Proposed Illinois Data Privacy Laws May Be Problematic

By

Debra Bernard and Daniel Burley

August 2, 2017, 11:12 AM EDT

Law360, New York (August 2, 2017, 11:12 AM EDT) --
Illinois is moving forward with legislation that will bolster its reputation for having the nation’s strictest data privacy laws. But the pending bills might stifle e-commerce while providing little relief to consumers.

Last month the General Assembly passed the Geolocation Privacy Protection Bill (GPPA), which would ban companies from collecting users’ location data without express consent. If signed by Gov. Bruce Rauner, the bill would be the first geolocation privacy protection law in the country.

Another measure, the Right to Know Act, is pending in a House committee after the Senate approved it in May. A companion bill also is waiting in a House committee. The act would require online companies to disclose to consumers what data about them has been gathered and shared with third parties.

Bill sponsors and privacy advocates say the measures will protect personal information collected online. But business groups and e-commerce companies fear the additional regulations and potential lawsuits will suffocate Illinois’ burgeoning technology industry.

Illinois’ data privacy laws are among the most far-reaching in the nation. In 2008, it passed the Biometric Information Privacy Act (BIPA), the first law of its kind. The act bans tech companies from using biometric identifiers — such as face scans and fingerprints — without express consent and several other disclosures. It has prompted a slew of class actions against internet and other companies.

Business and legal commentators say the new laws will generate more litigation. Many suspect the bills will be a boon for the plaintiffs bar rather than a lifeline for consumers.

“Illinois ... is solidifying its stature as the Mecca for privacy litigation pilgrimage,” Omri Ben-Shahar, a University of Chicago law professor and opponent of the bills, wrote in Forbes.

Geolocation Privacy Protection Bill

The GPPA limits the use of users’ geolocation information gathered from their smartphones. It prohibits an entity from collecting, using, storing, or disclosing geolocation information unless it receives “affirmative express consent.” That consent can only come after the entity provides “clear, prominent, and accurate” notice that: (1) informs the user that his or her geolocation information will be collected; (2) discloses “in writing” the specific purposes for using such information; and (3) provides the user a hyperlink or “comparably easily accessible means to access the information.”

Under the statute, “geolocation information” means information that is (1) not the contents of a communication; (2) generated or derived from the operation of a mobile device, including smartphones, tablets, or laptops; and (3) sufficient to determine the precise location of that device. Internet protocol addresses are not considered geolocation information.

The statute carves out a number of exceptions. For example, companies do not need consent to collect, use, store, or disclose information to allow parents to locate a minor child; to allow a court-appointed guardian to find a legally incapacitated person; for emergency services; or for “the limited purpose of providing storage, security, or authentication services.” In addition, the law excludes several entities, including health care providers or others subject to the Health Insurance Portability and Accountability Act; certain financial institutions; Internet, wireless, or telecommunications providers; public utilities; and licensed private detectives.

Notably, the statute provides no private cause of action. The state’s attorney general would enforce the law. Companies who break the law would violate the state Consumer Fraud and Deceptive Business Practices Act, and would face criminal penalties and damages of at least $1,000, plus attorney fees and court costs. The law allows entities 15 days to cure the violation after being notified by the attorney general’s office. Given the plaintiffs class action bar’s advocacy for this statute, it is likely that they will either find a way to assert private rights of action or advocate for amendments.

The Right to Know Act

The Right to Know Act is broader than the GPPA. It requires online businesses to tell consumers what data they collect and to whom they sell the data.

Under the law, a company’s website must provide all categories of personal information it collects. Such information includes “any information that identifies, relates to, describes, or is capable of being associated with a particular individual,” including a person’s name, physical characteristics, address, telephone number, financial information, employment history, and other identifying features. The website must list these categories in a “conspicuous location” that also describes the customer’s rights under the Right to Know Act.

In addition, the law allows customers to request the names of third parties who buy their personal information. Within 30 days, a company must provide a list of the third parties who received the customer’s information, and the categories of information the third parties received. A customer can request the free information only once in a 12-month period.

The statute provides no private cause of action, but notes that a violation of the Act does not prevent the consumer from filing a private BIPA lawsuit. The state’s attorney general would enforce the law. Companies who break the law would violate the state Consumer Fraud and Deceptive Business Practices Act, and would face criminal penalties and damages of at least $1,000, plus attorney fees and court costs. As with GPPA, the plaintiffs class action bar will either advocate for inclusion of private rights of action before the statute is passed or will likely attempt to exploit this statute as well if it passes.

Good for Consumers?

The bills’ sponsors and privacy advocates argue the measures would protect consumers without forcing companies to make major changes. They cite growing anxiety among internet users about data collection and hacks. For example, a recent poll conducted by Illinois Public Opinion Strategies showed more than 94 percent of Illinois residents disapprove of corporations collecting, sharing, or selling personal data without consent.

