Early this year, Illinois appeared to be the state most likely to enact some version of the California Consumer Privacy Act. For the past several years, the Legislature had passed privacy legislation vetoed by the outgoing Republican governor, and more than 10 privacy bills were introduced early in the session. House Deputy Majority Leader Art Turner, D-Chicago, sponsored a CCPA-like bill, and it sailed through the House of Representatives by a 72-37 majority April 11 after being amended to exempt a long list of business sectors. The bill cleared the U.S. Senate Committee on the Judiciary in late May after being amended to add a private right of action and several requirements not found in the CCPA, only to be sent back to the subcommittee on the second-to-last day of the 2019 session.
The “Data Transparency and Privacy Act,” HB 3358, as passed by the House, contained CCPA-like rights of notice, right to know and opt-out of sale of personal data but with operationally easier definitions of key CCPA terms “personal information,” “de-identified” data, “disclose” and “sale,” including an exception from the term “sale” for use of data to generate advertisements, provided that the data was not used for another purpose. The House version was to be enforced solely by the attorney general's office.
Controversially, even in the business community, it contained several exemptions not found in the CCPA, for licensed hospitals, public utilities, retailers and telecom companies.
After House passage, State Sen. Tom Cullerton, D-Ill., a sponsor of the bill, decided to amend the bill to provide for class-action enforcement under two Illinois consumer class-action statutes. In the face of heavy opposition from business groups, this provision was amended further so that availability of class-action enforcement was far less clear. Although the amendment expressly foreclosed any private cause of action directly under the new law, it expressly reserved the “operation of ... other Illinois law” and the right to “seek relief under the Code of Civil Procedure.” This left the door open for indirect class-action enforcement, such as by an action under the Illinois Consumer Fraud and Deceptive Business Practices Act. When a representative from Edelson, a firm specializing in privacy class-action lawsuits, was called upon by Cullerton’s staff to explain these changes, it deepened business community suspicion.
The amendments in the last week of May added a new provision stating that if a business violated the law, then the business’s contracts with that consumer were voided. This, in turn, created the possibility of lawsuits to recover revenue paid by Illinois consumers to the company. The Senate amendments also (1) narrowed the exception for “de-identified” data, relative to the “linked or reasonably linkable” definition in the FTC 2012 Privacy Staff report, through a further condition that the data “cannot reasonably be used to infer information about” a consumer; and (2) added a “right to know” requirement to report on the “approximate number of all third parties that received the consumer’s personal information.”
Both these changes raised operational complexities that increased the risk of businesses unknowingly violating the law.
The combination of large sectoral exceptions, new requirements beyond those in the CCPA, and class-action enforcement risk created enough controversy that the bill did not move forward. The latter two factors similarly thwarted the Washington Privacy Act earlier this year, which had been introduced with significant fanfare as a possible alternative to the CCPA.
What lesson can be drawn from the Illinois bill’s demise?
A plausible one is that outlier requirements beyond the CCPA and private rights of action to enforce the highly operational CCPA rights both make omnibus state privacy bills more difficult to pass, even in deep blue states such as Illinois. By this measure, pending privacy bills in New York and Puerto Rico look like long shots to pass this year, at least in their current form. But state bills can move through legislatures very quickly, and CCPA-style bills are pending in both jurisdictions, as well as in New Jersey.
Jim Halpert is a partner at DLA Piper, representing a coalition of Fortune 500 companies, and has helped draft more than 200 U.S. state privacy, data security breach notification laws and consumer protection laws.