Efforts by a for-profit company to gain access to the confidential tax information of businesses was discussed again this week at a joint subject-matter hearing of the House Cities and Villages and Revenue and Finance committees. IRMA testified in opposition along with the Taxpayers Federation of Illinois, CPA Society, Illinois Department of Revenue (IDOR), and Illinoi State Chamber of Commerce.
Currently, municipalities operating under a signed agreement with IDOR, can obtain from IDOR a list of employers in their jurisdiction with the following information: business name, business address, the amount of sales tax distributed to the municipality from sales at that business as part of the municipalities 1% share of the 6.25% State sales tax; the amount of sales tax distributed to the municipality from sales at that business as the result of any locally imposed sales tax administered by the Department; and a listing of all registered businesses located within the municipality by account ID number and address. The financial information is protected by strict confidentiality agreements imposed by IDOR. This is necessary because tax information is highly sensitive.
Last year, legislation was twice defeated in the Senate that sought to allow municipalities to share this information with third-parties. This year, House Amendment #1 and Amendment #2 to HB 2717 seek to not only allow municipalities to share this information with third-parties but allow the third-parties to access complete financials as well as potentially share the information with other third-parties. Just as it did last year during the testimony of the proponents, it became abundantly clear that the only information they need is the address which is currently available free-of-charge from IDOR. The municipalities can obtain this information from IDOR as often as they would like to receive it and it can be compared to other free resources (e.g. property tax rolls) to ensure the taxes businesses collect and remit are being returned by IDOR to the proper municipality.
It was noted that every professional national tax administrators group condemns the practice of contingency-fee type-audits as they pollute the process. The current practice ensures fairness as an audit process can just as easily come out in favor of the taxpayer as the goal of IDOR is the correct payment of tax. Contingency-fees incent reckless estimates and remove the incentive to find or report items that favor the business (e.g. over-payment, missed credits or deductions). If the concern is that IDOR is not properly administering something, the appropriate response is oversight of IDOR, not to disclose confidential taxpayer information.
IRMA appreciated the opportunity to testify and provide answers to the various committee members.
THE CONSUMER’S RIGHT TO KNOW
After a long session of meetings in both the House and Senate regarding an unnecessarily broad, cumbersome and ultimately, costly bill to require businesses that sell or share “personal information” about consumers to third-parties, SB 1502 Amendment #4 (Sen. Michael Hastings, D-Frankfort) was passed this week. This bill will require any company with an online presence that collects data from consumers, to identity the categories of information collected and provide a description of the customer’s rights if such information is shared or sold to 3rd parties. In addition, the bill requires that companies who share or sell information to third-parties, unless it fits into an exemption, to disclose what information was shared and with whom. The bill sets out 26 categories of personal information.
We should note that “personal information” doesn’t mean that the information is actually “personally identifiable.” These are really two different concepts. Personal information could be a person’s name, or a person’s age or a person’s educational background, etc. There is no requirement that any of the information be tied to an actual person that could be identified. For example, if a retailer shares the ages of purchasers of a certain washing machine with its manufacturer, but it doesn’t share the customer’s names or any other information that could identify that person, that information is considered “personal information” in the bill. Such information would have to be disclosed to the customer, upon customer request, even though the third -party has no idea who the actual customers were that purchased the washing machine. This is unnecessary time, money and resources spent on providing information that does nothing to further data privacy.
This bill presents a major challenge for companies that have various ends of their business that collect and share data. For instance, companies that have their own credit cards, loyalty programs, apps, and/or website may collect and share different kinds of data at different times. Data is also shared in order to conduct surveys with third-party manufacturers of products sold in stores. All of the data is not kept in one neat box to pull from upon customer inquiry. Businesses will have to build out a mechanism to search and find data that has been shared regardless of whether that data can actually be used to identify a person.
SB 1502 is loosely based on the state of California’s “Shine the Light” law which is much more narrowly focused in scope. That law requires disclosure to persons that have an established business relationship if information is shared for direct marketing purposes. SB 1502 has no such qualifiers. In fact, instead of using the definition of personal information as defined by the Personal Information Protection Act (PIPA), which requires that personal information actually be personally identifiable, this bill creates a completely new definition by making any piece of information whether tied to a person or offered in the aggregate “personal.” We would also note that information must be disclosed, even if a person shares the information themselves. For instance, if a person has a LinkedIn account and they post their picture, name, educational background, etc. for the entire LinkedIn universe to see, a company must disclose if they have also shared the same information that can be found by a simple Google search. How can information be considered private if a person has publicly shared it about themselves?
Resources that are much better spent actually protecting information that has been collected will now be diverted to building out software programs to respond to Right to Know requests. Just so readers have an idea of how fired up consumers really are about taking advantage of their right to know, we asked a few large retailers doing business in California to tell us how many people have requested the information in the past year. The first retailer told us that two people had requested the information, and the second retailer told us that three people had requested the information. California has just over 34 million residents.
The bill passed out of the Senate with a vote of 31-21-1. It will now move over to the House for additional consideration.