This article has been written by Pulkit Chaudhary pursuing the Diploma in International Data Protection and Privacy Laws from LawSikho. This article has been edited by Prashant Baviskar (Associate, Lawsikho) and Smriti Katiyar (Associate, Lawsikho).
A new data protection and privacy bill has been introduced in Illinois. This comprehensive bill, titled the Consumer Privacy Act (ICPA), would provide more explicit notice and extended rights on what consumers can do with the categories and specific pieces of personal information that a business collects about them.
In the present scenario, our lives are heavily tilted towards the utility and satisfaction we obtain from goods and services, be it basic necessities like food and electricity or luxuries like expensive cars, hotels and business class air travel. All of these goods and services fall within the domain of consumer goods and services, and in order to deal with their legal aspects (quality, standards, complaint mechanisms etc.) several consumer protection legislations have been enacted around the world.
Focusing on the other side of the coin, "we are consumers", and therefore various aspects of goods and services, such as new products, technologies and innovation, depend upon the needs, wants and demands of consumers and upon competition in the market. In order to keep up with the growing desires of consumers and a competitive market, consumer data is the starting line of a never-ending race.
Every organization, big or small, uses consumer data to enhance the quality of its goods and services. Depending upon the scale of operations of these organizations, the consumer data has to be managed and secured accordingly with appropriate technical and organizational measures. Therefore, data protection legislations are important to keep a check upon and regulate the collection, storage, processing and disposal of personal data.
Data protection legislations in the US
There is no uniform data privacy/protection legislation throughout the United States like the GDPR (General Data Protection Regulation) in the European Union. There are, however, different subject-specific data privacy laws across various sectors like healthcare, consumer privacy and finance. Some of them are as follows:
- The Health Insurance Portability and Accountability Act (HIPAA) to regulate health insurance related data.
- The Children’s Online Privacy Protection Act (COPPA) for regulating and protecting the collection and processing of information relating to minors.
- The Gramm-Leach-Bliley Act (GLBA) to regulate consumer data and privacy relating to banking companies, financial institutions, securities companies etc.
- The California Consumer Privacy Act (CCPA), a state-specific statute confined to California, USA, with the purpose of regulating and protecting the collection, processing, access, sale and disclosure of the personal data of data subjects.
Illinois consumer privacy law
As various US states have come forward with their respective data protection legislations, the State of Illinois has also tried to match the level of the various data protection laws within the US and to keep up with the global requirements of data privacy relating to the crucial rights of data subjects.
To protect its citizens against personal data breaches, illegal access, unauthorized and unconsented use, mishandling and abuse of personal information, the state of Illinois passed the Illinois Personal Information Protection Act (PIPA), which received assent in June 2005 and came into force on January 1, 2006.
This act focuses on extending the domain of rights of the consumers and making the mechanism for exercising the rights easier and more effective as far as the Illinois data subjects are concerned.
Applicability of PIPA
The PIPA applies to organizations that are engaged in business activities in Illinois with the sole motive of profit maximization. These are the entities that collect the personal data of Illinois data subjects, or the entities on whose behalf the information is collected. These entities also determine the purpose of processing the personal data of the data subjects.
These entities also have to comply with at least one of the following criteria:
- The business organization has a gross annual revenue of more than $25 million.
- It deals with the data of fifty thousand or more customers (alone or jointly).
- It generates 50% or more of its annual revenue by selling the personal information of data subjects.
Types of information regulated under PIPA
This legislation covers certain types of personal information of data subjects, ranging from name, address, contact number and email, which exist in the public domain, to professional, educational, employment, healthcare and financial personal information not available in the public domain. Organizations may also keep a record of biometric data under certain exceptions and subject to adequate technical and organizational measures.
Organizations may or may not have their origin in the state of Illinois, but if they target personal information of Illinois data subjects that is not in the public domain, then such organizations are subject to the PIPA legislation and have to comply with it accordingly.
Rights of data subjects under PIPA
- Right of access to the information- The data subject has the right to access the information collected by the data controller about the consumer and to know how the same is used.
- Right to be notified about changes in nature of processing- The data subject has the right to be notified about any change made by the organization to the nature of processing of the data from what it was initially collected for.
- Right to erasure- Data subjects have the right to get their personal data erased by following the appropriate mechanism laid down by the organization for the purpose.
- Right to opt out- Data subjects have the right to opt out of the sale of their personal data that they may have consented to at the time of data collection.
Main components of PIPA
- Notification for breach- The PIPA provides for informing all affected data subjects at the earliest in case of any compromise or breach of their personal data. Organizations are under an obligation to inform the data subject in the most expedient manner, without unreasonable delay, either in writing or electronically.
- Security Standards- The Act provides for the proposal, implementation and maintenance of appropriate technical and organizational measures to protect the personal information of data subjects against data breaches, illegal access, unauthorized and unconsented use, mishandling and abuse of personal information.
- Disposal of Data- Organizations using consumer data are obligated to determine the duration of use in their data retention policy and shall dispose of the data accordingly (generally when it is no longer required for business operations). The records can be in any form (physical or electronic), and therefore they shall be properly disposed of as the case may be, i.e. by burning, making them unreadable, anonymising or pseudonymising etc. This helps in ensuring the safety of the personal data of Illinois data subjects.
Compliance with PIPA
- Deletion of Confidential Information-
Disposal or deletion of personal data is necessary for protection against mishandling and misuse of the private, confidential information of data subjects collected by the company for the purpose of processing.
- Encryption of Personal data-
In order to ensure PIPA compliance, the personal data of data subjects shall be encrypted so as to prevent it from being leaked or breached at any point during the course of processing. Encrypting personal data (prevention) can remove the need to give a data breach notification in a breach situation (cure). Hence, in the world of data protection too, prevention is better than cure.
- Maintaining administrative standards-
- Communicating breach notifications-
In the event of a breach of the personal data of Illinois data subjects, communication of such breach to the data subject is one of the essential components of this legislation. Business organizations and other entities shall enable themselves to notify the affected people quickly in case of a breach, either physically through letters or electronically via email or text message.
PIPA enforcement mechanism
The PIPA legislation is enforced by the Attorney General of the state of Illinois. Where a violation of the PIPA exists and is not corrected within a period of 30 days, the Attorney General is empowered to recover hefty fines from the organization at fault, which can range from up to $2500 in case of an unintentional PIPA violation to $7500 in case of an intentional PIPA violation.
The PIPA also empowers the Attorney General to publish the names of companies affected by a data breach, including the type of data involved and the number of data subjects affected by it.
PIPA violations may also constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Fines in case of a data disposal violation start from $100 for every affected individual as a civil penalty. This penalty can further extend to $50,000 for every instance of improper disposal.
The PIPA primarily focuses on extending the domain of rights of data subjects in the state of Illinois. The Act not only provides for quick notification in case of a breach but also lays emphasis on the overall prevention of data breaches themselves. In order to properly comply with the PIPA, appropriate technical and organizational measures should be adopted and updated accordingly. By using security mechanisms such as anonymization or pseudonymization and detection of breach threats, the chances of data leaks and misuse can be curtailed and PIPA compliance can be ensured.