Data Privacy 

Bill: HB 2736

Sponsor: Rep. Buckner

Status: House Cybersecurity, Data Analytics & IT Committee

Position: Oppose

Description: Right to Know/Data Transparency and Privacy Protection Act

House Bill 2736, the Illinois Right to Know Data Transparency and Privacy Protection Act, requires an operator of a commercial website or online service that collects personally identifiable information about customers who reside in Illinois to disclose all categories of personal information collected and the names of the third parties that received the personal information available to a customer within 30 days of a request. Nothing in this Act shall be deemed to apply to the activities of an individual or entity to the extent that those activities are subject to Section 222 or 631 of the federal Communications Act of 1934.

 

Bill: HB 3923

Sponsor: Rep. Cabello

Status: House Rules Committee

Position: Oppose

Description: Public Safety & Justice Privacy

House Bill 3923 creates the Public Safety and Justice Privacy Act. The legislation provides that government agencies, persons, businesses, and associations shall not publicly post or display publicly available content that includes a law enforcement officer's, prosecutor's, public defender's, or probation officer's ("officials") personal information, provided that the government agency, person, business, or association has received a written request from the person that it refrain from disclosing the person's personal information. Provides that it is a Class 3 felony for any person to knowingly publicly post on the Internet the personal information of an official or an official's immediate family under specified circumstances.

 

Bill: HB 5288

Sponsor: Rep. Burke

Status: House Cybersecurity, Data Analytics & IT Committee

Position: Neutral

Description: Data Privacy Act

House Bill 5288 creates the Data Privacy Act. The legislation applies to any entity Illinois that controls or processes personal data of 100,000 or more consumers or derives over 50% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers. It provides for the regulation of the use and sale of personal data including consumer rights to 1) copies of information held by persons who control and process data,  2) the correction of inaccurate data 3) the deletion of data, 4) restrictions on the use of personal data, and 5) objection to processing of data. Consumer requests must be completed within 30 days and free of charge to the consumer. The Act will be enforced by the Attorney General and violations are subject to a civil penalty of $2500/each violation and $7500/each intentional violation which are to be deposited into a new Consumer Privacy Fund. The legislation also requires data controllers to conduct risk assessments. Preempts home rule and provides that the regulation of data use and privacy are exclusive powers and functions of the State.

 

Bill: HB 5374 (SB 3592 is companion bill)

Sponsor: Rep. Durkin

Status: House Rules Committee

Position: Neutral

Description: Biometric Information Privacy Act – Procedure – Limit Damages (IL Chamber Initiative)

House Bill 5374 amends the Biometric Information Privacy Act by limiting damages that may be brought in a civil action. It provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. If within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. If a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. The legislation provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). The Act would not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information.

 

Bill: HB 5375 (SB 3593 is companion bill)

Sponsor: Rep. Durkin

Status: House Rules Committee

Position: Neutral

Description: Biometric Information Privacy Act – Violation (IL Chamber Initiative)

House Bill 5374 amends the Biometric Information Privacy Act by removing the right to private action. The legislation provides instead that any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes is subject to the enforcement authority of the Department of Labor. The bill provides that an employee or former employee may file a complaint with the Department a violation by submitting a signed, completed complaint form within one year from the date of the violation. The Act would not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information.

 

Bill: HB 5497

Sponsor: Rep. Williams

Status: House Rules Committee

Position: Oppose

Description: Geolocation Privacy Protection Act

House Bill 5497 creates the Geolocation Privacy Protection Act. The legislation provides that a private entity that owns, operates, or controls a location-based application on a user's device may not disclose geolocation information from a location-based application to a third party unless the private entity first receives the user's affirmative express consent after providing clear and accurate notice that informs the user the geolocation information will be disclosed, the purpose for which the geolocation information will be disclosed and identifies the names and categories of private entities to which geolocation information may be disclosed. The bill provides enforcement authority to the Attorney under the Consumer Fraud and Deceptive Business Practices Act. There shall be no private right of action to enforce a violation under the Act. The bill provides that the Act does not modify, limit, or supersede the operation of any other Illinois law or prevent a party from otherwise seeking relief under the Code of Civil Procedure.

