103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3517 Introduced 2/9/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act30 ILCS 105/5.1015 new Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act. LRB103 35732 LNS 65813 b A BILL FOR 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3517 Introduced 2/9/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act. LRB103 35732 LNS 65813 b LRB103 35732 LNS 65813 b A BILL FOR
103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3517 Introduced 2/9/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new
New Act
30 ILCS 105/5.1015 new
Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.
LRB103 35732 LNS 65813 b LRB103 35732 LNS 65813 b
LRB103 35732 LNS 65813 b
A BILL FOR
SB3517LRB103 35732 LNS 65813 b SB3517 LRB103 35732 LNS 65813 b
SB3517 LRB103 35732 LNS 65813 b
1 AN ACT concerning civil law.
2 Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
4 Article 5. General
5 Section 5-1. Short title. This Act may be cited as the
6 Privacy Rights Act.
7 Section 5-5. Purpose and intent. In enacting this Act, it
8 is the purpose and intent of the State to further protect
9 consumers' rights, including the constitutional right of
10 privacy. The implementation of this Act shall be guided by the
11 following principles:
12 (1) Consumers should know who is collecting their
13 personal information and that of their children, how it is
14 being used, and to whom it is disclosed so that they have
15 the information necessary to exercise meaningful control
16 over businesses' use of their personal information and
17 that of their children.
18 (2) Consumers should be able to control the use of
19 their personal information, including limiting the use of
20 their sensitive personal information, the unauthorized use
21 or disclosure of which creates a heightened risk of harm
22 to the consumer, and they should have meaningful options
103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3517 Introduced 2/9/2024, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
New Act30 ILCS 105/5.1015 new New Act 30 ILCS 105/5.1015 new
New Act
30 ILCS 105/5.1015 new
Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.
LRB103 35732 LNS 65813 b LRB103 35732 LNS 65813 b
LRB103 35732 LNS 65813 b
A BILL FOR
New Act
30 ILCS 105/5.1015 new
LRB103 35732 LNS 65813 b
SB3517 LRB103 35732 LNS 65813 b
SB3517- 2 -LRB103 35732 LNS 65813 b SB3517 - 2 - LRB103 35732 LNS 65813 b
SB3517 - 2 - LRB103 35732 LNS 65813 b
1 over how it is collected, used, and disclosed.
2 (3) Consumers should have access to their personal
3 information and should be able to correct it, delete it,
4 and take it with them from one business to another.
5 (4) Consumers or their authorized agents should be
6 able to exercise these options through easily accessible
7 self-serve tools.
8 (5) Consumers should be able to exercise these rights
9 without being penalized for doing so.
10 (6) Consumers should be able to hold businesses
11 accountable for failing to take reasonable precautions to
12 protect their most sensitive personal information from
13 hackers and security breaches.
14 (7) Consumers should benefit from businesses' use of
15 their personal information.
16 (8) The privacy interests of employees and independent
17 contractors should also be protected, taking into account
18 the differences in the relationship between employees or
19 independent contractors and businesses as compared to the
20 relationship between consumers and businesses. This Act is
21 not intended to interfere with the right to organize and
22 collective bargaining under the federal National Labor
23 Relations Act.
24 (9) Businesses should specifically and clearly inform
25 consumers about how they collect and use personal
26 information and how they can exercise their rights and
SB3517 - 2 - LRB103 35732 LNS 65813 b
SB3517- 3 -LRB103 35732 LNS 65813 b SB3517 - 3 - LRB103 35732 LNS 65813 b
SB3517 - 3 - LRB103 35732 LNS 65813 b
1 choice.
2 (10) Businesses should only collect consumers'
3 personal information for specific, explicit, and
4 legitimate disclosed purposes and should not further
5 collect, use, or disclose consumers' personal information
6 for reasons incompatible with those purposes.
7 (11) Businesses should collect consumers' personal
8 information only to the extent that it is relevant and
9 limited to what is necessary in relation to the purposes
10 for which it is being collected, used, and shared.
11 (12) Businesses should provide consumers or their
12 authorized agents with easily accessible means to allow
13 consumers and their children to obtain their personal
14 information, to delete it or correct it, to opt out of its
15 sale and sharing across business platforms, services,
16 businesses, and devices, and to limit the use of their
17 sensitive personal information.
18 (13) Businesses should not penalize consumers for
19 exercising these rights.
20 (14) Businesses should take reasonable precautions to
21 protect consumers' personal information from a security
22 breach.
23 (15) Businesses should be held accountable when they
24 violate consumers' privacy rights, and the penalties
25 should be higher when the violation affects children.
26 (16) The rights of consumers and the responsibilities
SB3517 - 3 - LRB103 35732 LNS 65813 b
SB3517- 4 -LRB103 35732 LNS 65813 b SB3517 - 4 - LRB103 35732 LNS 65813 b
SB3517 - 4 - LRB103 35732 LNS 65813 b
1 of businesses should be implemented with the goal of
2 strengthening consumer privacy while giving attention to
3 the impact on business and innovation. Consumer privacy
4 and the development of beneficial new products and
5 services are not necessarily incompatible goals. Strong
6 consumer privacy rights create incentives to innovate and
7 develop new products that are privacy protective.
8 (17) Businesses and consumers should be provided with
9 clear guidance about their responsibilities and rights.
10 (18) The law should place the consumer in a position
11 to knowingly and freely negotiate with a business over the
12 business' use of the personal information.
13 (19) The law should adjust to technological changes,
14 help consumers exercise their rights, and assist
15 businesses with compliance with the continuing goal of
16 strengthening consumer privacy.
17 (20) The law should enable proconsumer new products
18 and services and promote efficiency of implementation for
19 business as long as the law does not compromise or weaken
20 consumer privacy.
21 (21) The law should be amended, if necessary, to
22 improve its operation, as long as the amendments do not
23 compromise or weaken consumer privacy, while giving
24 attention to the impact on business and innovation.
25 (22) Businesses should be held accountable for
26 violating the law through vigorous administrative and
SB3517 - 4 - LRB103 35732 LNS 65813 b
SB3517- 5 -LRB103 35732 LNS 65813 b SB3517 - 5 - LRB103 35732 LNS 65813 b
SB3517 - 5 - LRB103 35732 LNS 65813 b
1 civil enforcement.
2 (23) To the extent it advances consumer privacy and
3 business compliance, the law should be compatible with
4 privacy laws in other jurisdictions.
5 Section 5-10. Definitions. As used in this Act:
6 "Advertising and marketing" means a communication by a
7 business or person acting on behalf of the business in any
8 medium intended to induce a consumer to obtain goods,
9 services, or employment.
10 "Agency" means the Privacy Protection Agency.
11 "Aggregate consumer information" means information that
12 relates to a group or category of consumers, from which
13 individual consumer identities have been removed, that is not
14 linked or reasonably linkable to any consumer or household,
15 including via a device. "Aggregate consumer information" does
16 not include one or more individual consumer records that have
17 been deidentified.
18 "Biometric information" means an individual's
19 physiological, biological, or behavioral characteristics,
20 including information pertaining to an individual's
21 deoxyribonucleic acid (DNA), that is used or is intended to be
22 used singly or in combination with each other or with other
23 identifying data, to establish individual identity. "Biometric
24 information" includes, but is not limited to, imagery of the
25 iris, retina, fingerprint, face, hand, palm, vein patterns,
SB3517 - 5 - LRB103 35732 LNS 65813 b
SB3517- 6 -LRB103 35732 LNS 65813 b SB3517 - 6 - LRB103 35732 LNS 65813 b
SB3517 - 6 - LRB103 35732 LNS 65813 b
1 and voice recordings, from which an identifier template, such
2 as a faceprint, a minutiae template, or a voiceprint, can be
3 extracted, and keystroke patterns or rhythms, gait patterns or
4 rhythms, and sleep, health, or exercise data that contain
5 identifying information.
6 "Business" means:
7 (1) a sole proprietorship, partnership, limited
8 liability company, corporation, association, or other
9 legal entity that is organized or operated for the profit
10 or financial benefit of its shareholders or other owners,
11 that collects consumers' personal information, or on the
12 behalf of which such information is collected and that
13 determines the purposes and means of the processing of
14 consumers' personal information, does business in this
15 State, and satisfies one or more of the following
16 thresholds:
17 (A) as of January 1 of the calendar year, had
18 annual gross revenues in excess of $25,000,000 in the
19 preceding calendar year;
20 (B) alone or in combination, annually, buys,
21 sells, or shares the personal information of 100,000
22 or more consumers or households; or
23 (C) derives 50% or more of its annual revenues
24 from selling or sharing consumers' personal
25 information;
26 (2) any entity that controls or is controlled by a
SB3517 - 6 - LRB103 35732 LNS 65813 b
SB3517- 7 -LRB103 35732 LNS 65813 b SB3517 - 7 - LRB103 35732 LNS 65813 b
SB3517 - 7 - LRB103 35732 LNS 65813 b
1 business and that shares common branding with the business
2 and with whom the business shares consumers' personal
3 information;
4 (3) a joint venture or partnership composed of
5 businesses in which each business has at least a 40%
6 interest; or
7 (4) a person that does business in this State, that is
8 not covered by paragraph (1), (2), or (3) of this
9 definition and that voluntarily certifies to this Act that
10 it is in compliance with, and agrees to be bound by, this
11 Act.
12 "Business associate" has the meaning given to that term in
13 Section 160.103 of Title 45 of the Code of Federal
14 Regulations.
15 "Business controller information" means the name or names
16 of the owner or owners, director, officer, or management
17 employee of a business and the contact information, including
18 a business title, for the owner or owners, director, officer,
19 or management employee.
20 "Business purpose" means the use of personal information
21 for the business's operational purposes, or other notified
22 purposes, or for the service provider's or contractor's
23 operational purposes, as long as the use of personal
24 information is reasonably necessary and proportionate to
25 achieve the purpose for which the personal information was
26 collected or processed or for another purpose that is
SB3517 - 7 - LRB103 35732 LNS 65813 b
SB3517- 8 -LRB103 35732 LNS 65813 b SB3517 - 8 - LRB103 35732 LNS 65813 b
SB3517 - 8 - LRB103 35732 LNS 65813 b
1 compatible with the context in which the personal information
2 was collected. "Business purposes" includes:
3 (1) auditing related to counting ad impressions to
4 unique visitors, verifying positioning and quality of ad
5 impressions, and auditing compliance with this
6 specification and other standards;
7 (2) helping to ensure security and integrity to the
8 extent the use of the personal information is reasonably
9 necessary and proportionate for these purposes;
10 (3) debugging to identify and repair errors that
11 impair existing intended functionality;
12 (4) short-term, transient use, including, but not
13 limited to, nonpersonalized advertising shown as part of a
14 consumer's current interaction with the business, as long
15 as the personal information is not disclosed to another
16 third party and is not used to build a profile about the
17 consumer or otherwise alter the consumer's experience
18 outside the current interaction with the business;
19 (5) performing services on behalf of the business,
20 including maintaining or servicing accounts, providing
21 customer service, processing or fulfilling orders and
22 transactions, verifying customer information, processing
23 payments, providing financing, providing analytic
24 services, providing storage, or providing similar services
25 on behalf of the business;
26 (6) providing advertising and marketing services,
SB3517 - 8 - LRB103 35732 LNS 65813 b
SB3517- 9 -LRB103 35732 LNS 65813 b SB3517 - 9 - LRB103 35732 LNS 65813 b
SB3517 - 9 - LRB103 35732 LNS 65813 b
1 except for cross-context behavioral advertising, to the
2 consumer, as long as a service provider or contractor does
3 not combine the personal information of consumers who
4 opted-out that the service provider or contractor receives
5 from, or on behalf of, the business with personal
6 information that the service provider or contractor
7 receives from, or on behalf of, another person or persons
8 or collects from its own interaction with consumers;
9 (7) undertaking internal research for technological
10 development and demonstration; and
11 (8) undertaking activities to verify or maintain the
12 quality or safety of a service or device that is owned,
13 manufactured, manufactured for, or controlled by the
14 business, and to improve, upgrade, or enhance the service
15 or device that is owned, manufactured, manufactured for,
16 or controlled by the business.
