Illinois 2023-2024 Regular Session

Illinois Senate Bill SB3334 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3334 Introduced 2/7/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act30 ILCS 105/5.1015 new Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately. LRB103 38209 SPS 68343 b A BILL FOR 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3334 Introduced 2/7/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately. LRB103 38209 SPS 68343 b LRB103 38209 SPS 68343 b A BILL FOR
2	2	103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3334 Introduced 2/7/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
3	3	New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new
4	4	New Act
5	5	30 ILCS 105/5.1015 new
6	6	Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.
7	7	LRB103 38209 SPS 68343 b LRB103 38209 SPS 68343 b
8	8	LRB103 38209 SPS 68343 b
9	9	A BILL FOR
10	10	SB3334LRB103 38209 SPS 68343 b SB3334 LRB103 38209 SPS 68343 b
11	11	SB3334 LRB103 38209 SPS 68343 b
12	12	1 AN ACT concerning business.
13	13	2 Be it enacted by the People of the State of Illinois,
14	14	3 represented in the General Assembly:
15	15	4 Section 1. Short title. This Act may be cited as the
16	16	5 Illinois Age-Appropriate Design Code Act.
17	17	6 Section 5. Intent. It is the intent of the General
18	18	7 Assembly that nothing in this Act shall be construed to
19	19	8 infringe on the existing rights and freedoms of children.
20	20	9 Section 10. Definitions. As used in this Act:
21	21	10 "Affiliate" means a legal entity that controls, is
22	22	11 controlled by, or is under common control with, another legal
23	23	12 entity. For the purposes of this definition, "control" or
24	24	13 "controlled" means: (i) ownership of, or the power to vote,
25	25	14 more than 50% of the outstanding shares of any class of voting
26	26	15 security of a covered entity; (ii) control in any manner over
27	27	16 the election of a majority of the directors or of individuals
28	28	17 exercising similar functions; or (iii) the power to exercise a
29	29	18 controlling influence over the management of a covered entity.
30	30	19 "Age-appropriate" means a recognition of the distinct
31	31	20 needs and diversities of children at different age ranges. In
32	32	21 order to help support the design of online services, products,
33	33	22 and features, covered entities should take into account the
34	34
35	35
36	36
37	37	103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3334 Introduced 2/7/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
38	38	New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new
39	39	New Act
40	40	30 ILCS 105/5.1015 new
41	41	Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.
42	42	LRB103 38209 SPS 68343 b LRB103 38209 SPS 68343 b
43	43	LRB103 38209 SPS 68343 b
44	44	A BILL FOR
45	45
46	46
47	47
48	48
49	49
50	50	New Act
51	51	30 ILCS 105/5.1015 new
52	52
53	53
54	54
55	55	LRB103 38209 SPS 68343 b
56	56
57	57
58	58
59	59
60	60
61	61
62	62
63	63
64	64
65	65	SB3334 LRB103 38209 SPS 68343 b
66	66
67	67
68	68	SB3334- 2 -LRB103 38209 SPS 68343 b SB3334 - 2 - LRB103 38209 SPS 68343 b
69	69	SB3334 - 2 - LRB103 38209 SPS 68343 b
70	70	1 unique needs and diversities of different age ranges,
71	71	2 including the following developmental stages: 0 to 5 years of
72	72	3 age or preliterate and early literacy; 6-9 years of age or core
73	73	4 primary school years; 10 to 12 years of age or transition
74	74	5 years; 13 to 15 years of age or early teens; and 16 to 17 years
75	75	6 or age or approaching adulthood.
76	76	7 "Best interests of children" means the use, by a covered
77	77	8 entity, of the personal data of a child or the design of an
78	78	9 online service, product, or feature in a way that:
79	79	10 (1) will not benefit the covered entity to the
80	80	11 detriment of the child; and
81	81	12 (2) will not result in:
82	82	13 (A) reasonably foreseeable and material physical
83	83	14 or financial harm to the child;
84	84	15 (B) reasonably foreseeable and severe
85	85	16 psychological, or emotional harm to the child;
86	86	17 (C) a highly offensive intrusion on the reasonable
87	87	18 privacy expectations of the child; or
88	88	19 (D) discrimination against the child based upon
89	89	20 race, color, religion, national origin, disability,
90	90	21 sex, or sexual orientation.
91	91	22 "Child" means a consumer who is under 18 years of age.