 

Bill: HB 5603 (SB 3299 is a companion bill)

Sponsor: Rep. Mussman

Status: House Rules Committee

Position: Oppose

Description: Consumer Privacy Act

House Bill 5603 creates the Consumer Privacy Act:

  • Provides that a consumer has the right to request that a business disclose to that consumer the categories and specific pieces of personal information the business has collected.
  • Requires a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Also, requires the business to provide notice when collecting additional categories of personal information or when using a consumer's personal information for additional purposes.
  • Provides that a consumer has the right to request that a business delete any personal information about the consumer that the business has collected from the consumer and direct any service providers to delete the consumer’s personal information from their records, with some exceptions if necessary to maintain the information.
  • Requires a business that collects or sells a consumer's personal information to disclose to the consumer upon request:
    • The categories of personal information collected
    • The categories of sources from which personal information is collected
    • The business purpose for collecting or selling personal information
    • The categories of third parties with whom the business shares personal information
    • The specific pieces of personal information collected
    • Provides that a consumer has the right, at any time, to opt out of the sale of personal information to third parties.
    • Prohibits a business from discriminating against a consumer who exercises any of the rights established under the Act by denying goods or services or charging the consumer different prices or rates for goods or services. Permits a business to provide financial incentives to a consumer that authorizes the sale of his or her personal information.
    • Provides for enforcement by the Attorney General and for civil actions brought by consumers.

 

Bill: HB 5638

Sponsor: Rep. Pappas

Status: House Rules Committee

Position: Oppose

Description: Internet Confidentiality

House Bill 5638 provides that Internet service provider offering services to an Illinois consumer shall keep all customer information confidential unless written consent is provided by the customer. A violation is a violation of the Consumer Fraud and Deceptive Business Practices Act and is subject to a $500 penalty for each violation.

 

Bill: SB 1719

Sponsor: Sen. Cristina Castro/Rep. Chris Welch

Status: House Rules Committee (Passed Senate 39-14)

Position: Oppose

Description: Keep Internet Devices Safe Act

Senate Bill 1719 creates the Keep Internet Devices Safe Act. The legislation prohibits any private entity from turning on or enabling a digital device’s microphone to listen for or collect information unless a user first agrees to the following information in a consumer agreement or privacy notice:

  • that the microphone will be turned on or enabled
  • what command or action will turn on or enable the microphone
  • the categories of sounds the microphone will be listening for, recording, or disclosing
  • the categories of third parties to which the sounds may be disclosed

The legislation defines a microphone as any instrument capable of detecting sound waves. The Attorney General will have exclusive authority to enforce the act.

 

Bill: SB 2263

Sponsor: President Harmon

Status: Senate Judiciary Committee

Position: Neutral

Description: Data Privacy Act

Senate Bill 2263 creates the Data Privacy Act. The legislation applies to any business in Illinois that controls or possesses the data of 100,000 or more consumers or derives more than 50% of gross revenue from the sale of personal data and processes or controls personal data of 25,00 or more consumers. The legislation strictly regulates the use and sale of personal data:

  • Upon request, an entity must confirm to the consumer if personal data is being processed or sold and where such information is being processed. The entity must provide the consumer access to the personal data the entity maintains upon request.
  • Upon request, the entity must provide to the consumer a copy of the personal data the entity maintains
  • Requires the entity to correct inaccurate personal data upon request
  • Requires the entity to delete personal data under certain circumstances

Violations of the Act are enforced by the Attorney General. The legislation allows for civil penalties up to $2500 for each violation or up to $7500 for each intentional violation. The bill preempts home rule and provides that the regulation of data use and privacy are exclusive powers and functions of the State.