17 "Collects", "collected", or "collection" means buying,
18 renting, gathering, obtaining, receiving, or accessing any
19 personal information pertaining to the consumer by any means.
20 "Collects", "collected", or "collection" includes receiving
21 information from the consumer, either actively or passively,
22 or by observing the consumer's behavior.
23 "Commercial credit reporting agency" means any person who,
24 for monetary fees, dues, or on a cooperative nonprofit basis,
25 provides commercial credit reports to third parties.
26 "Commercial purposes" means to advance a person's
SB3517 - 9 - LRB103 35732 LNS 65813 b
SB3517- 10 -LRB103 35732 LNS 65813 b SB3517 - 10 - LRB103 35732 LNS 65813 b
SB3517 - 10 - LRB103 35732 LNS 65813 b
1 commercial or economic interests, such as by inducing another
2 person to buy, rent, lease, join, subscribe to, provide, or
3 exchange products, goods, property, information, or services,
4 or enabling or effecting, directly or indirectly, a commercial
5 transaction.
6 "Common branding" means a shared name, service mark, or
7 trademark that the average consumer would understand that 2 or
8 more entities are commonly owned.
9 "Consent" means any freely given, specific, informed, and
10 unambiguous indication of the consumer's wishes by which the
11 consumer, the consumer's legal guardian, or a person who has
12 power of attorney signifies agreement to the processing of
13 personal information relating to the consumer for a narrowly
14 defined particular purpose. "Consent" does not include
15 acceptance of a general or broad terms of use, or similar
16 document, that contains descriptions of personal information
17 processing along with other, unrelated information, hovering
18 over, muting, pausing, or closing a given piece of content, or
19 an agreement obtained through use of dark patterns.
20 "Consumer" means a natural person who is a State resident,
21 however identified, including by any unique identifier.
22 "Contractor" means a person to whom the business makes
23 available personal information for a business purpose, under
24 the written contract with the business, if the contract:
25 (1) prohibits the contractor from:
26 (A) selling or sharing the personal information;
SB3517 - 10 - LRB103 35732 LNS 65813 b
SB3517- 11 -LRB103 35732 LNS 65813 b SB3517 - 11 - LRB103 35732 LNS 65813 b
SB3517 - 11 - LRB103 35732 LNS 65813 b
1 (B) retaining, using, or disclosing the personal
2 information for any purpose other than for the
3 business purpose specified in the contract, including
4 retaining, using, or disclosing the personal
5 information for a commercial purpose other than the
6 business purposes specified in the contract, or as
7 otherwise permitted by this Act;
8 (C) retaining, using, or disclosing the personal
9 information outside of the direct business
10 relationship between the contractor and the business;
11 and
12 (D) combining the personal information that the
13 contractor receives under a written contract with the
14 business with personal information that it receives on
15 behalf of another person or persons, or collects from
16 its own interaction with the consumer;
17 (2) includes a certification made by the contractor
18 that the contractor understands the restrictions in
19 paragraph (1) and will comply with them; and
20 (3) permits, subject to agreement with the contractor,
21 the business to monitor the contractor's compliance with
22 the contract through measures, including, but not limited
23 to, ongoing manual reviews and automated scans and regular
24 assessments, audits, or other technical and operational
25 testing at least once every 12 months.
26 "Control" or "controlled" means ownership of, or the power
SB3517 - 11 - LRB103 35732 LNS 65813 b
SB3517- 12 -LRB103 35732 LNS 65813 b SB3517 - 12 - LRB103 35732 LNS 65813 b
SB3517 - 12 - LRB103 35732 LNS 65813 b
1 to vote, more than 50% of the outstanding shares, control in
2 any manner over the election of a majority of directors, or of
3 individuals exercising similar functions, or the power to
4 exercise a controlling influence over the management of the
5 company.
6 "Covered entity" has the meaning given to that term in
7 Section 160.103 of Title 45 of the Code of Federal
8 Regulations.
9 "Cross-context behavioral advertising" means the targeting
10 of advertising to a consumer based on the personal information
11 obtained from the consumer's activity across businesses,
12 distinctly branded websites, applications, or services, other
13 than the business, distinctly branded website, application, or
14 service with which the consumer intentionally interacts.
15 "Dark pattern" means a user interface designed or
16 manipulated with the substantial effect of subverting or
17 impairing user autonomy, decision-making, or choice.
18 "Deidentified" means information that cannot be reasonably
19 used to infer information about, or otherwise be linked to, a
20 particular consumer if the business that possesses the
21 information:
22 (1) takes reasonable measures to ensure that the
23 information cannot be associated with a consumer or
24 household;
25 (2) publicly commits to maintain and use the
26 information in deidentified form and not to attempt to
SB3517 - 12 - LRB103 35732 LNS 65813 b
SB3517- 13 -LRB103 35732 LNS 65813 b SB3517 - 13 - LRB103 35732 LNS 65813 b
SB3517 - 13 - LRB103 35732 LNS 65813 b
1 reidentify the information; and
2 (3) contractually obligates any recipients of the
3 information to comply with all provisions of this
4 definition.
5 "Designated methods for submitting requests" means a
6 mailing address, email address, Internet webpage, Internet web
7 portal, toll-free telephone number, or other applicable
8 contact information, whereby consumers may submit a request or
9 direction under this Act, and any new, consumer-friendly means
10 of contacting a business.
11 "Device" means any physical object that is capable of
12 connecting to the Internet, directly or indirectly, or to
13 another device.
14 "Director" means a natural person designated in the
15 articles of incorporation as director, or elected by the
16 incorporators and natural persons designated, elected, or
17 appointed by any other name or title to act as directors, and
18 their successors.
19 "Educational standardized assessment or educational
20 assessment" means a standardized or nonstandardized quiz,
21 test, or other assessment used to evaluate students in or for
22 entry to kindergarten and grades 1 through 12, schools,
23 postsecondary institutions, vocational programs, and
24 postgraduate programs that are accredited by an accrediting
25 agency or organization recognized by the State or the United
26 States Department of Education, as well as certification and
SB3517 - 13 - LRB103 35732 LNS 65813 b
SB3517- 14 -LRB103 35732 LNS 65813 b SB3517 - 14 - LRB103 35732 LNS 65813 b
SB3517 - 14 - LRB103 35732 LNS 65813 b
1 licensure examinations used to determine competency and
2 eligibility to receive certification or licensure from a
3 government agency or government certification body.
4 "Family" means a custodial parent or guardian and any
5 children under 18 years of age over which the parent or
6 guardian has custody.
7 "Fraudulent concealment" means the person knows of
8 material facts related to the person's duties under this Act
9 and knowingly conceals the facts in performing or omitting to
10 perform those duties for the purpose of defrauding the public
11 of information to which it is entitled under this Act.
12 "Homepage" means the introductory page of an Internet
13 website and any Internet webpage where personal information is
14 collected. "Homepage", in the case of an online service such
15 as a mobile application, means the application's platform page
16 or download page, a link within the application, such as from
17 the application configuration, "About", "Information", or
18 settings page, and any other location that allows consumers to
19 review the notices required by this Act, including, but not
20 limited to, before downloading the application.
21 "Household" means a group, however identified, of
22 consumers who cohabitate with one another at the same
23 residential address and share use of common devices or
24 services.
25 "Independent contractor" means a natural person who
26 provides any service to a business under a written contract.
SB3517 - 14 - LRB103 35732 LNS 65813 b
SB3517- 15 -LRB103 35732 LNS 65813 b SB3517 - 15 - LRB103 35732 LNS 65813 b
SB3517 - 15 - LRB103 35732 LNS 65813 b
1 "Individually identifiable" means that the medical
2 information includes or contains any element of personal
3 identifying information sufficient to allow identification of
4 the individual, such as the patient's name, address, email
5 address, telephone number, or social security number, or other
6 information that, alone or in combination with other publicly
7 available information, reveals the identity of the individual.
8 "Infer" or "inference" means the derivation of
9 information, data, assumptions, or conclusions from facts,
10 evidence, or other sources of information or data.
11 "Insurance institution" means any corporation,
12 association, partnership, reciprocal exchange, interinsurer,
13 fraternal benefit society, or other person engaged in the
14 business of insurance. "Insurance institution" does not
15 include agents, insurance-support organizations, or health
16 care service plans.
17 "Intentionally interacts" means when the consumer intends
18 to interact with a person, or disclose personal information to
19 a person, via one or more deliberate interactions, including
20 visiting the person's website or purchasing a good or service
21 from the person. "Intentionally interacts" does not include
22 hovering over, muting, pausing, or closing a given piece of
23 content.
24 "Jeopardize the validity and reliability of that
25 educational standardized assessment or educational assessment"
26 means releasing information that would provide an advantage to
SB3517 - 15 - LRB103 35732 LNS 65813 b
SB3517- 16 -LRB103 35732 LNS 65813 b SB3517 - 16 - LRB103 35732 LNS 65813 b
SB3517 - 16 - LRB103 35732 LNS 65813 b
1 the consumer who has submitted a verifiable consumer request
2 or to another natural person.
3 "Local educational agency" includes school districts,
4 county offices of education, and charter schools.
5 "Management employee" means a natural person whose name
6 and contact information is reported to or collected by a
7 commercial credit reporting agency as the primary manager of a
8 business and used solely within the context of the natural
9 person's role as the primary manager of the business.
10 "Medical information" means any individually identifiable
11 information, in electronic or physical form, in possession of
12 or derived from a provider of health care, health care service
13 plan, pharmaceutical company, or contractor regarding a
14 patient's medical history, mental health application
15 information, mental or physical condition, or treatment.
16 "Medical staff member" means a licensed physician and
17 surgeon, dentist, or podiatric physician, licensed under the
18 Medical Practice Act of 1987, the Illinois Dental Practice
19 Act, or the Podiatric Medical Practice Act of 1987 and a
20 clinical psychologist as defined in the Clinical Psychologist
21 Licensing Act.
22 "New motor vehicle dealer" is a dealer who either acquires
23 for resale new and unregistered motor vehicles from
24 manufacturers or distributors of those motor vehicles or
25 acquires for resale new off-highway motorcycles or all-terrain
26 vehicles from manufacturers or distributors of the vehicles.
SB3517 - 16 - LRB103 35732 LNS 65813 b
SB3517- 17 -LRB103 35732 LNS 65813 b SB3517 - 17 - LRB103 35732 LNS 65813 b
SB3517 - 17 - LRB103 35732 LNS 65813 b
1 "Nonpersonalized advertising" means advertising and
2 marketing that is based solely on personal information derived
3 from the consumer's current interaction with the business with
4 the exception of the consumer's precise geolocation.
5 "Officer" means a natural person elected or appointed by
6 the board of directors to manage the daily operations of a
7 corporation, including a chief executive officer, president,
8 secretary, or treasurer.
9 "Owner" means a natural person who:
10 (1) has ownership of, or the power to vote, more than
11 50% of the outstanding shares of any class of voting
12 security of a business;
13 (2) has control in any manner over the election of a
14 majority of the directors or of individuals exercising
15 similar functions; or
16 (3) has the power to exercise a controlling influence
17 over the management of a company.
18 "Ownership information" means the name or names of and
19 contact information for the registered owner or owners.
20 "Person" means an individual, proprietorship, firm,
21 partnership, joint venture, syndicate, business, trust,
22 company, corporation, limited liability company, association,
23 committee, and any other organization or group of persons
24 acting in concert.