92	92	23 "Collect" means buying, renting, gathering, obtaining,
93	93	24 receiving, or accessing any personal data pertaining to a
94	94	25 consumer by any means. "Collect" includes receiving data from
95	95	26 the consumer, either actively or passively, or by observing
96	96
97	97
98	98
99	99
100	100
101	101	SB3334 - 2 - LRB103 38209 SPS 68343 b
102	102
103	103
104	104	SB3334- 3 -LRB103 38209 SPS 68343 b SB3334 - 3 - LRB103 38209 SPS 68343 b
105	105	SB3334 - 3 - LRB103 38209 SPS 68343 b
106	106	1 the consumer's behavior.
107	107	2 "Covered entity" means:
108	108	3 (1) a sole proprietorship, partnership, limited
109	109	4 liability company, corporation, association, or other
110	110	5 legal entity that is organized or operated for the profit
111	111	6 or financial benefit of its shareholders or other owners;
112	112	7 and
113	113	8 (2) an affiliate of a covered entity that shares
114	114	9 common branding with the covered entity. For the purposes
115	115	10 of this definition, "common branding" means a shared name,
116	116	11 service mark, or trademark that the average consumer would
117	117	12 understand that 2 or more entities are commonly owned.
118	118	13 For purposes of this Act, for a joint venture or
119	119	14 partnership composed of covered entities in which each covered
120	120	15 entity has at least a 40% interest, the joint venture or
121	121	16 partnership and each covered entity that composes the joint
122	122	17 venture or partnership shall separately be considered a single
123	123	18 covered entity, except that personal data in the possession of
124	124	19 each covered entity and disclosed to the joint venture or
125	125	20 partnership shall not be shared with the other covered entity.
126	126	21 "Consumer" means a natural person who is an Illinois
127	127	22 resident, however identified, including by any unique
128	128	23 identifier.
129	129	24 "Dark pattern" means a user interface designed or
130	130	25 manipulated with the purpose of subverting or impairing user
131	131	26 autonomy, decision making, or choice.
132	132
133	133
134	134
135	135
136	136
137	137	SB3334 - 3 - LRB103 38209 SPS 68343 b
138	138
139	139
140	140	SB3334- 4 -LRB103 38209 SPS 68343 b SB3334 - 4 - LRB103 38209 SPS 68343 b
141	141	SB3334 - 4 - LRB103 38209 SPS 68343 b
142	142	1 "Data protection impact assessment" means a systematic
143	143	2 survey to assess compliance with the duty to act in the best
144	144	3 interests of children and shall include a plan to ensure that
145	145	4 all online products, services, or features provided by the
146	146	5 covered entity are designed and offered in a manner consistent
147	147	6 with the best interests of children reasonably likely to
148	148	7 access the online product, service, or feature and a
149	149	8 description of steps the covered entity has taken and will
150	150	9 take to comply with the duty to act in the best interests of
151	151	10 children.
152	152	11 "Default" means a preselected option adopted by the
153	153	12 covered entity for the online service, product, or feature.
154	154	13 "Deidentified" means data that cannot reasonably be used
155	155	14 to infer information about, or otherwise be linked to, an
156	156	15 identified or identifiable natural person, or a device linked
157	157	16 to such person, provided that the covered entity that
158	158	17 possesses the data:
159	159	18 (1) takes reasonable measures to ensure that the data
160	160	19 cannot be associated with a natural person;
161	161	20 (2) publicly commits to maintain and use the data only
162	162	21 in a deidentified fashion and not attempt to re-identify
163	163	22 the data; and
164	164	23 (3) contractually obligates any recipients of the data
165	165	24 to comply with all provisions of this Act.
166	166	25 "Derived data" means data that is created by the
167	167	26 derivation of information, data, assumptions, correlations,
168	168
169	169
170	170
171	171
172	172
173	173	SB3334 - 4 - LRB103 38209 SPS 68343 b
174	174
175	175
176	176	SB3334- 5 -LRB103 38209 SPS 68343 b SB3334 - 5 - LRB103 38209 SPS 68343 b
177	177	SB3334 - 5 - LRB103 38209 SPS 68343 b
178	178	1 inferences, predictions, or conclusions from facts, evidence,
179	179	2 or another source of information or data about a child or a
180	180	3 child's device.
181	181	4 "Online service, product, or feature" does not mean any of
182	182	5 the following:
183	183	6 (1) telecommunications service, as defined in 47
184	184	7 U.S.C. 153;
185	185	8 (2) a broadband service as defined in the Public
186	186	9 Utilities Act; or
187	187	10 (3) the sale, delivery, or use of a physical product.
