On January 8, 2020, the Illinois legislature introduced Senate Bill 2330, the Illinois Data Transparency and Privacy Act. Following up on two consumer privacy bills that failed to pass during last year’s legislative session, the bill proposes more comprehensive privacy requirements for “personal information.” “Personal information” is broadly defined to mean information that identifies, describes, relates to, is capable of being associated with, or could be linked with a consumer residing in Illinois or an Illinois household. Publicly available information and information that is de-identified or aggregated are not considered to be personal information.
The bill provides for a number of rights for consumers, including:
- The right to transparency. Businesses that process either personal or de-identified information are required to provide prior notice to consumers through a service agreement or readily-accessible notice, on their website or app, of the following:
  - The categories of information that the business will process.
  - The categories of third parties and affiliates to whom the business may sell or disclose the information and the purpose of the sale or disclosure.
  - The process through which a consumer may review his or her personal information collected by the business, request changes, opt out of the disclosure or sale of information, and request deletion of personal information.
  - The way the business notifies consumers of material changes to this notice.
- The right to know. The bill gives consumers the ability to request copies of the consumer’s personal information processed by the business, the name and contact information for a third party or affiliate to whom the business discloses or sells the consumer’s personal information, and the types of entities from which the business collects personal information, including government entities holding public records and data resale organizations.
- The right to opt out. The bill allows consumers to request to opt out of the sale or disclosure of personal information from the business to its affiliates and other third parties, as well as the processing of personal information by the business, its affiliates, and third parties.
- The rights to correct and delete. A consumer may request that a business correct inaccurate personal information or delete the consumer’s personal information.
Notably, the bill applies to for-profit entities doing business in Illinois to the extent that they (i) collect or disclose the personal information of fifty thousand (50,000) or more persons, Illinois households, or a combination of each, or (ii) derive fifty percent (50%) or more of their annual revenues from selling consumers’ personal information. In addition to not-for-profit entities, organizations that operate, host, or manage, without owning, websites or online services are exempted from the proposed act, as are state and local governments and municipal corporations.
The bill also excludes from the definition of “disclose” the disclosure of personal information to a party that has a written contract to provide services to the business, if that contract (i) prohibits the third party from using the personal information for any purpose other than to perform the specified services and (ii) prohibits the party from further disclosing the information (other than to subcontractors who also provide services to the business and are subject to the same restrictions).
Finally, the bill excludes personal information that is collected, processed, disclosed, or sold under the Health Insurance Portability and Accountability Act of 1996, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act.
The bill gives the Illinois attorney general the authority to enforce its provisions and provides for a private right of action for data breach suits. If passed, the law will take effect on July 1, 2021.