April 23, 2018
Good morning and happy Monday, Illinois Chamber Tech Council members! The House and Senate are both in this week. The House comes to town later today, whereas the Senate returns to town tomorrow.
CHI. ALDERMAN ED BURKE INTRODUCES ORDINANCE
The biggest news coming out of last week was Chicago Alderman Ed Burke's introduction of the
Chicago Personal Data Collection and Protection Ordinance. The ordinance contains several articles that seek to regulate several data-oriented technologies within the City boundaries. It is unclear at this moment how serious this ordinance appears to be. Ald. Burke has introduced various versions of this ordinance in separate pieces of legislation in the past. It is worth mentioning that those proposals did receive hearings but did not move to a full Council vote.
I have broken down an analysis of each article in which the ordinance is seeking to regulate.
Data Collection and Disclosure
First, the proposed ordinance would regulate website operators that collect personally identifiable information through the internet on consumers within the city limits of Chicago. The ordinance defines customer information as any website operator collecting:
- Name and billing information.
- Government issued identifiers, including social security number.
- Physical address, email address, phone number, or IP address.
- Demographic information such as date of birth, gender, race, ethnicity, nationality, religion, or sexual orientation.
- Financial information.
- Information pertaining to minors.
- Geolocation information.
- Web browsing history, application usage history, content of communications, and origin and destination IP address of all traffic.
- Device identifiers, such as MAC address or Internet mobile equipment identity.
- Information concerning a customer or user of the customer's subscription or account that is collected or made available in personally identifiable form.
The ordinance would prohibit operators of websites that collect any of the above information from using, disclosing, or permitting access to customers information unless the customer gives the operator prior opt-in consent (which may be revoked by the customer at any time).
The opt-in consent must be conspicuously available on the operator's internet website and the consent disclosure must contain: (1) the types of personal information that the operator is seeking to use, disclose, sell or permit access; (2) the purpose for which the customer's information will be used; (3) the categories of entities to which the operator intends to disclose, sell or permit access to the information.
The ordinance also provides for any aggrieved customer the ability to bring a private right of action in court to recover damages, attorney fees, and other relief.
Data Breaches
Article III of the ordinance would require any data collector who conducts business in Chicago that owns or licenses computerized data that includes personally identifiable information to disclose any breach of a security system to Chicago residents and the Commissioner of the Department of Business Affairs and Consumer Protection in the most expedient time possible without unreasonable delay. A delay of 15 days or more from the discovery of the breach would constitute as an unreasonable delay.
The data collector would also have to give notice of the breach to one or more newspapers of general circulation.
Personally identifiable information, if hacked, would require notification under this Article include:
- Social security number.
- Driver's license number or State ID number.
- Account number or credit or debit card number.
- Medical information.
- Health insurance information.
- Unique biometric data.
- User name or email address, in combination with a password or security code.
Those found in violation of the Article, are subjected to the penalties and fines provided in the Code. Furthermore, each day that a violation continues shall constitute a separate and distinct offense which a separate fine would apply.
Data Brokers
Article IV would regulate commercial entities that collect, assemble, and possess personal information concerning Chicago consumers. Under this Article, personal information is defined as any information in the possession of a data broker that can be used to distinguish or trace and individual's identity.
Any data broker that collects such information must register with the City of Chicago's Department of Business Affairs and Consumer Protection every year on February 1. Furthermore, the data broker would have to register the name of the entity and permanent address, provide the number of Chicago consumers whose information collected in the previous year, and provide the name and nature of the businesses who received the information.
Data brokers that fail to register with the City are subjected to a $250 fine for each day they are not registered after the February 1 registration.
Mobile Phone Privacy Awareness
Article V of the ordinance would require any cell phone or mobile device retailer in Chicago to provide to customers who purchase or lease a cell phone to contain notice in stores about how the devices sold within contain "location services" capabilities.
The Article provides for boilerplate language that must be provided to each customer who buys a cell phone at the point of sale where the phone or devices are purchased. Retailers who violate this Article can be find between $150 and $250 per violation.
Geolocation Information
The final Article of Burke's proposed ordinance would regualte the use of geolocation technology within the City's limits. Geolocation is the contents of a communication genrated by the operation of a mobile device (i.e. smart phone, tablet, laptop) and is sufficient to determine or infer the precise location of that device.
Per the ordinance, a private entity may not collect, use, store or disclose geolocation information unless the private entity receives the person's affirmative express consent after providing clear, prominent and accurate notice.
The Article does contain for an aggrieved customer to bring a private right of action in court seeking the recovery of damages, including the value and profits derived from the unauthorized use of geolocation, attorney's fees and other relief.
"RIGHT TO REPAIR" UPDATE
As mentioned last week,
HB 4747
(D. Harris), would create the so-called "Digital Fair Repair Act." This legislation would
mandate open access to machine repair and diagnostic tools, or access to embedded software code to everyone; risking the release of proprietary information. As currently drafted, the bill would apply to everything from tractors to cell phones.
We have received word that the sponsor has accepted language to carve out off-road equipment - so expect an amendment coming soon. I spent a majority of my time last week lobbying lawmakers on unintended consequences of Rep. Harris' bill. Our roll call is looking better, but it will be a close vote. Expect action this week on the House floor.
"CALL CENTER BILL" NARROWLY PASSES HOUSE
After a lengthy debate last week, a bill opposed by the Illinois Chamber narrowly passed the Illinois House 61-49-0. HB 4081 (Halpin) would place egregious restrictions on companies operating call centers or back office operations in Illinois. Backed by organized labor, this bill would create the Call Center Worker and Consumer Protection Act and would require any employers with 50 or more employees that intends to relocate a call center from Illinois to another state or foreign country to notify the Illinois Treasurer at least 120 days prior to the relocation.
Employers that do not notify the Treasurer would be subjected to a civil penalty of $10,000 for each day they are found in violation! Companies moving out of the state would also be blacklisted on the state Treasurer's website for public display. And it does't stop there. Any employer that appears on the blacklist would be ineligible for any direct or indirect state grants or loan for 5 years and would have to pay back any grant, loan, or tax benefit it previously received from the state back to the Treasurer.
The Chamber is opposed to this bill for many reasons. One, this bill severely restricts Illinois' business competitiveness to companies looking to locate call centers in Illinois. Second, the definition of "call center" is broadly defined it could impact many unintended business operations. And lastly, this legislation undermines a businesses ability to locate a call center in outside areas to communicate with customers in a language other than English. Just to name a few.
The bill now heads to the Senate, where the Chamber team will be actively working to oppose the measure.
BILLS TO NOTE IN COMMITTEE THIS WEEK
As always for a complete list of bills I am tracking, please click
here.
SB 3053 (Cunningham) is our proposal to amend the state's bioemtric statute. Currently, the underlying bill remains posted and assigned to the Senate Telecommunications and IT Committee.
SB 3007 (Raoul) Amends the state's data breach notification law, Personal Information Protection Act. Provides that a data collector required to report breaches to more than 100 Illinois residents as a result of a single breach must also report to the Attorney General. Provides that the Attorney General shall report annually to the General Assembly specified information concerning breaches of data security by February 1 of each year. The bill received a committee deadline extension to April 27. The Chamber remains opposed.
