IL
Illinois House Bill HB5581

Illinois 2023-2024 Regular Session

Illinois House Bill HB5581 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB5581 Introduced , by Rep. Hoan Huynh SYNOPSIS AS INTRODUCED: New Act Creates the Illinois Privacy Rights Act. Defines terms such as "biometric data", "consumer", "controller", "deidentified data", and "processor". Creates a consumer protection of privacy in which, with some exceptions, provides an individual with the right to: (i) confirm whether or not a controller is processing the consumer's personal data and access such personal data; (ii) correct inaccuracies in the consumer's personal data; (iii) delete personal data provided by or obtained about the consumer; (iv) obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format; and, (v) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Defines a consumer as a resident of this State excluding an individual acting in commercial or employment context. Provides that this Act applies to persons that conduct business in this State or persons that produce products or services that are targeted to residents of this State that during a 1-year period: (i) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Provides that the Attorney General has the exclusive authority under this Act to enforce violations of it. Makes a violation of this Act an unfair method of competition or any unfair or deceptive act or practice under the Consumer Fraud and Deceptive Business Practices Act. Prohibits a private cause of action under this Act. Effective January 1, 2025. LRB103 38323 JRC 68458 b A BILL FOR 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB5581 Introduced , by Rep. Hoan Huynh SYNOPSIS AS INTRODUCED: New Act New Act Creates the Illinois Privacy Rights Act. Defines terms such as "biometric data", "consumer", "controller", "deidentified data", and "processor". Creates a consumer protection of privacy in which, with some exceptions, provides an individual with the right to: (i) confirm whether or not a controller is processing the consumer's personal data and access such personal data; (ii) correct inaccuracies in the consumer's personal data; (iii) delete personal data provided by or obtained about the consumer; (iv) obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format; and, (v) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Defines a consumer as a resident of this State excluding an individual acting in commercial or employment context. Provides that this Act applies to persons that conduct business in this State or persons that produce products or services that are targeted to residents of this State that during a 1-year period: (i) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Provides that the Attorney General has the exclusive authority under this Act to enforce violations of it. Makes a violation of this Act an unfair method of competition or any unfair or deceptive act or practice under the Consumer Fraud and Deceptive Business Practices Act. Prohibits a private cause of action under this Act. Effective January 1, 2025. LRB103 38323 JRC 68458 b LRB103 38323 JRC 68458 b A BILL FOR
22 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB5581 Introduced , by Rep. Hoan Huynh SYNOPSIS AS INTRODUCED:
33 New Act New Act
44 New Act
55 Creates the Illinois Privacy Rights Act. Defines terms such as "biometric data", "consumer", "controller", "deidentified data", and "processor". Creates a consumer protection of privacy in which, with some exceptions, provides an individual with the right to: (i) confirm whether or not a controller is processing the consumer's personal data and access such personal data; (ii) correct inaccuracies in the consumer's personal data; (iii) delete personal data provided by or obtained about the consumer; (iv) obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format; and, (v) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Defines a consumer as a resident of this State excluding an individual acting in commercial or employment context. Provides that this Act applies to persons that conduct business in this State or persons that produce products or services that are targeted to residents of this State that during a 1-year period: (i) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Provides that the Attorney General has the exclusive authority under this Act to enforce violations of it. Makes a violation of this Act an unfair method of competition or any unfair or deceptive act or practice under the Consumer Fraud and Deceptive Business Practices Act. Prohibits a private cause of action under this Act. Effective January 1, 2025.
66 LRB103 38323 JRC 68458 b LRB103 38323 JRC 68458 b
77 LRB103 38323 JRC 68458 b
88 A BILL FOR
99 HB5581LRB103 38323 JRC 68458 b HB5581 LRB103 38323 JRC 68458 b
1010 HB5581 LRB103 38323 JRC 68458 b
1111 1 AN ACT concerning civil law.
1212 2 Be it enacted by the People of the State of Illinois,
1313 3 represented in the General Assembly:
1414 4 Section 1. Short title. This Act may be cited as the
1515 5 Illinois Privacy Rights Act.
1616 6 Section 5. Definitions. As used in this Act:
1717 7 (a) "Affiliate" means a legal entity that shares common
1818 8 branding with another legal entity, or is controlled by, or is
1919 9 under common control with, another legal entity.
2020 10 (b) "Control" or "controlled" means ownership of, or the
2121 11 power to vote, more than 50 percent of the outstanding shares
2222 12 of any class of voting security of a company; control in any
2323 13 manner over the election of a majority of the directors or of
2424 14 individuals exercising similar functions; or the power to
2525 15 exercise controlling influence over the management of a
2626 16 company.
2727 17 (c) "Authenticate" means to use reasonable means to
2828 18 determine that a request to exercise any of the rights
2929 19 afforded under paragraphs (1) through (4) of subsection (a) of
3030 20 Section 20 is being made by, or on behalf of, the consumer who
3131 21 is entitled to exercise such consumer rights with respect to
3232 22 the personal data at issue.
3333 23 (d) "Biometric data" means data generated by automatic
3434
3535
3636
3737 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB5581 Introduced , by Rep. Hoan Huynh SYNOPSIS AS INTRODUCED:
3838 New Act New Act
3939 New Act
4040 Creates the Illinois Privacy Rights Act. Defines terms such as "biometric data", "consumer", "controller", "deidentified data", and "processor". Creates a consumer protection of privacy in which, with some exceptions, provides an individual with the right to: (i) confirm whether or not a controller is processing the consumer's personal data and access such personal data; (ii) correct inaccuracies in the consumer's personal data; (iii) delete personal data provided by or obtained about the consumer; (iv) obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format; and, (v) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Defines a consumer as a resident of this State excluding an individual acting in commercial or employment context. Provides that this Act applies to persons that conduct business in this State or persons that produce products or services that are targeted to residents of this State that during a 1-year period: (i) controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25% of their gross revenue from the sale of personal data. Provides that the Attorney General has the exclusive authority under this Act to enforce violations of it. Makes a violation of this Act an unfair method of competition or any unfair or deceptive act or practice under the Consumer Fraud and Deceptive Business Practices Act. Prohibits a private cause of action under this Act. Effective January 1, 2025.
4141 LRB103 38323 JRC 68458 b LRB103 38323 JRC 68458 b
4242 LRB103 38323 JRC 68458 b
4343 A BILL FOR
4444
4545
4646
4747
4848
4949 New Act
5050
5151
5252
5353 LRB103 38323 JRC 68458 b
5454
5555
5656
5757
5858
5959
6060
6161
6262
6363 HB5581 LRB103 38323 JRC 68458 b
6464
6565
6666 HB5581- 2 -LRB103 38323 JRC 68458 b HB5581 - 2 - LRB103 38323 JRC 68458 b
6767 HB5581 - 2 - LRB103 38323 JRC 68458 b
6868 1 measurements of an individual's biological characteristics,
6969 2 such as a fingerprint, a voiceprint, eye retinas, irises or
7070 3 other unique biological patterns, or characteristics that are
7171 4 used to identify a specific individual. "Biometric data" does
7272 5 not include a digital or physical photograph, an audio or
7373 6 video recording, or any data generated from a digital or
7474 7 physical photograph, or an audio or video recording, unless
7575 8 such data is generated to identify a specific individual.
7676 9 (e) "Business associate" has the same meaning as provided
7777 10 in the Health Insurance Portability and Accountability Act
7878 11 (HIPAA).
7979 12 (f) "Child" has the same meaning as provided in the
8080 13 Children's Online Privacy Protection Act (COPPA).
8181 14 (g) "Consent" means a clear affirmative act signifying a
8282 15 consumer's freely given, specific, informed and unambiguous
8383 16 agreement to allow the processing of personal data relating to
8484 17 the consumer. "Consent" may include a written statement,
8585 18 including by electronic means, or any other unambiguous
8686 19 affirmative action. "Consent" does not include acceptance of a
8787 20 general or broad terms of use or similar document that
8888 21 contains descriptions of personal data processing along with
8989 22 other, unrelated information; hovering over, muting, pausing
9090 23 or closing a given piece of content; or an agreement obtained
9191 24 through the use of deceptive design patterns (also known as
9292 25 "dark patterns").
