On January 8, 2020, the Illinois legislature introduced Senate Bill 2330, the Illinois Data Transparency and Privacy Act. Following up on two consumer privacy bills that failed to pass during last year’s legislative session, the bill proposes more comprehensive privacy requirements for “personal information.” “Personal information” is broadly defined to mean information that identifies, describes, relates to, is capable of being associated with, or could be linked with a consumer residing in Illinois or an Illinois household. Publicly available information and information that is de-identified or aggregated are not considered to be personal information.
The bill provides for a number of rights for consumers, including:
Notably, the bill applies to for-profit entities doing business in Illinois to the extent that they (i) collect or disclose the personal information of fifty thousand (50,000) or more persons, Illinois households, or a combination of each, or (ii) derive fifty percent (50%) or more of their annual revenues from selling consumers’ personal information. In addition to not-for-profit entities, organizations that operate, host, or manage, without owning, websites or online services are exempted from the proposed act, as are state and local governments and municipal corporations.
The bill also excludes from the definition of “disclose” any disclosure of personal information to a party that has a written contract to provide services to the business, if that contract (i) prohibits the party from using the personal information for any purpose other than to perform the specified services and (ii) prohibits the party from further disclosing the information (other than to subcontractors who also provide services to the business and are subject to the same restrictions).
Finally, the bill excludes personal information that is collected, processed, disclosed, or sold under the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
The bill gives the Illinois attorney general the authority to enforce its provisions and provides for a private right of action for data breach suits. If passed, the law will take effect on July 1, 2021.