Smart tech policy warrants Illinois' economic triump
Within the last year, the Illinois General Assembly has seen a large amount of proposals aimed at engineering liability in the areas of privacy and data security. Tech policy is expanding so much that the Illinois House of Representatives has created a new stand-alone committee, the House Cybersecurity, Data Analytics and IT Committee, to address tech policy.
In the last two years, Illinois has seen proposals seeking to regulate everything from drones, short term rentals, blockchain, ride-sharing, data centers, cryptocurrency and geolocation.
The unfortunate reality of data breaches becoming more commonplace have given the lawmakers momentum to enact legislation seeking to regulate emerging technologies. With sweeping changes to law like that of the European Union's GDPR or most recently California's Consumer Privacy Act of 2018, these issues are not going away anytime soon.
Privacy laws on the books
Currently, Illinois businesses should be aware of two privacy laws on the books. First is the state's data breach notification law, otherwise known as the Personal Information Protection Act (or PIPA). PIPA requires businesses with personally identifiable information to implement and maintain reasonable security measures from unauthorized access. The law also requires businesses who experience a data breach to notify Illinois residents of a breach in the most expedient time possible without unreasonable delay. The Act allows for public and private enforcement against businesses found in violation of the law. Consumers may sue an offending business and the Illinois Attorney General may also bring legal action against a business found in violation.
Second, is the plaintiff-friendly Biometric Information Privacy Act, otherwise known as BIPA. BIPA regulates private entities that handle or collect biometrics. Biometrics are the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns) especially as a means of verifying personal identity. Enacted in 2008, BIPA sought to address the concern of biometrics when such information is tied to finances and other personal information.
The law requires a private entity in possession of biometric identifiers to develop a written policy made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers. The law also requires written consent from individuals prior to collecting someone's biometric identifier. The law also prohibits the selling of a person's biometric identifier.
Illinois is one of three states that have a biometric law on the books (Texas adopted in 2009 and Oregon adopted in 2017). Contrary to Oregon and Texas' biometric laws, Illinois' law contains a private right of action. That is the ability for a private entity to bring forth a lawsuit, often granting class status. Anyone aggrieved by a violation under BIPA may be rewarded anywhere from $1,000 to $5,000 per violation.
BIPA went largely unnoticed after its enactment until a series of lawsuits were brought against private entities that allegedly collected and used biometric data in violation of BIPA. With biometric technology becoming more common in the workplace, dozens of employers have been caught off guard by the rash of class-action lawsuits recently filed in Illinois alleging violations of BIPA. The suits target many industries, including restaurants, hospitality, grocery stores, gas stations, nursing homes, logistics and building management companies. The surge in BIPA litigation results from employers' increased use of fingerprint scan technology, and the fact that BIPA is the only biometric statute that contains a private right of action against employers for damages and attorneys' fees.
The chamber introduced a bill this spring that sought to streamline employers' use of biometric technology for employment purposes. SB 3053, sponsored by Sen. Bill Cunningham (D -- Chicago) would amend the state's biometric law to provide employers the ability to use biometric information for internal employment purposes, so long as the employer is not using the information for commercial purposes. The goal was to find a balance between consumer privacy and business innovation. While we fell short, we believe we sent the message to employers that Illinois wants businesses to be able to grow by allowing them to use innovative technologies.
What can we expect in 2019?
Last year, state Senator and Democratic candidate for Attorney General, Kwame Raoul (D -- Chicago), introduced a bill that sought to regulate microphone enabled devices. This would have applied to everything from cellphones, tablets, refrigerators, and cars. The proposal would prohibit any private entity from turning on or enabling a digital device's microphone to listen for or collect information, unless the user agrees to a written policy. The bill ultimately failed, however, should Sen. Raoul become the state's next Attorney General, expect this issue to resurface.
In June, California approved the "California Consumer Privacy Act of 2018." This new law reflects the most far-reaching data privacy law passed to date in the United States. This law, which goes into effect in 2020, provides Californians the right to privacy by providing consumers options for controlling their personal information. One can expect Illinois lawmakers to copy and paste California law in Illinois.
Chicago Alderman Ed Burke's omnibus ordinance introduced this spring may also provide an insight to what may come to the statehouse in 2019. The Chicago Personal Data Collection and Protection Ordinance contains several sections seeking to regulate data-oriented technologies. This would include regulating website operators that collect personally identifiable information, creating a revised data breach law, regulating data brokers, providing mobile phone privacy awareness, and regulating geolocation technology. Burke's ordinance is currently sitting idle in the Chicago Finance Committee; however, proponents of the ordinance have lobbying arms in Springfield that could push a similar proposal in Springfield.
Not all is meant to scare away companies looking to expand and invest here in Illinois. The Chamber will be working to pass a law creating a sale and use tax exemption for tangible personal property used in the construction or operation of a new or existing data center. Data centers are unique and require huge upfront expenditure in construction and ongoing capital investment. Both the initial construction and the "refresh" require skilled craftsmen and technicians and a robust supply chain. As the world's economy continues its affinity for, and its reliance upon, information and data through traditional, as well as "Cloud" computing, the need for facilities to store and transmit the ever-expanding universe of data will continue to grow. Data Centers have been found to provide a net gain to states enacting these types of incentives. Currently, 30 other states have some type of tax incentive to lure in these facilities.
Keep Illinois a leader in innovation
Just like any state, Illinois has its fair share of challenges. However, there are things we do right and providing an environment for a thriving tech ecosystem is one of them. We have a relatively low cost of living (compared to the coasts), access to talent, a world class city, prestigious universities and a thriving venture capital market. Privacy is critically important to both individuals and businesses. When crafting the next privacy law, policymakers need to strike the right balance between privacy and productivity gains offered by modern technology. A collaborative public-private approach, led by industry together with government, is the most feasible way to develop a framework of data privacy standards tailored to our needs.
Tyler Diers is director, legislative relations at the Illinois Chamber of Commerce.