“The Wild West, anything-goes Era of the Internet is ending, and it’s time for the technology industry to grow up and take responsibility for the awesome power we now have over people’s personal lives,” Derek Eder, a partner at Chicago-based DataMade, wrote in April in Crain’s Chicago Business. “It is no longer acceptable for technology companies to violate the trust their users have put in them by abusing consumers’ privacy and shamefully hiding the fact that they are doing so.”

Several privacy supporters argue the regulations would be easy to implement. For example, under the GPPA, a company that collects data need only receive permission once and add a few details to its privacy policy. The law does not apply to companies that don’t collect such data. What constitutes sufficient consent may be an issue subject to debate.

A collection of small businesses have supported the law. More than 20 tech startups, enterprise software companies, and web developers sent a letter urging Gov. Rauner to sign the measures if they cross his desk. The businesspeople pointed to eroding consumer trust as a potential pitfall to the Chicago tech industry.

“By encouraging transparency and trust between businesses and consumers, we can provide benefits to Chicago’s tech startups struggling to gain traction with their markets,” the letter said. “When consumers know how and where their personal data is used in exchange for services online, their trust in that service increases and they share in a manner that’s beneficial to both themselves and the companies they share information with.”

Bad for Businesses?

Legislative opponents and many commercial groups say the bills would do little for consumers while increasing the burden on small businesses.

For consumers, the GPPA might not have a large real-world impact. Most devices and applications, such as Google Maps, already ask users for permission before using location data. Moreover, consumers already have control over the ability of smartphone apps to collect location data. Smartphone users can turn off data collection when they install the app, or through the smartphone’s operating system. And, since most users don’t use such controls, the GPPA might induce what one commentator calls “notice fatigue.”

“More notices would merely annoy these users, numbing them to potentially more meaningful alerts,” Ben-Shahar wrote in Forbes.

Ben-Shahar, who wrote a book on the failure of consumer-disclosure laws, believes the Right to Know Act is not motivated by user distrust. He says consumers “rarely if ever consult such disclosures.”

“If we can infer anything from the consumers’ indifference, it is their desire not to know,” he wrote. “Surely, it is a desire not to be bothered by lengthy legal notices that pop up too often and slow down smartphone functionality.”

While the bills’ effect on consumers is unclear, most business groups argue the measures would restrict innovation and slow small businesses.

Many fear the red tape of the Right to Know Act. The legislation requires companies to respond within 30 days or risk liability. In addition, it requires websites to draft complicated privacy policy statements. Such an undertaking could mean legal fees too costly for start-ups with three or four employees.

Others note the bills’ broad reach. Companies that use the internet for mundane activities such as creating email lists would be forced to pay new compliance and legal costs.

What Your Client Needs to Know

It’s unclear whether Rauner will sign the GPPA, and the Right to Know Act faces an uncertain path. But attorneys should start preparing their clients for the legislation’s potential implications.

While many companies already inform app users about their privacy policies, others lag behind. Attorneys should encourage clients to double-check or rewrite their privacy policies to ensure they properly tell consumers the type of information the app collects. Similarly, attorneys should remind clients to make sure the policies notify users about who can access their information, especially if the company sells data to third parties.

Companies also should verify their website tells consumers how to request privacy information. Attorneys should advise clients to make contact information easily accessible on their websites so consumers know where to ask for copies of the data that is collected. In addition, companies should use browse-wrap or click-wrap agreements to ensure that users agree to allow their information to be collected.

The bills’ faults have led many business leaders to question whether the true motivation behind the legislation isn’t the plaintiffs bar. They point to the clause in the Right to Know Act that allows consumers to file private rights of action under BIPA.

“This is as thinly veiled as pro-trial lawyer legislation comes,” Todd Maisch, president and CEO of the Illinois Chamber of Commerce, wrote in an April op-ed in the Springfield Journal-Register.

No matter the result of the Illinois legislation, technology commentators say the proposals are the new normal in the industry. States are filling the void left by Congress after it voted in March to undo the Federal Communications Commission’s broadband privacy rule. Since the repeal, more than a dozen states have proposed or passed bills aimed at protecting consumer data.

But no data privacy proposals are as stringent as Illinois'.

“When private investors look to do business in Illinois, they will see these heavy regulations as a red flag and look to invest in another state,” Maisch wrote. “Illinois would be foolish to undercut the growing economic potential of the state’s tech and innovation economy with a regulatory scheme far too focused on business liability.”


Debra Bernard is a partner in the Chicago office of Perkins Coie LLP. Daniel Burley is a summer associate at the firm, going into his third year at the University of Illinois College of Law.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


Source : https://www.law360.com/articles/946875/proposed-illinois-data-privacy-laws-may-be-problematic