188	188	11 "Personal data" means any information, including derived
189	189	12 data, that is linked or reasonably linkable, alone or in
190	190	13 combination with other information, to an identified or
191	191	14 identifiable natural person. "Personal data" does not include
192	192	15 de-identified data or publicly available information. For the
193	193	16 purposes of this definition, "publicly available information"
194	194	17 means information (i) that is lawfully made available from
195	195	18 federal, State, or local government records or widely
196	196	19 distributed media; and (ii) that a controller has a reasonable
197	197	20 basis to believe a consumer has lawfully made available to the
198	198	21 general public.
199	199	22 "Precise geolocation" means any data that is derived from
200	200	23 a device and that is used or intended to be used to locate a
201	201	24 consumer within a geographic area that is equal to or less than
202	202	25 the area of a circle with a radius of 1,850 feet, except as
203	203	26 prescribed by regulations.
204	204
205	205
206	206
207	207
208	208
209	209	SB3334 - 5 - LRB103 38209 SPS 68343 b
210	210
211	211
212	212	SB3334- 6 -LRB103 38209 SPS 68343 b SB3334 - 6 - LRB103 38209 SPS 68343 b
213	213	SB3334 - 6 - LRB103 38209 SPS 68343 b
214	214	1 "Process" or "processing" means to conduct or direct any
215	215	2 operation or set of operations performed, whether by manual or
216	216	3 automated means, on personal data or on sets of personal data,
217	217	4 such as the collection, use, storage, disclosure, analysis,
218	218	5 deletion, modification, or otherwise handling of personal
219	219	6 data.
220	220	7 "Product experimentation results" means the data that
221	221	8 companies collect to understand the experimental impact of
222	222	9 their products.
223	223	10 "Profiling" means any form of automated processing of
224	224	11 personal data to evaluate, analyze, or predict personal
225	225	12 aspects concerning an identified or identifiable natural
226	226	13 person's economic situation, health, personal preferences,
227	227	14 interests, reliability, behavior, location, or movements.
228	228	15 "Profiling" does not include the processing of information
229	229	16 that does not result in an assessment or judgment about a
230	230	17 natural person.
231	231	18 "Reasonably likely to be accessed" means an online
232	232	19 service, product, or feature that is accessed by children
233	233	20 based on any of the following indicators:
234	234	21 (1) the online service, product, or feature is
235	235	22 directed to children, as defined by the Children's Online
236	236	23 Privacy Protection Act, 15 U.S.C. 6501 et seq., and the
237	237	24 Federal Trade Commission rules implementing that Act;
238	238	25 (2) the online service, product, or feature is
239	239	26 determined, based on competent and reliable evidence
240	240
241	241
242	242
243	243
244	244
245	245	SB3334 - 6 - LRB103 38209 SPS 68343 b
246	246
247	247
248	248	SB3334- 7 -LRB103 38209 SPS 68343 b SB3334 - 7 - LRB103 38209 SPS 68343 b
249	249	SB3334 - 7 - LRB103 38209 SPS 68343 b
250	250	1 regarding audience composition, to be routinely accessed
251	251	2 by a significant number of children;
252	252	3 (3) the online service, product, or feature contains
253	253	4 advertisements marketed to children;
254	254	5 (4) the online service, product, or feature is
255	255	6 substantially similar or the same as an online service,
256	256	7 product, or feature subject to paragraph (2) of this
257	257	8 definition;
258	258	9 (5) a significant amount of the audience of the online
259	259	10 service, product, or feature is determined, based on
260	260	11 internal company research, to be children; and
261	261	12 (6) the covered entity knew or should have known that
262	262	13 a significant number of users are children, provided that,
263	263	14 in making this assessment, the covered entity shall not
264	264	15 collect or process any personal data that is not
265	265	16 reasonably necessary to provide an online service,
266	266	17 product, or feature with which a child is actively and
267	267	18 knowingly engaged.
268	268	19 "Sale" or "sell" means the exchange of personal data for
269	269	20 monetary or other valuable consideration by a covered entity
270	270	21 to a third party. "Sale" or "sell" do not include the
271	271	22 following:
272	272	23 (1) the disclosure of personal data to a third party
273	273	24 who processes the personal data on behalf of the covered
274	274	25 entity;
275	275	26 (2) the disclosure of personal data to a third party
276	276
277	277
278	278
279	279
280	280
281	281	SB3334 - 7 - LRB103 38209 SPS 68343 b
282	282
283	283
284	284	SB3334- 8 -LRB103 38209 SPS 68343 b SB3334 - 8 - LRB103 38209 SPS 68343 b
285	285	SB3334 - 8 - LRB103 38209 SPS 68343 b
286	286	1 with whom the consumer has a direct relationship for
287	287	2 purposes of providing a product or service requested by
288	288	3 the consumer;
289	289	4 (3) the disclosure or transfer of personal data to an
290	290	5 affiliate of the covered entity;
291	291	6 (4) the disclosure of data that the consumer
292	292	7 intentionally made available to the general public via a
293	293	8 channel of mass media and did not restrict to a specific
294	294	9 audience; or
295	295	10 (5) the disclosure or transfer of personal data to a
296	296	11 third party as an asset that is part of a completed or
297	297	12 proposed merger, acquisition, bankruptcy, or other
298	298	13 transaction in which the third party assumes control of
299	299	14 all or part of the covered entity's assets.
