one of the following thresholds:
  - Have annual gross revenues in excess of $25 million;
  - Alone or jointly with others engage with the data of 50,000 or more consumers; or
  - Derive 50% or more of their annual revenue from the sale of consumers' personal information.
Additionally, the ICPA applies to any business that controls or is controlled by a business that shares common branding with the business.
What types of information would it cover?
This bill defines personal information to include identifiers of a consumer or household (e.g. name, alias, email address), characteristics of protected classifications under state or federal law, biometric information, medical information, geolocation data, professional/employment-related information, not publicly available education information, and commercial information.
What rights would it create?
The ICPA would create a number of consumer rights, including the right to:
- Request a report of the specific information that the business collects about the consumer;
- Request notice of how that information is used;
- Limit the sale or transfer of that information;
- Opt out of the sale or transfer of that information;
- Be notified of the purpose for which the information is collected; and
- Have their information deleted.
What obligations would it impose?
- Any Illinois-specific consumer privacy rights, along with a separate link to the "Do Not Sell My Personal Information"
- A description of a consumer's rights;
- At least one designated method for submitting requests;
- The categories of personal information the business has collected about consumers in the preceding 12 months;
- The categories, if any, of personal information the business has sold about consumers in the preceding 12 months;
- A statement, if applicable, disclosing that the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months;
- The right to opt out of the sale or sharing to third parties; and
- The right to request a deletion of certain personal information.
How would it be enforced?
The ICPA would be enforced by the Attorney General. If a noticed violation is not cured within 30 days, then the Attorney General would be empowered to seek up to $2,500 for each unintentional violation or $7,500 for each intentional violation. The Attorney General would be required, on or before July 1, 2022, to solicit broad public participation and adopt rules to further the purposes of the ICPA. Enforcement actions would not be permitted until 6 months after the publication of the final rules, or July 1, 2022, whichever is sooner.
The bill also creates a private cause of action for unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information resulting from a business's violation of the duty to implement and maintain "reasonable security procedures and practices." The bill provides for damages up to $750 per consumer for each incident or actual damages, whichever is greater.
Where does it stand?
The bill was introduced on Monday, February 22, 2021, and was referred to the Rules Committee on that same date.