Who is affected by Illinois data privacy laws?
The Personal Information and Privacy Act (PIPA) went into effect in 2006, and was updated in 2017. It applies to any business, organization, or other entity that operates as a data collector within the state. This includes not only private for-profit companies, but also government agencies, universities, nonprofit organizations, and other entities that collect private data from Illinois citizens.
The Protecting Household Privacy Act (PHPA) went into effect January 1, 2022. This law targets law enforcement, but it will also affect businesses that handle private “household electronic data.” This is defined as any information or input provided to a device capable of facilitating electronic communication, with exceptions for personal computers, tablets, smartphones, cellphones, modems, routers, and more.
Illinois privacy laws
PIPA and PHPA contain different provisions. Most companies will deal with PIPA more often than they encounter PHPA scenarios.
PIPA protects personal information such as:
- Account passwords and security codes
- Biometric and genetic information
- Credit or debit card numbers
- Driver’s license or state ID numbers
- Federal passport numbers
- Financial account numbers
- Medical account numbers
- Social Security numbers
The law has several requirements for any entity doing business in Illinois or targeting Illinois residents:
- Notification of data breaches: PIPA requires companies to notify Illinois residents if their personal data is compromised. They must notify them as quickly as possible and without “unreasonable delay.” This notice can be written or electronic, but if that’s not possible, general statewide media notifications may meet the requirements.
- Data disposal: Any entity collecting, storing, and/or processing personal data must dispose of the information when it’s no longer needed for services or business operations. This includes both electronic and personal data.
- Security standards: PIPA requires data collectors to use “reasonable security measures” to protect against data breaches and unauthorized access or use.
Meanwhile, PHPA has its own requirements:
- Warrant requirement: Illinois law enforcement agencies must have a warrant to obtain household smart device data. If no criminal charges are filed within 60 days of obtaining the data, it must be destroyed. There are two exceptions: if there’s reasonable suspicion the information is evidence of criminal activity, or if the information is related to an ongoing investigation.
- Data security requirement: Any entity disclosing household electronic data must create a confidentiality agreement. This is designed to ensure the entity takes reasonable measures to protect the confidentiality and security of any data they transmit to law enforcement. It also limits what can be disclosed: only the information related to the law enforcement agency’s request may be shared with them.
Our software pairs technology with legal expertise to deliver compliant Illinois privacy policies and notices. Just answer a series of questions, download the generated documents, and have your lawyer review. It’s the simplest way to stay compliant in the changing digital landscape.