25 "Personal information" means information that identifies,
26 relates to, describes, is reasonably capable of being
SB3517 - 17 - LRB103 35732 LNS 65813 b
SB3517- 18 -LRB103 35732 LNS 65813 b SB3517 - 18 - LRB103 35732 LNS 65813 b
SB3517 - 18 - LRB103 35732 LNS 65813 b
1 associated with, or could reasonably be linked, directly or
2 indirectly, with a particular consumer or household. "Personal
3 information" includes, but is not limited to, the following if
4 it identifies, relates to, describes, is reasonably capable of
5 being associated with, or could be reasonably linked, directly
6 or indirectly, with a particular consumer or household:
7 (1) identifiers such as a real name, alias, postal
8 address, unique personal identifier, online identifier,
9 Internet Protocol address, email address, account name,
10 social security number, driver's license number, passport
11 number, or other similar identifiers;
12 (2) any information, including, but not limited to,
13 signature, physical characteristics or description,
14 address, telephone number, state identification card
15 number, insurance policy number, education, bank account
16 number, credit card number, debit card number, or any
17 other financial information, medical information, or
18 health insurance information, but does not include
19 publicly available information that is lawfully made
20 available to the general public from federal, State, or
21 local government records;
22 (3) characteristics of protected classifications under
23 State or federal law;
24 (4) commercial information, including records of
25 personal property, products or services purchased,
26 obtained, or considered, or other purchasing or consuming
SB3517 - 18 - LRB103 35732 LNS 65813 b
SB3517- 19 -LRB103 35732 LNS 65813 b SB3517 - 19 - LRB103 35732 LNS 65813 b
SB3517 - 19 - LRB103 35732 LNS 65813 b
1 histories or tendencies;
2 (5) biometric information;
3 (6) Internet or other electronic network activity
4 information, including, but not limited to, browsing
5 history, search history, and information regarding a
6 consumer's interaction with an Internet website,
7 application, or advertisement;
8 (7) geolocation data;
9 (8) audio, electronic, visual, thermal, olfactory, or
10 similar information;
11 (9) professional or employment-related information;
12 (10) education information that is not publicly
13 available, personally identifiable information as defined
14 in the federal Family Educational Rights and Privacy Act;
15 (11) inferences drawn from any of the information
16 identified in this definition to create a profile about a
17 consumer to reflect the consumer's preferences,
18 characteristics, psychological trends, predispositions,
19 behavior, attitudes, intelligence, abilities, and
20 aptitudes; or
21 (12) sensitive personal information.
22 "Personal information" does not include publicly available
23 information or lawfully obtained, truthful information that is
24 a matter of public concern, consumer information that is
25 deidentified, or aggregate consumer information.
26 "Precise geolocation" means any data that is derived from
SB3517 - 19 - LRB103 35732 LNS 65813 b
SB3517- 20 -LRB103 35732 LNS 65813 b SB3517 - 20 - LRB103 35732 LNS 65813 b
SB3517 - 20 - LRB103 35732 LNS 65813 b
1 a device and that is used or intended to be used to locate a
2 consumer within a geographic area that is equal to or less than
3 the area of a circle with a radius of 1,850 feet, except as
4 prescribed by rules.
5 "Processing" means any operation or set of operations that
6 are performed on personal information or on sets of personal
7 information, whether by automated means.
8 "Profiling" means any form of automated processing of
9 personal information to evaluate certain personal aspects
10 relating to a natural person and in particular to analyze or
11 predict aspects concerning that natural person's performance
12 at work, economic situation, health, personal preferences,
13 interests, reliability, behavior, location, or movements.
14 "Protected health information" has the meaning given to
15 that term in Section 160.103 of Title 45 of the Code of Federal
16 Regulations.
17 "Provider of health care" means a person licensed or
18 certified under the Medical Practice Act of 1987, the Nurse
19 Practice Act, the Illinois Dental Practice Act, the Podiatric
20 Medical Practice Act of 1987, the Illinois Speech-Language
21 Pathology and Audiology Practice Act, the Illinois
22 Occupational Therapy Practice Act, the Dietitian Nutritionist
23 Practice Act, the Perfusionist Practice Act, the Illinois
24 Physical Therapy Act, the Licensed Certified Professional
25 Midwife Practice Act, the Clinical Psychologist Licensing Act,
26 the Illinois Optometric Practice Act of 1987, the Physician
SB3517 - 20 - LRB103 35732 LNS 65813 b
SB3517- 21 -LRB103 35732 LNS 65813 b SB3517 - 21 - LRB103 35732 LNS 65813 b
SB3517 - 21 - LRB103 35732 LNS 65813 b
1 Assistant Practice Act of 1987, the Respiratory Care Practice
2 Act, the Pharmacy Practice Act, the Massage Licensing Act, the
3 Music Therapy Licensing and Practice Act, the Veterinary
4 Medicine and Surgery Practice Act of 2004, the Acupuncture
5 Practice Act, the Marriage and Family Therapy Licensing Act,
6 the Behavior Analyst Licensing Act, the Clinical Social Work
7 and Social Work Practice Act, and the Professional Counselor
8 and Clinical Professional Counselor Licensing and Practice Act
9 or a clinic, health dispensary, or health facility licensed
10 under the Community Living Facilities Licensing Act, the Home
11 Health, Home Services, and Home Nursing Agency Licensing Act,
12 the Hospice Program Licensing Act, and the Hospital Licensing
13 Act. "Provider of health care" does not include insurance
14 institutions.
15 "Pseudonymize" or "pseudonymization" means the processing
16 of personal information in a manner that renders the personal
17 information no longer attributable to a specific consumer
18 without the use of additional information, as long as the
19 additional information is kept separately and is subject to
20 technical and organizational measures to ensure that the
21 personal information is not attributed to an identified or
22 identifiable consumer.
23 "Publicly available" means information that is lawfully
24 made available from federal, State, or local government
25 records, information that a business has a reasonable basis to
26 believe is lawfully made available to the general public by
SB3517 - 21 - LRB103 35732 LNS 65813 b
SB3517- 22 -LRB103 35732 LNS 65813 b SB3517 - 22 - LRB103 35732 LNS 65813 b
SB3517 - 22 - LRB103 35732 LNS 65813 b
1 the consumer or from widely distributed media or information
2 made available by a person to whom the consumer has disclosed
3 the information if the consumer has not restricted the
4 information to a specific audience. "Publicly available" does
5 not include biometric information collected by a business
6 about a consumer without the consumer's knowledge.
7 "Research" means scientific analysis, systematic study,
8 and observation, including basic research or applied research
9 that is designed to develop or contribute to public or
10 scientific knowledge and that adheres or otherwise conforms to
11 all other applicable ethics and privacy laws, including, but
12 not limited to, studies conducted in the public interest in
13 the area of public health.
14 "Security and integrity" means the ability of:
15 (1) networks or information systems to detect security
16 incidents that compromise the availability, authenticity,
17 integrity, and confidentiality of stored or transmitted
18 personal information;
19 (2) businesses to detect security incidents, resist
20 malicious, deceptive, fraudulent, or illegal actions and
21 to help prosecute those responsible for those actions; and
22 (3) businesses to ensure the physical safety of
23 natural persons.
24 "Sell", "selling", "sale", or "sold" means selling,
25 renting, releasing, disclosing, disseminating, making
26 available, transferring, or otherwise communicating orally, in
SB3517 - 22 - LRB103 35732 LNS 65813 b
SB3517- 23 -LRB103 35732 LNS 65813 b SB3517 - 23 - LRB103 35732 LNS 65813 b
SB3517 - 23 - LRB103 35732 LNS 65813 b
1 writing, or by electronic or other means personal information
2 by the business to a third party for monetary or other valuable
3 consideration.
4 "Sensitive personal information" means:
5 (1) personal information that reveals:
6 (A) a consumer's social security, driver's
7 license, state identification card, or passport
8 number;
9 (B) a consumer's account log-in, financial
10 account, debit card, or credit card number in
11 combination with any required security or access code,
12 password, or credentials allowing access to an
13 account;
14 (C) a consumer's precise geolocation;
15 (D) a consumer's racial or ethnic origin,
16 religious or philosophical beliefs, or union
17 membership;
18 (E) the contents of a consumer's mail, email, or
19 text messages unless the business is the intended
20 recipient of the communication; or
21 (F) a consumer's genetic data;
22 (2) the processing of biometric information for the
23 purpose of uniquely identifying a consumer;
24 (3) personal information collected and analyzed
25 concerning a consumer's health; or
26 (4) personal information collected and analyzed
SB3517 - 23 - LRB103 35732 LNS 65813 b
SB3517- 24 -LRB103 35732 LNS 65813 b SB3517 - 24 - LRB103 35732 LNS 65813 b
SB3517 - 24 - LRB103 35732 LNS 65813 b
1 concerning a consumer's sex life or sexual orientation.
2 "Sensitive personal information" does not include sensitive
3 personal information that is publicly available.
4 "Service" or "services" means work, labor, and services,
5 including services furnished in connection with the sale or
6 repair of goods.
7 "Service provider" means a person that processes personal
8 information on behalf of a business and that receives from or
9 on behalf of the business personal information for a business
10 purpose under a written contract, as long as the contract
11 prohibits the person from:
12 (1) selling or sharing the personal information;
13 (2) retaining, using, or disclosing the personal
14 information for any purpose other than for the specific
15 business purposes specified in the contract for the
16 business, including retaining, using, or disclosing the
17 personal information for a commercial purpose other than
18 the business purposes specified in the contract with the
19 business, or as otherwise permitted by this Act;
20 (3) retaining, using, or disclosing the personal
21 information outside of the direct business relationship
22 between the service provider and the business; or
23 (4) combining the personal information that the
24 service provider receives from, or on behalf of, the
25 business with personal information that it receives from,
26 or on behalf of, another person or persons, or collects
SB3517 - 24 - LRB103 35732 LNS 65813 b
SB3517- 25 -LRB103 35732 LNS 65813 b SB3517 - 25 - LRB103 35732 LNS 65813 b
SB3517 - 25 - LRB103 35732 LNS 65813 b
1 from its own interaction with the consumer.
2 "Share", "shared", or "sharing" means sharing, renting,
3 releasing, disclosing, disseminating, making available,
4 transferring, or otherwise communicating orally, in writing,
5 or by electronic or other means personal information by the
6 business to a third party for cross-context behavioral
7 advertising, whether for monetary or other valuable
8 consideration, including transactions between a business and a
9 third party for cross-context behavioral advertising for the
10 benefit of a business in which no money is exchanged.
11 "Third party" means a person who is not:
12 (1) the business with whom the consumer intentionally
13 interacts and that collects personal information from the
14 consumer as part of the consumer's current interaction
15 with the business under this Act;
16 (2) a service provider to the business; or
17 (3) a contractor.
18 "Unique identifier" or "unique personal identifier" means
19 a persistent identifier that can be used to recognize a
20 consumer, family, or device that is linked to a consumer or
21 family, over time and across different services, including,
22 but not limited to, a device identifier, Internet Protocol
23 address, cookies, beacons, pixel tags, mobile ad identifiers,
24 or similar technology, customer number, unique pseudonym, or
25 user alias, telephone numbers, or other forms of persistent or
26 probabilistic identifiers that can be used to identify a
SB3517 - 25 - LRB103 35732 LNS 65813 b
SB3517- 26 -LRB103 35732 LNS 65813 b SB3517 - 26 - LRB103 35732 LNS 65813 b
SB3517 - 26 - LRB103 35732 LNS 65813 b
1 particular consumer or device that is linked to a consumer or
2 family.
3 "Vehicle information" means the vehicle information
4 number, make, model, year, and odometer reading.
5 "Vehicle manufacturer" means any person who produces from
6 raw materials or new basic components a vehicle of a type
7 subject to registration, off-highway motorcycles or
8 all-terrain vehicles subject to identification, or trailers
9 subject to identification, or who permanently alters, for
10 purposes of retail sales, new commercial vehicles by
11 converting the vehicles into house cars.
12 "Verifiable consumer request" means a request that is made
13 by a consumer, by a consumer on behalf of the consumer's minor
14 child, by a natural person or a person registered with the
15 Secretary of State authorized by the consumer to act on the
16 consumer's behalf, or by a person who has power of attorney,
17 and that the business can reasonably verify, using
18 commercially reasonable methods to be the consumer about whom
19 the business has collected personal information.
20 Section 5-15. Miscellaneous provisions.
21 (a) The joint venture or partnership and each business
22 that composes the joint venture or partnership shall
23 separately be considered a single business, except that
24 personal information in the possession of each business and
25 disclosed to the joint venture or partnership shall not be
SB3517 - 26 - LRB103 35732 LNS 65813 b
SB3517- 27 -LRB103 35732 LNS 65813 b SB3517 - 27 - LRB103 35732 LNS 65813 b
SB3517 - 27 - LRB103 35732 LNS 65813 b
1 shared with the other business.
