August 21, 2015
To the Honorable
The Illinois Senate,
Today I return Senate Bill 1833, which
amends the Personal Information Protection Act, with specific recommendations
The Personal Information Protection Act
was enacted in 2005 to protect consumers from the damaging consequences of a
data breach. Illinois businesses and non-profit organizations must take their
Senate Bill 1833 makes significant
changes to the Personal Information Protection Act, many of which are intended
to protect consumers and update the Act. But unfortunately, the bill goes too
far, imposing duplicative and burdensome requirements that are out-of-step with
other states. These unnecessary requirements will hurt our economic
competitiveness without providing commensurate benefit to Illinois consumers
and residents whom the bill is intending to protect.
In particular, the bill would add
“consumer marketing information” and “geolocation information” to the types of
protected personal information. This is significant departure from the data
protection laws of other states. Compared to other types of personal
information, the unauthorized release of consumer marketing and geolocation
information does not pose the same risk of identity theft that justifies the
extraordinary and costly security and notice requirements imposed by the Personal
Information Protection Act.
The bill requires that notices be given
to the Attorney General within 30 business days after the breach is discovered.
While many states do not impose a specific requirement of this type, those that
do more often require notice within 45 calendar days (which is approximately
the same as 30 business days). To ease the burden of compliance across multiple
states, I recommend that the notice be required within 45 calendar days instead
of 30 business days.
The bill would also require the operator
requires this, most large businesses already comply with this requirement.
Layering on an Illinois-specific requirement will only increase the cost of
compliance without adding value to consumers. Moreover, for those small
businesses that are not required to comply with the California law, this is a
burdensome and costly mandate, particularly because no other state has imposed
a similar requirement.
The changes recommended below would
address these and related concerns. While I commend the sponsors for their
efforts to protect consumers, Illinois does not need regulation that makes it
even more difficult to do business. Illinois is suffering from the consequences
of over-regulation. We need to break the cycle of taxation and regulation that
has created a hostile economic environment in order to grow our economy, create
new jobs, and generate more tax revenue through economic expansion.
Therefore, pursuant to Section 9(e) of
Article IV of the Illinois Constitution of 1970, I hereby return Senate Bill
1833, entitled “AN ACT concerning business”, with the following specific
recommendations for change:
On page 2, by deleting lines 2 through 17; and
On page 2, line 21, by replacing “information” with “medical
On page 3, line 1, by replacing “health” with “such”; and
On page 3, by replacing line 23 with “characteristics used by the
owner or licensee to authenticate an”; and
On page 4, by deleting lines 1 through 7; and
On page 4, by replacing lines 23 and 24 with “information concerning an
Illinois resident shall”; and
On page 5, by replacing lines 11 and 12 with “information”:”;
On page 9, line 2, by replacing “30 business days” with “45
On page 9, by replacing lines 16 through 26 with “(2) (Blank).”;
On page 10, by deleting lines 1 through 24; and
On page 11, by replacing lines 3 and 4 with “(a) Any State agency that
collects personal information”; and
On page 14, line 19, by replacing “30 business days” with “45
On page 16, by replacing lines 10 through 25 with the following:
“(815 ILCS 530/50 new)
Sec. 50. (Blank).”; and
By deleting pages 17 and 18; and
On page 19, by deleting lines 1 through 20.
With these changes, Senate Bill 1833
will have my approval. I respectfully request your concurrence.