In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier.
However, the Illinois Right to Know Act is far from a mere cut-and-paste job of Shine the Light. While Shine the Light only requires companies to provide information about the categories of personal information disclosed to third parties for those third parties’ own direct marketing purposes, the Right to Know Act requires companies to provide information about the categories of personal information disclosed to third parties for any reason (subject to certain exclusions). Further, the definition of personal information under the Right to Know Act is far more expansive than the definition under Shine the Light. Below are some key differences between the definitions:
| Shine the Light | Right to Know Act |
|---|---|
| Name and address | Name by itself, alias, nickname, username |
| | Address by itself |
| Social Security Number | Social Security Number, Driver’s License, Passport, ID |
| Gender of children | Customer or child gender, sexual orientation, gender expression |
| | IP address or information concerning access or use |
| | User generated content |
Although the Right to Know Act grants the Attorney General sole enforcement authority over the provisions of the Act, it also specifies that nothing in the Act precludes private rights of action for violations of the Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/) or other relief under the Illinois Code of Civil Procedure. This language may indicate that the Illinois Senate has no intent of amending BIPA — which has become a favorite statute of the consumer class action bar — anytime soon.
While the Right to Know Act still needs to pass in the Illinois House, given the current federal policy climate and the fact that an Illinois House committee approved a similar bill last month, there is a good chance we will see the Act enacted in some form. Practically speaking, implementation of the Right to Know Act would require companies to have a better understanding of their data collection and sharing practices, as well as procedures in place to readily respond to requests. Such understanding and procedures are consistent with the measures companies should already be taking to prepare for the GDPR, as we touched upon in a previous post.
We will continue to keep track of Oregon’s Unlawful Trade Practices Act and Illinois’ Right to Know Act, and other proposed legislation at both the federal and state levels. For updates, please subscribe to our blog or check back regularly.