9393 26 (h) "Consumer" means an individual who is a resident of
9494
9595
9696
9797
9898
9999 HB5581 - 2 - LRB103 38323 JRC 68458 b
100100
101101
102102 HB5581- 3 -LRB103 38323 JRC 68458 b HB5581 - 3 - LRB103 38323 JRC 68458 b
103103 HB5581 - 3 - LRB103 38323 JRC 68458 b
104104 1 this State. "Consumer" does not include an individual acting
105105 2 in a commercial or employment context or as an employee,
106106 3 owner, director, officer or contractor of a company,
107107 4 partnership, sole proprietorship, nonprofit or government
108108 5 agency whose communications or transactions with the
109109 6 controller occur solely within the context of that
110110 7 individual's role with the company, partnership, sole
111111 8 proprietorship, nonprofit or government agency.
112112 9 (i) "Controller" means an individual who, or legal entity
113113 10 that, alone or jointly with others determines the purpose and
114114 11 means of processing personal data.
115115 12 (j) "COPPA" means the Children's Online Privacy Protection
116116 13 Act of 1998, 15 U.S.C. 6501 et seq., and any amendments,
117117 14 regulations, rules, guidance and exemptions adopted under that
118118 15 act.
119119 16 (k) "Covered entity" has the same meaning as provided in
120120 17 HIPAA.
121121 18 (l) "Dark pattern" or "deceptive design pattern" means a
122122 19 user interface designed or manipulated with the substantial
123123 20 effect of subverting or impairing user autonomy,
124124 21 decision-making or choice, and includes, but is not limited
125125 22 to, any practice the Federal Trade Commission refers to as a
126126 23 "dark pattern".
127127 24 (m) "Decisions that produce legal or similarly significant
128128 25 effects concerning the consumer" means decisions made by the
129129 26 controller that result in the provision or denial by the
130130
131131
132132
133133
134134
135135 HB5581 - 3 - LRB103 38323 JRC 68458 b
136136
137137
138138 HB5581- 4 -LRB103 38323 JRC 68458 b HB5581 - 4 - LRB103 38323 JRC 68458 b
139139 HB5581 - 4 - LRB103 38323 JRC 68458 b
140140 1 controller of financial or lending services, housing,
141141 2 insurance, education enrollment or opportunity, criminal
142142 3 justice, employment opportunities, health care services or
143143 4 access to essential goods or services.
144144 5 (n) "Deidentified data" means data that cannot reasonably
145145 6 be used to infer information about, or otherwise be linked to,
146146 7 an identified or identifiable individual, or a device linked
147147 8 to such individual, if the controller that possesses such data
148148 9 takes reasonable measures to ensure that such data cannot be
149149 10 associated with an individual; publicly commits to process
150150 11 such data only in a deidentified way and not attempt to
151151 12 reidentify such data; and contractually obligates any
152152 13 recipients of such data to satisfy the criteria under this
153153 14 paragraph.
154154 15 (o) "HIPAA" means the Health Insurance Portability and
155155 16 Accountability Act of 1996, 42 USC 1320d et seq., as amended.
156156 17 (p) "Identified or identifiable individual" means an
157157 18 individual who can be readily identified, directly or
158158 19 indirectly.
159159 20 (q) "Institution of higher education" means any individual
160160 21 who, or school, board, association, limited liability company
161161 22 or corporation that, is licensed or accredited to offer one or
162162 23 more programs of higher learning leading to one or more
163163 24 degrees.
164164 25 (r) "Nonprofit organization" means any organization that
165165 26 is exempt from taxation under Section 501(c)(3), 501(c)(4),
166166
167167
168168
169169
170170
171171 HB5581 - 4 - LRB103 38323 JRC 68458 b
172172
173173
174174 HB5581- 5 -LRB103 38323 JRC 68458 b HB5581 - 5 - LRB103 38323 JRC 68458 b
175175 HB5581 - 5 - LRB103 38323 JRC 68458 b
176176 1 501(c)(6), or 501(c)(12) of the Internal Revenue Code of 1986,
177177 2 or any subsequent corresponding internal revenue code of the
178178 3 United States, as amended.
179179 4 (s) "Personal data" means any information that is linked
180180 5 or reasonably linkable to an identified or identifiable
181181 6 individual. "Personal data" does not include deidentified data
182182 7 or publicly available information.
183183 8 (t) "Precise geolocation data" means information derived
184184 9 from technology, including, but not limited to, global
185185 10 positioning system level latitude and longitude coordinates or
186186 11 other mechanisms, that directly identifies the specific
187187 12 location of an individual with precision and accuracy within a
188188 13 radius of 1,750 feet. "Precise geolocation data" does not
189189 14 include the content of communications or any data generated by
190190 15 or connected to advanced utility metering infrastructure
191191 16 systems or equipment for use by a utility.
192192 17 (u) "Process" or "processing" means any operation or set
193193 18 of operations performed, whether by manual or automated means,
194194 19 on personal data or on sets of personal data, such as the
195195 20 collection, use, storage, disclosure, analysis, deletion or
196196 21 modification of personal data.
197197 22 (v) "Processor" means an individual who, or legal entity
198198 23 that, processes personal data on behalf of a controller.
199199 24 (w) "Profiling" means any form of automated processing
200200 25 performed on personal data to evaluate, analyze, or predict
201201 26 personal aspects related to an identified or identifiable
202202
203203
204204
205205
206206
207207 HB5581 - 5 - LRB103 38323 JRC 68458 b
208208
209209
210210 HB5581- 6 -LRB103 38323 JRC 68458 b HB5581 - 6 - LRB103 38323 JRC 68458 b
211211 HB5581 - 6 - LRB103 38323 JRC 68458 b
212212 1 individual's economic situation, health, personal preferences,
213213 2 interests, reliability, behavior, location, or movements.
214214 3 (x) "Protected health information" has the same meaning as
215215 4 provided in HIPAA.
216216 5 (y) "Pseudonymous data" means personal data that cannot be
217217 6 attributed to a specific individual without the use of
218218 7 additional information, provided such additional information
219219 8 is kept separately and is subject to appropriate technical and
220220 9 organizational measures to ensure that the personal data is
221221 10 not attributed to an identified or identifiable individual.
222222 11 (z) "Publicly available information" means information
223223 12 that is lawfully made available through federal, State,
224224 13 municipal government records, or widely distributed media, and
225225 14 a controller has a reasonable basis to believe a consumer has
226226 15 lawfully made available to the general public.
227227 16 (aa) "Sale of personal data" means the exchange of
228228 17 personal data for monetary or other valuable consideration by
229229 18 the controller to a third party. "Sale of personal data" does
230230 19 not include:
231231 20 (1) The disclosure of personal data to a processor
232232 21 that processes the personal data on behalf of the
233233 22 controller;
234234 23 (2) The disclosure of personal data to a third party
235235 24 for purposes of providing a product or service requested
236236 25 by the consumer;
237237 26 (3) The disclosure or transfer of personal data to an
238238
239239
240240
241241
242242
243243 HB5581 - 6 - LRB103 38323 JRC 68458 b
244244
245245
246246 HB5581- 7 -LRB103 38323 JRC 68458 b HB5581 - 7 - LRB103 38323 JRC 68458 b
247247 HB5581 - 7 - LRB103 38323 JRC 68458 b
248248 1 affiliate of the controller;
249249 2 (4) The disclosure of personal data where the consumer
250250 3 directs the controller to disclose the personal data or
251251 4 intentionally uses the controller to interact with a third
252252 5 party;
253253 6 (5) The disclosure of personal data that the consumer
254254 7 intentionally made available to the general public via a
255255 8 channel of mass media, and did not restrict to a specific
256256 9 audience; or
257257 10 (6) The disclosure or transfer of personal data to a
258258 11 third party as an asset that is part of a merger,
259259 12 acquisition, bankruptcy or other transaction, or a
260260 13 proposed merger, acquisition, bankruptcy or other
261261 14 transaction, in which the third party assumes control of
262262 15 all or part of the controller's assets.
263263 16 (bb) "Sensitive data" means personal data that includes
264264 17 data revealing racial or ethnic origin, religious beliefs,
265265 18 mental or physical health condition or diagnosis, sex life,
266266 19 sexual orientation or citizenship or immigration status; the
267267 20 processing of genetic or biometric data for the purpose of
268268 21 uniquely identifying an individual; personal data collected
269269 22 from a known child; or precise geolocation data.