 

Bill: SB 2273

Sponsor: Sen. Castro

Status: Senate Judiciary Committee

Position: Oppose

Description: Automatic Listening Exploitation Act

Senate Bill 2273 creates the Automatic Listening Exploitation Act. The bill provides that it is unlawful for a person who provides any smart service through a proprietary smart speaker to:

  • store or make a recording or transcript of any speech or sound captured by a smart speaker unless the smart speaker is specifically activated or
  • to use the recording or transcript of any voice interaction by a user or transmit such a recording or transcript to a third party, for any purpose, without obtaining express informed consent and permitting the user to require the deletion of any recording, transcript, or sound recorded by the speaker at any time.

The bill also makes it unlawful for a person who provides any security monitoring or other service through a proprietary video doorbell to:

  • store or make a recording of any video, image, or audio captured by the video doorbell's camera, unless the video doorbell is specifically activated or
  • use any storage recording of any video, image, or audio captured by the video doorbell's camera, or transmit such a recording to a third party.

Provides that, if the Attorney General or a State's Attorney has reason to believe that any person has violated or is violating the Act, he or she may, in addition to any authority he or she may have to bring an action in State court under consumer protection law, bring a civil action in any court of competent jurisdiction to enjoin further violation by the defendant, enforce compliance with the Act, or obtain civil penalties not to exceed $40,000 per violation.

 

Bill: SB 2330

Sponsor: Sen. Tom Cullerton

Status: Senate Judiciary Committee

Position: Oppose

Description: Right to Know / Data Transparency and Privacy Act

Senate Bill 2330 creates the Data Transparency and Privacy Act. It applies to any private entity

  • that collects or discloses the personal information of 50,000 or more persons, Illinois households, or combination thereof
  • derives 50% or more of its annual revenue from selling consumers' personal information.

The bill provides numerous regulatory provisions for qualifying businesses with regard to consumer notification and handling or personal information:

 

Right to Transparency: Requires notice to the consumer of the following specific information in the service agreement, website or mobile application:

  1. All categories of personal information the business processes
  2. All categories of affiliates and third parties with whom the business may disclose or sell personal information
  3. The process by which a consumer may review the personal information, request changes to inaccurate personal information, opt-out of the disclosure or sale of personal information and request the deletion of personal information

Right to Know: Consumers may request the following information:

  1. Copies of personal information collected
  2. Categories of sources for the personal information
  3. Name & Contact information for each third party and affiliate to whom the personal information is disclosed or sold

Right to Opt-Out: Consumers have the following rights concerning their personal information:

  1. Consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates.
  2. Consumers have the right to request that a business correct inaccurate personal information about the consumer
  3. Consumers have the right to request that a business delete personal information about the consumer

The legislation includes additional restrictions and regulations regarding the use of personal information and requires businesses, affiliates, and third parties to conduct risk assessments and provides the requirements for the assessments which must be made available to the Attorney General.  Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. The legislation contains home rule preemption and severability provisions and has an effective date of July 1, 2021.

 

Bill: SB 3223

Sponsor: Sen. Castro

Status: Senate Assignments Committee

Position: Neutral

Description: Data Privacy Day

Senate Bill 3223 designates January 28 of each year as Data Privacy Day to be observed throughout the State as a day in recognition of the right of Illinois citizens to be secure in the privacy of their personal data.

 

Bill: SB 3299 (HB 5603 is a companion bill)

Sponsor: Sen. Fine

Status: Senate Judiciary Committee

Position: Oppose

Description: Consumer Privacy Act

Senate Bill 3299 creates the Consumer Privacy Act:

