USA - Illinois
Any other covered data collected, processed, or transferred for the purpose of identifying the types of covered data described above. Extra-territorial application If passed, the DPPA would apply to covered entities that collect, process, or transfer covered data of Illinois residents, regardless of the location of the entity. Legislative Framework Requirements for Data Collection, Processing, or Transfer Should the DPPA pass, it would only allow for the collection, processing, or transfer of covered data to the extent it is reasonably necessary and proportionate to provide a specific product or service requested by the individual. The bill describes specific scenarios in which data collection, processing, or transfer would be legitimate. The DPPA also prohibits a covered entity from transferring covered data without obtaining an individual’s affirmative express consent. Moreover, an individual must have the means to withdraw any affirmative express consent previously provided with respect to the processing or transfer of covered data. Notwithstanding this, a covered entity that directly engages in collection, processing, or transfer activities enumerated in the bill need not allow opt-out mechanisms.
Under the bill, a covered entity may not collect, process, or transfer data in a discriminatory manner. Data storage and retention timelines Covered data must be disposed when it is no longer necessary for the purpose for which it was collected, processed, or transferred, unless an individual has provided affirmative express consent to retention. Such disposal includes permanently destroying or otherwise modifying the data to make it permanently indecipherable. Data protection and security practices and procedures The DPPA would require a covered entity to establish, implement, and maintain reasonable data security practices to protect the covered data against unauthorized access or acquisition. If passed, practices should include: Identifying and assessing material risks and vulnerabilities in security systems; Taking preventative corrective actions to mitigate foreseeable risks; Disposing of covered data when it is no longer necessary for the purpose for which it was collected, processed, or transferred, unless affirmative express consent was obtained for additional retention; Providing employee training to safeguard covered data;
https://www.mcdonaldhopkins.com/
Made with FlippingBook - PDF hosting