A proposed data breach bill in Illinois would create “unnecessary compliance burdens” for businesses, the Association of National Advertisers and other trade
groups said on Tuesday in a letter to state lawmakers.
Illinois Senate Bill
1833 would require companies to notify consumers about data breaches that exposed not only financial information, but also consumers' geolocation data. In some cases, the bill would also
require data brokers and others to tell consumers about the theft of marketing-related data -- including information related to their browsing histories, online searches and purchase history.
The Senate passed the bill last month, and a House committee is slated to take up the measure on Wednesday.
The organizations opposing the bill say companies shouldn't be required to notify
consumers about the theft of geolocation information or marketing data, arguing that this type of information can't be used to commit fraud.
“The unauthorized acquisition of these types
of data does not create a risk of identity theft or economic harm, and requiring enhanced security obligations would impose undue costs on companies without significant benefit to Illinois
residents,” the groups write. “No other state has defined 'consumer marketing data' and 'geolocation' as 'personal information.' This radical definition would put Illinois far outside the
mainstream of responsible and effective state breach notification laws, while failing to help Illinois residents defend themselves against fraud borne of a data breach.”
Other opponents
include the Direct Marketing Association, Interactive Advertising Bureau, American Advertising Federation, American Association of Advertising Agencies, Acxiom and Epsilon.
Illinois Attorney
General Lisa Madigan is backing the measure, arguing that it will update the state's 2005 Personal Information
Protection Act. “Since the law’s enactment, the extent of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly,
necessitating the need to update and strengthen the state’s law,” her office said last month in a statement.
A recent amendment, introduced on Monday, appears to limit the bill
significantly, The amendment provides that companies only need to disclose the theft of “consumer marketing data” -- meaning online browsing history, search history and purchases -- if the
data collector lacks a “direct relationship” with the consumer. That amendment was referred to the legislature's rules committee on Monday.
With the amendment, the disclosure
provisions related to Web browsing history (and search queries and purchases) don't appear to apply to online retailers like Amazon or online publishers like Google. Instead, the disclosure
requirements would appear to apply only to data brokers and ad networks that are able to connect the information to identifiable individuals.
Dan Jaffe, head of government relations for the
ANA, says the organization opposes the bill even with the amendment. “It sets a very bad precedent,” he says of the measure. “All of its provisions are totally unconnected to
harm.”
Jaffe says that the ANA believes that companies shouldn't be required to disclose breaches of “non-harmful marketing data.”
He adds that requiring companies to
tell consumers about every data breach results in “notification fatigue” -- meaning that people will receive so many notices that they'll stop paying attention to them and will miss the
important ones.