Quantcast

MADISON - ST. CLAIR RECORD

Thursday, March 28, 2024

Critics say online privacy legislation is pro-trial lawyer; Advocate says tech industry is 'too loose' with personal data

General court 07

shutterstock.com

Internet privacy legislation making its way through Springfield is more in line with the interests of the trial bar than it is with consumer protection, critics say.

But a director at a lobbying group advocating for better online privacy says the legislation is needed because "significant parts of the tech industry have played too loose with personal data for too long."

"We have seen massive data breaches, combined with rampant commercial and government abuse of commercial data collection," said Matthew Erickson, outreach director of Digital Privacy Alliance (DPA) in Chicago.

The DPA supports both bills and was one of several groups asked to comment on the draft legislation, Erickson said. One of DPA's board members is a litigator at the class action firm Edelson PC in Chicago.

Edelson firm founder Jay Edelson, described in an April 4 New York Times article as the "boogeyman" to technology executives because he specializes in privacy violation suits, said in a statement Tuesday that he did not write the bills pending in the Illinois legislature.

He also was quoted in a March 26 New York Times article saying the DPA was needed politically because "once we started winning a lot of cases...they all went on the offensive."

“It’s important because the Trump administration is doing so much to roll back privacy rights, so there is going to be a huge shift to state lawmakers and state attorneys general," Edelson stated in the article.

In the meantime, Erickson says that all the DPA is asking for is "transparency and consent around how data is collected and to where it’s sold."

The Right to Know Act - which would require commercial website operators or services such as Google and Facebook to let its customer know what personal information is shared with third parties - and the Geolocation Privacy Protection proposal - which would require entities to get the express consent of device owners to collect, use, store or disclose their whereabouts - have advanced along party lines in both chambers and separately await further action in each.

Language in both measures explicity state that legal action may be taken against alleged violators.

The Geolocation proposal gives authority to the attorney general to pursue actions under the Consumer Fraud and Deceptive Business Practices Act. It would allow for attorneys' fees and costs and injunctive relief. It would further allow courts to award three times the amount of actual damages assessed.

A provision that allowed for private right of action in the Right to Know Act has been amended to give sole enforcement authority to the state attorney general or a state's attorney's office. The proposal's title also has been amended to the Illinois Right to Know Data Transparency and Privacy Protection Act.

Outspoken critic of the legislation, Illinois Chamber of Commerce president Todd Maisch, said the proposals are attempting to fix problems that don't exist, and further that both are "as thinly veiled as pro-trial lawyer legislation comes."

"There's already an awful lot of federal regulation to protect consumer privacy," he said. "This (set of proposals) is worse than duplication. It creates huge new problems for consumers and for companies to comply with."

All businesses would have to comply, he said, including small operators that would be particularly hard hit.

The Right to Know Act "would require any business with a website — even a local flower shop or pizza parlor — to draft privacy policies longer and more confusing than anything required by existing law and to create new IT systems — at best, a complex and expensive undertaking; at worst, impossible to implement — to respond to consumer requests under threat of liability," Maisch wrote in a recent op-ed.

Internet privacy concerns, he said, belong in the realm of federal policy.

"The notion that all 50 states have privacy statements that are not consistent is problematic," he said.

Maisch said he would be concerned that some law firms would attempt to set up businesses in "gotcha" situations, the way that some have purposely gamed alleged violators of the Americans with Disabilities Act.

"They say they are trying to enforce the law, but really are looking to reach $10,000, $15,000 settlements," he said.

John Pastuovic, president of the Illinois Civil Justice League, said that everyone would likely agree that reasonable guidelines are needed to ensure consumer privacy, but the current proposals in Springfield "are falling in the same old trial lawyer trap of using lawsuits to enforce the new standards."

Pastuovic called it "ironic" that under the proposals, companies could be sued for using consumer information without expressed consent."

"Trial lawyers would likely add those same consumers to their mass tort actions, without having to get their permission," he said.

Pastuovic also said that legislators should keep working until they find a better way to protect consumer data.

"There has got to be a better way" than what is currently being proposed, he said.

As for Illinois Chamber criticism that the legislation could create more ways for consumer information to be stolen from untested databases, Erickson countered that the DPA doesn't feel it will.

"In fact, we feel that consumers' understanding of where their data will be going to, plus the opt-in nature of geolocation data collection required by the Geolocation Privacy Protection Act, will reduce the total amount of data to be leaked," he said. "There are hundreds of methods a service can use to identify their users for compliance purposes that firms are already using for tracking purposes. In fact, for simple cases without dynamically constructing datasets for sale, a service could conceivably use a form letter for response, minimizing the amount of implementation effort or data collected for compliance."

He agreed that federal legislation and regulation would provide the best outcomes for businesses and consumers, but believes that Congress "has no interest in protecting the digital privacy rights of Americans, as evidenced by the recent repeal of FCC regulations concerning how Internet Service Providers handle sensitive personal data about their customers."

He said Illinois is not the only state to "step up" to fill the congressional void.

And he said that if big data groups are so supportive of online privacy remaining under federal law and regulation, "why don't they support Federal privacy legislation and regulation instead of celebrating its removal?"

The Right to Know Act passed in the Senate on May 4. It had a first reading in the House on Tuesday and was referred to Rules.

The Geolocation bill passed in the House on April 27. It had a first reading in the Senate on May 2 and was referred to Assignments.

Travis Akin, executive director of Illinois Lawsuit Abuse Watch, said the state legislature shoud be enacting lawsuit reforms to "put people back to work."

"We cannot add jobs and opportunities if we keep inventing ways to file more lawsuits in Illinois," he said.

More News