Direct marketers are lauding first-term Republican Governor Bruce Rauner (above) for issuing an amendatory veto on an Illinois data breach bill that would place severe limitations on the collection of consumer marketing information. The stipulation includes geo-location information as well as online search and purchase history.
“What this bill does for the first time is define consumer marketing information as relevant in a data breach notifications statute,” said Chris Oswald, VP of advocacy for the Direct Marketing Association. “The whole purpose of a data breach notice is to put individuals on alert when their private information can be breached by thieves to do financial damage to them.”
Rauner agreed that Illinois Senate Bill 1833 went “too far” and was a “significant departure” from other state data protection laws. He exercised his amendatory veto power, returning it to the state Senate with revisions removing restrictions on marketing information.
“Compared to other types of personal information, the unauthorized release of consumer marketing and geo-location information does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act,” Rauner wrote in a letter to both houses of the Illinois legislature.
In addition, Rauner proposed extending a requirement to notify consumers of a breach from 30 business days to 45 calendar days. He also recommended deleting a provision that all operators of websites post privacy policies, since national marketers are already complying with a similar California law.
Small businesses stood to be hurt most by the Illinois law. In an editorial in the Charleston (IL) Journal Gazette & Times-Courier, NetChoice Counsel Carl Szabo wrote that “this bill treats the breach of health care data from my health insurance company the same as a breach that reveals the last time I ordered a pie at my local pizzeria.”
Charleston attorney Andrew Koester, however, thinks even small businesses should establish and publish privacy policies. “How burdensome can it be to write a short privacy policy on a company’s website? It would take minimal effort to let consumers know what information companies are collecting,” he said.
Koester, too, is of the opinion that some consumer marketing information is as sensitive as financial and health-related data.“Our sexual orientation and identity, what church services we attend, our political leanings—this is all considered consumer marketing information and will be left unprotected by the Governor’s amendatory veto,” he said.
Rauner has returned the bill to the Illinois Senate, which most likely will read it into the record when legislators return from summer recess on September 9. The body has up to 15 days to either agree with the Governor’s revised bill or override it, in which case it progresses to the General Assembly. If the Senate does neither, the bill is officially dead.
“[Illinois legislators] wanted their data breach law to be up to date and lost sight of the purpose of the law in their eagerness to stake out new ground,” said Oswald. “The Governor recognized the negative impact it would have on the Illinois economy and jobs.”
