A proposed data breach bill in Illinois would create “unnecessary compliance burdens” for businesses, the Association of National Advertisers and other trade groups said on Tuesday in a letter to state lawmakers.
Illinois Senate Bill 1833 would require companies to notify consumers about data breaches that exposed not only financial information, but also consumers' geolocation data. In some cases, the bill would also require data brokers and others to tell consumers about the theft of marketing-related data -- including information related to their browsing histories, online searches and purchase history.
The Senate passed the bill last month, and a House committee is slated to take up the measure on Wednesday.
The organizations opposing the bill say companies shouldn't be required to notify consumers about the theft of geolocation information or marketing data, arguing that this type of information can't be used to commit fraud.
“The unauthorized acquisition of these types of data does not create a risk of identity theft or economic harm, and requiring enhanced security obligations would impose undue costs on companies without significant benefit to Illinois residents,” the groups write. “No other state has defined 'consumer marketing data' and 'geolocation' as 'personal information.' This radical definition would put Illinois far outside the mainstream of responsible and effective state breach notification laws, while failing to help Illinois residents defend themselves against fraud borne of a data breach.”
Other opponents include the Direct Marketing Association, Interactive Advertising Bureau, American Advertising Federation, American Association of Advertising Agencies, Acxiom and Epsilon.
Illinois Attorney General Lisa Madigan is backing the measure, arguing that it will update the state's 2005 Personal Information Protection Act. “Since the law’s enactment, the extent of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law,” her office said last month in a statement.
A recent amendment, introduced on Monday, appears to limit the bill significantly. The amendment provides that companies only need to disclose the theft of “consumer marketing data” -- meaning online browsing history, search history and purchases -- if the data collector lacks a “direct relationship” with the consumer. That amendment was referred to the legislature's rules committee on Monday.
With the amendment, the disclosure provisions related to Web browsing history (and search queries and purchases) don't appear to apply to online retailers like Amazon or online publishers like Google. Instead, the disclosure requirements would appear to apply only to data brokers and ad networks that are able to connect the information to identifiable individuals.
Dan Jaffe, head of government relations for the ANA, says the organization opposes the bill even with the amendment. “It sets a very bad precedent,” he says of the measure. “All of its provisions are totally unconnected to harm.”
Jaffe says that the ANA believes that companies shouldn't be required to disclose breaches of “non-harmful marketing data.”
He adds that requiring companies to tell consumers about every data breach results in “notification fatigue” -- meaning that people will receive so many notices that they'll stop paying attention to them and will miss the important ones.