In the past five months, we’ve seen a significant shift in the direction of privacy regulation at the federal level. As discussed in our previous post, Congress voted (and President Trump signed) a resolution repealing last year’s FCC Order that imposed greater obligations on broadband Internet service providers and other carriers regarding the protection of customer data. The FCC and FTC also announced that they intend to reverse the FCC’s 2015 decision to treat broadband Internet service providers as Title II common carriers, which would effectively return jurisdiction over broadband Internet service providers to the FTC. Then, at the beginning of this month, the Ninth Circuit granted a petition by the FTC to rehear its ruling from last year that the FTC lacked authority under the FTC Act to regulate AT&T as a common carrier.
While federal policymakers appear focused on deregulation (or at least maintenance of the status quo), state policymakers are introducing their own legislation to regulate the collection and use of personal information. On May 16th, the Oregon House voted to amend its Unlawful Trade Practices Act (House Bill 2090) to provide that a company engages in unlawful trade practices if it makes statements in its privacy policy that are materially inconsistent with its actual practices. This new law reinforces the importance of drafting an accurate and clear privacy policy, rather than simply copying and pasting a form template from another website.
Illinois has also proposed legislation through its Right to Know Act (Senate Bill 1502), which passed in the Illinois Senate on May 4th and now heads to the Illinois House for further review and vote. The Right to Know Act declares the right to privacy as a fundamental right protected by the U.S. Constitution, and imposes certain notice obligations on companies with more than 10 employees that own a website or online service operated for commercial purposes and collect personal information about customers residing in Illinois. Specifically, covered companies must post a privacy policy that: (i) identifies all categories of personal information that the company collects about individual customers who visit the website or online service; and (ii) describes that customers have the right to request information about all the categories of personal information about them that the company disclosed to third parties over the prior 12 months, as well as the names of those third parties. Because nearly every website or online service attracts some traffic from Illinois, the Right to Know Act effectively serves as a national regulation.
If you think the Right to Know Act sounds familiar, you’re partially right – in 2003, California passed Shine the Light (CA Civil Code § 1798.83), which imposed certain notice obligations on companies that own websites or online services and collect personal information about customers residing in California. Take a look at nearly any well-crafted privacy policy and you will see the effect: an obligatory section called “Your California Privacy Rights,” which allows for California residents to exercise the rights set forth in the statute.
However, the Illinois Right to Know Act is far from a mere cut-and-paste job of Shine the Light. While Shine the Light only requires companies to provide information about the categories of personal information disclosed to third parties for those third parties’ own direct marketing purposes, the Right to Know Act requires companies to provide information about the categories of personal information disclosed to third parties for any reason (subject to certain exclusions). Further, the definition of personal information under the Right to Know Act is far more expansive than the definition under Shine the Light. Below are some key differences between the definitions:
Shine the Light | Right to Know Act |
Name and address | Name by itself, alias, nickname, username |
Address by itself | |
Social Security Number | Social Security Number, Driver’s License, Passport, ID |
Gender of children | Customer or child gender, sexual orientation, gender expression |
Employment-related information | |
IP address or information concerning accessor use | |
User generated content |
Although the Right to Know Act grants the Attorney General sole enforcement authority over the provisions of the Act, it also specifies that nothing in the Act precludes private rights of action for violations of the Biometric Information Privacy Act (“BIPA”) (740 ILCS 14/) or other relief under the Illinois Code of Civil Procedure. This language may indicate that the Illinois Senate has no intent of amending BIPA — which has become a favorite statute of the consumer class action bar — anytime soon.
While the Right to Know Act still needs to pass in the Illinois House, given the current federal policy climate and the fact that an Illinois House committee approved a similar bill last month, there is a good chance we will see the Act enacted in some form. Practically speaking, implementation of the Right to Know Act would require companies to have a better understanding of their data collection and sharing practices, as well as procedures in place to readily respond to requests. Such understanding and procedures are consistent with the measures companies should already be taking to prepare for the GDPR, as we touched upon in a previous post.
We will continue to keep track of Oregon’s Unlawful Trade Practices Act and Illinois’ Right to Know Act, and other proposed legislation at both the federal and state levels. For updates, please subscribe to our blog or check back regularly.