Illinois Cyber Resources
Online Access & Protections for Children:
Illinois Legislative Proposals
The "Illinois Age-Appropriate Design Code Act" is a legislative proposal addressing online services, products, or features that are likely to be accessed by children. It was initially proposed in 2023 Senate Bill 1126, Senate Amendment No. 1, and reintroduced in 2024 as Senate Bill 3334:
I. Requirements for Businesses:
Before offering any new online services, products, or features to the public, businesses must complete a data protection impact assessment for those likely to be accessed by children and maintain documentation of this assessment.
Businesses must document any risk to children from their data management practices and create a plan to mitigate or eliminate the risk.
The Attorney General can request a list of all data protection impact assessments the business has completed.
Businesses must estimate the age of child users with a reasonable level of certainty or apply the privacy and data protections afforded to children to all consumers.
Default privacy settings provided to children should offer a high level of privacy.
Privacy information, terms of service, policies, and community standards should be presented clearly and suited to the age of children likely to access the service.
II. Prohibited Actions for Businesses:
Businesses should not use the personal information of any child in a way that is detrimental to their physical or mental health.
They should not profile a child by default unless certain criteria are met.
They cannot collect, sell, share, or retain any personal information that is not necessary for the service, product, or feature.
Businesses cannot use "dark patterns" to lead or encourage children to provide personal information or to bypass privacy protections.
III. Key Definitions:
Child/Children: Refers to consumers under 18 years of age.
Data Protection Impact Assessment: A systematic survey to assess and mitigate risks from the data management practices of businesses to children likely to access the online service, product, or feature.
Default: A preselected option adopted by the business for the online service, product, or feature.
Likely to be accessed by children: Determined by various indicators, such as being directed to children as defined by the Children's Online Privacy Protection Act, having design elements of interest to children, and more.
Online service, product, or feature: Excludes broadband internet access service, telecommunications service, and the delivery or use of a physical product.
Profiling: Automated processing of personal information to evaluate certain aspects relating to a natural person.
IV. Violations and Civil Penalties:
Businesses that violate this Act are subject to an injunction and civil penalties. The penalty is up to $2,500 per affected child for each negligent violation or up to $7,500 per affected child for each intentional violation.
If a business is in substantial compliance with certain requirements, the Attorney General must provide written notice to the business before initiating an action. If the business cures the violation within 90 days and provides a written statement, it won't be liable for a civil penalty for the cured violation.
Penalties, fees, and expenses recovered will be deposited into the General Revenue Fund.
The Act doesn't serve as a basis for a private right of action.
The Attorney General can adopt regulations to clarify the Act's requirements.
V. Children's Data Protection Working Group:
The Act establishes a "Children's Data Protection Working Group" to deliver a report to the General Assembly regarding best practices for the implementation of this Act.
Members: The group will consist of residents of Illinois with expertise in areas like children's data privacy, physical health, mental health and well-being, computer science, and children's rights.
Duties: The group will take input from various stakeholders and make recommendations on identifying online services accessed by children, evaluating children's best interests, ensuring age assurance methods, assessing risks, and publishing privacy information in clear language.
Reporting: The group will submit a report to the General Assembly by January 1, 2024, and every 2 years through 2028.
Litigation & 2024 Legislation Regarding Harm to Youth
In addition to legislation, litigation by the Illinois Attorney General in conjunction with 41 other states seeks to address social media harms to youth, harms that the Illinois Age-Appropriate Design Code Act legislation at least partly targets. In summary, the Illinois Attorney General and other states "allege that Meta’s business model, which seeks to capture as much user time and attention as possible to sell advertising, has targeted youth, including teenagers and even younger children, in ways that take advantage of them," see Illinois Attorney General Press Release, with linked lawsuit complaint; see also CNBC - October 24, 2023.
Illinois Biometric Information Privacy Act:
A Tale of Diverse Interests and Opposing Views
The Illinois Biometric Information Privacy Act (BIPA) has become a centerpiece of legal debates surrounding privacy rights in the digital era. The Act, widely hailed as one of the strictest laws of its kind in the United States, places substantial requirements on businesses that collect, use, and store individuals' biometric data, such as fingerprints, face scans, and iris scans. However, as interpretations and applications of the Act continue to evolve, it has attracted a range of views from differing interest groups.
On one side of the divide, civil liberties advocates, including the American Civil Liberties Union (ACLU) of Illinois, laud BIPA's robust privacy protections. On the other side, business groups argue that the Act's strict measures stifle innovation and expose companies to potentially crippling lawsuits. Amid these competing perspectives, Illinois Senate Democrats and other legislative groups have become key players, navigating the challenging task of balancing privacy rights and economic interests.
Privacy Advocates' Perspective
For privacy rights advocates, BIPA sets a commendable precedent for the protection of individual rights in an age where biometric technology is increasingly pervasive. The ACLU of Illinois, a prominent supporter of BIPA, highlights the law's unique focus on informed consent and transparency. According to the organization, BIPA is currently the only law in the U.S. that grants individuals the right to sue companies for damages if they collect, use, or store their biometric information without explicit consent.
