In March 2017, the U.S. Congress voted to remove broadband privacy rules which would have gone into effect later that year. The president confirmed the repeal, which ended efforts to pass federal privacy protection law.
After that, states became interested in passing their own legislation to protect the online privacy of their citizens. One of these states was Illinois, which created the Right to Know Act through the passage of two separate bills.
It's important to note that neither bill has become law in Illinois. Both remain in the rules committee for further revision. However, since U.S. states are starting to take control of privacy protection, it's highly likely that these laws will continue to surface and take effect.
Here is a review of what's happening in Illinois.
Act summary
The Right to Know Act is currently in the form of two recently passed bills.
SB 1502 is the Illinois state senate version and HB 2774 is the house version.
The legislature passed these bills along with the Geolocation Privacy Protection Act. While the latter became official law on June 27, 2017, the first two are still being discussed in committee. There has been no movement on either bill since last July.
Both bills arose from concerns about the lack of federal protection for online privacy. Each bill observes that commercial websites and apps are inquiring about more personal information. Besides the usual litany of names, email addresses, shipping addresses, and telephone numbers, websites are also collecting data about health, finances, politics, religions, sexual orientation, and shopping habits.
Sponsors of the bill believed that the direct and indirect collection of this information was becoming excessive. So the state house and senate passed their own versions of online privacy protection bills.
The bills are identical. Both require companies to inform consumers of the types of information they collect and disclose to third parties. Website operators must also provide contact information so consumers may inquire what type of information has been collected so far.
All of these requirements can be satisfied with a well-drafted Privacy Policy, which also serves to provide notice, and an efficient way for consumers to make inquiries.
Besides notice and transparency, companies must provide a detailed list of the information collected, whether it was shared, and who received it if the consumer requests that information.
Proponents argue that operators do not have to change their practices. They just need to be more transparent about them. Requiring improved notice to consumers and better ways to handle inquiries allows consumers to make informed decisions about the websites and apps they access.
However, the Chicago business community, which includes a growing technology sector, is concerned about the bill. It believes that the new law will subject website owners to unreasonable liability.
Concerns about the bill
The first concern arose from a private right to sue. Most privacy laws in the U.S. allow consumers to file a complaint with the state consumer department or the attorney general. They do not offer standing for private lawsuits.
Both bills were revised to remove the private right to sue. The current version allows consumers to file complaints with the state attorney's office, which then determines whether the law was violated.
The second concern is about the types of protected information as defined in the bills. Definitions expand personal and sensitive information to include information not normally in that category.
The bills seek to protect traditional types of personally identifiable information including names, email addresses, driver's license numbers, and social security numbers. They also include the following as protected data:
- Age
- Physical characteristics including height, weight, and distinguishing features
- Sexual orientation
- Gender identity or expression
- Race and ethnicity
- Religion
- Education
- Employment and career choices
- Financial information
According to the business community, when websites collect this data, it is a general non-personal process. These facts are logged but not linked to specific individuals. Also, they are rarely stored and in most cases, a website operator would have an impossible time informing a consumer whether they collected this data.
Basically, if a user inquires about whether this information was collected and the company fails to store it, the user can lodge a complaint because the website operator did not provide complete information. The business community argued this forces them to store information they normally would not consider relevant.
How to comply
While these bills are not yet law, it is likely Illinois will pass something that resembles them. With states being increasingly concerned about the online privacy of their citizens, Illinois is unlikely to be alone in addressing these challenges.
The best time to start preparing for this wave of privacy legislation is now.
Here is how you can comply with the current Illinois bills and any new ones like them:
Communicate clearly
Transparency is the goal with these laws. Be very clear in your Privacy Policy on the types of data you collect. Limit collection to only what you need and use bullets, bolded headers or even a table in your Privacy Policy to bring attention to each type of data you use and share.
Sephora Play! offers a good example with a table in its Privacy Policy. Not only does it list the data collected, but it also explains how it secures it.
You may also want to divide collected information by what you ask for directly versus what is collected automatically.
That is the approach taken by SurveyMonkey.
The trick here is to avoid excluding any information or information categories subject to your data collection. That omission could leave you vulnerable to civil or administrative penalties.
Make it easy to opt out
Provide links and information on how users can opt out of data collection. Since you likely use cookies or targeted ads to automatically collect information, inform consumers of how to end those inquiries.
Web2Store contains several links to opt out, including network advertising settings, Google Ads, and other third-party services that use its platform.
This is not required by these bills, but including this section shows good faith and transparency. If you want to avoid consumer complaints based on automatic data collection, this is a good way to control them.
Limit collection
Perform an information audit. There is a good chance that your data requests venture into overkill. Data you may have needed for your app two years ago may no longer be necessary. If this data is protected, take steps to quit collecting it directly and automatically.
Likewise, you may use advertising platforms or cookies that are no longer effective. Find and deactivate them.
These steps ensure you do not collect more information than necessary. You do not want to be held liable or face fines because of sensitive data you never needed in the first place.
Provide contact information
Nearly all Privacy Policies contain contact information. You need to continue that practice and perhaps make it easier for consumers to make inquiries.
Apple is one of the best examples of this. The contact section of its Privacy Policy offers instructions and a privacy contact form so it can streamline these requests.
If you are transacting business in the U.S., it is a good idea to include a similar provision in your Privacy Policy. Provide links and make it easy for consumers to contact you.
Follow through on requests
Good forms and clear contact information will not serve you if there is no follow through at your business.
Make it easy to answer customer inquiries. Give privacy matters their own forms and email addresses rather than rely on a general "contact us" form. Assign specific employees to these matters and offer training so they can become subject matter experts.
If a consumer makes a request and it ends up in a neglected email box or file, that exposes you to legal risk. Even if the Illinois bills do not pass, there are other state laws, like the California Online Privacy Protection Act (CalOPPA), which you could be violating.
The lack of a federal law in the U.S. does not take you off the hook regarding privacy concerns. Illinois will likely pass a law similar to these bills, and Alaska and Rhode Island are making progress on their own online privacy bills. As these concerns arise, take the time to audit current privacy practices and review your Privacy Policy to see if you can make it easier to read and more accessible to consumers.