Illinois once led the nation with arguably the strongest privacy law concerning biometric data. But the state is lagging in terms of online consumer privacy. The state still doesn’t have a law about consumer online privacy.
As the state seeks to pass its own online privacy law, it should avoid copying the inadequate laws passed in 14 states that were weakened by tech industry lobbying, a consumer advocate group said in a report Thursday.
“It’s super-alarming how tech companies and others that rely on our data have infiltrated state legislatures with industry-friendly bills that don’t do much to protect people,” said R.J. Cross, consumer policy director and report author for Illinois PIRG.
The report highlights Illinois as one of several states with pending bills that would likely get an “A” grade, if passed.
The Illinois Data Privacy and Protection Act was authored by Illinois PIRG and introduced in the state Legislature last year by state Rep. Abdelnasser Rashid, D-Berwyn.
The bill is stuck in committee, but Rashid said he’s still having conversations toward moving the bill forward.
“Something this significant doesn’t move quickly or without a lot of conversation with stakeholders,” Rashid said. “Companies’ reckless use of data causes real problems. Illinois is already a privacy leader, and we can continue.”
Rashid said the law, which would limit the data that companies could keep, would also protect people from scams and identity theft.
The law would also prohibit companies from targeting advertising to minors 16 and younger, Cross said.
Child protections were the focus of a congressional hearing Wednesday where senators grilled top tech executives.
Since there’s no federal online privacy law — the American Data Privacy and Protection Act of 2022 failed to pass — it’s been up to the states to pass their own laws.
In its report, PIRG graded all 14 states that have online privacy laws. None received an “A,” and all but one were heavily based on industry-drafted bills, the report states.
“At best, these laws enshrine the status quo,” the report states. “At worst, they allow Big Tech to say they care about privacy while at the same time lobbying in states all across the country to strip away consumer protections and weaken privacy laws.”
Virginia was the first state to pass a privacy law, in 2021. But the law was written by tech industry lobbyists that allowed the companies to continue their business model uninterrupted, the report states. The law became the model pushed by the tech industry across the country.
California was praised in the report for having the strongest privacy law — and the one least influenced by the tech lobby — but it still earned a “B.” The report states the law could be more robust if it offered citizens the right to sue companies that break the law.
The right to sue violators — or “private right of action” — is what makes Illinois’ 2008 Biometric Information Privacy Act so strong, the report says. The provision even led to a settlement in Illinois court that restricted Clearview AI from selling face surveillance data.
The report suggests states pass online privacy laws that include:
- Rules to minimize data collection. Most current state laws don’t limit this. A law could ensure that data is deleted by companies once it’s no longer necessary, and could prohibit transferring data to third parties without consent.
- Broader civil rights protections.
- Transparency: Many states require companies to conduct risk assessments. These assessments must be made public.
- Bans on unfair marketing. Companies should not be allowed to collect a consumer’s data with the promise of a discount or loyalty program perk.