300	300	15 "Share" means sharing, renting, releasing, disclosing,
301	301	16 disseminating, making available, transferring, or otherwise
302	302	17 communicating orally, in writing, or by electronic or other
303	303	18 means a consumer's personal data by the covered entity to a
304	304	19 third party for cross-context behavioral advertising, whether
305	305	20 or not for monetary or other valuable consideration, including
306	306	21 transactions between a covered entity and a third party for
307	307	22 cross-context behavioral advertising for the benefit of a
308	308	23 covered entity in which no money is exchanged.
309	309	24 "Third party" means a natural or legal person, public
310	310	25 authority, agency, or body other than the consumer or the
311	311	26 covered entity.
312	312
313	313
314	314
315	315
316	316
317	317	SB3334 - 8 - LRB103 38209 SPS 68343 b
318	318
319	319
320	320	SB3334- 9 -LRB103 38209 SPS 68343 b SB3334 - 9 - LRB103 38209 SPS 68343 b
321	321	SB3334 - 9 - LRB103 38209 SPS 68343 b
322	322	1 Section 15. Information fiduciary. All covered entities
323	323	2 that operate in this State and process children's data in any
324	324	3 capacity shall do so in a manner consistent with the best
325	325	4 interests of children.
326	326	5 Section 20. Scope; exclusions.
327	327	6 (a) A covered entity operating in this State is subject to
328	328	7 the requirements of this Act if it:
329	329	8 (1) collects consumers' personal data or has
330	330	9 consumers' personal data collected on its behalf by a
331	331	10 third party;
332	332	11 (2) alone or jointly with others, determines the
333	333	12 purposes and means of the processing of consumers'
334	334	13 personal data; and
335	335	14 (3) satisfies one or more of the following thresholds:
336	336	15 (i) has annual gross revenues in excess of
337	337	16 $25,000,000, as adjusted every odd numbered year to
338	338	17 reflect the Consumer Price Index;
339	339	18 (ii) alone or in combination, annually buys,
340	340	19 receives for the covered entity's commercial purposes,
341	341	20 sells, or shares for commercial purposes, alone or in
342	342	21 combination, the personal data of 50,000 or more
343	343	22 consumers, households, or devices; or
344	344	23 (iii) derives 50% or more of its annual revenues
345	345	24 from selling consumers' personal data.
346	346
347	347
348	348
349	349
350	350
351	351	SB3334 - 9 - LRB103 38209 SPS 68343 b
352	352
353	353
354	354	SB3334- 10 -LRB103 38209 SPS 68343 b SB3334 - 10 - LRB103 38209 SPS 68343 b
355	355	SB3334 - 10 - LRB103 38209 SPS 68343 b
356	356	1 (b) This Act does not apply to:
357	357	2 (1) protected health information that is collected by
358	358	3 a covered entity or covered entity associate governed by
359	359	4 the privacy, security, and breach notification rules
360	360	5 issued by the United States Department of Health and Human
361	361	6 Services, 45 CFR 160 and 164, established pursuant to the
362	362	7 Health Insurance Portability and Accountability Act of
363	363	8 1996, Public Law 104-191, and the Health Information
364	364	9 Technology for Economic and Clinical Health Act, Public
365	365	10 Law 111-5;
366	366	11 (2) a covered entity governed by the privacy,
367	367	12 security, and breach notification rules issued by the
368	368	13 United States Department of Health and Human Services, 45
369	369	14 CFR 160 and 164, established pursuant to the Health
370	370	15 Insurance Portability and Accountability Act of 1996,
371	371	16 Public Law 104-191, to the extent the provider or covered
372	372	17 entity maintains patient information in the same manner as
373	373	18 medical information or protected health information as
374	374	19 described in paragraph (1); or
375	375	20 (3) information collected as part of a clinical trial
376	376	21 subject to the federal policy for the protection of human
377	377	22 subjects, also known as the common rule, pursuant to good
378	378	23 clinical practice guidelines issued by the International
379	379	24 Council for Harmonisation of Technical Requirements for
380	380	25 Pharmaceuticals for Human Use or human subject protection
381	381	26 requirements issued by the United States Food and Drug
382	382
383	383
384	384
385	385
386	386
387	387	SB3334 - 10 - LRB103 38209 SPS 68343 b
388	388
389	389
390	390	SB3334- 11 -LRB103 38209 SPS 68343 b SB3334 - 11 - LRB103 38209 SPS 68343 b
391	391	SB3334 - 11 - LRB103 38209 SPS 68343 b
392	392	1 Administration.
