Illinois at Forefront of Protecting Household Electronic Data
(January 19, 2022) Illinois is the first state limiting law enforcement’s ability to collect household electronic data from doorbell cameras, security cameras, smart appliances, and virtual assistants through a third party.
The Protecting Household Privacy Act (“PHPA”), effective January 1, 2022, marks the second time that Illinois has taken the lead in protecting privacy and data. Illinois was the pioneer in protecting biometric information in 2008 when it enacted the Biometric Information Privacy Act.
The new law addresses the ability of law enforcement to obtain household electronic data from third parties. Normally, there is no right to privacy in data that a person has voluntarily given to a third party (for example, your security monitoring company). The data in question, however, is sensitive personal data within a home, where there is some expectation of privacy that arguably would require a warrant to obtain. The PHPA attempts to codify into law the warrant requirement.
A household electronic device is defined under PHPA as any device primarily intended for use in a household that is “capable of facilitating any electronic communication.” Excluded from the definition are “personal computing devices” such as a personal computer, cell phone, smartphone, tablet, modem, router, and cable set-top box.
PHPA restricts the ability of law enforcement to obtain and use “household electronic data” from a household electronic device. Law enforcement may obtain the data only if:
- the information is gathered pursuant to a warrant;
- the need to gather is in response to an emergency involving a “clear and present danger of imminent death or great bodily harm” from a kidnapping, abduction, or hostage situation;
- the information is necessary and the only potential data available to prevent imminent death or great bodily harm; or
- the owner of the device is in possession of the device and gives permission.
If the information is obtained in an emergency situation, then the law enforcement agency within 72 hours of the commencement of the emergency must seek judicial review of its action. The judge must determine that the court would have granted a search warrant had it been before the court and there was an emergency as defined under PHPA. If the judge cannot make these findings, then the data obtained cannot be used as evidence.
If the law enforcement agency does not file criminal charges within 60 days after obtaining the data, then the data must be destroyed unless there is reasonable suspicion that the information contained evidence of criminal activity or the information is relevant to an ongoing investigation.
The law requires a third party who provides household electronic data to a law enforcement agency to take “reasonable measures to ensure the confidentiality, integrity, and security” of the data during transmission and production of the data to the agency.
The law notes that if some of its provisions overlap the federal Stored Communications Act, the Electronic Communications Privacy Act, or other federal laws or regulations, then “the requirement that establishes the higher standard for law enforcement to obtain information shall govern,” a clear indication that the legislature intended to give household residents protection of their household electronic data.