The Illinois legislature is currently considering three different bills designed to enhance consumer privacy protections. The Right to Know Act would give consumers the right to know what information has been collected about them and who has access to it. The Geolocation Privacy Protection Act prohibits private entities from collecting geo-location information without first meeting specific notice requirements and receiving express consent. Finally, the Microphone-Enabled Devices Act protects consumers from the unauthorized use of a device’s microphone.

Any business that collects information from Illinois residents will need to revisit its privacy policies and notice and consent procedures to ensure continuing compliance if these laws are enacted.

What do the bills require?

Proposed Act and Requirements

Right to Know Act
Upon consumer request, an organization must provide the following information within 30 days, at no cost to the consumer:
  • all categories of personal information disclosed; and
  • names of third parties that receive the personal information.

Geolocation Privacy Protection Act
Prohibits an entity from collecting, using, storing, or disclosing geolocation information unless it receives affirmative express consent after providing notice that:
  • informs the person that his geolocation information will be collected;
  • discloses the specific purposes for use of such information; and
  • provides the person a hyperlink or “comparably easily accessible means to access the information.”

Microphone-Enabled Devices Act
Prohibits an entity from enabling a digital device’s microphone unless it receives informed, written consent after notifying the user in writing:
  • the microphone will be turned on;
  • the frequency and length of time the microphone will be turned on;
  • the specific categories of information the microphone will listen for; and
  • the specific purpose for collecting the information.

Under the Right to Know Act, any entity that discloses consumer personal information to a third party must make the following information available to the consumer upon request (free of charge): (1) all categories of personal information that are disclosed; (2) the names of all third parties that receive the customer’s personal information; and (3) a description of the consumer’s rights.

Businesses must respond to customers within 30 days of a request, so organizations should be sure to have a mechanism in place to promptly investigate and address any inquiries. The requirements are not retroactive and will apply only to personal information disclosed going forward. Failure to comply with this act may result in a private cause of action where consumers may seek injunctive relief, in addition to any other rights under the Consumer Fraud and Deceptive Business Practices Act.

The Geolocation Privacy Protection Act prohibits an entity from collecting, using, storing, or disclosing geolocation information unless it receives “affirmative express consent” after providing “clear, prominent, and accurate notice” that: (1) informs the person that his geolocation information will be collected; (2) discloses the specific purposes for use of such information; and (3) provides the person a hyperlink or “comparably easily accessible means to access the information.” Violations of the act grant consumers a private cause of action to seek injunctive relief, in addition to any other rights under the Consumer Fraud and Deceptive Business Practices Act.

Lastly, the Microphone-Enabled Devices Act prohibits an entity from enabling a digital device’s microphone unless it informs the user in writing: (1) the microphone will be turned on; (2) the frequency and length of time the microphone will be turned on; (3) the specific categories of information the microphone will listen for; and (4) the specific purpose for collecting the information. The entity must receive the “informed, written consent” (including through an electronic means) before enabling a device’s microphone. Like the other two laws, this act also provides a private cause of action, and consumers may recover liquidated damages ($5,000), injunctive relief, and reasonable attorneys’ fees.

Illinois is no stranger to trailblazing privacy legislation

Enacted in 2008, Illinois’ Biometric Information Privacy Act (740 ILCS 14/1 or BIPA) generally requires companies to obtain a person’s consent before collecting, capturing, or purchasing a person’s “biometric identifier” or “biometric information.” Since late 2015, at least six cases have been filed alleging claims under the statute, and the first reported settlement was approved for $1.5 million on December 1, 2016.

While Illinois and Texas are currently the only states with such laws on the books, five other states have pending biometric legislation in committee review (Alaska, Connecticut, Montana, New Hampshire, and Washington). Since BIPA provides a private cause of action, unlike Texas’ statute, which only allows for enforcement through the attorney general, BIPA serves as the model for these other states considering biometric laws.

Next steps

Now would be a good time for companies to consider reviewing their existing privacy policies and consent practices. California already has a statute similar to the Right to Know Act, impacting companies collecting information about California residents. New York proposed a comparable bill in January that is still making its way through committee. Regardless of the passage of the Illinois bills, other states are already taking action, and therefore businesses should be prepared to account for these existing and pending laws. These laws, both pending and enacted, provide private causes of action, which tend to create increased publicity and, ultimately, liability from regulators as well as the public, including the plaintiffs’ bar. In light of the existing and proposed legislation, companies should consider the following steps:

  • Revisit and update your organization’s privacy policy to verify that it accurately notifies consumers about the type of information collected.
  • Ensure that the privacy policy informs consumers who will be given access to their information, including any third parties to whom that data may be sold.
  • Provide contact information whereby consumers can request or obtain copies of the information that has been collected or disclosed.
  • Utilize click-wrap or other affirmative consent procedures for collection of geo-location information.