On August 27, 2021, Illinois Governor J.B. Pritzker signed into law the Protecting Household Privacy Act (“PHPA”). The law governs how, and under what conditions, Illinois law enforcement agencies may acquire and use data from household electronic devices, commonly referred to as “smart devices” or the “internet of things.” The PHPA will go into effect on January 1, 2022.
The PHPA applies to “household electronic data,” which the statute defines as any information or input provided by a person to any device “primarily intended for use within a household that is capable of facilitating any electronic communication,” excluding personal computing devices (such as personal computers, cell phones, smartphones, or tablets) and digital gateway devices (such as modems, routers, wireless access points, or cable set-top boxes serviced by a cable provider). Section 5. The law imposes several limits on Illinois law enforcement’s acquisition and use of household electronic data:
- Warrant Requirement: The law generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.” Section 10. This prohibition is subject to a set of exceptions, permitting such acquisition if (i) “a law enforcement agency first obtains a warrant;” (ii) the data is needed to “respond to a call for emergency services concerning the user or possessor of a household electronic device;” (iii) there is “an emergency situation;” or (iv) the data is acquired “with [the] lawful consent of the owner of the household electronic device or person in actual or constructive possession of the household electronic device.” Section 15. Notably, the PHPA itself does not impose any obligations on providers, as it states that the Act “shall not be construed to require a person or entity to provide household electronic data to a law enforcement agency.” Section 35. At the same time, compliance would be compulsory to the extent the provider is served with a warrant in accordance with the statute.
- Confidentiality Requirement: The law also requires that any entity disclosing household electronic data “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.” Section 40.
- Limited Data Retention: Finally, the PHPA limits how long law enforcement can retain household electronic data without filing criminal charges if the data was obtained pursuant to a warrant or in an emergency situation. Section 20. The Act requires that such data be destroyed within 60 days unless (1) “there is reasonable suspicion that the information contains evidence of criminal activity;” or (2) “the information is relevant to an ongoing investigation.”