From the ACLU's standpoint, this provision plays a critical role in deterring potential privacy violations and holding corporations accountable. Moreover, the ACLU underscores the significance of BIPA for marginalized groups, such as women and people of color. These demographics are often disproportionately affected by invasive biometric technology due to societal biases that can be embedded within these technologies.
Indeed, privacy advocates' support for BIPA is predicated on the belief that the law acts as a potent safeguard against the non-consensual use of personal data. It provides a framework for ensuring that technological advancements do not override individual privacy rights.
Business Groups' Concerns
Contrarily, business groups, such as the Illinois Manufacturers Association and Chicagoland Chamber of Commerce, express deep concern about BIPA's stringent requirements and their potential implications for companies. They argue that while the intention behind BIPA – to protect individuals' privacy – is noble, the implementation leaves much to be desired.
According to these groups, the current law has led to a surge in "no-injury" lawsuits, where plaintiffs allege technical non-compliance with BIPA, even in the absence of actual harm or data misuse. These lawsuits expose businesses to significant legal and financial risks, potentially reaching up to thousands of dollars per employee or customer involved.
Business groups also highlight that BIPA's lack of a "harm threshold" has implications beyond just the economic. They argue that the wave of litigation dampens the enthusiasm for innovation and investment in Illinois, potentially stifling growth in sectors that rely on biometric technology, such as security, logistics, healthcare, and information technology.
To alleviate these concerns, the business groups have called for reforms to BIPA, including the introduction of a harm threshold requirement, ensuring that businesses can only be sued if their non-compliance with the Act results in actual harm to individuals.
The Legislative Landscape
As these conflicting perspectives indicate, Illinois House and Senate Democrats face the daunting task of adjudicating between the needs of privacy-conscious citizens and businesses wary of onerous legal and financial exposure.
A proposed legislative reform suggests limiting BIPA's scope by allowing businesses to collect biometric information if they are required by law or if it is needed for employment-related purposes. This approach indicates a potential shift towards a more business-friendly landscape. However, any such move would undoubtedly face resistance from privacy advocates and their legislative allies, who may argue that such changes could undermine the very principles upon which BIPA was founded, and assert that opening up exceptions might dilute the Act's efficacy and ultimately compromise individual privacy.
Legal Conundrum in Healthcare
Healthcare facilities nationwide are increasingly relying on technology to monitor access to narcotics and medicines, especially amidst the ongoing opioid crisis. Federal and state laws mandate that certain medications, notably controlled substances, be stored in locked cabinets. With technological advancements, these cabinets are now often secured using biometric systems like fingerprint or facial recognition. However, the use of such biometric systems, especially in states like Illinois, Texas, and Washington, can lead to increased liability unless specific steps are taken by the legislature or courts. Of note, the Illinois Supreme Court in November 2023 ruled that use of technology that may otherwise fall under a biometric privacy law is exempt when done for certain purposes covered by federal healthcare privacy law.
The Debate Goes On
The debate surrounding the Illinois Biometric Information Privacy Act underscores the complexity and nuances inherent in modern privacy law. As technological advances continue to push the boundaries of what is possible, the challenge for lawmakers is to strike a delicate balance between protecting individual privacy rights and fostering an environment that allows businesses to innovate and thrive.
While the privacy advocates, business groups, and legislators may not see eye to eye on all aspects of BIPA, their ongoing dialogue shapes the future of privacy law in Illinois and provides crucial insights for other states grappling with similar issues. Regardless of which direction the pendulum swings, efforts are underway for changes during the 2024 legislative session.
In January 2024, amendments to the Illinois Biometric Information Privacy Act (BIPA) were proposed through Senate Bill 2979, which aims to redefine how violations are counted, shifting from accrual per scan or transmission to accrual per initial collection of biometric data. This change is intended to significantly reduce potential damages for violations. Additionally, the amendments propose including "electronic signature" within the definition of "written release," further refining the act's parameters. Based on initial responses in Senate committee and preparations in the House, the legislation appears likely to pass in the spring legislative session.
Illinois Genetic Information Privacy Act:
A Comprehensive Overview
The Illinois Genetic Information Privacy Act (Illinois GIPA) is a pivotal piece of legislation that aims to protect the genetic information of individuals. As genetic testing becomes more prevalent, the need for robust privacy protections has never been more crucial. This article delves into the intricacies of Illinois GIPA, its comparisons with other similar laws, notable litigation, and recent legislative proposals.
Understanding the Illinois GIPA
Illinois GIPA, enacted in 1998, safeguards information about an individual's genetic material. This includes not only the results of genetic tests but also the genetic tests of family members and the manifestation of diseases or disorders in family members. Key provisions of the act include:
Restricting the release of genetic testing information only to the individual tested and those authorized by the individual.
Prohibiting insurers from using genetic information for non-therapeutic purposes.
Employers cannot mandate genetic testing as a condition of employment or use the results to influence employment terms.
Statutory damages of $2,500 per negligent violation and $15,000 for intentional or reckless violations.
