103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3334

Introduced 2/7/2024, by Sen. Sue Rezin

SYNOPSIS AS INTRODUCED:

New Act
30 ILCS 105/5.1015 new

Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.

LRB103 38209 SPS 68343 b

A BILL FOR
AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Illinois Age-Appropriate Design Code Act.

Section 5. Intent. It is the intent of the General Assembly that nothing in this Act shall be construed to infringe on the existing rights and freedoms of children.

Section 10. Definitions. As used in this Act:

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with, another legal entity. For the purposes of this definition, "control" or "controlled" means: (i) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a covered entity; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a covered entity.

"Age-appropriate" means a recognition of the distinct needs and diversities of children at different age ranges. In order to help support the design of online services, products, and features, covered entities should take into account the unique needs and diversities of different age ranges, including the following developmental stages: 0 to 5 years of age or preliterate and early literacy; 6-9 years of age or core primary school years; 10 to 12 years of age or transition years; 13 to 15 years of age or early teens; and 16 to 17 years of age or approaching adulthood.

"Best interests of children" means the use, by a covered entity, of the personal data of a child or the design of an online service, product, or feature in a way that:
(1) will not benefit the covered entity to the detriment of the child; and
(2) will not result in:
  (A) reasonably foreseeable and material physical or financial harm to the child;
  (B) reasonably foreseeable and severe psychological, or emotional harm to the child;
  (C) a highly offensive intrusion on the reasonable privacy expectations of the child; or
  (D) discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation.

"Child" means a consumer who is under 18 years of age.

"Collect" means buying, renting, gathering, obtaining, receiving, or accessing any personal data pertaining to a consumer by any means. "Collect" includes receiving data from the consumer, either actively or passively, or by observing the consumer's behavior.

"Covered entity" means:
(1) a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; and
(2) an affiliate of a covered entity that shares common branding with the covered entity. For the purposes of this definition, "common branding" means a shared name, service mark, or trademark that the average consumer would understand that 2 or more entities are commonly owned.

For purposes of this Act, for a joint venture or partnership composed of covered entities in which each covered entity has at least a 40% interest, the joint venture or partnership and each covered entity that composes the joint venture or partnership shall separately be considered a single covered entity, except that personal data in the possession of each covered entity and disclosed to the joint venture or partnership shall not be shared with the other covered entity.

"Consumer" means a natural person who is an Illinois resident, however identified, including by any unique identifier.

"Dark pattern" means a user interface designed or manipulated with the purpose of subverting or impairing user autonomy, decision making, or choice.

"Data protection impact assessment" means a systematic survey to assess compliance with the duty to act in the best interests of children and shall include a plan to ensure that all online products, services, or features provided by the covered entity are designed and offered in a manner consistent with the best interests of children reasonably likely to access the online product, service, or feature and a description of steps the covered entity has taken and will take to comply with the duty to act in the best interests of children.

"Default" means a preselected option adopted by the covered entity for the online service, product, or feature.

"Deidentified" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person, provided that the covered entity that possesses the data:
(1) takes reasonable measures to ensure that the data cannot be associated with a natural person;
(2) publicly commits to maintain and use the data only in a deidentified fashion and not attempt to re-identify the data; and
(3) contractually obligates any recipients of the data to comply with all provisions of this Act.

"Derived data" means data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about a child or a child's device.

"Online service, product, or feature" does not mean any of the following:
(1) telecommunications service, as defined in 47 U.S.C. 153;
(2) a broadband service as defined in the Public Utilities Act; or
(3) the sale, delivery, or use of a physical product.

"Personal data" means any information, including derived data, that is linked or reasonably linkable, alone or in combination with other information, to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information. For the purposes of this definition, "publicly available information" means information (i) that is lawfully made available from federal, State, or local government records or widely distributed media; and (ii) that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.

"Precise geolocation" means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.

"Process" or "processing" means to conduct or direct any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, modification, or otherwise handling of personal data.

"Product experimentation results" means the data that companies collect to understand the experimental impact of their products.

"Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. "Profiling" does not include the processing of information that does not result in an assessment or judgment about a natural person.