393	393	2 Section 25. Requirements for covered entities.
394	394	3 (a) A covered entity subject to this Act shall:
395	395	4 (1) complete a data protection impact assessment for
396	396	5 an online service, product, or feature or any new online
397	397	6 service, product, or feature that is reasonably likely to
398	398	7 be accessed by children; and maintain documentation of the
399	399	8 data protection impact assessment for as long as the
400	400	9 online service, product, or feature is reasonably likely
401	401	10 to be accessed by children;
402	402	11 (2) review and modify all data protection impact
403	403	12 assessments as necessary to account for material changes
404	404	13 to processing pertaining to the online service, product,
405	405	14 or feature within 90 days after such material changes;
406	406	15 (3) within 5 business days after a written request by
407	407	16 the Attorney General, provide to the Attorney General a
408	408	17 list of all data protection impact assessments the covered
409	409	18 entity has completed;
410	410	19 (4) within 7 business days after a written request by
411	411	20 the Attorney General, provide the Attorney General with a
412	412	21 copy of any data protection impact assessment, unless the
413	413	22 Attorney General, in its discretion, extends the time
414	414	23 period for a covered entity to respond;
415	415	24 (5) configure all default privacy settings provided to
416	416	25 children by the online service, product, or feature to
417	417
418	418
419	419
420	420
421	421
422	422	SB3334 - 11 - LRB103 38209 SPS 68343 b
423	423
424	424
425	425	SB3334- 12 -LRB103 38209 SPS 68343 b SB3334 - 12 - LRB103 38209 SPS 68343 b
426	426	SB3334 - 12 - LRB103 38209 SPS 68343 b
427	427	1 settings that offer a high level of privacy, unless the
428	428	2 covered entity can demonstrate a compelling reason that a
429	429	3 different setting is in the best interests of children;
430	430	4 (6) provide any privacy information, terms of service,
431	431	5 policies, and community standards concisely, prominently,
432	432	6 and using clear language suited to the age of children
433	433	7 reasonably likely to access that online service, product,
434	434	8 or feature; and
435	435	9 (7) provide prominent, accessible, and responsive
436	436	10 tools to help children, or if applicable their parents or
437	437	11 guardians, exercise their privacy rights and report
438	438	12 concerns.
439	439	13 (b) A data protection, impact assessment required by this
440	440	14 Section shall identify the purpose of the online service,
441	441	15 product, or feature; how it uses children's personal data; and
442	442	16 determine whether the online service, product, or feature is
443	443	17 designed and offered in a age-appropriate manner consistent
444	444	18 with the best interests of children that are reasonably likely
445	445	19 to access the online product by examining, at a minimum, the
446	446	20 following:
447	447	21 (1) whether the design of the online service, product,
448	448	22 or feature could lead to children experiencing or being
449	449	23 targeted by contacts on the online service, product, or
450	450	24 feature that would result in: reasonably foreseeable and
451	451	25 material physical or financial harm to the child;
452	452	26 reasonably foreseeable and severe psychological or
453	453
454	454
455	455
456	456
457	457
458	458	SB3334 - 12 - LRB103 38209 SPS 68343 b
459	459
460	460
461	461	SB3334- 13 -LRB103 38209 SPS 68343 b SB3334 - 13 - LRB103 38209 SPS 68343 b
462	462	SB3334 - 13 - LRB103 38209 SPS 68343 b
463	463	1 emotional harm to the child; a highly offensive intrusion
464	464	2 on the reasonable privacy expectations of the child; or
465	465	3 discrimination against the child based upon race, color,
466	466	4 religion, national origin, disability, sex, or sexual
467	467	5 orientation;
468	468	6 (2) whether the design of the online service, product,
469	469	7 or feature could permit children to witness, participate
470	470	8 in, or be subject to conduct on the online service,
471	471	9 product, or feature that would result in: reasonably
472	472	10 foreseeable and material physical or financial harm to the
473	473	11 child; reasonably foreseeable and severe psychological or
474	474	12 emotional harm to the child; a highly offensive intrusion
475	475	13 on the reasonable privacy expectations of the child; or
476	476	14 discrimination against the child based upon race, color,
477	477	15 religion, national origin, disability, sex, or sexual
478	478	16 orientation;
479	479	17 (3) whether the design of the online service, product,
480	480	18 or feature are reasonably expected to allow children to be
