Illinois General Assembly proposes new internet privacy protections
As the federal government repeals regulations requiring broadband companies to obtain consumers’ consent before using their browsing history and other personal information to create targeted ads, Illinois state politicians are moving to ramp up privacy protections. However, whether these bills would actually further those privacy goals or whether they would merely bolster Illinois’ class-action lawsuit industry while burdening businesses are open questions.
President Donald Trump signed a bill April 3 repealing Federal Communications Commission regulations that required broadband companies to obtain customers’ consent before using their browsing history, geolocation and other personal information to create targeted ads, according to The Hill. Industry groups and other supporters of the repeal measure noted that the regulations promulgated by the FCC during President Barack Obama’s administration placed broadband providers at a disadvantage compared with internet companies such as Facebook and Google, which do not have to comply with such restrictions. But the repeal of the regulations has met with criticism from privacy advocates and consumer groups worried it gives companies free rein to profit from and risk the security of consumers’ sensitive information.
Illinois lawmakers have entered the internet privacy debate by introducing new restrictions on the handling of people’s information. Illinois already has the Biometric Information Privacy Act, or BIPA, the most stringent law of any state regarding the procedures companies must take before collecting, storing or using people’s biologically derived, or “biometric,” information such as fingerprints, iris scans and face prints. The new set of bills would impose additional privacy-related requirements.
Three proposed privacy measures passed out of Illinois House and Senate committees in March and are now headed for hearings in the two chambers. Two of these bills would compel companies to disclose information about their transfer of Illinois customers’ data to third parties. A third bill would require individuals as well as businesses and other groups to obtain a person’s express consent before collecting or using that person’s geolocation information. And a fourth proposal, which now sits in the House Rules Committee, would forbid any individual, company or group from enabling or turning on a person’s device microphone without first obtaining that person’s consent. The geolocation and microphone bills include liquidated damages provisions and give people the right to sue for violations under the acts.
These protections would only apply to customers and device users in Illinois, but the legislation, if enacted, could result in companies altering their procedures generally to avoid Illinois litigation and the publicity and regulatory scrutiny that go with it.
In an era of easy online access to people’s sensitive information, concern for data privacy and security is understandable. And in proposing the bills about disclosing information shared with third parties, lawmakers cited “the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses.” However, whether these bills would actually further those privacy goals or whether they would merely bolster Illinois’ class-action lawsuit industry while burdening businesses are open questions.
Right to Know Act
Two similar bills, each titled the “Right to Know Act,” passed out of committee in March and are on the calendar to be heard in their respective chambers in the General Assembly: Senate Bill 1502, introduced by state Sen. Michael Hastings, D-Tinley Park, and House Bill 2774, introduced by state Rep. Arthur Turner, D-Chicago.
The bills require any commercial website operator that collects personal information about Illinois online customers to, in its customer agreement: (1) identify all categories of personal information the company collects; (2) identify all categories of third parties to which the company may disclose that personal information; and (3) provide a description of customers’ rights, along with at least one address to which customers can send disclosure requests. The bills define “personal information” broadly; it includes data such as names, email addresses, financial or health information, internet browsing history, race, political activity, religious affiliation and more.
The bills further provide that, upon receipt of a request by a customer, a company must make available to the customer free of charge all categories of personal information that were disclosed, and the names of all third parties that received the customer’s personal information. The company must provide this response within 30 days of the customer’s request. Parents and legal guardians may submit requests on behalf of their children.
A violation of the Right to Know Act constitutes a violation of the Consumer Fraud and Deceptive Business Practices Act, which gives a customer the right to sue for actual damages incurred. A customer can also seek injunctive relief under the Right to Know Act and ask a court to compel a company to comply with the disclosure provisions of the act.
Geolocation Privacy Protection Act
House Bill 3449, introduced by state Rep. Ann Williams, D-Chicago, creates the “Geolocation Privacy Protection Act.” The bill passed out of committee March 30 and is on the calendar to be heard by the House. HB 3449 governs the conditions under which a “private entity” – meaning a person, business or group – can collect, use, store or disclose geolocation information transmitted by a person’s device, such as a smartphone, tablet or laptop computer. The act defines “geolocation information” as “information that is generated by or derived from … the operation of a mobile device and is sufficient to determine or infer location of that device.”
