On February 27, 2020, the Illinois State Senate referred SB2330, which if enacted would create the Data Transparency and Privacy Act (the “Proposed Act”), to its Judiciary Committee. The Proposed Act would apply to “businesses”, including insurers, intermediaries, and other third-party service providers, who collect or disclose the personal information of 50,000 or more persons, Illinois households, or a combination thereof, or who derive 50% or more of their business’s annual revenue from the sale of personal information. As currently drafted, SB2330 may apply to insurers and other affiliates who write a limited number of policies in Illinois but meet the statutory thresholds through business written outside of Illinois. While the Proposed Act contains a carve-out for personal information collected, processed, sold, or disclosed under the Gramm-Leach-Bliley Act, SB2330 may still apply to many insurers and reinsurers admitted to write business in Illinois and may also be of particular note to surplus lines carriers from both an enterprise and an underwriting perspective.
Under SB2330, Illinois consumers, including policyholders who meet the statutory definitions, would have several broad rights concerning personal information: (1) the right to transparency, (2) the right to know, and (3) the right to opt out, correct, and delete. SB2330, 101st Gen. Assemb., Reg. Sess., §§15, 20, 25 (Ill. 2020). Businesses who meet the statutory definition would be required to establish a procedure for collecting consumers’ requests and also for authenticating the consumer making each request. Id. at §30(a). The Proposed Act would mandate a response to a consumer’s request within 45 days. Id. at §30(e). Each impacted business would be required to post links on its website and mobile applications for the purpose of processing consumer requests. Id. at §30(b).
A violation of the Proposed Act would be statutorily deemed an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. Id. at §40(b). Whether such a finding is constitutionally permissible may need to be tested if the Proposed Act is enacted, depending upon regulatory guidance and interpretation. The Illinois Attorney General would be tasked with enforcing the Proposed Act with respect to alleged violations of the Illinois Consumer Fraud and Deceptive Business Practices Act. Id. Consumers would also have a right of action in the event of “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices . . . .” Id. at §40(a).
As of March 4, 2020, the Proposed Act has not been scheduled for hearing and has received only a single reading, in a single chamber of the General Assembly. The Illinois Constitution mandates that each bill shall be read by title on at least three different days in each house. ILL. CONST. art. IV, §8(d). It is unclear whether the Proposed Act will meet a fate similar to that of previous data privacy legislation proposed in recent Illinois sessions. As the Proposed Act has an effective date of July 1, 2021, as currently drafted, it is unclear whether data privacy is something that might have legs in the regular session or something that could be resurrected in the veto session following this November’s election. Either way, SB2330 and similar proposed legislation in other states are of particular note for insurers who write in multiple jurisdictions and may face an obligation to comply with data privacy laws, each with its own nuance, across multiple jurisdictions.