481	481	19 party to or exploited by a contract on the online service,
482	482	20 product, or feature that would result in: reasonably
483	483	21 foreseeable and material physical or financial harm to the
484	484	22 child; reasonably foreseeable and severe psychological or
485	485	23 emotional harm to the child; a highly offensive intrusion
486	486	24 on the reasonable privacy expectations of the child; or
487	487	25 discrimination against the child based upon race, color,
488	488	26 religion, national origin, disability, sex, or sexual
489	489
490	490
491	491
492	492
493	493
494	494	SB3334 - 13 - LRB103 38209 SPS 68343 b
495	495
496	496
497	497	SB3334- 14 -LRB103 38209 SPS 68343 b SB3334 - 14 - LRB103 38209 SPS 68343 b
498	498	SB3334 - 14 - LRB103 38209 SPS 68343 b
499	499	1 orientation;
500	500	2 (4) whether algorithms used by the product, service,
501	501	3 or feature would result in: reasonably foreseeable and
502	502	4 material physical or financial harm to the child;
503	503	5 reasonably foreseeable and severe psychological or
504	504	6 emotional harm to the child; a highly offensive intrusion
505	505	7 on the reasonable privacy expectations of the child; or
506	506	8 discrimination against the child based upon race, color,
507	507	9 religion, national origin, disability, sex, or sexual
508	508	10 orientation;
509	509	11 (5) whether targeted advertising systems used by the
510	510	12 online service, product, or feature would result in:
511	511	13 reasonably foreseeable and material physical or financial
512	512	14 harm to the child; reasonably foreseeable and severe
513	513	15 psychological or emotional harm to the child; a highly
514	514	16 offensive intrusion on the reasonable privacy expectations
515	515	17 of the child; or discrimination against the child based
516	516	18 upon race, color, religion, national origin, disability,
517	517	19 sex, or sexual orientation;
518	518	20 (6) whether the online service, product, or feature
519	519	21 uses system design features to increase, sustain, or
520	520	22 extend use of the online service, product, or feature by
521	521	23 children, including the automatic playing of media,
522	522	24 rewards for time spent, and notifications, that would
523	523	25 result in: reasonably foreseeable and material physical or
524	524	26 financial harm to the child; reasonably foreseeable and
525	525
526	526
527	527
528	528
529	529
530	530	SB3334 - 14 - LRB103 38209 SPS 68343 b
531	531
532	532
533	533	SB3334- 15 -LRB103 38209 SPS 68343 b SB3334 - 15 - LRB103 38209 SPS 68343 b
534	534	SB3334 - 15 - LRB103 38209 SPS 68343 b
535	535	1 severe psychological or emotional harm to the child; a
536	536	2 highly offensive intrusion on the reasonable privacy
537	537	3 expectations of the child; or discrimination against the
538	538	4 child based upon race, color, religion, national origin,
539	539	5 disability, sex, or sexual orientation; and
540	540	6 (7) whether, how, and for what purpose the online
541	541	7 product, service, or feature collects or processes
542	542	8 personal data of children, and whether those practices
543	543	9 would result in: reasonably foreseeable and material
544	544	10 physical or financial harm to the child; reasonably
545	545	11 foreseeable and severe psychological or emotional harm to
546	546	12 the child; a highly offensive intrusion on the reasonable
547	547	13 privacy expectations of the child; or discrimination
548	548	14 against the child based upon race, color, religion,
549	549	15 national origin, disability, sex, or sexual orientation;
550	550	16 and
551	551	17 (8) whether and how product experimentation results
552	552	18 for the online product, service, or feature reveal data
553	553	19 management or design practices that would result in:
554	554	20 reasonably foreseeable and material physical or financial
555	555	21 harm to the child; reasonably foreseeable and extreme
556	556	22 psychological or emotional harm to the child; a highly
557	557	23 offensive intrusion on the reasonable privacy expectations
558	558	24 of the child; or discrimination against the child based
559	559	25 upon race, color, religion, national origin, disability,
560	560	26 sex, or sexual orientation.
561	561
562	562
563	563
564	564
565	565
566	566	SB3334 - 15 - LRB103 38209 SPS 68343 b
567	567
568	568
569	569	SB3334- 16 -LRB103 38209 SPS 68343 b SB3334 - 16 - LRB103 38209 SPS 68343 b
570	570	SB3334 - 16 - LRB103 38209 SPS 68343 b
571	571	1 (c) A data protection impact assessment conducted by a
572	572	2 covered entity for the purpose of compliance with any other
573	573	3 law complies with this Section if the data protection impact
574	574	4 assessment meets the requirement of this Act.