270270 23 (cc) "Targeted advertising" means displaying
271271 24 advertisements to a consumer where the advertisement is
272272 25 selected based on personal data obtained or inferred from that
273273 26 consumer's activities over time and across nonaffiliated
274274
275275
276276
277277
278278
279279 HB5581 - 7 - LRB103 38323 JRC 68458 b
280280
281281
282282 HB5581- 8 -LRB103 38323 JRC 68458 b HB5581 - 8 - LRB103 38323 JRC 68458 b
283283 HB5581 - 8 - LRB103 38323 JRC 68458 b
284284 1 Internet websites or online applications to predict such
285285 2 consumer's preferences or interests. "Targeted advertising"
286286 3 does not include:
287287 4 (1) Advertisements based on activities within a
288288 5 controller's own Internet websites or online applications;
289289 6 (2) Advertisements based on the context of a
290290 7 consumer's current search query, visit to an Internet
291291 8 website, or online application;
292292 9 (3) Advertisements directed to a consumer in response
293293 10 to the consumer's request for information or feedback; or
294294 11 (4) Processing personal data solely to measure or
295295 12 report advertising frequency, performance, or reach.
296296 13 (dd) "Third party" means an individual or legal entity,
297297 14 such as a public authority, agency or body, other than the
298298 15 consumer, controller or processor or an affiliate of the
299299 16 processor or the controller.
300300 17 Section 10. Application. This Act applies to persons that
301301 18 conduct business in this State or persons that produce
302302 19 products or services that are targeted to residents of this
303303 20 State that during a one-year period:
304304 21 (a) Controlled or processed the personal data of not
305305 22 less than 35,000 unique consumers, excluding personal data
306306 23 controlled or processed solely for the purpose of
307307 24 completing a payment transaction; or
308308 25 (b) Controlled or processed the personal data of not
309309
310310
311311
312312
313313
314314 HB5581 - 8 - LRB103 38323 JRC 68458 b
315315
316316
317317 HB5581- 9 -LRB103 38323 JRC 68458 b HB5581 - 9 - LRB103 38323 JRC 68458 b
318318 HB5581 - 9 - LRB103 38323 JRC 68458 b
319319 1 less than 10,000 unique consumers and derived more than 25
320320 2 percent of their gross revenue from the sale of personal
321321 3 data.
322322 4 Section 15. Exclusions.
323323 5 (a) This Act does not apply to any:
324324 6 (1) Body, authority, board, bureau, commission,
325325 7 district or agency of this State or any political
326326 8 subdivision of this State;
327327 9 (2) Nonprofit organization;
328328 10 (3) Institution of higher education;
329329 11 (4) National securities association that is registered
330330 12 under 15 U.S.C. 78o-3 of the Security Exchange Act of
331331 13 1934, as amended;
332332 14 (5) Financial institution or data subject to Title V
333333 15 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.; or
334334 16 (6) A covered entity or business associate, as defined
335335 17 in 45 CFR 160.103(b).
336336 18 (b) The following information and data shall be exempt
337337 19 from this Act:
338338 20 (1) Protected health information under HIPAA;
339339 21 (2) Patient-identifying information for purposes of 42
340340 22 U.S.C. 290dd-2;
341341 23 (3) Identifiable private information for purposes of
342342 24 the federal policy for the protection of human subjects
343343 25 under 45 CFR 46;
344344
345345
346346
347347
348348
349349 HB5581 - 9 - LRB103 38323 JRC 68458 b
350350
351351
352352 HB5581- 10 -LRB103 38323 JRC 68458 b HB5581 - 10 - LRB103 38323 JRC 68458 b
353353 HB5581 - 10 - LRB103 38323 JRC 68458 b
354354 1 (4) Identifiable private information that is otherwise
355355 2 information collected as part of human subjects research
356356 3 pursuant to the good clinical practice guidelines issued
357357 4 by the International Council for Harmonization of
358358 5 Technical Requirements for Pharmaceuticals for Human Use;
359359 6 (5) The protection of human subjects under 21 CFR
360360 7 Parts 6, 50, and 56, or personal data used or shared in
361361 8 research, as defined in 45 CFR 164.501, that is conducted
362362 9 in accordance with the standards set forth in this Act, or
363363 10 other research conducted in accordance with applicable
364364 11 law;
365365 12 (6) Information and documents created for purposes of
366366 13 the Health Care Quality Improvement Act of 1986, 42 U.S.C.
367367 14 11101 et seq.;
368368 15 (7) Patient safety work product for purposes of the
369369 16 Patient Safety and Quality Improvement Act, 42 U.S.C.
370370 17 299b-21 et seq., as amended;
371371 18 (8) Information derived from any of the health care
372372 19 related information listed in this subsection that is
373373 20 deidentified in accordance with the requirements for
374374 21 de-identification pursuant to HIPAA;
375375 22 (9) Information originating from and intermingled to
376376 23 be indistinguishable with, or information treated in the
377377 24 same manner as, information exempt under this Section that
378378 25 is maintained by a covered entity or business associate,
379379 26 program or qualified service organization, as specified in
380380
381381
382382
383383
384384
385385 HB5581 - 10 - LRB103 38323 JRC 68458 b
386386
387387
388388 HB5581- 11 -LRB103 38323 JRC 68458 b HB5581 - 11 - LRB103 38323 JRC 68458 b
389389 HB5581 - 11 - LRB103 38323 JRC 68458 b
390390 1 42 U.S.C. 290dd-2, as amended;
391391 2 (10) Information used for public health activities and
392392 3 purposes as authorized by HIPAA, community health
393393 4 activities and population health activities;
394394 5 (11) The collection, maintenance, disclosure, sale,
395395 6 communication or use of any personal information bearing
396396 7 on a consumer's credit worthiness, credit standing, credit
397397 8 capacity, character, general reputation, personal
398398 9 characteristics or mode of living by a consumer reporting
399399 10 agency, furnisher or user that provides information for
400400 11 use in a consumer report, and by a user of a consumer
401401 12 report, but only to the extent that such activity is
402402 13 regulated by and authorized under the Fair Credit
403403 14 Reporting Act, 15 U.S.C. 1681 et seq.;
404404 15 (12) Personal data collected, processed, sold or
405405 16 disclosed in compliance with the Driver's Privacy
406406 17 Protection Act of 1994, 18 U.S.C. 2721 et seq., as
407407 18 amended;
408408 19 (13) Personal data regulated by the Family Educational
409409 20 Rights and Privacy Act, 20 U.S.C. 1232g et seq., as
410410 21 amended;
411411 22 (14) Personal data collected, processed, sold or
412412 23 disclosed in compliance with the Farm Credit Act, 12
413413 24 U.S.C. 2001 et seq., as amended;
414414 25 (15) Data processed or maintained in the course of an
415415 26 individual applying to, employed by or acting as an agent
416416
417417
418418
419419
420420
421421 HB5581 - 11 - LRB103 38323 JRC 68458 b
422422
423423
424424 HB5581- 12 -LRB103 38323 JRC 68458 b HB5581 - 12 - LRB103 38323 JRC 68458 b
425425 HB5581 - 12 - LRB103 38323 JRC 68458 b
426426 1 or independent contractor of a controller, processor or
427427 2 third party, to the extent that the data is collected and
428428 3 used within the context of that role; as the emergency
429429 4 contact information of an individual under this Act used
430430 5 for emergency contact purposes; or that is necessary to
431431 6 retain to administer benefits for another individual
432432 7 relating to the individual who is the subject of the
433433 8 information under HIPAA and used for the purposes of
434434 9 administering such benefits;
435435 10 (16) Personal data collected, processed, sold or
436436 11 disclosed in relation to price, route or service, as such
437437 12 terms are used in the Airline Deregulation Act, 49 U.S.C.
438438 13 40101 et seq., as amended, by an air carrier subject to the
439439 14 act, to the extent this Act is preempted by the Airline
440440 15 Deregulation Act, 49 U.S.C. 41713, as amended;
441441 16 (17) Personal information maintained or used for
442442 17 purposes of compliance with the regulation of listed
443443 18 chemicals under the federal Controlled Substances Act, 21
444444 19 U.S.C. 830; and
445445 20 (18) Information included in a limited data set as
446446 21 described at 45 CFR 164.514(e), to the extent that the
447447 22 information is used, disclosed, and maintained in the
448448 23 manner specified at 45 CFR 164.514(e).
