Illinois is joining several other states in passing legislation that would dramatically increase the potential liability for marketers in the event of a data breach. The Illinois Senate voted 35-13 to approve a bill (SB1833) drafted by the Illinois Attorney General that would add "consumer marketing information" to the definition of personal information under the state's data breach law. It would require notification if there is a breach of "information related to a consumer's online browsing history, online search history, or purchasing history." Illinois Bill SB1833 now moves to the Illinois House of Representatives, where it will likely have substantial support.
At first blush this certainly sounds appealing considering all the data breaches that have occurred in recent times; however, for those that market products on the internet, the inconsistent laws across the country are truly a field of potential liability landmines.
Several industry groups, including the ANA (Association of National Advertisers) are working together to lobby for federal data breach legislation that would pre-empt the patchwork of 47 inconsistent state data breach laws that currently exist. Only Alabama, New Mexico, and South Dakota currently do not have security breach laws on the books. The ANA calls the Illinois bill the "poster child" example of why federal legislation is necessary as state legislatures rush to curb media-infused consumer fears over data breaches that the ANA purports result in unreasonable laws with the potential for significant liability to companies.
Everyone certainly agrees that consumers should be notified if there is a breach of personal information that creates a risk of identity theft or some other financial harm to consumers. However, the state laws typically contain no clear specific trigger for breach notification. The vast preponderance of consumer marketing information does not present a risk of identity theft or financial harm to consumers.
This unprecedented expansion of the scope of the current data breach law could cost Illinois companies millions of dollars each year to protect non-sensitive information that poses no material risk of identity theft or financial harm to residents. In addition, consumers could eventually succumb to "notice fatigue" if they receive notices about breaches that involve no serious risk of harm to them.