"Reasonably likely to be accessed" means an online service, product, or feature that is accessed by children based on any of the following indicators:
(1) the online service, product, or feature is directed to children, as defined by the Children's Online Privacy Protection Act, 15 U.S.C. 6501 et seq., and the Federal Trade Commission rules implementing that Act;
(2) the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
(3) the online service, product, or feature contains advertisements marketed to children;
(4) the online service, product, or feature is substantially similar or the same as an online service, product, or feature subject to paragraph (2) of this definition;
(5) a significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children; and
(6) the covered entity knew or should have known that a significant number of users are children, provided that, in making this assessment, the covered entity shall not collect or process any personal data that is not reasonably necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged.

"Sale" or "sell" means the exchange of personal data for monetary or other valuable consideration by a covered entity to a third party. "Sale" or "sell" do not include the following:
(1) the disclosure of personal data to a third party who processes the personal data on behalf of the covered entity;
(2) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer;
(3) the disclosure or transfer of personal data to an affiliate of the covered entity;
(4) the disclosure of data that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or
(5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the covered entity's assets.

"Share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal data by the covered entity to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a covered entity and a third party for cross-context behavioral advertising for the benefit of a covered entity in which no money is exchanged.

"Third party" means a natural or legal person, public authority, agency, or body other than the consumer or the covered entity.

Section 15. Information fiduciary. All covered entities that operate in this State and process children's data in any capacity shall do so in a manner consistent with the best interests of children.

Section 20. Scope; exclusions.

(a) A covered entity operating in this State is subject to the requirements of this Act if it:
(1) collects consumers' personal data or has consumers' personal data collected on its behalf by a third party;
(2) alone or jointly with others, determines the purposes and means of the processing of consumers' personal data; and
(3) satisfies one or more of the following thresholds:
  (i) has annual gross revenues in excess of $25,000,000, as adjusted every odd numbered year to reflect the Consumer Price Index;
  (ii) alone or in combination, annually buys, receives for the covered entity's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of 50,000 or more consumers, households, or devices; or
  (iii) derives 50% or more of its annual revenues from selling consumers' personal data.

(b) This Act does not apply to:
(1) protected health information that is collected by a covered entity or covered entity associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5;
(2) a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in paragraph (1); or
(3) information collected as part of a clinical trial subject to the federal policy for the protection of human subjects, also known as the common rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or human subject protection requirements issued by the United States Food and Drug Administration.

Section 25. Requirements for covered entities.

(a) A covered entity subject to this Act shall:
(1) complete a data protection impact assessment for an online service, product, or feature or any new online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment for as long as the online service, product, or feature is reasonably likely to be accessed by children;
(2) review and modify all data protection impact assessments as necessary to account for material changes to processing pertaining to the online service, product, or feature within 90 days after such material changes;
(3) within 5 business days after a written request by the Attorney General, provide to the Attorney General a list of all data protection impact assessments the covered entity has completed;
(4) within 7 business days after a written request by the Attorney General, provide the Attorney General with a copy of any data protection impact assessment, unless the Attorney General, in its discretion, extends the time period for a covered entity to respond;
(5) configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the covered entity can demonstrate a compelling reason that a different setting is in the best interests of children;
(6) provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children reasonably likely to access that online service, product, or feature; and
(7) provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns.

(b) A data protection impact assessment required by this Section shall identify the purpose of the online service, product, or feature; how it uses children's personal data; and determine whether the online service, product, or feature is designed and offered in an age-appropriate manner consistent with the best interests of children that are reasonably likely to access the online product by examining, at a minimum, the following:
(1) whether the design of the online service, product, or feature could lead to children experiencing or being targeted by contacts on the online service, product, or feature that would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
(2) whether the design of the online service, product, or feature could permit children to witness, participate in, or be subject to conduct on the online service, product, or feature that would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
(3) whether the design of the online service, product, or feature are reasonably expected to allow children to be party to or exploited by a contract on the online service, product, or feature that would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
(4) whether algorithms used by the product, service, or feature would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
(5) whether targeted advertising systems used by the online service, product, or feature would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
(6) whether the online service, product, or feature uses system design features to increase, sustain, or extend use of the online service, product, or feature by children, including the automatic playing of media, rewards for time spent, and notifications, that would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; and
(7) whether, how, and for what purpose the online product, service, or feature collects or processes personal data of children, and whether those practices would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and severe psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; and
(8) whether and how product experimentation results for the online product, service, or feature reveal data management or design practices that would result in: reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation.