A private entity cannot collect, use, store or disclose a person’s geolocation information unless the private entity first receives the person’s express consent. Under the act, a person can only legally consent after the private entity provides “clear, prominent, and accurate notice” that: (1) informs the person that his or her geolocation information will be collected, used or disclosed; (2) informs the person in writing of the specific purposes for which his or her geolocation information will be collected, used or disclosed; and (3) provides the person a hyperlink or other easily accessible means to obtain the information.
Section 15 gives anyone whose rights under the act are violated the right to sue the offending party. The plaintiff in such a case may recover the greater of liquidated damages of $1,000 or actual damages, attorney’s fees and costs, and other appropriate relief, including an injunction to compel the violator to comply with the act.
The Illinois attorney general may also sue to enforce the act, and in any lawsuit brought by the attorney general under the act, the court may order an award of three times the amount of the person’s actual damages.
As with the Right to Know Act, a violation of the Geolocation Privacy Protection Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business
Practices Act.
Microphone-Enabled Devices Act
State Rep. Lou Lang, D-Skokie, is the chief sponsor of House Bill 3819, which was re-referred to the House Rules Committee on March 31. Though as of March 31, the bill appears to be stalled, if it were to become law, HB 3819 would forbid any person, business or group from turning on or enabling a digital device’s microphone to listen or collect information without obtaining the device user’s prior written consent.
Section 20 of the act gives any user whose rights under the act are violated a right to sue an offending party and to recover the greater of liquidated damages of $5,000 or actual damages, attorney’s fees and costs, and other relief, including an injunction.
Implications of new privacy legislation
The bills are far-reaching (the geolocation privacy bill, for example, might even apply to a smartphone’s seemingly innocuous automatic time zone-adjustment feature), and it is uncertain whether they would do much to provide additional protection for people’s sensitive information – or just drum up more business for plaintiffs’ attorneys, while imposing new compliance and legal costs on businesses.
It is not clear how easily plaintiffs would be able to prove damages under the Right to Know Act or the Geolocation Privacy Protection Act. Both acts allow consumers to recover as they would under the Consumer Fraud and Deceptive Business
Practices Act. That law provides that plaintiffs can recover for actual damages incurred. The geolocation bill, though, also has a liquidated damages provision allowing a plaintiff to recover $1,000 (or actual damages if they are greater) for a violation of the act. However, U.S. Supreme Court precedent requiring actual, concrete injuries has resulted in the dismissal of some BIPA cases brought in federal court, where the courts determined that plaintiffs were seeking to recover for mere statutory violations and hadn’t shown they had suffered any actual harm.
By requiring companies to obtain express consent more frequently, the bills’ requirements would probably annoy many consumers, as well as “aggravate the ‘notice fatigue’ that so many users experience,” according to a Forbes article by University of Chicago law professor Omri Ben-Shahar. Ben-Shahar notes that evidence demonstrates that consumers express little interest in companies’ privacy notices and are unlikely to find even more frequent and longer disclosure forms helpful.
Tech companies and trade groups have voiced concerns over Illinois’ proposed privacy legislation, which would add compliance and legal costs even for companies that use the internet for ordinary activities such as creating email lists or giving online support to consumers, according to The New York Times. And the added compliance and legal costs would be especially hard on smaller companies. “Hiring attorneys to write privacy policies, coming up with terms of service – that will be a real burden for small businesses,” Carl Szabo, senior policy counsel at the tech trade group NetChoice, told The New York Times. Indeed, legal journals have already run articles advising companies on how to adapt their policies and procedures to comply with the new measures should they become law.
While tech industry groups and lobbyists for firms such as Apple, Microsoft and Amazon have let lawmakers know their objections to the measures, plaintiffs’ lawyers have made a big push for the bill, according to The New York Times. Edelson PC, a Chicago-based firm that has brought class-action lawsuits under the BIPA, including a lawsuit against Facebook, has backed the new measures, The New York Times reported. And Edelson lawyers are behind the new nonprofit Digital Privacy Alliance, created to “fight for commonsense privacy legislation in statehouses across the country.” As Ben-Shahar noted in his article, the new legislation appears to be for the benefit of the plaintiffs’ bar, rather than consumers, and the bills’ true aim might well be “to perpetuate litigation.”
If the bills are enacted, it is unclear whether customers genuinely concerned about the transmission of their personal information would avail themselves of the privacy-protection provisions in the bills, or whether the legislation would merely put up more expensive hoops for companies to jump through and become one more vehicle for lawsuits against online companies.