For Carolyn Parrish, a privacy professional based in Evanston, data privacy is just as important in her personal everyday life as is it to keeping her business running.
When Parrish was looking to download a women’s health and menstrual cycle tracker on her phone, she noticed that many of the available U.S.-based apps required access to her location and her phone’s contacts before she could use any of their features. Parrish said this made her feel uneasy.
So she opted for a German-based app that only required a user account without additional data-sharing.
“There are a lot of apps out there that will take more information than they need to operate," she said, "and it is solely for data-mining purposes to create this sort of marketing database. It may not be worthwhile to the consumer to give that level of information, just to use an app.”
But how much information is too much? And should companies be required to share with consumers the specifics on what data they track and what third- party company receives it?
Two measures introduced during the Illinois spring legislative session attempted to address these questions. The Geolocation Privacy Protection Act and the Right to Know Data Transparency and Privacy Protection Act have caused tension between privacy advocates and the Illinois business community.
Advocates say consumers’ information and tracked data need added protection and regulation, especially under President Donald Trump’s administration. In April, Trump signed a Congressional Review Act resolution to nullify a Federal Communication’s Commission privacy rule, which was adopted under the administration of former President Barack Obama. The rule never went into effect but would have regulated the way Internet service providers (ISPs) could collect consumer data and how they could sell it for advertising purposes.
The business groups argue that privacy-protection measures would add strain on business owners and would cause a “chilling effect” on Illinois tech companies that want to make advances in innovation.
"The Federal Broadband Privacy rule “would have brought greater clarity to the privacy requirements in the ISP space,” says John Verdi, vice president of policy for the Future of Privacy Forum, a think tank and advocacy group based in Washington, D.C., that focuses on data-privacy issues. Verdi also was the former Director of Privacy Initiatives for the U.S. Department of Commerce under the Obama administration.
The reversal of these rules, Verdi says, has most likely led individual states like Illinois to consider privacy-regulation initiatives in the form of legislation and establish the clarity not found at the federal level.
But opponents of the proposed Illinois Right to Know Act say the measure’s language does not bring clarity to businesses, which already must comply with other state laws such as the Biometric Information Privacy Act and the Personal Information Protection Act. Those opposing the Geolocation Privacy Protection Act worry that the measure does not advance consumer but brings added and unnecessary burdens to business owners.
The Right to Know Act’s language, opponents say, establishes too broad a definition to what may be considered “categories of personal information.” These may include a person’s real name, Social Security number, or religious and political affiliations.
Michael Reever, vice president of Government Affairs for the Chicagoland Chamber of Commerce, says that the Right to Know measure gives a list of what may be considered personal information, but that such information is not limited to that list. This ambiguity gives added leeway to lawsuits, he says.
“The threat of a lawsuit, combined with the overbroadness of the statute, is very concerning to businesses because it’s not just what’s listed on the actual bill," Reever said. "So how are businesses supposed to keep up with the information that they’re supposedly supposed to protect if they don’t actually know what it is?”
But the measure’s sponsor, State Sen. Michael Hastings, D-Orland Hills, says the private right-to-sue clause was removed from the bill’s language to address these concerns. If the bill were to be signed into law, a consumer would file a complaint with the State’s Attorney’s Office, which would establish whether violations took place.
“There was an argument made, which I didn’t find to be a very good argument, but they said that this bill was brought to me from trial lawyers who make their money by suing people,” Hastings says. “That couldn’t be farther from the truth. The most important thing is that people have protections online, and they should have the right to know if a website is collecting information and sharing it and selling it with third parties.”
According to Hastings, Cook County Sheriff Tom Dart first brought up the issue after he learned about the restrictions law enforcement encounter when trying to access collected online data for investigations. They actually could obtain data from third-party entities more easily than from a court subpoena.
After realizing how much consumer data is available through these third-party data providers, Dart and Hastings want to ensure that consumers are made aware that these practices exist.
“When you talk to anyone around the state of Illinois, they’ll tell you that they would be offended if they found out that their information was being sold for profit against their will,” he says.
The Right to Know Act, as it now stands, would require companies that track consumer data to provide consumers who request it the personal information was followed and the list of third-party entities that receive the data. A website or app also would need to provide a customer-agreement notice on their website notifying consumers about the company’s information-sharing practices. Any breach would be considered a violation under the Consumer Fraud and Deceptive Business Practices Act.
However, some question what steps these companies will need to take to track personal identifiable information — especially that data that excludes names or Social Security numbers — back to a specific person requesting the information.
“[The bill] would require business to keep and store more user information than they have to today," says Carl Szabo, senior policy counsel for NetChoice, a trade association of ecommerce businesses and online consumers that advocate for fewer restrictions for online businesses. Its members include companies like Lyft, eBay and Facebook.
“This bill actually puts potentially consumer information at greater risk than it’s at today because you are forcing businesses to create a honey pot of information,” he says.
