
‘Consumer Privacy Act’ Introduced in the Land of Lincoln

Illinois SB 3299 and HB 5603 are nearly identical and would create the “Consumer Privacy Act.”

The legislation is similar to the California Consumer Privacy Act. It would apply to any for-profit business, or any entity that controls or is controlled by such a business, that does business in Illinois and:

  1. Has annual gross revenues in excess of $25 million;
  2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or
  3. Derives 50% or more of its annual revenues from selling consumers’ personal information.

The legislation would require a notice at collection, provide consumers the right to know and request deletion of personal information collected about them, and to opt out of the sale of their personal information. It includes CCPA-like requirements for submitting, receiving and verifying consumer requests.

The legislation excludes protected information under certain federal and state health care laws or regulations such as the federal Health Insurance Portability and Accountability Act (HIPAA), the sale of personal information to or from a credit reporting agency pursuant to the federal Fair Credit Reporting Act (FCRA), or personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act (GLBA) or the Illinois Banking Act.

Unlike SB 2330, which we described previously, these bills would not require businesses to conduct risk assessments of “processing activities involving personal information” and make them available to the attorney general upon request.

There is a private right of action if “unencrypted or unredacted personal information” of any consumer is exposed as a result of a data breach “or disclosure” which was the result of the business’s failure to comply with the proposed law’s “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

A consumer may seek statutory damages of $100 to $750 “per incident” or actual damages (whichever is greater), and civil penalties of not more than $2,500 per violation or $7,500 for each intentional violation.

The legislation would become effective Jan. 1, 2021, and the attorney general is tasked with rulemaking.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
