August 21, 2015

 

 

To the Honorable Members of

The Illinois Senate,

99th General Assembly:

 

 

Today I return Senate Bill 1833, which amends the Personal Information Protection Act, with specific recommendations for change.

The Personal Information Protection Act was enacted in 2005 to protect consumers from the damaging consequences of a data breach. Illinois businesses and non-profit organizations must take their obligations seriously.

Senate Bill 1833 makes significant changes to the Personal Information Protection Act, many of which are intended to protect consumers and update the Act. But unfortunately, the bill goes too far, imposing duplicative and burdensome requirements that are out-of-step with other states. These unnecessary requirements will hurt our economic competitiveness without providing commensurate benefit to Illinois consumers and residents whom the bill is intending to protect.

In particular, the bill would add “consumer marketing information” and “geolocation information” to the types of protected personal information. This is significant departure from the data protection laws of other states. Compared to other types of personal information, the unauthorized release of consumer marketing and geolocation information does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act.

The bill requires that notices be given to the Attorney General within 30 business days after the breach is discovered. While many states do not impose a specific requirement of this type, those that do more often require notice within 45 calendar days (which is approximately the same as 30 business days). To ease the burden of compliance across multiple states, I recommend that the notice be required within 45 calendar days instead of 30 business days.

The bill would also require the operator of any website to post a privacy policy. Because California law already requires this, most large businesses already comply with this requirement. Layering on an Illinois-specific requirement will only increase the cost of compliance without adding value to consumers. Moreover, for those small businesses that are not required to comply with the California law, this is a burdensome and costly mandate, particularly because no other state has imposed a similar requirement.

The changes recommended below would address these and related concerns. While I commend the sponsors for their efforts to protect consumers, Illinois does not need regulation that makes it even more difficult to do business. Illinois is suffering from the consequences of over-regulation. We need to break the cycle of taxation and regulation that has created a hostile economic environment in order to grow our economy, create new jobs, and generate more tax revenue through economic expansion.

Therefore, pursuant to Section 9(e) of Article IV of the Illinois Constitution of 1970, I hereby return Senate Bill 1833, entitled “AN ACT concerning business”, with the following specific recommendations for change:

On page 2, by deleting lines 2 through 17; and

On page 2, line 21, by replacing “information” with “medical information”; and

On page 3, line 1, by replacing “health” with “such”; and

On page 3, by replacing line 23 with “characteristics used by the owner or licensee to authenticate an”; and

On page 4, by deleting lines 1 through 7; and

On page 4, by replacing lines 23 and 24 with “information concerning an Illinois resident shall”; and

On page 5, by replacing lines 11 and 12 with “information”:”; and

On page 9, line 2, by replacing “30 business days” with “45 days”; and

On page 9, by replacing lines 16 through 26 with “(2) (Blank).”; and

On page 10, by deleting lines 1 through 24; and

On page 11, by replacing lines 3 and 4 with “(a) Any State agency that collects personal information”; and

On page 14, line 19, by replacing “30 business days” with “45 days”; and

On page 16, by replacing lines 10 through 25 with the following:

“(815 ILCS 530/50 new)

Sec. 50. (Blank).”; and

By deleting pages 17 and 18; and

On page 19, by deleting lines 1 through 20.

With these changes, Senate Bill 1833 will have my approval. I respectfully request your concurrence.

Sincerely,

 

Bruce Rauner

GOVERNOR