575	575	5 (d) A single data protection impact assessment may contain
576	576	6 multiple similar processing operations that present similar
577	577	7 risk only if each relevant online service, product, or feature
578	578	8 is addressed.
579	579	9 (e) A company may process only the personal data
580	580	10 reasonably necessary to provide an online service, product, or
581	581	11 feature with which a child is actively and knowingly engaged
582	582	12 to estimate age.
583	583	13 Section 30. Prohibited acts by covered entities. A covered
584	584	14 entity that provides an online service, product, or feature
585	585	15 reasonably likely to be accessed by children shall not:
586	586	16 (1) process the personal data of any child in a way
587	587	17 that is inconsistent with the best interests of children
588	588	18 reasonably likely to access the online service, product,
589	589	19 or feature;
590	590	20 (2) profile a child by default unless:
591	591	21 (A) the covered entity can demonstrate it has
592	592	22 appropriate safeguards in place to ensure that
593	593	23 profiling is consistent with the best interests of
594	594	24 children reasonably likely to access the online
595	595	25 service, product, or feature; and
596	596
597	597
598	598
599	599
600	600
601	601	SB3334 - 16 - LRB103 38209 SPS 68343 b
602	602
603	603
604	604	SB3334- 17 -LRB103 38209 SPS 68343 b SB3334 - 17 - LRB103 38209 SPS 68343 b
605	605	SB3334 - 17 - LRB103 38209 SPS 68343 b
606	606	1 (B) either of the following is true:
607	607	2 (i) profiling is necessary to provide the
608	608	3 online service, product, or feature requested and
609	609	4 only with respect to the aspects of the online
610	610	5 service, product, or feature with which a child is
611	611	6 actively and knowingly engaged;
612	612	7 (ii) the covered entity can demonstrate a
613	613	8 compelling reason that profiling is in the best
614	614	9 interests of children;
615	615	10 (3) process any personal data that is not reasonably
616	616	11 necessary to provide an online service, product, or
617	617	12 feature with which a child is actively and knowingly
618	618	13 engaged;
619	619	14 (4) if the end user is a child, process personal data
620	620	15 for any reason other than a reason for which that personal
621	621	16 data was collected;
622	622	17 (5) process any precise geolocation information of
623	623	18 children by default, unless the collection of that precise
624	624	19 geolocation information is strictly necessary for the
625	625	20 covered entity to provide the service, product, or feature
626	626	21 requested and then only for the limited time that the
627	627	22 collection of precise geolocation information is necessary
628	628	23 to provide the service, product, or feature;
629	629	24 (6) process any precise geolocation information of a
630	630	25 child without providing an obvious sign to the child for
631	631	26 the duration of that collection that precise geolocation
632	632
633	633
634	634
635	635
636	636
637	637	SB3334 - 17 - LRB103 38209 SPS 68343 b
638	638
639	639
640	640	SB3334- 18 -LRB103 38209 SPS 68343 b SB3334 - 18 - LRB103 38209 SPS 68343 b
641	641	SB3334 - 18 - LRB103 38209 SPS 68343 b
642	642	1 information is being collected;
643	643	2 (7) use dark patterns to cause children to provide
644	644	3 personal data beyond what is reasonably expected to
645	645	4 provide that online service, product, or feature to forgo
646	646	5 privacy protections, or to take any action that the
647	647	6 covered entity knows, or has reason to know, is not in the
648	648	7 best interests of children reasonably likely to access the
649	649	8 online service, product, or feature; and
650	650	9 (8) allow a child's parent, guardian, or any other
651	651	10 consumer to monitor the child's online activity or track
652	652	11 the child's location, without providing an obvious signal
653	653	12 to the child when the child is being monitored or tracked.
654	654	13 Section 35. Data practices.
655	655	14 (a) A data protection impact assessment collected or
656	656	15 maintained by the Attorney General under Section 25 is
657	657	16 classified as nonpublic data.
658	658	17 (b) To the extent any information contained in a data
659	659	18 protection impact assessment disclosed to the Attorney General
660	660	19 includes information subject to attorney-client privilege or
661	661	20 work product protection, disclosure does not constitute a
662	662	21 waiver of that privilege or protection.
663	663	22 Section 40. Attorney General enforcement.