Matthew Erickson, industry outreach director for the Chicago-based nonprofit Digital Privacy Alliance advocating for privacy legislation in states across the country, says that this concern also has been addressed.
An amendment "was adopted to enable companies to provide this data without requiring trivially identifying information be kept," he explains.
"The summary is that a company can either provide a personalized profile of data shared to a user as in the first drafts of the bill" or, as the change suggests, disclose "all categories of personal information about customers that were disclosed, and the name or names of all third parties that received any customer's personal information."
"This means a company doesn't need to track trivially identifying data about their users to make servicing these requests possible," he says.
Despite the back and forth between opponents and advocates to attempt to clarify misunderstandings and concerns, the majority of the state’s business community maintains the firm belief that the bills will benefit only trial lawyers over the consumers whom advocates say the bills will protect.
The Illinois Retail Merchants Association is one of those business groups.
Tanya Triche Dawood is vice president and general counsel for the association. She says the issues that the measures are supposed to address — that of transparency by sharing what companies do with consumer information — will not give added protections to consumers because those protections already are covered under existing laws.
“So you want real information that is going to inform the consumer, and that information exists today,” she said. “Additional, unnecessary burdens on the business community at a time, especially in this state, where it is still very difficult to do business and turn a profit… [we] always oppose something like that.”
The Geolocation bill, sponsored by State Rep. Ann Williams, D-Chicago, would require apps and websites to seek consent from consumers before tracking and storing their location. Any violations would also fall under the Consumer Fraud and Deceptive Business Practices Act as determined by the State’s Attorney’s office.
Five of the state’s largest business associations — including the Illinois Chamber of Commerce, the Chicagoland Chamber of Commerce and the Illinois Retail Merchants Association — included both privacy bills in a list of 12 bills that they named “Springfield’s Dirty Dozen.” The business groups consider the 2017 legislative session “one of the worst for employers,” they say, where many of the proposed bills have been “anti-employer” and “anti-job”.
But Erickson, with the Digital Privacy Alliance, disagrees with the notion the privacy bills are anti-employer.
“We see this as a pro-business thing. We feel that this has a net bonus on business," he said. "We feel like these bills, by essentially establishing a level playing field of trust, will encourage consumers to reach out more and help small businesses get that leg up of immediate trust.”
Erickson said that opponents of the Geolocation bill claim "it’s going to kill mapping, it’s going to kill location-based services in general everywhere, even though all that has to happen is -- the very first time you use a service that stores and sells your geolocation data — they have to get your consent for that. Just the first time,” he explains.
He says companies in the Digital Privacy Alliance, including tech companies and law firms, “are not out to eliminate marketing-metric driven services. There is a lot of really cool things going on in the space today, based on analytics. We want to make the exchange of your personal information — for essentially free stuff — explicit and consensual.”
Others like Szabo from NetChoice, say that any additional legislation will hurt Illinois and continue to provide a so called “chilling effect” for tech companies that want to expand their areas of innovation. Illinois, he says, is a state with laws that already are tough on privacy.
The Biometric Information Privacy Act, for example, aims to regulate how companies collect, use, handle and store biometric identifiers and biometric information. According to the act, biometric identifiers can be anything from “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Without explicit consent from consumers, a website or app can’t collect or store such data. There is some facial-recognition software, Szabo says, that cannot be used in Illinois.
No other state, he says, has come close to the level of privacy regulation that Illinois has.
John Verdi, from the Future of Privacy Forum, says that he believes much of the debate between opponents and proponents comes from the nature of the topic, which is a complicated issue because of the patchwork of legislation across different states.
“It is a vastly complicated space, where you have potential benefits from data to consumers, to businesses, to the economy, to governments -- and you also have real concrete privacy and security risks for individuals," Verdi said.
In this “kind of complicated online and offline data ecosystem,” he said, “you have to drill down and figure out exactly what the practices are that are most concerning and riskier for consumers before you can target your energies” with privacy legislation.
He suggests that, instead of focusing too much on the overall idea of data and where every single piece of it goes, it might be better to focus on specific areas of concerns for consumers.
“Instead of talking about data, and what companies do with data or what users do with data, or who owns the data," he said, "I think it’s more helpful to really focus on the sensitive data categories because those are the things that really matter most to consumers.”
What is sensitive to one specific group of people, he says, might not be considered sensitive to others. And this is where misunderstandings and differences of opinions emerge.
The Geolocation bill was approved by both chambers and awaits the governor’s signature, but the future of the Right to Know bill remains uncertain. The Senate approved the measure, but it has stalled in the House. The bill’s sponsor plans to bring the measure up again during the next legislative session but not before securing the needed votes.
For the time being, some consumers and privacy advocates, like Carolyn Parrish, just want website owners and app developers to establish consensus about what might be considered too much data sharing and to establish ground rules for transparency with consumers.
“Giving people greater visibility into what’s happening behind the scenes—it’s useful," Parrish said. "Knowledge is helpful to people to help them make educated choices.”
Note: This story was created for and posted originally at Illinois Issues.