On May 31, 2015 the Illinois legislature passed amendments that expanded the Illinois Personal Information Protection Act (“PIPA”). Illinois Senate Bill 1833
The amendments made three significant changes to the existing law. First, the amendments expanded the definition of “personal information” to include medical, health insurance, consumer marketing information, biometrics and geophysical location. The current statute limits “personal information” to social security, driver’s license and financial accounts. Second, any breach involving 250 or more Illinois residents required written notice to the Attorney General within 30 days. The bill laid out the contents of consumer notification letters depending on whether the entity owns or leases the data. Third, the amendments required conspicuous posting of privacy policies, such as linking and text size on the homepage or the first significant page after entering the web site.
But on August 21, Illinois Republican Governor Bruce Rauner executed an amendatory veto, sending the bill back to the Illinois senate. The governor said the bill “went too far” and was a “significant departure” from other state data protection laws including the expanded definition of personal information. Gov. Rauner stated that a 45-day notification period is more reasonable than 30. He indicated that he would re-consider the bill if his changes were adopted.