The issue pits business interests against privacy concerns.
For Carolyn Parrish, a privacy professional based in Evanston, data privacy is just as important in her personal, everyday life, as it is to keeping her business running.
When Parrish was looking to download a women’s health and menstrual cycle tracker on her phone, she noticed that many of the available U.S.-based apps required access to her location and her phone’s contacts before she could use any of their features. Parrish said this made her feel uneasy.
So she opted for a German-based app that only required a user account without additional data-sharing.
“There are a lot of apps out there that will take more information than they need to operate. And it is solely for data mining purposes. To create this sort of marketing database," she explains.
“You don’t want to look to your customers like you are just taking everything from them…in exchange for use of an app,” she says of the U.S.-developed apps she encountered. “It may not be worthwhile to the consumer to give that level of information, just to use an app.”
But how much information is too much? And should companies be required to share with consumers the specifics on what data they track and what third- party company receives it?
Two Illinois measures introduced during the spring legislative session attempted to address these questions. The Geolocation Privacy Protection Act and the Right to Know Data Transparency and Privacy Protection Act have caused tension between privacy advocates and those in the Illinois business community.
Advocates say consumers’ information and tracked data are in need of added protection and regulation, especially under President Donald Trump’s administration. In April, Trump signed a Congressional Review Act resolution to nullify a Federal Communication’s Commission privacy rule, which was adopted under the administration of former President Barack Obama. The rule never went into effect but targeted Internet service providers (ISPs) by regulating how they could collect consumer data and how they could sell it for the purpose of advertising.
The business groups argue privacy protection measures would only be adding additional strain on business owners and would cause a “chilling effect” on Illinois tech companies that want to make advances in innovation.
The Federal Broadband Privacy rule “would have brought greater clarity to the privacy requirements in the ISP space,” says John Verdi, vice president of policy for the Future of Privacy Forum, a Washington, D.C.- based think tank and advocacy group focused on issues related to data privacy. Verdi was also the former Director of Privacy Initiatives for the U.S. Department of Commerce under the Obama administration.
The reversal of these rules, Verdi says, has most likely led individual states like Illinois to consider privacy regulation initiatives in the form of legislation and establish the clarity not found at the federal level.
But opponents of the proposed Illinois Right to Know Act say the measure’s language does not bring clarity to businesses, which must already comply with other state laws such as the Biometric Information Privacy Act and the Personal Information Protection Act. And those opposing the Geolocation Privacy Protection Act worry that the measure does not advance consumer but brings added and unnecessary burdens to business owners.
The Right to Know Act’s language, opponents say, establishes too broad of a definition to what may be considered “categories of personal information.” These may include a person’s real name, social security number or religious and political affiliations.
Michael Reever, vice president of Government Affairs for the Chicagoland Chamber of Commerce, says that the Right to Know measure gives a list of what may be considered personal information, but that such information is not limited to that list. This ambiguity gives added leeway to lawsuits, he says.
“The threat of a lawsuit, combined with the over broadness of the statute, is very concerning to businesses because it’s not just what’s listed on the actual bill. So how are businesses supposed to keep up with the information that they’re supposedly supposed to protect if they don’t actually know what it is?”
But the measure’s sponsor state Sen. Michael Hastings, a Democrat from Orland Hills, says that the private right of sue clause was removed from the bill’s language to address these concerns. If the bill were to be signed into law, a consumer would file a complaint with the State’s Attorney’s Office, which would establish if violations took place.
“There was an argument made — which I didn’t find to be a very good argument — but they said that this bill was brought to me from trial lawyers who make their money by suing people,” Hastings says. “That couldn’t be farther from the truth. The most important thing is that people have protections online, and they should have the right to know if a website is collecting information and sharing it and selling it with third parties.”
According to Hastings, it was Cook County Sheriff Tom Dart who first brought up the issue when he was surprised to learn about the restrictions law enforcement encounter when trying to access collected online data for investigations; it would be much easier for them to obtain data from third -party entities than from a court subpoena.
After realizing how much consumer data is available through these third party data providers, Dart and Hastings want to ensure that consumers are made aware that these practices are taking place.
“When you talk to anyone around the state of Illinois, they’ll tell you that they would be offended if they found out that their information was being sold for profit against their will,” he says.
The Right to Know Act — as it now stands — would require companies that track consumer data, to provide consumers with what personal information was followed and the list of third-party entities that receive the data. A consumer would just need to make a request. A website or app would also need to provide a customer agreement notice on their website notifying consumers about the company’s information sharing practices. Any breach would be considered a violation under the Consumer Fraud and Deceptive Business Practices Act.
However, some question what steps these companies will need to take to track personal identifiable information — especially that data that excludes names or social security numbers — back to a specific person requesting the information.
“[The bill] would require business to keep and store more user information than they have to today, says Carl Szabo, senior policy counsel for NetChoice, a Washington, D.C. trade association of ecommerce businesses and online consumers that advocate for fewer restrictions for online businesses. Some of its members include companies like Lyft, eBay and Facebook.