449449 24 (c) Controllers and processors that comply with the
450450 25 verifiable parental consent requirements of COPPA shall be
451451 26 compliant with any obligation to obtain parental consent
452452
453453
454454
455455
456456
457457 HB5581 - 12 - LRB103 38323 JRC 68458 b
458458
459459
460460 HB5581- 13 -LRB103 38323 JRC 68458 b HB5581 - 13 - LRB103 38323 JRC 68458 b
461461 HB5581 - 13 - LRB103 38323 JRC 68458 b
462462 1 pursuant to this Act.
463463 2 Section 20. Consumer expectation of privacy.
464464 3 (a) A consumer has the right to:
465465 4 (1) Confirm whether or not a controller is processing
466466 5 the consumer's personal data and access such personal
467467 6 data, unless such confirmation or access would require the
468468 7 controller to reveal a trade secret;
469469 8 (2) Correct inaccuracies in the consumer's personal
470470 9 data, taking into account the nature of the personal data
471471 10 and the purposes of the processing of the consumer's
472472 11 personal data;
473473 12 (3) Delete personal data provided by, or obtained
474474 13 about, the consumer;
475475 14 (4) Obtain a copy of the consumer's personal data
476476 15 processed by the controller, in a portable and, to the
477477 16 extent technically feasible, readily usable format that
478478 17 allows the consumer to transmit the data to another
479479 18 controller without hindrance, where the processing is
480480 19 carried out by automated means, provided such controller
481481 20 shall not be required to reveal any trade secret; and
482482 21 (5) Opt out of the processing of the personal data for
483483 22 purposes of targeted advertising, the sale of personal
484484 23 data, except as provided in Section 30, or profiling in
485485 24 furtherance of solely automated decisions that produce
486486 25 legal or similarly significant effects concerning the
487487
488488
489489
490490
491491
492492 HB5581 - 13 - LRB103 38323 JRC 68458 b
493493
494494
495495 HB5581- 14 -LRB103 38323 JRC 68458 b HB5581 - 14 - LRB103 38323 JRC 68458 b
496496 HB5581 - 14 - LRB103 38323 JRC 68458 b
497497 1 consumer.
498498 2 (b) A consumer may exercise rights under this Section by a
499499 3 secure and reliable means established by the Secretary of
500500 4 State and described to the consumer in the controller's
501501 5 privacy notice. A consumer may designate an authorized agent
502502 6 in accordance with Section 25 to exercise the rights of such
503503 7 consumer to opt out of the processing of such consumer's
504504 8 personal data for purposes of paragraph (5) of subsection (a)
505505 9 on behalf of the consumer. In the case of processing personal
506506 10 data of a known child, the parent or legal guardian may
507507 11 exercise such consumer rights on the child's behalf. In the
508508 12 case of processing personal data concerning a consumer subject
509509 13 to a guardianship, conservatorship, or other protective
510510 14 arrangement, the guardian or the conservator of the consumer
511511 15 may exercise such rights on the consumer's behalf.
512512 16 (c) Except as otherwise provided in this Act, a controller
513513 17 shall comply with a request by a consumer to exercise the
514514 18 consumer rights authorized pursuant to this Act as follows:
515515 19 (1) A controller shall respond to the consumer without
516516 20 undue delay, but not later than 45 days after receipt of
517517 21 the request. The controller may extend the response period
518518 22 by 45 additional days when reasonably necessary,
519519 23 considering the complexity and number of the consumer's
520520 24 requests, provided the controller informs the consumer of
521521 25 any such extension within the initial 45-day response
522522 26 period and of the reason for the extension.
523523
524524
525525
526526
527527
528528 HB5581 - 14 - LRB103 38323 JRC 68458 b
529529
530530
531531 HB5581- 15 -LRB103 38323 JRC 68458 b HB5581 - 15 - LRB103 38323 JRC 68458 b
532532 HB5581 - 15 - LRB103 38323 JRC 68458 b
533533 1 (2) If a controller declines to take action regarding
534534 2 the consumer's request, the controller shall inform the
535535 3 consumer without undue delay, but not later than 45 days
536536 4 after receipt of the request, of the justification for
537537 5 declining to take action and instructions for how to
538538 6 appeal the decision.
539539 7 (3) Information provided in response to a consumer
540540 8 request shall be provided by a controller, free of charge,
541541 9 once per consumer during any 12-month period. If requests
542542 10 from a consumer are manifestly unfounded, excessive or
543543 11 repetitive, the controller may charge the consumer a
544544 12 reasonable fee to cover the administrative costs of
545545 13 complying with the request or decline to act on the
546546 14 request. The controller bears the burden of demonstrating
547547 15 the manifestly unfounded, excessive or repetitive nature
548548 16 of the request.
549549 17 (4) If a controller is unable to authenticate a
550550 18 request to exercise any of the rights afforded under
551551 19 paragraphs (1) through (4) of subsection (a) using
552552 20 commercially reasonable efforts, the controller shall not
553553 21 be required to comply with a request to initiate an action
554554 22 pursuant to this Section and shall provide notice to the
555555 23 consumer that the controller is unable to authenticate the
556556 24 request to exercise such right or rights until such
557557 25 consumer provides additional information reasonably
558558 26 necessary to authenticate such consumer and such
559559
560560
561561
562562
563563
564564 HB5581 - 15 - LRB103 38323 JRC 68458 b
565565
566566
567567 HB5581- 16 -LRB103 38323 JRC 68458 b HB5581 - 16 - LRB103 38323 JRC 68458 b
568568 HB5581 - 16 - LRB103 38323 JRC 68458 b
569569 1 consumer's request to exercise such right or rights. A
570570 2 controller shall not be required to authenticate an
571571 3 opt-out request, but a controller may deny an opt-out
572572 4 request if the controller has a good faith, reasonable and
573573 5 documented belief that such request is fraudulent. If a
574574 6 controller denies an opt-out request because the
575575 7 controller believes such request is fraudulent, the
576576 8 controller shall send a notice to the person who made such
577577 9 request disclosing that such controller believes such
578578 10 request is fraudulent, why such controller believes such
579579 11 request is fraudulent and that such controller shall not
580580 12 comply with such request.
581581 13 (5) A controller that has obtained personal data about
582582 14 a consumer from a source other than the consumer shall be
583583 15 deemed in compliance with a consumer's request to delete
584584 16 such data pursuant to paragraph (3) of subsection (a) by
585585 17 retaining a record of the deletion request and the minimum
586586 18 data necessary for the purpose of ensuring the consumer's
587587 19 personal data remains deleted from the controller's
588588 20 records and not using such retained data for any other
589589 21 purpose pursuant to this Act, or opting the consumer out
590590 22 of the processing of such personal data for any purpose
591591 23 except for those exempted pursuant this Act.
592592 24 (d) A controller shall establish a process for a consumer
593593 25 to appeal the controller's refusal to take action on a request
594594 26 within a reasonable period of time after the consumer's
595595
596596
597597
598598
599599
600600 HB5581 - 16 - LRB103 38323 JRC 68458 b
601601
602602
603603 HB5581- 17 -LRB103 38323 JRC 68458 b HB5581 - 17 - LRB103 38323 JRC 68458 b
604604 HB5581 - 17 - LRB103 38323 JRC 68458 b
605605 1 receipt of the decision. The appeal process shall be
606606 2 conspicuously available and similar to the process for
607607 3 submitting requests to initiate action pursuant to this
608608 4 Section. Not later than 60 days after receipt of an appeal, a
609609 5 controller shall inform the consumer in writing of any action
610610 6 taken or not taken in response to the appeal, including a
611611 7 written explanation of the reasons for the decisions. If the
612612 8 appeal is denied, the controller shall also provide the
613613 9 consumer with an online mechanism, if available, or other
614614 10 method through which the consumer may contact the Attorney
615615 11 General to submit a complaint.
