The Right to Know Act has been making progress in Illinois. If passed, the bill would require operators of websites or online services to notify users who reside in Illinois of any information-sharing practices they engage in. The bill also requires that these sites provide either a toll-free telephone number or an email address where users can request such information, and the operator must respond within 30 days. The penalty for failing to adhere to this regulation would be the greater of either $10 (per individual affected) or “actual damages”, plus injunctive relief and reasonable attorney fees.
The classification of “personal information” within the bill is quite broad. Essentially any user-generated content would be classified as personal information, and thus leave the operator liable for maintaining records of how user information is transmitted. One of the categories of personal information is “Content, including text, photographs, audio or video recordings, or other material generated by the customer”.
In other words, something as simple as allowing a user to leave a comment on an article on your personal blog could be considered transmission of personal information, and thus leave you liable to respond to user requests about who has accessed their information.
Should this law pass in its current state, small businesses with a limited tech background will likely have to hire a legal/technical consulting team to comply with the regulations imposed. Ideally, the wording of the law would be changed in a way that the company only has to disclose in what ways consumer information may be disclosed or used, rather than the ways it actually is. That way, companies do not need to spend millions of dollars implementing and maintaining a database of how user information is transmitted, but consumers are still informed of which ways their data may be used or shared.
The bill does provide a few cases where information can be disclosed to a third party without requiring notifying the user or maintaining a record. These cases are either when information is disclosed for security or fraud prevention purposes, or when there is a contract with the third party that requires that the shared data only be used to perform the services requested, such as billing, filling orders, etc. While this does make the law easier for large corporations with legal teams to comply with, smaller businesses simply don’t have the resources to draft a contract with each service provider ensuring that personal information is used only as needed, in order to comply with the rules set within the bill.
A recent amendment to the bill stated that an operator would not be required to respond to a request from the same customer more than once in a 12-month period. This may be because of concerns regarding the cost of meeting the law’s requirements. However, because the bill says it requires operators to provide such information, but doesn’t say anything about answering questions (which would require human interaction), the process of sharing information via email or telephone on request could be easily automated at little to no cost. The largest cost associated with the regulations imposed in this bill would be the cost of implementing a system for tracking the ways that user information is transmitted, and creating and maintaining contracts with service providers to ensure that data is only used as needed to provide the service.
While the bill does provide privacy protections for internet users, changes in the legislation are needed to ensure that the bill does not create a situation in which small businesses cannot afford to meet regulatory standards. The bill is still quite new and off to a good start, so improvements will likely be made over time.
The bill is sponsored by Michael E. Hastings.
You can see actions taken on the bill and its details here