“This bill actually puts potentially consumer information at greater risk than it’s at today because you are forcing businesses to create a honey pot of information,” he says.
Matthew Erickson, industry outreach director for the Chicago-based Digital Privacy Alliance — a nonprofit organization that advocates for privacy legislation in states across the country — says that this concern has also been addressed.
An amendment "was adopted to enable companies to provide this data without requiring trivially identifying information be kept," he explains.
"The summary is that a company can either provide a personalized profile of data shared to a user as in the first drafts of the bill," or as the change suggests, disclose "all categories of personal information about customers that were disclosed, and the name or names of all third parties that received any customer's personal information."
"This means a company doesn't need to track trivially identifying data about their users to make servicing these requests possible," he says.
And despite the back and forth between opponents and advocates to attempt at clarifying misunderstandings and concerns, the majority of the state’s business community maintains the firm belief that the bills will only benefit trial lawyers over the consumers that advocates say the bills will protect.
The Illinois Retail Merchants Association is one of those business groups.
Tanya Triche Dawood is vice president and general counsel for the association. She says the issues that the measures are supposed to address — that of transparency by sharing what companies do with consumer information — will not give added protections to consumers because those protections are already covered under existing laws.
“So you want real information that is going to inform the consumer, and that information exists today,” she says, “additional, unnecessary burdens on the business community at a time, especially in this state, where it is still very difficult to do business and turn a profit… [we] always oppose something like that.”
The Geolocation bill, sponsored by Chicago Democrat Representative Ann Williams, would require apps and websites to seek consent from consumers before tracking and storing their location. Any violations would also fall under the Consumer Fraud and Deceptive Business Practices Act as determined by the State’s Attorney’s office.
Five of the state’s largest business associations — including the Illinois Chamber of Commerce, the Chicagoland Chamber of Commerce and the Illinois Retail Merchants Association—included both privacy bills in a list of twelve bills that they named “Springfield’s Dirty Dozen”. The business groups consider the 2017 legislative session “one of the worst for employers”, they say, where many of the proposed bills have been “anti-employer” and “anti-job”.
But Erickson with the Digital Privacy Alliance, disagrees with the notion the privacy bills are anti-employer.
“We see this as a pro-business thing. We feel that this has a net bonus on business…we feel like these bills, by essentially establishing a level playing field of trust, will encourage consumers to reach out more and help small businesses get that leg up of immediate trust,” he says.
“The opponents of the [Geolocation] bill say it’s going to kill mapping, it’s going to kill location-based services in general everywhere, even though all that has to happen is the very first time you use a service that stores and sells your geolocation data — they have to get your consent for that. Just the first time,” he explains.
He says that the companies that are in the Digital Privacy Alliance, including tech companies and law firms, “are not out to eliminate marketing-metric driven services. There is a lot of really cool things going on in the space today, based on analytics. We want to make the exchange of your personal information — for essentially free stuff — explicit and consensual.”
Others like Szabo, from NetChoice, say that any additional legislation will hurt Illinois and continue to provide a so called “chilling effect” for tech companies that want to expand their areas of innovation. Illinois he says, is a state with laws that are already tough on privacy. The Biometric Information Privacy Act, for example, aims to regulate how companies collect, use, handle and store biometric identifiers and biometric information. According to the Act, biometric identifiers can be anything from “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Without explicit consent from consumers, a website or app can’t collect or store such data. There is some facial recognition software, Szabo says, that cannot be used in Illinois.
No other state, he says, has come close to the level of privacy regulation as Illinois has.
Privacy experts like John Verdi from the Future of Privacy Forum says that he believes much of the debate between opponents and proponents comes from the nature of the topic, which is in of itself a complicated issue because of the patchwork of legislation across different states.
“It is a vastly complicated space, where you have potential benefits from data to consumers, to businesses, to the economy — to governments. And you also have real concrete privacy and security risks for individuals.”
In this “kind of complicated online and offline data ecosystem,” he says, “you have to drill down and figure out exactly what the practices are that are most concerning and riskier for consumers before you can target your energies” with privacy legislation.
He suggests that instead of focusing too much on the overall idea of data and where every single piece of it goes, that it might be better to focus on specific areas of concerns for consumers.
“Instead of talking about data, and what companies do with data or what users do with data, or who owns the data, I think it’s more helpful to really focus on the sensitive data categories because those are the things that really matter most to consumers.”
What is sensitive to one specific group of people, he says, might not be considered sensitive to others. And this is where misunderstandings and differences of opinions emerge.
The Geolocation bill was approved by both chambers and awaits the governor’s signature. But the future of the Right to Know bill remains uncertain. The Senate approved the measure, but has stalled in the House. The bill’s sponsor plans to bring the measure up again during the next legislative session but not before securing the needed votes.
For the time being, some consumers and privacy advocates like Carolyn Parrish, just want website owners and app developers to establish consensus about what might be considered too much data sharing and to establish ground rules for transparency with consumers. “Giving people greater visibility into what’s happening behind the scenes—it’s useful. Knowledge is helpful to people to help them make educated choices.”