2 (b) A contractor may combine personal information to
3 perform any business purpose, except as provided for in
4 paragraph (6) of the definition of business purposes and in
5 rules adopted by the Agency.
6 (c) If a contractor engages any other person to assist it
7 in processing personal information for a business purpose on
8 behalf of that business, or if any other person engaged by the
9 contractor engages another person to assist in processing
10 personal information for that business purposes, it shall
11 notify the business of that engagement, and the engagement
12 shall be under a written contract binding the other person to
13 observe all of the requirements set forth in the definition of
14 contractor.
15 (d) A business may attempt to reidentify the deindentified
16 personal information solely for the purpose of determining
17 whether its deidentification processes satisfies the
18 requirements of the definition of deidentified.
19 (e) Research with personal information that may have been
20 collected from a consumer in the course of consumer's
21 interactions with a business's service or device for other
22 purposes shall be:
23 (1) compatible with the business purpose for which the
24 personal information was collected;
25 (2) subsequently pseudonymized and deidentified, or
26 deidentified and in the aggregate, such that the
SB3517 - 27 - LRB103 35732 LNS 65813 b
SB3517- 28 -LRB103 35732 LNS 65813 b SB3517 - 28 - LRB103 35732 LNS 65813 b
SB3517 - 28 - LRB103 35732 LNS 65813 b
1 information cannot reasonably identify, relate to,
2 describe, be capable of being associated with, or be
3 linked, directly or indirectly, to a particular consumer,
4 by a business;
5 (3) made subject to technical safeguards that prohibit
6 reidentification of the consumer to whom the information
7 may pertain, other than as needed to support the research;
8 (4) subject to business processes that specifically
9 prohibit reidentification of the information, other than
10 as needed to support the research;
11 (5) made subject to business processes to prevent
12 inadvertent release of deidentified information;
13 (6) protected from any reidentification attempts;
14 (7) used solely for research purposes that are
15 compatible with the context in which the personal
16 information was collected; and
17 (8) subjected by the business conducting the research
18 to additional security controls that limit access to the
19 research data to only those individuals as are necessary
20 to carry out the research purpose.
21 (f) A business that does not sell or share personal
22 information when:
23 (1) a consumer uses or directs the business to
24 intentionally:
25 (A) disclose personal information; or
26 (B) interact with one or more third parties;
SB3517 - 28 - LRB103 35732 LNS 65813 b
SB3517- 29 -LRB103 35732 LNS 65813 b SB3517 - 29 - LRB103 35732 LNS 65813 b
SB3517 - 29 - LRB103 35732 LNS 65813 b
1 (2) the business uses or shares an identifier for a
2 consumer who has opted-out of the sale of personal
3 information or limited the use of sensitive personal
4 information for the purposes of altering persons that the
5 consumer has opted-out of the sale of personal information
6 or limited the use of sensitive personal information; or
7 (3) the business transfers to a third party the
8 personal information as an asset that is part of a merger,
9 acquisition, bankruptcy, or other transaction in which the
10 third party assumes control of all or part of the
11 business, as long as that personal information is used or
12 shared consistently with this Act. If a third party
13 materially alters how it uses or shares the personal
14 information in a manner that is materially inconsistent
15 with the promises made at the time of collection, it shall
16 provide prior notice of the new or changed practice to the
17 consumer. The notice shall be sufficiently prominent and
18 robust to ensure that existing consumers can easily
19 exercise their choices consistently with this Act. This
20 paragraph does not authorize a business to make material,
21 retroactive privacy policy changes or make other changes
22 in their privacy policy in a manner that would violate the
23 Consumer Fraud and Deceptive Business Practices Act.
24 (g) A service provider may combine personal information to
25 perform any business purpose, except as provided for in
26 paragraph (6) of the definition of business purpose in Section
SB3517 - 29 - LRB103 35732 LNS 65813 b
SB3517- 30 -LRB103 35732 LNS 65813 b SB3517 - 30 - LRB103 35732 LNS 65813 b
SB3517 - 30 - LRB103 35732 LNS 65813 b
1 5-10 and in rules adopted by the Agency. The contract may,
2 subject to agreement with the service provider, permit the
3 business to monitor the service provider's compliance with the
4 contract through measures, including, but not limited to,
5 ongoing manual reviews and automated scans and regular
6 assessments, audits, or other technical and operational
7 testing at least once every 12 months.
8 (h) If a service provider engages any other person to
9 assist it in processing personal information for a business
10 purpose on behalf of the business, or if any other person
11 engaged by the service provider engages another person to
12 assist in processing personal information for that business
13 purpose, it shall notify the business of that engagement, and
14 the engagement shall be under a written contract binding the
15 other person to observe all the requirements set forth in the
16 definition of service provider.
17 (i) A business is not obligated to provide information to
18 the consumer under Sections 10-20 and 10-25 to delete personal
19 information or to correct inaccurate personal information, if
20 the business cannot verify that the consumer making the
21 request is the consumer about whom the business has collected
22 information or is a person authorized by the consumer to act on
23 such consumer's behalf.
24 Article 10. Personal Information
SB3517 - 30 - LRB103 35732 LNS 65813 b
SB3517- 31 -LRB103 35732 LNS 65813 b SB3517 - 31 - LRB103 35732 LNS 65813 b
SB3517 - 31 - LRB103 35732 LNS 65813 b
1 Section 10-5. General duties of businesses that collect
2 personal information.
3 (a) A business that controls the collection of personal
4 information shall, at or before the point of collection,
5 inform consumers of:
6 (1) the categories of personal information to be
7 collected and the purposes for which the categories of
8 personal information are collected or used and whether
9 that information is sold or shared. A business shall not
10 collect additional categories of personal information or
11 use personal information collected for additional purposes
12 that are incompatible with the disclosed purpose for which
13 the personal information was collected without providing
14 the consumer with notice consistent with this Section
15 (2) if the business collects sensitive personal
16 information, the categories of sensitive personal
17 information to be collected and the purposes for which the
18 categories of sensitive personal information to be
19 collected. A business shall not collect additional
20 categories of sensitive personal information or use
21 sensitive personal information collected for additional
22 purposes that are incompatible with the disclosed purpose
23 for which the sensitive personal information was collected
24 without providing the consumer with notice consistent with
25 this Section; and
26 (3) the length of time the business intends to retain
SB3517 - 31 - LRB103 35732 LNS 65813 b
SB3517- 32 -LRB103 35732 LNS 65813 b SB3517 - 32 - LRB103 35732 LNS 65813 b
SB3517 - 32 - LRB103 35732 LNS 65813 b
1 each category of personal information, including sensitive
2 personal information, or, if that is not possible, the
3 criteria used to determine that period provided that a
4 business shall not retain personal information or
5 sensitive personal information for each disclosed purpose
6 for which the personal information was collected for
7 longer than is reasonably necessary for that disclosed
8 purpose.
9 (b) A business that, acting as a third party, controls the
10 collection of personal information may satisfy its obligation
11 under subsection (a) by providing the required information
12 prominently and conspicuously on the homepage of its Internet
13 website. If a business acting as a third party controls the
14 collection of personal information on its premises, including
15 in a vehicle, then the business shall, at or before the point
16 of collection, inform consumers as to the categories of
17 personal information to be collected and the purposes for
18 which the categories of personal information are used, and
19 whether that personal information is sold, in a clear and
20 conspicuous manner at the location.
21 (c) Collection, use, retention, and sharing of personal
22 information by a business shall be reasonably necessary and
23 proportionate to achieve the purposes for which the personal
24 information was collected or processed, or for another
25 disclosed purpose that is compatible with the context in which
26 the personal information was collected, and not further
SB3517 - 32 - LRB103 35732 LNS 65813 b
SB3517- 33 -LRB103 35732 LNS 65813 b SB3517 - 33 - LRB103 35732 LNS 65813 b
SB3517 - 33 - LRB103 35732 LNS 65813 b
1 processed in a manner that is incompatible with those
2 purposes.
3 (d) A business that collects personal information and that
4 sells that personal information to, or shares it with, a third
5 party or that discloses it to a service provider or contractor
6 for a business purpose shall enter into an agreement with the
7 third party, service provider, or contractor that:
8 (1) specifies that the personal information is sold or
9 disclosed by the business only for limited and specified
10 purposes;
11 (2) obligates the third party, service provider, or
12 contractor to comply with applicable obligations under
13 this Act and obligate those persons to provide the same
14 level of privacy protection as is required under this Act;
15 (3) grants the business rights to take reasonable and
16 appropriate steps to help ensure that the third party,
17 service provider, or contractor uses the personal
18 information transferred in a manner consistent with the
19 obligations of the business under this Act;
20 (4) requires the third party, service provider, or
21 contractor to notify the business if it makes a
22 determination that it can no longer meet its obligations
23 under this Act; and
24 (5) grants the business the right, upon notice, to
25 take reasonable and appropriate steps to stop and
26 remediate unauthorized use of personal information.
SB3517 - 33 - LRB103 35732 LNS 65813 b
SB3517- 34 -LRB103 35732 LNS 65813 b SB3517 - 34 - LRB103 35732 LNS 65813 b
SB3517 - 34 - LRB103 35732 LNS 65813 b
1 (e) A business that collects personal information shall
2 implement reasonable security procedures and practices
3 appropriate to the nature of the personal information to
4 protect the personal information from unauthorized or illegal
5 access, destruction, use, modification, or disclosure.
6 (f) Nothing in this Section shall require a business to
7 disclose trade secrets.
8 Section 10-10. Right to delete personal information.
9 (a) A consumer shall have the right to request that a
10 business delete any personal information about the consumer
11 which the business has collected from the consumer.
12 (b) A business that collects personal information shall
13 disclose the consumer's rights to request the deletion of the
14 personal information.
15 (c) A business that receives a verifiable consumer request
16 from a consumer to delete the personal information under
17 subsection (a) shall delete the personal information from its
18 records, notify any service providers or contractors to delete
19 the personal information from their records, and notify all
20 third parties to whom the business has sold or shared the
21 personal information to delete the personal information unless
22 this proves impossible or involves disproportionate effort.
23 The business may maintain a confidential record of
24 deletion requests solely for the purpose of preventing the
25 personal information of a consumer who has submitted a
SB3517 - 34 - LRB103 35732 LNS 65813 b
SB3517- 35 -LRB103 35732 LNS 65813 b SB3517 - 35 - LRB103 35732 LNS 65813 b
SB3517 - 35 - LRB103 35732 LNS 65813 b
1 deletion request from being sold, for compliance with laws or
2 for other purposes, solely to the extent permissible under
3 this Act.
4 A service provider or contractor shall cooperate with the
5 business in responding to a verifiable consumer request, and,
6 at the direction of the business, shall delete, or enable the
7 business to delete, and notify any of its own service
8 providers or contractors to delete the personal information
9 collected, used, processed, or retained by the service
10 provider or contractor. The service provider or contractor
11 shall notify any service providers, contractors, or third
12 parties who may have accessed personal information from or
13 through the service provider or contractor, unless the
14 information was accessed at the direction of the business, to
15 delete the personal information unless this proves impossible
16 or involves disproportionate effort. A service provider or
17 contractor shall not be required to comply with a deletion
18 request submitted by the consumer directly to the service
19 provider or contractor to the extent that the service provider
20 or contractor has collected, used, processed, or retained the
21 personal information in its role as a service provider or
22 contractor to the business.