  • Provides that a consumer has the right to request that a business disclose to that consumer the categories and specific pieces of personal information the business has collected.
  • Requires a business to, at or before the point of collection, inform a consumer as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Also, requires the business to provide notice when collecting additional categories of personal information or when using a consumer's personal information for additional purposes.
  • Provides that a consumer has the right to request that a business delete any personal information about the consumer that the business has collected from the consumer and direct any service providers to delete the consumer’s personal information from their records, with some exceptions if necessary to maintain the information.
  • Requires a business that collects or sells a consumer's personal information to disclose to the consumer upon request:
    • The categories of personal information collected
    • The categories of sources from which personal information is collected
    • The business purpose for collecting or selling personal information
    • The categories of third parties with whom the business shares personal information
    • The specific pieces of personal information collected
    • Provides that a consumer has the right, at any time, to opt out of the sale of personal information to third parties.
    • Prohibits a business from discriminating against a consumer who exercises any of the rights established under the Act by denying goods or services or charging the consumer different prices or rates for goods or services. Permits a business to provide financial incentives to a consumer that authorizes the sale of his or her personal information.
    • Provides for enforcement by the Attorney General and for civil actions brought by consumers.

 

Bill: SB 3592 (HB 5374 is companion bill)

Sponsor: Sen. Barickman

Status: Senate Judiciary Committee

Position: Neutral

Description: Biometric Information Privacy Act – Procedure – Limit Damages (IL Chamber Initiative)

Senate Bill 3592 amends the Biometric Information Privacy Act by limiting damages that may be brought in a civil action. It provides that an action brought under the Act shall be commenced within one year after the cause of action accrued if, prior to initiating any action against a private entity, the aggrieved person provides a private entity 30 days' written notice identifying the specific provisions the aggrieved person alleges have been or are being violated. If within the 30 days the private entity actually cures the noticed violation and provides the aggrieved person an express written statement that the violation has been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the private entity. If a private entity continues to violate the Act in breach of the express written statement, the aggrieved person may initiate an action against the private entity to enforce the written statement and may pursue statutory damages for each breach of the express written statement and any other violation that postdates the written statement. The legislation provides that a prevailing party may recover: against a private entity that negligently violates the Act, actual damages (rather than liquidated damages of $1,000 or actual damages, whichever is greater); or against a private entity that willfully (rather than intentionally or recklessly) violates the Act, actual damages plus liquidated damages up to the amount of actual damages (rather than liquidated damages of $5,000 or actual damages, whichever is greater). The Act would not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information.

 

Bill: SB 3593 (HB 5375 is companion bill)

Sponsor: Sen. Barickman

Status: Senate Judiciary Committee

Position: Neutral

Description: Biometric Information Privacy Act – Violation (IL Chamber Initiative)

Senate Bill 3593 amends the Biometric Information Privacy Act by removing the right to private action. The legislation provides instead that any violation that results from the collection of biometric information by an employer for employment, human resources, fraud prevention, or security purposes is subject to the enforcement authority of the Department of Labor. The bill provides that an employee or former employee may file a complaint with the Department a violation by submitting a signed, completed complaint form within one year from the date of the violation. The Act would not apply to a private entity if the private entity's employees are covered by a collective bargaining agreement that provides for different policies regarding the retention, collection, disclosure, and destruction of biometric information.

 

Bill: SB 3776

Sponsor: Sen. Cunningham

Status: Senate Assignments Committee

Position: Neutral

Description: Biometric Information Privacy Act – Right of Action – Recovery (IL Chamber Initiative)

Senate Bill 3776 amends the Biometric Information Privacy Act. It provides that a prevailing party may only recover liquidated damages of $1,000 or actual damages, whichever is greater, for negligent violation of the Act against a private entity offending party that is not a current or former employer of the prevailing party. Provides that a prevailing party may only recover actual damages against a private entity offending party that is the current or former employer of the prevailing party and that negligently violates the Act.

 

Bill: HR 681

Sponsor: Rep. Ann Williams

Status: House Cybersecurity, Data Analytics & IT Committee

Position: Neutral

Description: Data Privacy Day

House Resolution 681 urges Illinois to continue to be a leader in the protection of the privacy of its citizens by codifying the Illinois Constitution's fundamental right of privacy which includes the right to consent before private data is collected, right to know with whom data is shared and sold, the right to have a company delete data upon request, the right to opt-in to having data collected, shared or sold and the right to data portability. The resolution declares January 28, 2020 as "Data Privacy Day" in the State of Illinois.