Keypoint: Illinois lawmakers have proposed legislation that would create CCPA-like privacy rights for Illinois residents.
On January 8, 2020, Illinois state Senator Thomas Cullerton introduced the Illinois Data Transparency and Privacy Act (
To Whom Does it Apply?
Natural persons residing in Illinois, but not when they are acting in an employment context.
What Entities are Covered?
The Act would apply to “businesses,” which are defined as “any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the state of Illinois and meets one or more of the following thresholds: (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or a combination thereof. (2) The business derives 50% or more of its annual revenues from selling consumer’s personal information.”
The definition of business does not include “any third party that operates, hosts, or manages, but does not own, a website or online service on the owner’s behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.”
What Information is Covered?
“Personal information,” which has a definition similar to the CCPA’s definition.
What Rights are Created?
Notably, the Act defines “sale” differently than it is defined in the CCPA. For example, the definition is limited to exchanges for monetary consideration (as opposed to monetary or other valuable consideration as in the CCPA). Also excluded from the definition of sale would be instances in which a business uses personal information to “sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.”
The Act also uses a definition of “disclose” that creates a status similar to the CCPA’s definition of “service provider.” Specifically, the statute states that “disclose” does not include “disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business . . . but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers [are] subject to the same restrictions.”
Are there Any Exemptions?
Yes. For example, the Act would not apply to personal information collected, processed, sold, or disclosed under the GLBA, HIPAA, and FCRA. As mentioned, the Act also excludes from the definition of personal information data in the employment context.
Would Companies Need to Update their Online Privacy Policies?
Yes. The Act would require businesses to provide the following notice to consumers in their service agreement or “somewhere readily accessible on the business’ website or mobile application”:
How Would it be Enforced?
The Attorney General would have authority to enforce the Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available under that Act.
Would it Create a Private Right of Action?
Yes, the Act would require businesses to implement reasonable measures to protect consumers’ personal information from unauthorized use, disclosure, or access. It would then create a private right of action for data breaches due to the failure to implement such measures and allow consumers to recover damages between $100 and $750 per incident.
When Would it be Effective?
Anything Else?
Businesses, affiliates and third parties would be required to conduct risk assessments on each of their processing activities involving personal information.
In addition to Illinois, consumer privacy bills have been filed in Virginia, Washington, Nebraska, New Hampshire and Hawaii. Our analysis of the Washington bill is available here. We will be providing an analysis of the other bills over the coming days. Those interested should subscribe to our blog. It is anticipated that similar bills will be filed in more states over the coming weeks.
David routinely counsels clients on complying with privacy laws such as the EU’s General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US and EU), Certified Information Privacy Technologist, and Fellow of Information Privacy.