23 (d) A business, or a service provider or contractor acting
24 under its contract with the business, shall not be required to
25 comply with a consumer's request to delete personal
26 information if it is reasonably necessary for the business,
SB3517 - 35 - LRB103 35732 LNS 65813 b
SB3517- 36 -LRB103 35732 LNS 65813 b SB3517 - 36 - LRB103 35732 LNS 65813 b
SB3517 - 36 - LRB103 35732 LNS 65813 b
1 service provider, or contractor to maintain the personal
2 information in order to:
3 (1) complete the transaction for which the personal
4 information was collected, fulfill the terms of a written
5 warranty or product recall conducted in accordance with
6 federal law, provide a good or service requested by the
7 consumer, or reasonably anticipate an ongoing business
8 relationship with the consumer, or otherwise perform a
9 contract between the business and the consumer;
10 (2) help to ensure security and integrity to the
11 extent the use of the personal information is reasonably
12 necessary and proportionate for those purposes;
13 (3) debug to identify and repair errors that impair
14 existing intended functionality;
15 (4) exercise free speech, ensure the right of another
16 consumer to exercise that consumer's right of free speech,
17 or exercise another right provided for by law;
18 (5) comply with the Protecting Household Privacy Act;
19 (6) engage in public or peer-reviewed scientific,
20 historical, or statistical research that conforms or
21 adheres to all other applicable ethics and privacy laws,
22 when the deletion of the information is likely to render
23 impossible or seriously impair the ability to complete
24 such research, if the consumer has provided informed
25 consent;
26 (7) to enable solely internal uses that are reasonably
SB3517 - 36 - LRB103 35732 LNS 65813 b
SB3517- 37 -LRB103 35732 LNS 65813 b SB3517 - 37 - LRB103 35732 LNS 65813 b
SB3517 - 37 - LRB103 35732 LNS 65813 b
1 aligned with the expectations of the consumer based on the
2 consumer's relationship with the business and compatible
3 with the context in which the consumer provided the
4 information; or
5 (8) comply with a legal obligation.
6 Section 10-15. Right to correct inaccurate personal
7 information.
8 (a) A consumer shall have the right to request a business
9 that maintains inaccurate personal information about the
10 consumer to correct that inaccurate personal information,
11 taking into account the nature of the personal information and
12 the purposes of the processing of the personal information.
13 (b) A business that collects personal information shall
14 disclose the consumer's right to request correction of
15 inaccurate personal information.
16 (c) A business that receives a verifiable consumer request
17 to correct inaccurate personal information shall use
18 commercially reasonable efforts to correct the inaccurate
19 personal information as directed by the consumer.
20 Section 10-20. Right to know what personal information is
21 being collected; right to access personal information.
22 (a) A consumer shall have the right to request that a
23 business that collects personal information about the consumer
24 disclose to the consumer:
SB3517 - 37 - LRB103 35732 LNS 65813 b
SB3517- 38 -LRB103 35732 LNS 65813 b SB3517 - 38 - LRB103 35732 LNS 65813 b
SB3517 - 38 - LRB103 35732 LNS 65813 b
1 (1) the categories of personal information it has
2 collected about the consumer;
3 (2) the categories of sources from which the personal
4 information is collected;
5 (3) the business or commercial purpose for collecting,
6 selling, or sharing personal information;
7 (4) the categories of third parties to whom the
8 business discloses personal information; and
9 (5) the specific pieces of personal information it has
10 collected about that consumer.
11 (b) A business that collects personal information shall
12 disclose to the consumer the information specified in
13 subsection (a) upon receipt of a verifiable consumer request
14 from the consumer.
15 (c) A business that collects personal information shall
16 disclose that a consumer has the right to request the specific
17 pieces of information the business has collected about that
18 consumer.
19 Section 10-25. Right to know what personal information is
20 sold or shared and to whom.
21 (a) A consumer shall have the right to request that a
22 business that sells or shares personal information, or that
23 discloses personal information for a business purpose,
24 disclose to that consumer:
25 (1) the categories of personal information that the
SB3517 - 38 - LRB103 35732 LNS 65813 b
SB3517- 39 -LRB103 35732 LNS 65813 b SB3517 - 39 - LRB103 35732 LNS 65813 b
SB3517 - 39 - LRB103 35732 LNS 65813 b
1 business collected about the consumer;
2 (2) the categories of personal information that the
3 business sold or shared about the consumer and the
4 categories of third parties to whom the personal
5 information was sold or shared, by category or categories
6 of personal information for each category of third parties
7 to whom the personal information was sold or shared; and
8 (3) the categories of personal information that the
9 business disclosed about the consumer for a business
10 purpose and the categories of persons to whom it was
11 disclosed for a business purpose.
12 (b) A business that sells or shares personal information,
13 or that discloses personal information for a business purpose,
14 shall disclose the personal information specified in
15 subsection (a) to the consumer upon receipt of a verifiable
16 consumer request from the consumer.
17 (c) A business that sells or shares personal information,
18 or that discloses personal information for a business purpose,
19 shall disclose:
20 (1) the category or categories of personal information
21 it has sold or shared, or if the business has not sold or
22 shared personal information, it shall disclose that fact;
23 and
24 (2) the category or categories of personal information
25 it has disclosed for a business purpose, or if the
26 business has not disclosed personal information for a
SB3517 - 39 - LRB103 35732 LNS 65813 b
SB3517- 40 -LRB103 35732 LNS 65813 b SB3517 - 40 - LRB103 35732 LNS 65813 b
SB3517 - 40 - LRB103 35732 LNS 65813 b
1 business purpose, it shall disclose that fact.
2 (d) A third party shall not sell or share personal
3 information that has been sold to, or shared with, the third
4 party by a business unless the consumer has received explicit
5 notice and is provided an opportunity to exercise the right to
6 opt out.
7 Section 10-30. Right to opt out of sale or sharing of
8 personal information.
9 (a) A consumer shall have the right, at any time, to direct
10 a business that sells or shares personal information to third
11 parties not to sell or share the personal information. This
12 right may be referred to as the right to opt out of sale or
13 sharing.
14 (b) A business that sells personal information to, or
15 shares it with, third parties shall provide notice to
16 consumers that this information may be sold or shared and that
17 consumers have the right to opt out of the sale or sharing of
18 their personal information.
19 (c) Notwithstanding subsection (a), a business shall not
20 sell or share the personal information of consumers if the
21 business has actual knowledge that the consumer is less than
22 16 years of age, unless the consumer, in the case of consumers
23 at least 13 years of age and less than 16 years of age, or the
24 consumer's parent or guardian in the case of consumers who are
25 less than 13 years of age, has affirmatively authorized the
SB3517 - 40 - LRB103 35732 LNS 65813 b
SB3517- 41 -LRB103 35732 LNS 65813 b SB3517 - 41 - LRB103 35732 LNS 65813 b
SB3517 - 41 - LRB103 35732 LNS 65813 b
1 sale or sharing of the personal information. A business that
2 willfully disregards the consumer's age shall be deemed to
3 have had actual knowledge of the consumer's age.
4 (d) A business that has received direction from a consumer
5 not to sell or share personal information or, in the case of a
6 minor consumer's personal information has not received consent
7 to sell or share the minor consumer's personal information,
8 shall be prohibited from selling or sharing the personal
9 information after its receipt of the consumer's direction,
10 unless the consumer subsequently provides consent, for the
11 sale or sharing of the personal information.
12 Section 10-35. Right to limit use and disclosure of
13 sensitive personal information.
14 (a) A consumer shall have the right, at any time, to direct
15 a business that collects sensitive personal information to
16 limit its use of the sensitive personal information to that
17 use which is necessary to perform the services or provide the
18 goods reasonably expected by an average consumer who requests
19 those goods or services, to perform the services set forth in
20 paragraphs (2), (4), (5), and (8) in the definition of
21 business purpose in Section 5-10, and as authorized by rule. A
22 business that uses or discloses sensitive personal information
23 for purposes other than those specified in this subsection
24 shall provide notice to consumers that this information may be
25 used, or disclosed to a service provider or contractor, for
SB3517 - 41 - LRB103 35732 LNS 65813 b
SB3517- 42 -LRB103 35732 LNS 65813 b SB3517 - 42 - LRB103 35732 LNS 65813 b
SB3517 - 42 - LRB103 35732 LNS 65813 b
1 additional, specified purposes and that consumers have the
2 right to limit the use or disclosure of their sensitive
3 personal information.
4 (b) A business that has received direction from a consumer
5 not to use or disclose the sensitive personal information,
6 except as authorized under subsection (a), shall be prohibited
7 from using or disclosing the sensitive personal information
8 for any other purpose after its receipt of the consumer's
9 direction unless the consumer subsequently provides consent
10 for the use or disclosure of the sensitive personal
11 information for additional purposes.
12 (c) A service provider or contractor that assists a
13 business in performing the purposes authorized by subsection
14 (a) may not use the sensitive personal information after it
15 has received instructions from the business and to the extent
16 it has actual knowledge that the sensitive personal
17 information is sensitive personal information for any other
18 purpose. A service provider or contractor is only required to
19 limit its use of sensitive personal information received under
20 a written contract with the business in response to
21 instructions from the business and only with respect to its
22 relationship with that business.
23 (d) Sensitive personal information that is collected or
24 processed without the purpose of inferring characteristics
25 about a consumer is not subject to this Section, as further
26 defined by rule, and shall be treated as personal information.
SB3517 - 42 - LRB103 35732 LNS 65813 b
SB3517- 43 -LRB103 35732 LNS 65813 b SB3517 - 43 - LRB103 35732 LNS 65813 b
SB3517 - 43 - LRB103 35732 LNS 65813 b
1 Section 10-40. Right of no retaliation following opt-out
2 or exercise of other rights.
3 (a) A business shall not discriminate against a consumer
4 because the consumer exercised any of the consumer's rights
5 under this Act, including, but not limited to:
6 (1) denying goods or services to the consumer;
7 (2) charging different prices or rates for goods or
8 services, including through the use of discounts or other
9 benefits or imposing penalties;
10 (3) providing a different level or quality of goods or
11 services to the consumer; or
12 (4) suggesting that the consumer will receive a
13 different price or rate for goods or services or a
14 different level or quality of goods or services.
15 A business shall not retaliate against an employee
16 applicant for employment, or independent contractor for
17 exercising their rights under this Act.
18 Nothing in this subsection prohibits a business from
19 charging a consumer a different price or rate, or from
20 providing a different level or quality of goods or services,
21 to the consumer if that difference is reasonably related to
22 the value provided to the business by the consumer's data.
23 This subsection does not prohibit a business from offering
24 loyalty, rewards, premium features, discounts, or club card
25 programs consistent with this Act.
SB3517 - 43 - LRB103 35732 LNS 65813 b
SB3517- 44 -LRB103 35732 LNS 65813 b SB3517 - 44 - LRB103 35732 LNS 65813 b
SB3517 - 44 - LRB103 35732 LNS 65813 b
1 (b) A business may offer financial incentives, including
2 payments to consumers as compensation, for the collection of
3 personal information, or the retention of personal
4 information. A business may also offer a different price,
5 rate, level, or quality of goods or services to the consumer if
6 that price or difference is reasonably related to the value
7 provided to the business by the consumer's data.
8 A business that offers any financial incentives under this
9 subsection shall notify consumers of the financial incentives
10 under Section 10-45.
11 A business may enter a consumer into a financial incentive
12 program only if the consumer gives the business prior opt-in
13 consent based on clearly described material terms of the
14 financial incentive program, which may be revoked by the
15 consumer at any time. If a consumer refuses to provide opt-in
16 consent, then the business shall wait for at least 12 months
17 before next requesting that the consumer provide opt-in
18 consent, or as prescribed by rules.
19 A business shall not use financial incentive practices
20 that are unjust, unreasonable, coercive, or usurious in
21 nature.
22 Section 10-45. Notice, disclosure, correction, and
23 deletion requirements.