664	664	23 (a) A covered entity that violates this Act may be subject
665	665	24 to an injunction and liable for a civil penalty of not more
666	666
667	667
668	668
669	669
670	670
671	671	SB3334 - 18 - LRB103 38209 SPS 68343 b
672	672
673	673
674	674	SB3334- 19 -LRB103 38209 SPS 68343 b SB3334 - 19 - LRB103 38209 SPS 68343 b
675	675	SB3334 - 19 - LRB103 38209 SPS 68343 b
676	676	1 than $2,500 per affected child for each negligent violation,
677	677	2 or not more than $7,500 per affected child for each
678	678	3 intentional violation, which may be assessed or recovered only
679	679	4 in a civil action brought by the Attorney General. If the State
680	680	5 prevails in an action to enforce this Act, the State may, in
681	681	6 addition to civil penalties provided by this subsection or
682	682	7 other remedies provided by the law, be allowed an amount
683	683	8 determined by the court to be the reasonable value of all or
684	684	9 part of the State's litigation expenses incurred.
685	685	10 (b) All moneys received by the Attorney General as civil
686	686	11 penalties, fees, or other amounts under subsection (a) shall
687	687	12 be deposited into the Age-Appropriate Design Code Enforcement
688	688	13 Fund, a special fund created in the State treasury, and shall
689	689	14 be used, subject to appropriation and as directed by the
690	690	15 Attorney General, to offset costs incurred by the Attorney
691	691	16 General in connection with the enforcement of this Act.
692	692	17 (c) If a covered entity is in substantial compliance with
693	693	18 the requirements of Section 25, the Attorney General shall,
694	694	19 before initiating a civil action under this Section, provide
695	695	20 written notice to the covered entity identifying the specific
696	696	21 provisions of this Act that the Attorney General alleges have
697	697	22 been or are being violated. If, for a covered entity that
698	698	23 satisfied Section 50 or subsection (a) of Section 25 before
699	699	24 offering any new online product, service, or feature
700	700	25 reasonably likely to be accessed by children to the public,
701	701	26 within 90 days after the notice required by this subsection,
702	702
703	703
704	704
705	705
706	706
707	707	SB3334 - 19 - LRB103 38209 SPS 68343 b
708	708
709	709
710	710	SB3334- 20 -LRB103 38209 SPS 68343 b SB3334 - 20 - LRB103 38209 SPS 68343 b
711	711	SB3334 - 20 - LRB103 38209 SPS 68343 b
712	712	1 the covered entity cures any noticed violation and provides
713	713	2 the Attorney General a written statement that the alleged
714	714	3 violations have been cured, and sufficient measures have been
715	715	4 taken to prevent future violations, the covered entity is not
716	716	5 liable for a civil penalty for any violation cured pursuant to
717	717	6 this Act.
718	718	7 (d) Nothing in this Act shall be construed to create a
719	719	8 private right of action.
720	720	9 Section 45. Limitations. Nothing in this Act shall be
721	721	10 interpreted or construed to:
722	722	11 (1) impose liability in a manner that is inconsistent
723	723	12 with 47 U.S.C. 230;
724	724	13 (2) prevent or preclude any child from deliberately or
725	725	14 independently searching for, or specifically requesting,
726	726	15 content; or
727	727	16 (3) require a covered entity to implement an age
728	728	17 gating requirement.
729	729	18 Section 50. Data protection impact assessment date.
730	730	19 (a) By January 1, 2025 a covered entity shall complete a
731	731	20 data protection impact assessment for any online service,
732	732	21 product, or feature reasonably likely to be accessed by
733	733	22 children offered to the public before January 1, 2025, unless
734	734	23 that online service, product, or feature is exempt under
735	735	24 paragraph (b).
736	736
737	737
738	738
739	739
740	740
741	741	SB3334 - 20 - LRB103 38209 SPS 68343 b
742	742
743	743
744	744	SB3334- 21 -LRB103 38209 SPS 68343 b SB3334 - 21 - LRB103 38209 SPS 68343 b
745	745	SB3334 - 21 - LRB103 38209 SPS 68343 b
746	746	1 (b) This Act does not apply to an online service, product,
747	747	2 or feature that is not offered to the public on or after
748	748	3 January 1, 2025.
749	749	4 Section 55. Severability. If any provision of this Act, or
750	750	5 an amendment made by this Act, is determined to be
751	751	6 unenforceable or invalid, the remaining provisions of this Act
752	752	7 and the amendments made by this Act shall not be affected.
753	753	8 Section 90. The State Finance Act is amended by adding
754	754	9 Section 5.1015 as follows:
755	755	10 (30 ILCS 105/5.1015 new)
756	756	11 Sec. 5.1015. The Age-Appropriate Design Code Enforcement
757	757	12 Fund.
758	758
759	759
760	760
761	761
762	762
763	763	SB3334 - 21 - LRB103 38209 SPS 68343 b