Comparison with the Federal Genetic Information Nondiscrimination Act (GINA)
While Illinois GIPA focuses on the state level, GINA is a federal law that prohibits genetic discrimination in health insurance and employment. Both laws share the common goal of protecting individuals from discrimination based on their genetic information. However, GINA has a broader scope, encompassing health insurers and employers nationwide.
Comparison with the California Genetic Information Privacy Act (California GIPA)
Similar to Illinois GIPA, California GIPA aims to protect the genetic information of individuals. However, there are nuances in how each state approaches genetic privacy. For instance, California GIPA has specific provisions related to direct-to-consumer genetic testing companies, emphasizing the need for informed consent before sharing genetic data.
Illinois Litigation Regarding Illinois GIPA
Recent lawsuits highlight the growing importance of genetic privacy. Companies like Ancestry.com, Ford Motor Company, Amazon, and Prudential have faced litigation under Illinois GIPA. Ancestry.com allegedly shared genetic information without individuals' written consent, while Ford and Amazon are accused of inquiring about job applicants' family medical histories, similar to inquiries made of prospective Prudential life insurance policyholders, potentially implicating genetic information.
Proposed Legislative Changes to Illinois GIPA: House Bill 4142
The most recent legislative proposal, House Bill 4142, seeks to amend Illinois GIPA concerning insurance companies. The bill suggests that insurers cannot seek genetic testing information for life insurance policies. However, if an individual voluntarily submits favorable genetic test results, insurers may consider them. This amendment aims to strike a balance between protecting individual privacy and allowing individuals to leverage their genetic information when it's to their advantage.
GIPA & Privacy Implications
As genetic testing becomes more accessible, the potential for misuse of this sensitive information grows. Illinois GIPA, along with other similar laws, serves as a protection against potential privacy infringements. As technology and society evolve, so too will the legal landscape, underscoring the importance of staying informed and proactive in the realm of genetic privacy.
Cybersecurity FAQs
What is cybersecurity?
Cybersecurity refers to the practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access. It encompasses a range of technologies, processes, and practices designed to safeguard digital information.
Why is cybersecurity important?
With the increasing reliance on digital platforms for communication, business, and personal tasks, the potential risks associated with cyber threats have grown. Cybersecurity ensures the protection of sensitive data, prevents unauthorized access, and maintains the integrity and availability of systems.
What are the most common types of cyber threats?
Some common threats include malware (e.g., viruses, worms, ransomware), phishing attacks, denial-of-service (DoS) attacks, man-in-the-middle attacks, and SQL injection.
How can I protect my personal information online?
Use strong, unique passwords for each account, enable two-factor authentication, regularly update software and applications, be cautious of unsolicited emails or links, and avoid sharing personal information on unsecured websites.
What is a VPN and how does it enhance security?
A Virtual Private Network (VPN) creates a secure, encrypted connection between your device and a remote server. This ensures your online activities remain private and protects your data from potential eavesdroppers, especially on public Wi-Fi networks.
How do firewalls contribute to cybersecurity?
Firewalls act as barriers between a trusted internal network and untrusted external networks. They monitor and control incoming and outgoing network traffic based on predetermined security policies, blocking or allowing data packets.
How do I recognize a phishing email?
Phishing emails often have generic greetings, misspellings, urgent or threatening language, and ask for personal information. They may also contain suspicious links or attachments and come from unfamiliar senders.
What is multi-factor authentication (MFA)?
MFA is a security process that requires users to provide multiple forms of identification before gaining access to an account. This could include something you know (password), something you have (a phone or hardware token), or something you are (fingerprint or facial recognition).
What is the difference between cybersecurity and information security?
While both terms are often used interchangeably, cybersecurity focuses specifically on protecting data from cyber threats, whereas information security is a broader term that encompasses the protection of data in any form, whether digital or physical.
Online Privacy FAQs
What is the difference between privacy and security?
While they overlap, privacy relates to the rights and expectations of individuals to keep their information confidential, whereas security refers to the measures and technologies used to protect data from unauthorized access, theft, or damage.
What are cookies, and how do they affect my privacy?
Cookies are small text files stored on your device by websites you visit. They track your online activities, preferences, and login information. While they can enhance user experience by remembering preferences, they can also be used by third parties to track and profile users across different websites.
How can I protect my online privacy?
Use strong, unique passwords, enable two-factor authentication, be cautious about sharing personal information, use a VPN, regularly clear cookies and browsing history, and adjust privacy settings on social media and online accounts.
What is end-to-end encryption?
End-to-end encryption ensures that only the sender and the recipient can read a message. The data is encrypted on the sender's side and only decrypted on the recipient's side, preventing intermediaries, including service providers, from accessing the content.
Why do some online services ask for my location?
Some services, like maps or food delivery apps, require location data to function correctly. However, other apps might collect location data for targeted advertising, analytics, or to sell to third parties.
What is "Do Not Track" (DNT)?
DNT is a browser setting that signals websites, analytics companies, ad networks, and plug-ins not to track your browsing activities. However, it's up to the websites to honor this request, and many do not.
Are incognito or private browsing modes completely private?
Incognito or private modes prevent your browser from storing browsing history, cookies, and form data. However, they don't make you invisible online. Your ISP, employers, or the websites you visit can still track your activities.