616616 12 Section 25. Consumer agents. A consumer may designate
617617 13 another person to serve as the consumer's authorized agent,
618618 14 and act on such consumer's behalf, to opt out of the processing
619619 15 of such consumer's personal data for one or more of the
620620 16 purposes specified in paragraph (5) of subsection (a) of
621621 17 Section 20. The consumer may designate such authorized agent
622622 18 by way of, among other things, a technology, including, but
623623 19 not limited to, an Internet link or a browser setting, browser
624624 20 extension or global device setting, indicating such consumer's
625625 21 intent to opt out of such processing. A controller shall
626626 22 comply with an opt-out request received from an authorized
627627 23 agent if the controller is able to verify, with commercially
628628 24 reasonable effort, the identity of the consumer and the
629629 25 authorized agent's authority to act on such consumer's behalf.
630630
631631
632632
633633
634634
635635 HB5581 - 17 - LRB103 38323 JRC 68458 b
636636
637637
638638 HB5581- 18 -LRB103 38323 JRC 68458 b HB5581 - 18 - LRB103 38323 JRC 68458 b
639639 HB5581 - 18 - LRB103 38323 JRC 68458 b
640640 1 Section 30. Controller responsibilities.
641641 2 (a) A controller shall:
642642 3 (1) Limit the collection of personal data to what is
643643 4 adequate, relevant and reasonably necessary in relation to
644644 5 the purposes for which such data is processed, as
645645 6 disclosed to the consumer;
646646 7 (2) Except as otherwise provided in this Act, not
647647 8 process personal data for purposes that are neither
648648 9 reasonably necessary to, nor compatible with, the
649649 10 disclosed purposes for which such personal data is
650650 11 processed, as disclosed to the consumer, unless the
651651 12 controller obtains the consumer's consent;
652652 13 (3) Establish, implement and maintain reasonable
653653 14 administrative, technical and physical data security
654654 15 practices to protect the confidentiality, integrity and
655655 16 accessibility of personal data appropriate to the volume
656656 17 and nature of the personal data at issue;
657657 18 (4) Not process sensitive data concerning a consumer
658658 19 without obtaining the consumer's consent, or, in the case
659659 20 of the processing of sensitive data concerning a known
660660 21 child, without processing such data in accordance with
661661 22 COPPA;
662662 23 (5) Not process personal data in violation of the laws
663663 24 of this State and federal laws that prohibit unlawful
664664 25 discrimination against consumers;
665665
666666
667667
668668
669669
670670 HB5581 - 18 - LRB103 38323 JRC 68458 b
671671
672672
673673 HB5581- 19 -LRB103 38323 JRC 68458 b HB5581 - 19 - LRB103 38323 JRC 68458 b
674674 HB5581 - 19 - LRB103 38323 JRC 68458 b
675675 1 (6) Provide an effective mechanism for a consumer to
676676 2 revoke the consumer's consent under this Section that is
677677 3 at least as easy as the mechanism by which the consumer
678678 4 provided the consumer's consent and, upon revocation of
679679 5 such consent, cease to process the data as soon as
680680 6 practicable, but not later than 15 days after the receipt
681681 7 of such request; and
682682 8 (7) Not process the personal data of a consumer for
683683 9 purposes of targeted advertising, or sell the consumer's
684684 10 personal data without the consumer's consent, under
685685 11 circumstances where a controller has actual knowledge, and
686686 12 willfully disregards, that the consumer is at least 13
687687 13 years of age but younger than 16 years of age. A controller
688688 14 shall not discriminate against a consumer for exercising
689689 15 any of the consumer rights contained in this Act,
690690 16 including denying goods or services, charging different
691691 17 prices or rates for goods or services or providing a
692692 18 different level of quality of goods or services to the
693693 19 consumer.
694694 20 (b) Nothing in this Section shall be construed to require
695695 21 a controller to provide a product or service that requires the
696696 22 personal data of a consumer which the controller does not
697697 23 collect or maintain, or prohibit a controller from offering a
698698 24 different price, rate, level, quality or selection of goods or
699699 25 services to a consumer, including offering goods or services
700700 26 for no fee, if the offering is in connection with a consumer's
701701
702702
703703
704704
705705
706706 HB5581 - 19 - LRB103 38323 JRC 68458 b
707707
708708
709709 HB5581- 20 -LRB103 38323 JRC 68458 b HB5581 - 20 - LRB103 38323 JRC 68458 b
710710 HB5581 - 20 - LRB103 38323 JRC 68458 b
711711 1 voluntary participation in a bona fide loyalty, rewards,
712712 2 premium features, discounts or club card program.
713713 3 (c) A controller shall provide consumers with a reasonably
714714 4 accessible, clear and meaningful privacy notice meeting
715715 5 standards established by the Secretary of State that includes:
716716 6 (1) The categories of personal data processed by the
717717 7 controller;
718718 8 (2) The purpose for processing personal data;
719719 9 (3) How consumers may exercise their consumer rights,
720720 10 including how a consumer may appeal a controller's
721721 11 decision with regard to the consumer's request;
722722 12 (4) The categories of personal data that the
723723 13 controller shares with third parties, if any;
724724 14 (5) The categories of third parties, if any, with
725725 15 which the controller shares personal data; and
726726 16 (6) An active electronic mail address or other online
727727 17 mechanism that the consumer may use to contact the
728728 18 controller.
729729 19 (d) If a controller sells personal data to third parties
730730 20 or processes personal data for targeted advertising, the
731731 21 controller shall clearly and conspicuously disclose such
732732 22 processing, as well as the manner in which a consumer may
733733 23 exercise the right to opt out of such processing.
734734 24 (e) A controller shall establish, and shall describe in a
735735 25 privacy notice, consistent with the requirements of the
736736 26 Secretary of State, one or more secure and reliable means for
737737
738738
739739
740740
741741
742742 HB5581 - 20 - LRB103 38323 JRC 68458 b
743743
744744
745745 HB5581- 21 -LRB103 38323 JRC 68458 b HB5581 - 21 - LRB103 38323 JRC 68458 b
746746 HB5581 - 21 - LRB103 38323 JRC 68458 b
747747 1 consumers to submit a request to exercise their consumer
748748 2 rights pursuant to this Act. Such means shall take into
749749 3 account the ways in which consumers normally interact with the
750750 4 controller, the need for secure and reliable communication of
751751 5 such requests and the ability of the controller to verify the
752752 6 identity of the consumer making the request. A controller
753753 7 shall not require a consumer to create a new account in order
754754 8 to exercise consumer rights, but may require a consumer to use
755755 9 an existing account. Any such means shall include:
756756 10 (1) Providing a clear and conspicuous link on the
757757 11 controller's Internet website to an Internet web page that
758758 12 enables a consumer, or an agent of the consumer, to opt out
759759 13 of the targeted advertising or sale of the consumer's
760760 14 personal data; and
761761 15 (2) Not later than January 1, 2025, allowing a
762762 16 consumer to opt out of any processing of the consumer's
763763 17 personal data for the purposes of targeted advertising, or
764764 18 any sale of such personal data, through an opt-out
765765 19 preference signal sent, with such consumer's consent, by a
766766 20 platform, technology or mechanism to the controller,
767767 21 indicating such consumer's intent to opt out of any such
768768 22 processing or sale. Such platform, technology or mechanism
769769 23 shall:
770770 24 (A) Not unfairly disadvantage another controller;
771771 25 (B) Not make use of a default setting, but,
772772 26 rather, require the consumer to make an affirmative,
773773
774774
775775
776776
777777
778778 HB5581 - 21 - LRB103 38323 JRC 68458 b
779779
780780
781781 HB5581- 22 -LRB103 38323 JRC 68458 b HB5581 - 22 - LRB103 38323 JRC 68458 b
782782 HB5581 - 22 - LRB103 38323 JRC 68458 b
783783 1 freely given and unambiguous choice to opt out of any
784784 2 processing of such consumer's personal data pursuant
785785 3 to this Act;
786786 4 (C) Be consumer-friendly and easy to use by the
787787 5 average consumer;
788788 6 (D) Be as consistent as possible with any other
789789 7 similar platform, technology or mechanism required by
790790 8 any federal or State law or regulation; and
791791 9 (E) Enable the controller to accurately determine
792792 10 whether the consumer is a resident of this State and
793793 11 whether the consumer has made a legitimate request to
794794 12 opt out of any sale of such consumer's personal data or
795795 13 targeted advertising.