24 (a) In order to comply with Sections 10-5, 10-10, 10-15,
25 10-20, 10-25, and 10-45, a business shall, in a form that is
SB3517 - 44 - LRB103 35732 LNS 65813 b
SB3517- 45 -LRB103 35732 LNS 65813 b SB3517 - 45 - LRB103 35732 LNS 65813 b
SB3517 - 45 - LRB103 35732 LNS 65813 b
1 reasonably accessible to consumers:
2 (1) (A) make available to consumers 2 or more
3 designated methods for submitting requests for information
4 required to be disclosed under Sections 10-20 and 10-25 or
5 requests for deletion or correction under Sections 10-10
6 and 10-15, including, at a minimum, a toll-free telephone
7 number. A business that operates exclusively online and
8 has a direct relationship with a consumer from whom it
9 collects personal information shall only be required to
10 provide an email address for submitting requests for
11 information required to be disclosed under Sections 10-20
12 and 10-25;
13 (B) if the business maintains an Internet website,
14 make the internet website available to consumers to submit
15 requests for information required to be disclosed under
16 Sections 10-20 and 10-25 or requests for deletion or
17 correction under Sections 10-10 and 10-15;
18 (2) disclose and deliver the required information to a
19 consumer free of charge, correct inaccurate personal
20 information, or delete personal information, based on the
21 consumer's request, within 45 days of receiving a
22 verifiable consumer request from the consumer. The
23 business shall promptly take steps to determine whether
24 the request is a verifiable consumer request, but this
25 shall not extend the business's duty to disclose and
26 deliver the information, correct inaccurate personal
SB3517 - 45 - LRB103 35732 LNS 65813 b
SB3517- 46 -LRB103 35732 LNS 65813 b SB3517 - 46 - LRB103 35732 LNS 65813 b
SB3517 - 46 - LRB103 35732 LNS 65813 b
1 information, or delete personal information within 45 days
2 of receipt of the consumer's request. The period to
3 provide the required information, correct inaccurate
4 personal information, or delete personal information may
5 be extended once by an additional 45 days when reasonably
6 necessary, as long as the consumer is provided notice of
7 the extension within the first 45-day period. The
8 disclosure of the required information shall be made in
9 writing and delivered through the consumer's account with
10 the business, if the consumer maintains an account with
11 the business, or by mail or electronically at the
12 consumer's option if the consumer does not maintain an
13 account with the business, in a readily usable format that
14 allows the consumer to transmit this information from one
15 entity to another entity without hindrance. The business
16 may require authentication of the consumer that is
17 reasonable in light of the nature of the personal
18 information requested, but shall not require the consumer
19 to create an account with the business in order to make a
20 verifiable consumer request. If the consumer has an
21 account with the business, the business may require the
22 consumer to use that account to submit a verifiable
23 consumer request.
24 The disclosure of the required information shall cover
25 the 12-month period preceding the business' receipt of the
26 verifiable consumer request. Upon the adoption of a rule
SB3517 - 46 - LRB103 35732 LNS 65813 b
SB3517- 47 -LRB103 35732 LNS 65813 b SB3517 - 47 - LRB103 35732 LNS 65813 b
SB3517 - 47 - LRB103 35732 LNS 65813 b
1 under Section 10-75, a consumer may request that the
2 business disclose the required information beyond the
3 12-month period, and the business shall be required to
4 provide that information unless doing so proves impossible
5 or would involve a disproportionate effort. A consumer's
6 right to request required information beyond the 12-month
7 period, and a business's obligation to provide that
8 information, shall only apply to personal information
9 collected on or after January 1, 2025. Nothing in this
10 subparagraph shall require a business to keep personal
11 information for any length of time;
12 (3) a business that receives a verifiable consumer
13 request under Section 10-20 or 10-25, disclose any
14 personal information it has collected about a consumer,
15 directly or indirectly, including through or by a service
16 provider or contractor, to the consumer. A service
17 provider or contractor shall not be required to comply
18 with a verifiable consumer request received directly from
19 a consumer or consumer's authorized agent under Section
20 10-20 or 10-25 to the extent that the service provider or
21 contractor has collected personal information about the
22 consumer in its role as a service provider or contractor.
23 A service provider or contractor shall provide assistance
24 to a business with which it has a contractual relationship
25 with respect to the business's response to a verifiable
26 consumer request, including, but not limited to, by
SB3517 - 47 - LRB103 35732 LNS 65813 b
SB3517- 48 -LRB103 35732 LNS 65813 b SB3517 - 48 - LRB103 35732 LNS 65813 b
SB3517 - 48 - LRB103 35732 LNS 65813 b
1 providing to the business the personal information in the
2 service provider's or contractor's possession that the
3 service provider or contractor obtained as a result of
4 providing services to the business and by correcting
5 inaccurate information or by enabling the business to do
6 the same. A service provider or contractor that collects
7 personal information under a written contract with a
8 business shall be required to assist the business through
9 appropriate technical and organizational measures in
10 complying with the requirements of subsections (d) through
11 (f) of Section 10-5, taking into account the nature of the
12 processing.
13 (4) for purposes of subsection (b) of Section 10-20:
14 (A) to identify the consumer, associate the
15 information provided to the consumer in the verifiable
16 consumer request to any personal information
17 previously collected by the business about the
18 consumer;
19 (B) identify by category or categories the
20 personal information collected about the consumer for
21 the applicable period by reference to the enumerated
22 category or categories in subsection (c) that most
23 closely describes the personal information collected,
24 the categories of sources from which the personal
25 information was collected, the business or commercial
26 purpose for collecting, selling, or sharing the
SB3517 - 48 - LRB103 35732 LNS 65813 b
SB3517- 49 -LRB103 35732 LNS 65813 b SB3517 - 49 - LRB103 35732 LNS 65813 b
SB3517 - 49 - LRB103 35732 LNS 65813 b
1 personal information, and the categories of third
2 parties to whom the business discloses the personal
3 information; and
4 (C) provide the specific pieces of personal
5 information obtained from the consumer in a format
6 that is easily understandable to the average consumer,
7 and to the extent technically feasible, in a
8 structured, commonly used, machine-readable format
9 that may also be transmitted to another entity at the
10 consumer's request without hindrance. Specific pieces
11 of personal information do not include data generated
12 to help ensure security and integrity or as prescribed
13 by rule. Personal information is not considered to
14 have been disclosed by a business when a consumer
15 instructs a business to transfer the personal
16 information from one business to another in the
17 context of switching services;
18 (5) for purposes of subsection (b) of Section 10-25:
19 (A) identify the consumer and associate the
20 information provided by the consumer in the verifiable
21 consumer request to any personal information
22 previously collected by the business about the
23 consumer;
24 (B) identify by category or categories the
25 personal information of the consumer that the business
26 sold or shared during the applicable period by
SB3517 - 49 - LRB103 35732 LNS 65813 b
SB3517- 50 -LRB103 35732 LNS 65813 b SB3517 - 50 - LRB103 35732 LNS 65813 b
SB3517 - 50 - LRB103 35732 LNS 65813 b
1 reference to the enumerated category in subsection (c)
2 that most closely describes the personal information,
3 and provide the categories of third parties to whom
4 the personal information was sold or shared during the
5 applicable period by reference to the enumerated
6 category or categories in subsection (c) that most
7 closely describes the personal information sold or
8 shared. The business shall disclose the information in
9 a list that is separate from a list generated under
10 subparagraph (C); and
11 (C) identify by category or categories the
12 personal information of the consumer that the business
13 disclosed for a business purpose during the applicable
14 period by reference to the enumerated category or
15 categories in subsection (c) that most closely
16 describes the personal information, and provide the
17 categories of persons to whom the personal information
18 was disclosed for a business purpose during the
19 applicable period by reference to the enumerated
20 category or categories in subsection (c) that most
21 closely describes the personal information disclosed.
22 The business shall disclose the information in a list
23 that is separate from a list generated under
24 subparagraph (B);
25 (6) disclose the following information in its online
26 privacy policy or policies if the business has an online
SB3517 - 50 - LRB103 35732 LNS 65813 b
SB3517- 51 -LRB103 35732 LNS 65813 b SB3517 - 51 - LRB103 35732 LNS 65813 b
SB3517 - 51 - LRB103 35732 LNS 65813 b
1 privacy police or policies and in any State-specific
2 description of consumer privacy rights, or if the business
3 does not maintain those policies, on its Internet website
4 and update that information at least once every 12 months:
5 (A) a description of a consumer's rights under
6 Sections 10-5, 10-10, 10-15, 10-20, 10-25, and 10-45
7 and 2 more designated methods for submitting requests,
8 except as provided in subparagraph (A) of paragraph
9 (1) of subsection (a);
10 (B) for purposes of subsection (c) of Section
11 10-20:
12 (i) a list of categories of personal
13 information it has collected about consumers in
14 the preceding 12 months by reference to the
15 enumerated category or categories in subsection
16 (c) that most closely describe the personal
17 information collected;
18 (ii) the categories of sources from which
19 personal information is collected;
20 (iii) the business or commercial purpose for
21 collecting, selling, or sharing personal
22 information; and
23 (iv) the categories of third parties to whom
24 the business discloses personal information; and
25 (C) for purposes of paragraphs (1) and (2) of
26 subsection (c) of Section 10-25, 2 separate lists:
SB3517 - 51 - LRB103 35732 LNS 65813 b
SB3517- 52 -LRB103 35732 LNS 65813 b SB3517 - 52 - LRB103 35732 LNS 65813 b
SB3517 - 52 - LRB103 35732 LNS 65813 b
1 (i) a list of categories of personal
2 information it has sold or shared about consumers
3 in the preceding 12 months by reference to the
4 enumerated category or categories in subsection
5 (c) that most closely describe the personal
6 information sold or shared, or if the business has
7 not sold or shared personal information in the
8 preceding 12 months, the business shall
9 prominently disclose that fact in its privacy
10 policy; and
11 (ii) a list of the categories of personal
12 information it has disclosed about consumers for a
13 business purpose in the preceding 12 months by
14 reference to the enumerated category or categories
15 in subsection (c) that most closely describes the
16 personal information disclosed, or if the business
17 has not disclosed personal information in the
18 preceding 12 months, the business shall disclose
19 that fact;
20 (7) ensure that all individuals responsible for
21 handling consumer inquiries about the business' privacy
22 practices or the business' compliance with this Act are
23 informed of all requirements in Sections 10-5, 10-10,
24 10-15, 10-20, 10-25, and 10-45 and this Section, and how
25 to direct consumers to exercise their rights under those
26 Sections; and
SB3517 - 52 - LRB103 35732 LNS 65813 b
SB3517- 53 -LRB103 35732 LNS 65813 b SB3517 - 53 - LRB103 35732 LNS 65813 b
SB3517 - 53 - LRB103 35732 LNS 65813 b
1 (8) use any personal information collected from the
2 consumer in connection with the business' verification of
3 the consumer's request solely for the purposes of
4 verification and shall not further disclose the personal
5 information, retain it longer than necessary for purposes
6 of verification, or use it for unrelated purposes.
7 (b) A business is not obligated to provide the information
8 required by Sections 10-20 and 10-25 to the same consumer more
9 than twice in a 12-month period.
10 (c) The categories of personal information required to be
11 disclosed under Sections 10-5, 10-20, and 10-25 shall follow
12 the definitions of personal information and sensitive personal
13 information by describing the categories of personal
14 information using the specific terms set forth in the
15 definition of personal information and by describing the
16 categories of sensitive personal information using the
17 specific terms set forth in the definition of sensitive
18 personal information.
19 Section 10-50. Methods of limiting sale, sharing, and use
20 of personal information and use of sensitive personal
21 information.
22 (a) A business that is sells or shares personal
23 information or discloses sensitive personal information for
24 purposes other than those authorized by subsection (a) of
25 Section 10-35 shall, in a form that is reasonably accessible
SB3517 - 53 - LRB103 35732 LNS 65813 b
SB3517- 54 -LRB103 35732 LNS 65813 b SB3517 - 54 - LRB103 35732 LNS 65813 b
SB3517 - 54 - LRB103 35732 LNS 65813 b
1 to consumers:
2 (1) provide a clear and conspicuous link on the
3 business's Internet homepage titled "Do Not Sell or Share
4 My Personal Information" to an Internet webpage that
5 enables a consumer, or a person authorized by the
6 consumer, to opt out of the sale or sharing of the personal
7 information;
8 (2) provide a clear and conspicuous link on the
9 business's Internet homepage titled "Limit the Use of My
10 Sensitive Personal Information" that enables a consumer,
11 or a person authorized by the consumer, to limit the use or
12 disclosure of the sensitive personal information;
13 (3) at the business's discretion, use a single,
14 clearly labeled link on the business's Internet homepage,
15 in lieu of complying with paragraphs (1) and (2), if that
16 link easily allows a consumer to opt out of the sale or
17 sharing of the personal information and to limit the use
18 or disclosure of the sensitive personal information; and
19 (4) if the business responds to opt-out requests
20 received under paragraph (1), (2), or (3) by informing the
21 consumer of a charge for the use of any product or service,
22 present the terms of any financial incentive offered under
23 subsection (b) of Section 10-40, for the retention, use,
24 sale, or sharing of the personal information or sensitive
25 personal information.
