USA – ILLINOIS Trends and Developments Contributed by: Paul Yovanic, Jason Priebe, Ada Dolph and Michael Jacobsen, Seyfarth Shaw LLP
significant point of contention among industry and privacy interest groups. Another distinguishing feature of the proposed PRA is its creation of a dedicated enforcement agency, the Privacy Protection Agency (PPA). The PPA would have broad investigative and enforcement authority, including issuing fines and conducting compliance reviews. This cen - tralised enforcement mechanism also sets Illinois apart from most other states, where Attorneys General typically oversee privacy law enforce - ment. While supporters argue that a dedicated agency would strengthen consumer protections, critics warn it could lead to aggressive regulatory oversight and additional costs for businesses. The PRA establishes a threshold for compliance based on business size and data practices. It applies to businesses meeting at least one of the following criteria. • Generating annual gross revenues exceeding USD25 million in the preceding year. • Buying, selling, or sharing the personal infor - mation of 100,000 or more Illinois consumers or households annually. • Deriving 50% or more of annual revenues from selling or sharing consumers’ personal information. Beyond eligibility criteria, the PRA would require businesses to implement a number of key pri - vacy measures, including the following. • Providing clear, upfront notice at the point of data collection about the types of personal data collected, the purposes for processing, and retention periods. This would include job applicant- and worker-specific notices.
• Limiting data collection and processing to what is reasonably necessary and proportion - ate for the disclosed purposes. • Implementing reasonable security measures to safeguard personal information. • Entering into contracts with third-party data recipients intended to ensure that compliance obligations extend beyond direct data con - trollers to the entire data ecosystem. The PRA also grants Illinois consumers a core set of privacy rights, including access, correc - tion, deletion, and the ability to opt out of data sales and certain data uses. These rights align with those seen in other state privacy laws. The PRA’s requirements, when combined with the proposed expansive consumer definition, could create one of the most restrictive regulatory environments for businesses in the country. The PRA would also allow consumers to sue businesses directly if their personal data is compromised due to inadequate security meas - ures. Consumers could seek statutory damages ranging from USD100 to USD750 per incident. This provision, in combination with the lack of an employment exemption, is expected to fuel heightened compliance efforts and industry pushback – and a potential new bonanza for plaintiff law firms similar to what we have seen in recent years with BIPA lawsuits. In addition to the individual cause of action, gov - ernmental enforcement responsibility under the PRA would be shared between the newly estab - lished Privacy Protection Agency (PPA) and the Illinois Attorney General. The PPA would have broad investigative powers, including issuing cease-and-desist orders and imposing fines of up to 2,500 per violation – or USD7,500 for inten - tional violations or those involving minors’ data.
564 CHAMBERS.COM
Powered by FlippingBook