796796 14 (3) If a consumer's decision to opt out of any
797797 15 processing of the consumer's personal data for the
798798 16 purposes of targeted advertising, or any sale of such
799799 17 personal data, through an opt-out preference signal sent
800800 18 in accordance with this subsection (e) conflicts with the
801801 19 consumer's existing controller-specific privacy setting or
802802 20 voluntary participation in a controller's bona fide
803803 21 loyalty, rewards, premium features, discounts or club card
804804 22 program, the controller shall comply with such consumer's
805805 23 opt-out preference signal but may notify such consumer of
806806 24 such conflict and provide to such consumer the choice to
807807 25 confirm such controller-specific privacy setting or
808808 26 participation in such program.
809809
810810
811811
812812
813813
814814 HB5581 - 22 - LRB103 38323 JRC 68458 b
815815
816816
817817 HB5581- 23 -LRB103 38323 JRC 68458 b HB5581 - 23 - LRB103 38323 JRC 68458 b
818818 HB5581 - 23 - LRB103 38323 JRC 68458 b
819819 1 (e-5) If a controller responds to consumer opt-out
820820 2 requests received pursuant to subsection (e) by informing the
821821 3 consumer of a charge for the use of any product or service, the
822822 4 controller shall present the terms of any financial incentive
823823 5 offered pursuant to this Section for the retention, use, sale
824824 6 or sharing of the consumer's personal data.
825825 7 Section 35. Processor responsibilities.
826826 8 (a) A processor shall adhere to the instructions of a
827827 9 controller and shall assist the controller in meeting the
828828 10 controller's obligations under this Act. Such assistance shall
829829 11 include:
830830 12 (1) Taking into account the nature of processing and
831831 13 the information available to the processor, by appropriate
832832 14 technical and organizational measures, insofar as is
833833 15 reasonably practicable, to fulfill the controller's
834834 16 obligation to respond to consumer rights requests;
835835 17 (2) Taking into account the nature of processing and
836836 18 the information available to the processor, by assisting
837837 19 the controller in meeting the controller's obligations in
838838 20 relation to the security of processing the personal data
839839 21 and in relation to the notification of a breach of
840840 22 security or of the system of the processor, in order to
841841 23 meet the controller's obligations; and
842842 24 (3) Providing necessary information to enable the
843843 25 controller to conduct and document data protection
844844
845845
846846
847847
848848
849849 HB5581 - 23 - LRB103 38323 JRC 68458 b
850850
851851
852852 HB5581- 24 -LRB103 38323 JRC 68458 b HB5581 - 24 - LRB103 38323 JRC 68458 b
853853 HB5581 - 24 - LRB103 38323 JRC 68458 b
854854 1 assessments.
855855 2 (b) A contract between a controller and a processor shall
856856 3 govern the processor's data processing procedures with respect
857857 4 to processing performed on behalf of the controller. The
858858 5 contract shall be binding and clearly set forth instructions
859859 6 for processing data, the nature and purpose of processing, the
860860 7 type of data subject to processing, the duration of processing
861861 8 and the rights and obligations of both parties. The contract
862862 9 shall also require that the processor:
863863 10 (1) Ensure that each person processing personal data
864864 11 is subject to a duty of confidentiality with respect to
865865 12 the data;
866866 13 (2) At the controller's direction, delete or return
867867 14 all personal data to the controller as requested at the
868868 15 end of the provision of services, unless retention of the
869869 16 personal data is required by law;
870870 17 (3) Upon the reasonable request of the controller,
871871 18 make available to the controller all information in its
872872 19 possession necessary to demonstrate the processor's
873873 20 compliance with the obligations in this Act;
874874 21 (4) After providing the controller an opportunity to
875875 22 object, engage any subcontractor pursuant to a written
876876 23 contract that requires the subcontractor to meet the
877877 24 obligations of the processor with respect to the personal
878878 25 data; and
879879 26 (5) Allow, and cooperate with, reasonable assessments
880880
881881
882882
883883
884884
885885 HB5581 - 24 - LRB103 38323 JRC 68458 b
886886
887887
888888 HB5581- 25 -LRB103 38323 JRC 68458 b HB5581 - 25 - LRB103 38323 JRC 68458 b
889889 HB5581 - 25 - LRB103 38323 JRC 68458 b
890890 1 by the controller or the controller's designated assessor,
891891 2 or the processor may arrange for a qualified and
892892 3 independent assessor to conduct an assessment of the
893893 4 processor's policies and technical and organizational
894894 5 measures in support of the obligations under this Act,
895895 6 using an appropriate and accepted control standard or
896896 7 framework and assessment procedure for such assessments.
897897 8 The processor shall provide a report of such assessment to
898898 9 the controller upon request.
899899 10 (c) Nothing in this Section shall be construed to relieve
900900 11 a controller or processor from the liabilities imposed on the
901901 12 controller or processor by virtue of such controller's or
902902 13 processor's role in the processing relationship, as described
903903 14 in this Act.
904904 15 (d) Determining whether a person is acting as a controller
905905 16 or processor with respect to a specific processing of data is a
906906 17 fact-based determination that depends upon the context in
907907 18 which personal data is to be processed. A person who is not
908908 19 limited in such person's processing of personal data pursuant
909909 20 to a controller's instructions, or who fails to adhere to such
910910 21 instructions, is a controller and not a processor with respect
911911 22 to a specific processing of data. A processor that continues
912912 23 to adhere to a controller's instructions with respect to a
913913 24 specific processing of personal data remains a processor. If a
914914 25 processor begins, alone or jointly with others, determining
915915 26 the purposes and means of the processing of personal data, the
916916
917917
918918
919919
920920
921921 HB5581 - 25 - LRB103 38323 JRC 68458 b
922922
923923
924924 HB5581- 26 -LRB103 38323 JRC 68458 b HB5581 - 26 - LRB103 38323 JRC 68458 b
925925 HB5581 - 26 - LRB103 38323 JRC 68458 b
926926 1 processor is a controller with respect to such processing and
927927 2 may be subject to an enforcement action Section 55.
928928 3 Section 40. Heightened risk of harm.
929929 4 (a) A controller shall conduct and document a data
930930 5 protection assessment for each of the controller's processing
931931 6 activities that presents a heightened risk of harm to a
932932 7 consumer. For the purposes of this Section, processing that
933933 8 presents a heightened risk of harm to a consumer includes:
934934 9 (1) The processing of personal data for the purposes
935935 10 of targeted advertising;
936936 11 (2) The sale of personal data;
937937 12 (3) The processing of personal data for the purposes
938938 13 of profiling, where such profiling presents a reasonably
939939 14 foreseeable risk of unfair or deceptive treatment of, or
940940 15 unlawful disparate impact on, consumers, financial,
941941 16 physical or reputational injury to consumers, a physical
942942 17 or other intrusion upon the solitude or seclusion, or the
943943 18 private affairs or concerns, of consumers, where such
944944 19 intrusion would be offensive to a reasonable person, or
945945 20 other substantial injury to consumers; and
946946 21 (4) The processing of sensitive data.
947947 22 (b) Data protection assessments conducted pursuant to
948948 23 subsection (a) shall identify and weigh the benefits that may
949949 24 flow, directly and indirectly, from the processing to the
950950 25 controller, the consumer, other stakeholders and the public
951951
952952
953953
954954
955955
956956 HB5581 - 26 - LRB103 38323 JRC 68458 b
957957
958958
959959 HB5581- 27 -LRB103 38323 JRC 68458 b HB5581 - 27 - LRB103 38323 JRC 68458 b
960960 HB5581 - 27 - LRB103 38323 JRC 68458 b
961961 1 against the potential risks to the rights of the consumer
962962 2 associated with such processing, as mitigated by safeguards
963963 3 that can be employed by the controller to reduce such risks.
964964 4 The controller shall factor into any such data protection
965965 5 assessment the use of deidentified data and the reasonable
966966 6 expectations of consumers, as well as the context of the
967967 7 processing and the relationship between the controller and the
968968 8 consumer whose personal data will be processed.