(c) A data protection impact assessment conducted by a covered entity for the purpose of compliance with any other law complies with this Section if the data protection impact assessment meets the requirement of this Act.

(d) A single data protection impact assessment may contain multiple similar processing operations that present similar risk only if each relevant online service, product, or feature is addressed.

(e) A company may process only the personal data reasonably necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged to estimate age.

Section 30. Prohibited acts by covered entities. A covered entity that provides an online service, product, or feature reasonably likely to be accessed by children shall not:
(1) process the personal data of any child in a way that is inconsistent with the best interests of children reasonably likely to access the online service, product, or feature;
(2) profile a child by default unless:
  (A) the covered entity can demonstrate it has appropriate safeguards in place to ensure that profiling is consistent with the best interests of children reasonably likely to access the online service, product, or feature; and
  (B) either of the following is true:
    (i) profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which a child is actively and knowingly engaged;
    (ii) the covered entity can demonstrate a compelling reason that profiling is in the best interests of children;
(3) process any personal data that is not reasonably necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged;
(4) if the end user is a child, process personal data for any reason other than a reason for which that personal data was collected;
(5) process any precise geolocation information of children by default, unless the collection of that precise geolocation information is strictly necessary for the covered entity to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature;
(6) process any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected;
(7) use dark patterns to cause children to provide personal data beyond what is reasonably expected to provide that online service, product, or feature to forgo privacy protections, or to take any action that the covered entity knows, or has reason to know, is not in the best interests of children reasonably likely to access the online service, product, or feature; and
(8) allow a child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, without providing an obvious signal to the child when the child is being monitored or tracked.

Section 35. Data practices.

(a) A data protection impact assessment collected or maintained by the Attorney General under Section 25 is classified as nonpublic data.

(b) To the extent any information contained in a data protection impact assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, disclosure does not constitute a waiver of that privilege or protection.

Section 40. Attorney General enforcement.

(a) A covered entity that violates this Act may be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation, which may be assessed or recovered only in a civil action brought by the Attorney General. If the State prevails in an action to enforce this Act, the State may, in addition to civil penalties provided by this subsection or other remedies provided by the law, be allowed an amount determined by the court to be the reasonable value of all or part of the State's litigation expenses incurred.

(b) All moneys received by the Attorney General as civil penalties, fees, or other amounts under subsection (a) shall be deposited into the Age-Appropriate Design Code Enforcement Fund, a special fund created in the State treasury, and shall be used, subject to appropriation and as directed by the Attorney General, to offset costs incurred by the Attorney General in connection with the enforcement of this Act.

(c) If a covered entity is in substantial compliance with the requirements of Section 25, the Attorney General shall, before initiating a civil action under this Section, provide written notice to the covered entity identifying the specific provisions of this Act that the Attorney General alleges have been or are being violated. If, for a covered entity that satisfied Section 50 or subsection (a) of Section 25 before offering any new online product, service, or feature reasonably likely to be accessed by children to the public, within 90 days after the notice required by this subsection, the covered entity cures any noticed violation and provides the Attorney General a written statement that the alleged violations have been cured, and sufficient measures have been taken to prevent future violations, the covered entity is not liable for a civil penalty for any violation cured pursuant to this Act.

(d) Nothing in this Act shall be construed to create a private right of action.

Section 45. Limitations. Nothing in this Act shall be interpreted or construed to:
(1) impose liability in a manner that is inconsistent with 47 U.S.C. 230;
(2) prevent or preclude any child from deliberately or independently searching for, or specifically requesting, content; or
(3) require a covered entity to implement an age gating requirement.

Section 50. Data protection impact assessment date.

(a) By January 1, 2025 a covered entity shall complete a data protection impact assessment for any online service, product, or feature reasonably likely to be accessed by children offered to the public before January 1, 2025, unless that online service, product, or feature is exempt under paragraph (b).

(b) This Act does not apply to an online service, product, or feature that is not offered to the public on or after January 1, 2025.

Section 55. Severability. If any provision of this Act, or an amendment made by this Act, is determined to be unenforceable or invalid, the remaining provisions of this Act and the amendments made by this Act shall not be affected.

Section 90. The State Finance Act is amended by adding Section 5.1015 as follows:

(30 ILCS 105/5.1015 new)

Sec. 5.1015. The Age-Appropriate Design Code Enforcement Fund.