26 (b) A business shall not be required to comply with
SB3517 - 54 - LRB103 35732 LNS 65813 b
SB3517- 55 -LRB103 35732 LNS 65813 b SB3517 - 55 - LRB103 35732 LNS 65813 b
SB3517 - 55 - LRB103 35732 LNS 65813 b
1 subsection (a) if the business allows consumers to opt out of
2 the sale or sharing of personal information or limit the use of
3 sensitive personal information through an opt-out preference
4 signal sent with the consumer's consent by a platform,
5 technology, or mechanism, based on technical specifications
6 set forth by rules, to the business indicating the consumer's
7 intent to opt out of the business's sale or sharing of the
8 personal information or to limit the use or disclosure of the
9 sensitive personal information, or both.
10 A business that allows consumers to opt out of the sale or
11 sharing of their personal information and to limit the use of
12 sensitive personal information under this subsection may
13 provide a link to a webpage that enables the consumer to
14 consent to the business ignoring the opt-out preference signal
15 with respect to that business's sale or sharing of the
16 personal information or the use of the sensitive personal
17 information for additional purposes if:
18 (1) the consent webpage also allows the consumer
19 or a person authorized by the consumer to revoke the
20 consent as easily as it affirmatively provided;
21 (2) the link to the webpage does not degrade the
22 consumer's experience on the webpage the consumer
23 intends to visit and has a similar look, feel, and size
24 relative to other links on the same webpage; and
25 (3) the consent webpage complies with technical
26 specifications set forth by rules.
SB3517 - 55 - LRB103 35732 LNS 65813 b
SB3517- 56 -LRB103 35732 LNS 65813 b SB3517 - 56 - LRB103 35732 LNS 65813 b
SB3517 - 56 - LRB103 35732 LNS 65813 b
1 A business that complies with subsection (a) is not
2 required to comply with subsection (b). A business may elect
3 whether to comply with subsection (a) or (b).
4 (c) A business that is subject to this Section shall:
5 (1) not require a consumer to create an account or
6 provide additional information beyond what is necessary in
7 order to direct the business not to sell or share the
8 personal information or to limit use or disclosure of the
9 sensitive personal information;
10 (2) include a description of a consumer's rights under
11 Sections 10-30 and 10-35, along with a separate link to
12 the "Do Not Sell or Share My Personal Information"
13 Internet webpage and a separate link to the "Limit the Use
14 of My Sensitive Personal Information" Internet webpage, if
15 applicable, or a single link to both choices, or a
16 statement that the business responds to and abides by
17 opt-out preference signals sent by a platform, technology,
18 or mechanism in accordance with subsection (b), in:
19 (A) its online privacy policy or policies if the
20 business has an online privacy policy or policies; and
21 (B) any State-specific description of consumers'
22 privacy rights;
23 (3) ensure that all individuals responsible for
24 handling consumer inquiries about the business's privacy
25 practices or the business's compliance with this Act are
26 informed of all requirements in Sections 10-30 and 10-35
SB3517 - 56 - LRB103 35732 LNS 65813 b
SB3517- 57 -LRB103 35732 LNS 65813 b SB3517 - 57 - LRB103 35732 LNS 65813 b
SB3517 - 57 - LRB103 35732 LNS 65813 b
1 and this Section and how to direct consumers to exercise
2 their rights under those Sections;
3 (4) for consumers who exercise their right to opt out
4 of the sale or sharing of their personal information or
5 limit the use or disclosure of their sensitive personal
6 information, refrain from selling or sharing the personal
7 information or using or disclosing the sensitive personal
8 information and wait for at least 12 months before
9 requesting that the consumer authorize the sale or sharing
10 of the personal information or the use and disclosure of
11 the sensitive personal information for additional
12 purposes, or as authorized by rules;
13 (5) for consumers under 16 years of age who do not
14 consent to the sale or sharing of their personal
15 information, refrain from selling or sharing the personal
16 information of the consumer under 16 years of age and wait
17 for at least 12 months before requesting the consumer's
18 consent again, or as authorized by rules or until the
19 consumer attains 16 years of age; and
20 (6) use any personal information collected from the
21 consumer in connection with the submission of the
22 consumer's opt-out request solely for the purposes of
23 complying with the opt-out request.
24 (d) Nothing in this Act shall be construed to require a
25 business to comply with the Act by including the required
26 links and text on the homepage that the business makes
SB3517 - 57 - LRB103 35732 LNS 65813 b
SB3517- 58 -LRB103 35732 LNS 65813 b SB3517 - 58 - LRB103 35732 LNS 65813 b
SB3517 - 58 - LRB103 35732 LNS 65813 b
1 available to the public generally, if the business maintains a
2 separate and additional homepage that is dedicated to State
3 consumers and that includes the required links and text, and
4 the business takes reasonable steps to ensure that State
5 consumers are directed to the homepage for State consumers and
6 not the homepage made available to the public generally.
7 (e) A consumer may authorize another person to opt out of
8 the sale or sharing of the personal information and to limit
9 the use of the sensitive personal information on the
10 consumer's behalf, including through an opt-out preference
11 signal, indicating the consumer's intent to opt out, and a
12 business shall comply with an opt-out request received from a
13 person authorized by the consumer to act on the consumer's
14 behalf, under the rules adopted by the Attorney General,
15 regardless of whether the business has elected to comply with
16 subsection (a) or (b). A business that elects to comply with
17 subsection (a) may respond to the consumer's opt-out request
18 consistent with Section 10-40.
19 (f) If a business communicates a consumer's opt-out
20 request to any persona authorized by the business to collect
21 personal information, the person shall thereafter only use
22 that personal information for a business purpose specified by
23 the business, or as otherwise permitted by this Act, and shall
24 be prohibited from:
25 (1) selling or sharing that personal information; or
26 (2) retaining, using, or disclosing that personal
SB3517 - 58 - LRB103 35732 LNS 65813 b
SB3517- 59 -LRB103 35732 LNS 65813 b SB3517 - 59 - LRB103 35732 LNS 65813 b
SB3517 - 59 - LRB103 35732 LNS 65813 b
1 information:
2 (A) for any purpose other than for the specific
3 purpose of performing the services offered to the
4 business;
5 (B) outside of the direct business relationship
6 between the person and the business; or
7 (C) for a commercial purpose other than providing
8 the services to the business.
9 (g) A business that communicates a consumer's opt-out
10 request to a person under subsection (f) shall not be liable
11 under this Act if the person receiving the opt-out request
12 violates the restrictions set forth in the Act, if, at the time
13 of communicating the opt-out request, the business does not
14 have actual knowledge, or reason to believe, that the person
15 intends to commit such a violation. Any provision of a
16 contract or agreement of any kind that purports to waive or
17 limit this subsection in any way shall be void and
18 unenforceable.
19 Section 10-55. Exemptions.
20 (a) The obligations imposed on a business by this Act
21 shall not restrict a business's ability to:
22 (1) comply with federal, State, or local laws or
23 comply with a court order or subpoena to provide
24 information;
25 (2) comply with a civil, criminal, or regulatory
SB3517 - 59 - LRB103 35732 LNS 65813 b
SB3517- 60 -LRB103 35732 LNS 65813 b SB3517 - 60 - LRB103 35732 LNS 65813 b
SB3517 - 60 - LRB103 35732 LNS 65813 b
1 inquiry, investigation, subpoena, or summons by federal,
2 State, or local authorities. Law enforcement agencies,
3 including police and sheriff's departments, may direct a
4 business under a law enforcement agency-approved
5 investigation with an active case number not to delete
6 personal information, and upon receipt of that direction,
7 a business shall not delete the personal information for
8 90 days in order to allow the law enforcement agency to
9 obtain a court-issued subpoena, order, or warrant to
10 obtain that personal information. For good cause and only
11 to the extent necessary for investigatory purposes, a law
12 enforcement agency may direct a business not to delete the
13 personal information for additional 90-day periods. A
14 business that has received direction from a law
15 enforcement agency not to delete the personal information
16 of a consumer who has requested deletion of the personal
17 information shall not use the personal information for any
18 purpose other than retaining it to produce to law
19 enforcement in response to a court-issued subpoena, order,
20 or warrant unless the deletion request is subject to an
21 exemption from deletion under this Act;
22 (3) cooperate with law enforcement agencies concerning
23 conduct or activity that the business, service provider,
24 or third party reasonably and in good faith believes may
25 violate federal, State, or local law;
26 (4) cooperate with a government agency request for
SB3517 - 60 - LRB103 35732 LNS 65813 b
SB3517- 61 -LRB103 35732 LNS 65813 b SB3517 - 61 - LRB103 35732 LNS 65813 b
SB3517 - 61 - LRB103 35732 LNS 65813 b
1 emergency access to personal information if a natural
2 person is at risk or danger of death or serious physical
3 injury if:
4 (A) the request is approved by a high-ranking
5 government agency officer for emergency access to
6 personal information;
7 (B) the request is based on the government
8 agency's good faith determination that it has a lawful
9 basis to access the personal information on a
10 nonemergency basis; and
11 (C) the government agency agrees to petition a
12 court for an appropriate order within 3 days and to
13 destroy the personal information if that order is not
14 granted;
15 (5) exercise or defend legal claims;
16 (6) collect, use, retain, sell, share, or disclose
17 personal information that is deidentified or aggregate
18 consumer information; or
19 (7) collect, sell, or share personal information if
20 every aspect of that commercial conduct takes place wholly
21 outside of the State. Commercial conduct takes place
22 wholly outside of the State if the business collected that
23 information while the consumer was outside of the State,
24 no part of the sale of the personal information occurred
25 in the State, and no personal information collected while
26 the consumer was in the State is sold. This paragraph
SB3517 - 61 - LRB103 35732 LNS 65813 b
SB3517- 62 -LRB103 35732 LNS 65813 b SB3517 - 62 - LRB103 35732 LNS 65813 b
SB3517 - 62 - LRB103 35732 LNS 65813 b
1 shall not prohibit a business from storing, including on a
2 device, personal information about a consumer when the
3 consumer is in the State and then collecting that personal
4 information when the consumer and stored personal
5 information is outside of the State.
6 (b) The obligations imposed on businesses by Sections
7 10-20, 10-25, 10-30, 10-35, 10-45, and 10-50 shall not apply
8 where compliance by the business with the Act would violate an
9 evidentiary privilege under State law and shall not prevent a
10 business from providing the personal information of a consumer
11 to a person covered by an evidentiary privilege under State
12 law as part of a privileged communication.
13 (c) This Act shall not apply to:
14 (1) medical information governed by the Medical
15 Patient Rights Act or protected health information that is
16 collected by a covered entity or business associate
17 governed by the privacy, security, and breach notification
18 rules issued by the United States Department of Health and
19 Human Services, Parts 160 and 164 of Title 45 of the Code
20 of Federal Regulations;
21 (2) a provider of health care governed by the Medical
22 Patient Rights Act or a covered entity governed by the
23 privacy, security, and breach notification rules issued by
24 the United States Department of Health and Human Services,
25 Parts 160 and 164 of Title 45 of the Code of Federal
26 Regulations to the extent the provider or covered entity
SB3517 - 62 - LRB103 35732 LNS 65813 b
SB3517- 63 -LRB103 35732 LNS 65813 b SB3517 - 63 - LRB103 35732 LNS 65813 b
SB3517 - 63 - LRB103 35732 LNS 65813 b
1 maintains patient information in the same manner as
2 medical information or protected health information as
3 described in paragraph (1); or
4 (3) personal information collected as part of a
5 clinical trial or other biomedical research study subject
6 to or conducted in accordance with the Federal Policy for
7 the Protection of Human Subjects under good clinical
8 practice guidelines issued by the International Council
9 for Harmonisation or under human subject protection
10 requirements of the United States Food and Drug
11 Administration, as long as the information is not sold or
12 shared in a manner not permitted by this paragraph, and if
13 it is inconsistent, that participants be informed of that
14 use and provide consent.