969969 9 (c) The Attorney General may require that a controller
970970 10 disclose any data protection assessment that is relevant to an
971971 11 investigation conducted by the Attorney General, and the
972972 12 controller shall make the data protection assessment available
973973 13 to the Attorney General. The Attorney General may evaluate the
974974 14 data protection assessment for compliance with the
975975 15 responsibilities set forth in this Act. Data protection
976976 16 assessments shall be confidential and shall be exempt from
977977 17 disclosure under 5 ILCS 120. To the extent any information
978978 18 contained in a data protection assessment disclosed to the
979979 19 Attorney General includes information subject to
980980 20 attorney-client privilege or work product protection, such
981981 21 disclosure shall not constitute a waiver of such privilege or
982982 22 protection.
983983 23 (d) A single data protection assessment may address a
984984 24 comparable set of processing operations that include similar
985985 25 activities.
986986 26 (e) If a controller conducts a data protection assessment
987987
988988
989989
990990
991991
992992 HB5581 - 27 - LRB103 38323 JRC 68458 b
993993
994994
995995 HB5581- 28 -LRB103 38323 JRC 68458 b HB5581 - 28 - LRB103 38323 JRC 68458 b
996996 HB5581 - 28 - LRB103 38323 JRC 68458 b
997997 1 for the purpose of complying with another applicable law or
998998 2 regulation, the data protection assessment shall be deemed to
999999 3 satisfy the requirements established in this Section if such
10001000 4 data protection assessment is reasonably similar in scope and
10011001 5 effect to the data protection assessment that would otherwise
10021002 6 be conducted pursuant to this Section.
10031003 7 (f) Data protection assessment requirements shall apply to
10041004 8 processing activities created or generated after July 1, 2024,
10051005 9 and are not retroactive.
10061006 10 Section 45. Deidentified data.
10071007 11 (a) Any controller in possession of deidentified data
10081008 12 shall:
10091009 13 (1) Take reasonable measures to ensure that the data
10101010 14 cannot be associated with an individual;
10111011 15 (2) Publicly commit to maintaining and using
10121012 16 deidentified data without attempting to reidentify the
10131013 17 data; and
10141014 18 (3) Contractually obligate any recipients of the
10151015 19 deidentified data to comply with all provisions of this
10161016 20 Act.
10171017 21 (b) Nothing in this Act shall be construed to:
10181018 22 (1) Require a controller or processor to reidentify
10191019 23 deidentified data or pseudonymous data; or
10201020 24 (2) Maintain data in identifiable form, or collect,
10211021 25 obtain, retain, or access any data or technology, in order
10221022
10231023
10241024
10251025
10261026
10271027 HB5581 - 28 - LRB103 38323 JRC 68458 b
10281028
10291029
10301030 HB5581- 29 -LRB103 38323 JRC 68458 b HB5581 - 29 - LRB103 38323 JRC 68458 b
10311031 HB5581 - 29 - LRB103 38323 JRC 68458 b
10321032 1 to be capable of associating an authenticated consumer
10331033 2 request with personal data.
10341034 3 (c) Nothing in this Act shall be construed to require a
10351035 4 controller or processor to comply with an authenticated
10361036 5 consumer rights request if the controller:
10371037 6 (1) Is not reasonably capable of associating the
10381038 7 request with the personal data or it would be unreasonably
10391039 8 burdensome for the controller to associate the request
10401040 9 with the personal data;
10411041 10 (2) Does not use the personal data to recognize or
10421042 11 respond to the specific consumer who is the subject of the
10431043 12 personal data, or associate the personal data with other
10441044 13 personal data about the same specific consumer; and
10451045 14 (3) Does not sell the personal data to any third party
10461046 15 or otherwise voluntarily disclose the personal data to any
10471047 16 third party other than a processor, except as otherwise
10481048 17 permitted in this Section.
10491049 18 (d) The rights afforded under paragraphs (1) through (4)
10501050 19 of subsection (a) of Section 20 shall not apply to
10511051 20 pseudonymized data in cases where the controller is able to
10521052 21 demonstrate that any information necessary to identify the
10531053 22 consumer is kept separately and is subject to effective
10541054 23 technical and organizational controls that prevent the
10551055 24 controller from accessing such information.
10561056 25 (e) A controller that discloses pseudonymous data or
10571057 26 deidentified data shall exercise reasonable oversight to
10581058
10591059
10601060
10611061
10621062
10631063 HB5581 - 29 - LRB103 38323 JRC 68458 b
10641064
10651065
10661066 HB5581- 30 -LRB103 38323 JRC 68458 b HB5581 - 30 - LRB103 38323 JRC 68458 b
10671067 HB5581 - 30 - LRB103 38323 JRC 68458 b
10681068 1 monitor compliance with any contractual commitments to which
10691069 2 the pseudonymous data or deidentified data is subject and
10701070 3 shall take appropriate steps to address any breaches of those
10711071 4 contractual commitments.
10721072 5 Section 50. Controller responsibilities and obligations.
10731073 6 (a) Nothing in this Act shall be construed to restrict a
10741074 7 controller's or processor's ability to:
10751075 8 (1) Comply with federal, State or municipal ordinances
10761076 9 or regulations;
10771077 10 (2) Comply with a civil, criminal or regulatory
10781078 11 inquiry, investigation, subpoena or summons by federal,
10791079 12 State, municipal or other governmental authorities;
10801080 13 (3) Cooperate with law enforcement agencies concerning
10811081 14 conduct or activity that the controller or processor
10821082 15 reasonably and in good faith believes may violate federal,
10831083 16 State or municipal ordinances or regulations;
10841084 17 (4) Investigate, establish, exercise, prepare for or
10851085 18 defend legal claims;
10861086 19 (5) Provide a product or service specifically
10871087 20 requested by a consumer;
10881088 21 (6) Perform under a contract to which a consumer is a
10891089 22 party, including fulfilling the terms of a written
10901090 23 warranty;
10911091 24 (7) Take steps at the request of a consumer prior to
10921092 25 entering into a contract;
10931093
10941094
10951095
10961096
10971097
10981098 HB5581 - 30 - LRB103 38323 JRC 68458 b
10991099
11001100
11011101 HB5581- 31 -LRB103 38323 JRC 68458 b HB5581 - 31 - LRB103 38323 JRC 68458 b
11021102 HB5581 - 31 - LRB103 38323 JRC 68458 b
11031103 1 (8) Take immediate steps to protect an interest that
11041104 2 is essential for the life or physical safety of the
11051105 3 consumer or another individual, and where the processing
11061106 4 cannot be manifestly based on another legal basis;
11071107 5 (9) Prevent, detect, protect against or respond to
11081108 6 security incidents, identity theft, fraud, harassment,
11091109 7 malicious or deceptive activities or any illegal activity,
11101110 8 preserve the integrity or security of systems or
11111111 9 investigate, report or prosecute those responsible for any
11121112 10 such action;
11131113 11 (10) Engage in public or peer-reviewed scientific or
11141114 12 statistical research in the public interest that adheres
11151115 13 to all other applicable ethics and privacy laws and is
11161116 14 approved, monitored and governed by an institutional
11171117 15 review board that determines, or similar independent
11181118 16 oversight entities that determine:
11191119 17 (A) Whether the deletion of the information is
11201120 18 likely to provide substantial benefits that do not
11211121 19 exclusively accrue to the controller,
11221122 20 (B) The expected benefits of the research outweigh
11231123 21 the privacy risks, and
11241124 22 (C) Whether the controller has implemented
11251125 23 reasonable safeguards to mitigate privacy risks
11261126 24 associated with research, including any risks
11271127 25 associated with reidentification;
11281128 26 (11) Assist another controller, processor, or third
11291129
11301130
11311131
11321132
11331133
11341134 HB5581 - 31 - LRB103 38323 JRC 68458 b
11351135
11361136
11371137 HB5581- 32 -LRB103 38323 JRC 68458 b HB5581 - 32 - LRB103 38323 JRC 68458 b
11381138 HB5581 - 32 - LRB103 38323 JRC 68458 b
11391139 1 party with any of the obligations under this Act; or
11401140 2 (12) Process personal data for reasons of public
11411141 3 interest in the area of public health, community health or
11421142 4 population health, but solely to the extent that such
11431143 5 processing is:
11441144 6 (A) Subject to suitable and specific measures to
11451145 7 safeguard the rights of the consumer whose personal
11461146 8 data is being processed, and
11471147 9 (B) Under the responsibility of a professional
11481148 10 subject to confidentiality obligations under federal,
11491149 11 State or local law.
