Can I collect personal information from my customers in California and Illinois? What are the requirements?
Personal Information Collection Requirements in California and Illinois
If you collect personal information from customers in California and Illinois, you must comply with the relevant state laws and regulations.
California
In California, personal information collection is governed by the California Consumer Privacy Act (CCPA) [1.1]. The CCPA requires businesses to provide consumers with notice of the categories of personal information they collect and the purposes for which the information will be used. Businesses must also provide consumers with the right to opt out of the sale of their personal information and the right to request deletion of their personal information [1.1]. Additionally, businesses must provide an annual privacy notice to customers [2.1].
Illinois
In Illinois, personal information collection is governed by the Personal Information Protection Act (PIPA) [3.2]. PIPA requires data collectors to notify Illinois residents if there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system [3.2]. Data collectors that own or license personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure [3.1].
Conclusion
If you collect personal information from customers in California and Illinois, you must comply with the relevant state laws and regulations. In California, businesses must provide consumers with notice of the categories of personal information they collect and the purposes for which the information will be used. Businesses must also provide consumers with the right to opt out of the sale of their personal information and the right to request deletion of their personal information. Additionally, businesses must provide an annual privacy notice to customers. In Illinois, data collectors that own or license personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. PIPA requires data collectors to notify Illinois residents if there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
Source(s):
- [1.1] Principles of Personal Information Management
- [2.1] Annual Privacy Notice to Customers
- [3.1] 815 ILCS 530/45
- [3.2] 815 ILCS 530/10
Jurisdiction
California, Illinois