Keypoint: Illinois lawmakers have proposed legislation that would create CCPA-like privacy rights for Illinois residents.

On January 8, 2020, Illinois state Senator Thomas Cullerton introduced the Illinois Data Transparency and Privacy Act (SB2330). This comes on the heels of last year’s legislative session in which two consumer privacy bills failed to pass.

Below is our analysis of the proposed legislation (as introduced).

To Whom Does it Apply?

Natural persons residing in Illinois, but not when they are acting in an employment context.

What Entities are Covered?

The Act would apply to “businesses,” which are defined as “any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the state of Illinois and meets one or more of the following thresholds: (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or a combination thereof. (2) The business derives 50% or more of its annual revenues from selling consumer’s personal information.”

The definition of business does not include “any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.”

What Information is Covered?

“Personal information,” which has a definition similar to the CCPA’s definition.

What Rights are Created?

• Right to know. Consumers could request (1) copies of the specific pieces of personal information about them that are processed by the business; (2) categories of sources for the personal information processed; and (3) the name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.
• Right to opt-out. Consumers could opt out of (1) the disclosure of personal information from the business to third parties and affiliates; (2) the sale of personal information from the business to third parties and affiliates; and (3) the processing of personal information by the business, third parties, and affiliates.
• Right to correction. Consumers could request that a business correct inaccurate personal information.
• Right to deletion. Consumers could request that their personal information be deleted.

Notably, the Act defines “sale” differently than it is defined in the CCPA. For example, the definition is limited to exchanges for monetary consideration (as opposed to monetary or other valuable consideration as in the CCPA). Also excluded from the definition of sale would be instances in which a business uses personal information to “sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.”

The Act also uses a definition of “disclose” that creates a status similar to the CCPA’s definition of “service provider.” Specifically, the statute states that “disclose” does not include “disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business . . . but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers [are] subject to the same restrictions.”

Are there Any Exemptions?

Yes. For example, the Act would not apply to personal information collected, processed, sold, or disclosed under the GLBA, HIPAA, and FCRA. As mentioned, the Act also excludes from the definition of personal information data in the employment context.

Would Companies Need to Update their Online Privacy Policies?

Yes. The Act would require businesses to provide the following notice to consumers in their service agreement or “somewhere readily accessible on the business’ website or mobile application”:

• All categories of personal information and deidentified information that the business processes about individual consumers;
• All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;
• The process in which an individual consumer may exercise their rights; and
• The process in which the business notifies consumers of material changes to the notice.

How Would it be Enforced?

The Attorney General would have authority to enforce the Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available under that Act.

Would it Create a Private Right of Action?

Yes, the Act would require businesses to implement reasonable measures to protect consumers’ personal information from unauthorized use, disclosure, or access. It would then create a private right of action for data breaches due to the failure to implement such measures and allow consumers to recover damages between $100 and $750 per incident.

When Would it be Effective?

July 1, 2021

Anything Else?

Businesses, affiliates and third parties would be required to conduct risk assessments on each of their processing activities involving personal information.

In addition to Illinois, consumer privacy bills have been filed in Virginia, Washington, Nebraska, New Hampshire and Hawaii. Our analysis of the Washington bill is available here. We will be providing an analysis of the other bills over the coming days.