11501150 12 (b) The obligations imposed on controllers or processors
11511151 13 under this Act shall not restrict a controller's or
11521152 14 processor's ability to collect, use or retain data for
11531153 15 internal use to:
11541154 16 (1) Conduct internal research to develop, improve or
11551155 17 repair products, services or technology;
11561156 18 (2) Effectuate a product recall;
11571157 19 (3) Identify and repair technical errors that impair
11581158 20 existing or intended functionality; or
11591159 21 (4) Perform internal operations that are reasonably
11601160 22 aligned with the expectations of the consumer or
11611161 23 reasonably anticipated based on the consumer's existing
11621162 24 relationship with the controller, or are otherwise
11631163 25 compatible with processing data in furtherance of the
11641164 26 provision of a product or service specifically requested
11651165
11661166
11671167
11681168
11691169
11701170 HB5581 - 32 - LRB103 38323 JRC 68458 b
11711171
11721172
11731173 HB5581- 33 -LRB103 38323 JRC 68458 b HB5581 - 33 - LRB103 38323 JRC 68458 b
11741174 HB5581 - 33 - LRB103 38323 JRC 68458 b
11751175 1 by a consumer or the performance of a contract to which the
11761176 2 consumer is a party.
11771177 3 (c) The obligations imposed on controllers or processors
11781178 4 under this Act shall not apply where compliance by the
11791179 5 controller or processor with said Sections would violate an
11801180 6 evidentiary privilege under the laws of this State. Nothing in
11811181 7 this Act shall be construed to prevent a controller or
11821182 8 processor from providing personal data concerning a consumer
11831183 9 to a person covered by an evidentiary privilege under the laws
11841184 10 of the State as part of a privileged communication.
11851185 11 (d) A controller or processor that discloses personal data
11861186 12 to a processor or third-party controller in accordance with
11871187 13 this Act shall not be deemed to have violated said Sections if
11881188 14 the processor or third-party controller that receives and
11891189 15 processes such personal data violates said Sections, provided,
11901190 16 at the time the disclosing controller or processor disclosed
11911191 17 such personal data, the disclosing controller or processor did
11921192 18 not have actual knowledge that the receiving processor or
11931193 19 third-party controller would violate said Sections. A
11941194 20 third-party controller or processor receiving personal data
11951195 21 from a controller or processor in compliance with this Act is
11961196 22 likewise not in violation of said Sections for the
11971197 23 transgressions of the controller or processor from which such
11981198 24 third-party controller or processor receives such personal
11991199 25 data.
12001200 26 (e) Nothing in this Act shall be construed to:
12011201
12021202
12031203
12041204
12051205
12061206 HB5581 - 33 - LRB103 38323 JRC 68458 b
12071207
12081208
12091209 HB5581- 34 -LRB103 38323 JRC 68458 b HB5581 - 34 - LRB103 38323 JRC 68458 b
12101210 HB5581 - 34 - LRB103 38323 JRC 68458 b
12111211 1 (1) Impose any obligation on a controller or processor
12121212 2 that adversely affects the rights or freedoms of any
12131213 3 person, including, but not limited to, the rights of any
12141214 4 person to freedom of speech or freedom of the press
12151215 5 guaranteed in the First Amendment to the United States
12161216 6 Constitution; or
12171217 7 (2) Apply to any person's processing of personal data
12181218 8 in the course of such person's purely personal or
12191219 9 household activities.
12201220 10 (f) Personal data processed by a controller pursuant to
12211221 11 this Section may be processed to the extent that such
12221222 12 processing is:
12231223 13 (1) Reasonably necessary and proportionate to the
12241224 14 purposes listed in this Section; and
12251225 15 (2) Adequate, relevant and limited to what is
12261226 16 necessary in relation to the specific purposes listed in
12271227 17 this Section. Personal data collected, used or retained
12281228 18 under paragraph (2) of subsection (a), where applicable,
12291229 19 take into account the nature and purpose or purposes of
12301230 20 such collection, use or retention. Such data shall be
12311231 21 subject to reasonable administrative, technical and
12321232 22 physical measures to protect the confidentiality,
12331233 23 integrity and accessibility of the personal data and to
12341234 24 reduce reasonably foreseeable risks of harm to consumers
12351235 25 relating to such collection, use or retention of personal
12361236 26 data.
12371237
12381238
12391239
12401240
12411241
12421242 HB5581 - 34 - LRB103 38323 JRC 68458 b
12431243
12441244
12451245 HB5581- 35 -LRB103 38323 JRC 68458 b HB5581 - 35 - LRB103 38323 JRC 68458 b
12461246 HB5581 - 35 - LRB103 38323 JRC 68458 b
12471247 1 (g) If a controller processes personal data pursuant to an
12481248 2 exemption in this Section, the controller bears the burden of
12491249 3 demonstrating that such processing qualifies for the exemption
12501250 4 and complies with the requirements in subsection (f).
12511251 5 (h) Processing personal data for the purposes expressly
12521252 6 identified in this Section shall not solely make a legal
12531253 7 entity a controller with respect to such processing.
12541254 8 Section 55. Notice; enforcement.
12551255 9 (a) The Attorney General shall have exclusive authority to
12561256 10 enforce violations under this Act.
12571257 11 (b) During the period beginning January 1, 2025 and ending
12581258 12 December 31, 2025, the Attorney General shall, and following
12591259 13 said period the Attorney General may, prior to initiating any
12601260 14 action for a violation under this Act, issue a notice of
12611261 15 violation to the controller if the Attorney General determines
12621262 16 that a cure is possible. If the controller fails to cure such
12631263 17 violation within 60 days of receipt of the notice of
12641264 18 violation, the Attorney General may bring an action pursuant
12651265 19 to this Section.
12661266 20 (c) Beginning January 1, 2026, in determining whether to
12671267 21 grant a controller or processor the opportunity to cure an
12681268 22 alleged violation described under this Act, the Attorney
12691269 23 General may consider:
12701270 24 (1) The number of violations;
12711271 25 (2) The size and complexity of the controller or
12721272
12731273
12741274
12751275
12761276
12771277 HB5581 - 35 - LRB103 38323 JRC 68458 b
12781278
12791279
12801280 HB5581- 36 -LRB103 38323 JRC 68458 b HB5581 - 36 - LRB103 38323 JRC 68458 b
12811281 HB5581 - 36 - LRB103 38323 JRC 68458 b
12821282 1 processor;
12831283 2 (3) The nature and extent of the controller's or
12841284 3 processor's processing activities;
12851285 4 (4) The substantial likelihood of injury to the
12861286 5 public;
12871287 6 (5) The safety of persons or property; and
12881288 7 (6) Whether such alleged violation was likely caused
12891289 8 by human or technical error.
12901290 9 (d) Nothing in this Act shall be construed as providing
12911291 10 the basis for, or be subject to, a private right of action for
12921292 11 violations under this Act or any other law.
12931293 12 (e) A violation under this Act shall constitute an unfair
12941294 13 method of competition or any unfair or deceptive act or
12951295 14 practice in the conduct of any trade or commerce within this
12961296 15 State under the Consumer Fraud and Deceptive Business
12971297 16 Practices Act and shall be enforced by the Attorney General.
12981298 17 Section 60. Compliance with other law. An individual or
12991299 18 entity covered by this Act and other law regarding third-party
13001300 19 providers of information and services is required to comply
13011301 20 with both laws, provided, however, that to the extent there is
13021302 21 a direct conflict between the 2 laws which precludes
13031303 22 compliance with both statutes, the individual or entity shall
13041304 23 comply with the statute that provides the greater measure of
13051305 24 privacy protection to individuals. For purposes of this
13061306 25 Section, an "opt-in" procedure for an individual to grant
13071307
13081308
13091309
13101310
13111311
13121312 HB5581 - 36 - LRB103 38323 JRC 68458 b
13131313
13141314
13151315 HB5581- 37 -LRB103 38323 JRC 68458 b HB5581 - 37 - LRB103 38323 JRC 68458 b
13161316 HB5581 - 37 - LRB103 38323 JRC 68458 b
13171317 1 consent for the disclosure of personal information shall be
13181318 2 deemed to provide a greater measure of protection of privacy
13191319 3 than the "opt-out" procedure established under this Act.
13201320
13211321
13221322
13231323
13241324
13251325 HB5581 - 37 - LRB103 38323 JRC 68458 b