15 (d) This Act applies to an activity involving the
16 collection, maintenance, disclosure, sale, communication, or
17 use of any personal information bearing on a consumer's credit
18 worthiness, credit standing, credit capacity, character,
19 general reputation, personal characteristics, or mode of
20 living by a consumer reporting agency, as defined in
21 subsection (f) of Section 1681a of Title 15 of the United
22 States Code, by a furnisher of information, as set forth in
23 Section 1681s-2 of Title 15 of the United States Code, who
24 provides information for use in a consumer report, as defined
25 in subsection (d) of Section 1681a of Title 15 of the United
26 States Code, and by a user of a consumer report, as set forth
SB3517 - 63 - LRB103 35732 LNS 65813 b
SB3517- 64 -LRB103 35732 LNS 65813 b SB3517 - 64 - LRB103 35732 LNS 65813 b
SB3517 - 64 - LRB103 35732 LNS 65813 b
1 in Section 1681b of Title 15 of the United States Code.
2 This subsection applies only to the extent that such
3 activity involving the collection, maintenance, disclosure,
4 sale, communication, or use of such information by the
5 consumer reporting agency, furnisher, or user is subject to
6 regulation under the federal Fair Credit Reporting Act and the
7 information is not collected, maintained, used, communicated,
8 disclosed, or sold except as authorized by the federal Fair
9 Credit Reporting Act.
10 This subsection shall not apply to Section 10-60.
11 (e) This Act shall not apply to personal information
12 collected, processed, sold, or disclosed under the federal
13 Gramm-Leach-Bliley Act or the federal Farm Credit Act of 1971.
14 This subsection shall not apply to Section 10-60.
15 (f) This Act shall not apply to personal information
16 collected, processed, sold, or disclosed under the federal
17 Driver's Privacy Protection Act of 1994. This subsection shall
18 not apply to Section 10-60.
19 (g) Section 10-30 shall not apply to vehicle information
20 or ownership information retained or shared between a new
21 motor vehicle dealer and the vehicle's manufacturer, if the
22 vehicle or ownership information is shared for the purpose of
23 effectuating, or in anticipation of effectuating, a vehicle
24 repair covered by a vehicle warranty or a recall conducted
25 under Sections 30118 through 30120 of Title 49 of the United
26 States Code, as long as the new motor vehicle dealer or vehicle
SB3517 - 64 - LRB103 35732 LNS 65813 b
SB3517- 65 -LRB103 35732 LNS 65813 b SB3517 - 65 - LRB103 35732 LNS 65813 b
SB3517 - 65 - LRB103 35732 LNS 65813 b
1 manufacturer with which that vehicle information or ownership
2 information is shared does not sell, share, or use that
3 information for any other purpose.
4 (h) Notwithstanding a business's obligations to respond to
5 and honor consumer rights requests under this Act:
6 (1) a period for a business to respond to a consumer
7 for any verifiable consumer request may be extended by up
8 to a total of 90 additional days where necessary, taking
9 into account the complexity and number of the requests.
10 The business shall inform the consumer of any such
11 extension within 45 days of receipt of the request,
12 together with the reasons for the delay;
13 (2) if the business does not take action on the
14 request of the consumer, the business shall inform the
15 consumer, without delay and, at the latest, within the
16 time permitted of response by this subsection, of the
17 reasons for not taking action and any rights the consumer
18 may have to appeal the decision to the business; and
19 (3) if requests from a consumer are manifestly
20 unfounded or excessive, in particular because of their
21 repetitive character, a business may either charge a
22 reasonable fee, taking into account the administrative
23 costs of providing the information or communication or
24 taking the action requested, or refuse to act on the
25 request and notify the consumer of the reason for refusing
26 the request. The business shall bear the burden of
SB3517 - 65 - LRB103 35732 LNS 65813 b
SB3517- 66 -LRB103 35732 LNS 65813 b SB3517 - 66 - LRB103 35732 LNS 65813 b
SB3517 - 66 - LRB103 35732 LNS 65813 b
1 demonstrating that any verifiable consumer request is
2 manifestly unfounded or excessive.
3 (i)(1) A business that discloses personal information to a
4 service provider or contractor in compliance with this Act
5 shall not be liable under this Act if the service provider or
6 contractor receiving the personal information uses it in
7 violation of the restrictions set forth in this Act, and if, at
8 the time of disclosing the personal information, the business
9 does not have actual knowledge, or reason to believe, that the
10 service provider or contractor intends to commit such a
11 violation. A service provider or contractor shall not be
12 liable under this Act for the obligations of a business for
13 which it provides services as set forth in this Act. The
14 service provider or contractor shall be liable for its own
15 violations of this Act.
16 (2) A business that discloses personal information of a
17 consumer, with the exception of consumers who have exercised
18 their right to opt out of the sale or sharing of their personal
19 information, consumers who have limited the use or disclosure
20 of their sensitive personal information, and minor consumers
21 who have not opted-in to the collection or sale of their
22 personal information, to a third party under a written
23 contract that requires the third party to provide the same
24 level of protection of the consumer's rights under this Act as
25 provided by the business shall not be liable under this Act if
26 the third party receiving the personal information uses it in
SB3517 - 66 - LRB103 35732 LNS 65813 b
SB3517- 67 -LRB103 35732 LNS 65813 b SB3517 - 67 - LRB103 35732 LNS 65813 b
SB3517 - 67 - LRB103 35732 LNS 65813 b
1 violation of the restrictions set forth in this Act, and if, at
2 the time of disclosing the personal information, the business
3 does not have actual knowledge, or reason to believe, that the
4 third party intends to commit such a violation.
5 (j) This Act shall not be construed to require a business,
6 service provider, or contractor to:
7 (1) reidentify or otherwise link information that, in
8 the ordinary course of business, is not maintained in a
9 manner that would be considered personal information;
10 (2) retain any personal information about a consumer
11 if, in the ordinary course of business, that information
12 about the consumer would not be retained; or
13 (3) maintain information in identifiable, linkable, or
14 associable form, or collect, obtain, retain, or access any
15 data or technology, in order to be capable of linking or
16 associating a verifiable consumer request with personal
17 information.
18 (k) The rights afforded to consumers and the obligations
19 imposed on the business in this Act shall not adversely affect
20 the rights and freedoms of other natural persons. A verifiable
21 consumer request for specific pieces of personal information,
22 to delete personal information, or to correct inaccurate
23 personal information shall not extend to personal information
24 about the consumer that belongs to, or the business maintains
25 on behalf of, another natural person. A business may rely on
26 representations made in a verifiable consumer request as to
SB3517 - 67 - LRB103 35732 LNS 65813 b
SB3517- 68 -LRB103 35732 LNS 65813 b SB3517 - 68 - LRB103 35732 LNS 65813 b
SB3517 - 68 - LRB103 35732 LNS 65813 b
1 rights with respect to personal information and is under no
2 legal requirement to seek out other persons that may have or
3 claim to have rights to personal information, and a business
4 is under no legal obligation under this Act or any other
5 provision of law to take any action under this Act if there is
6 a dispute between or among persons claiming rights to personal
7 information in the business' possession.
8 (l) The rights afforded to consumers and the obligations
9 imposed on businesses under this Act shall not apply to the
10 extent that they infringe on the noncommercial activities of a
11 person or entity described in Section 4 of Article I of the
12 Illinois Constitution.
13 (m) This Act shall not apply to:
14 (1) personal information that is collected by a
15 business about a natural person in the course of the
16 natural person acting as a job applicant to, employee of,
17 owner of, director of, officer of, medical staff member
18 of, or independent contractor of that business to the
19 extent that the natural person's personal information is
20 collected and used by the business solely within the
21 context of the natural person's role or former role as a
22 job applicant to, an employee of, owner of, director of,
23 officer of, medical staff member of, or an independent
24 contractor of, that business;
25 (2) personal information that is collected by a
26 business that is emergency contact information of the
SB3517 - 68 - LRB103 35732 LNS 65813 b
SB3517- 69 -LRB103 35732 LNS 65813 b SB3517 - 69 - LRB103 35732 LNS 65813 b
SB3517 - 69 - LRB103 35732 LNS 65813 b
1 natural person acting as a job applicant to, employee of,
2 owner of, director of, officer of, medical staff member
3 of, or independent contractor of that business to the
4 extent that the personal information is collected and used
5 solely within the context of having an emergency contact
6 on file; or
7 (3) personal information that is necessary for the
8 business to retain to administer benefits for another
9 natural person relating to the natural person acting as a
10 job applicant to, employee of, owner of, director of,
11 officer of, medical staff member of, or independent
12 contractor of that business to the extent that the
13 personal information is collected and used solely within
14 the context of administering those benefits.
15 This subsection shall not apply to subsection (a) of
16 Section 10-5 or 10-60.
17 This subsection shall become inoperative on January 1,
18 2026.
19 (n) The obligations imposed on businesses by Sections
20 10-5, 10-10, 10-15, 10-20, 10-25, 10-35, 10-45, and 10-50
21 shall not apply to personal information reflecting a written
22 or verbal communication or a transaction between the business
23 and the consumer, where the consumer is a natural person who
24 acted or is acting as an employee, owner, director, officer,
25 or independent contractor of a company, partnership, sole
26 proprietorship, nonprofit, or government agency and whose
SB3517 - 69 - LRB103 35732 LNS 65813 b
SB3517- 70 -LRB103 35732 LNS 65813 b SB3517 - 70 - LRB103 35732 LNS 65813 b
SB3517 - 70 - LRB103 35732 LNS 65813 b
1 communications or transaction with the business occur solely
2 within the context of the business conducting due diligence
3 regarding, or providing or receiving a product or service to
4 or from such company, partnership, sole proprietorship,
5 nonprofit, or government agency.
6 This subsection shall become inoperative on January 1,
7 2026.
8 (o) Sections 10-10 and 10-30 shall not apply to a
9 commercial credit reporting agency's collection, processing,
10 sale, or disclosure of business controller information to the
11 extent the commercial credit reporting agency uses the
12 business controller information solely to identify the
13 relationship of a consumer to a business that the consumer
14 owns or contact the consumer only in the consumer's role as the
15 owner, director, officer, or management employee of the
16 business.
17 (p) The obligations imposed on businesses in Sections
18 10-10, 10-15, 10-20, and 10-25 shall not apply to household
19 data.
20 (q) This Act does not require a business to comply with a
21 verifiable consumer request to delete personal information to
22 the extent the verifiable consumer request applies to a
23 student's grades, educational scores, or educational test
24 results that the business holds on behalf of a local
25 educational agency at which the student is currently enrolled.
26 If a business does not comply with a request under this
SB3517 - 70 - LRB103 35732 LNS 65813 b
SB3517- 71 -LRB103 35732 LNS 65813 b SB3517 - 71 - LRB103 35732 LNS 65813 b
SB3517 - 71 - LRB103 35732 LNS 65813 b
1 Section, it shall notify the consumer that it is acting under
2 this exception.
3 This Act does not require, in response to a request under
4 Section 10-20, that a business disclose an educational
5 standardized assessment or educational assessment or a
6 consumer's specific responses to the educational standardized
7 assessment or educational assessment if consumer access,
8 possession, or control would jeopardize the validity and
9 reliability of that educational standardized assessment or
10 educational assessment. If a business does not comply with a
11 request under this Section, it shall notify the consumer that
12 it is acting under this exception.
13 (r) Sections 10-10 and 10-30 shall not apply to a
14 business's use, disclosure, or sale of particular pieces of
15 personal information if the consumer has consented to the
16 business's use, disclosure, or sale of that personal
17 information to produce a physical item, including a school
18 yearbook containing the consumer's photograph, if:
19 (1) the business has incurred significant expense in
20 reliance on the consumer's consent;
21 (2) compliance with the consumer's request to opt out
22 of the sale of the personal information or to delete the
23 personal information would not be commercially reasonable;
24 and
25 (3) the business complies with the consumer's request
26 as soon as it is commercially reasonable to do so.
SB3517 - 71 - LRB103 35732 LNS 65813 b
SB3517- 72 -LRB103 35732 LNS 65813 b SB3517 - 72 - LRB103 35732 LNS 65813 b
SB3517 - 72 - LRB103 35732 LNS 65813 b
1 Section 10-60. Personal information security breaches.
2 (a) Any consumer whose nonencrypted and nonredacted
3 personal information or whose email address in combination
4 with a password or security question and answer that would
5 permit access to the account is subject to an unauthorized
6 access and exfiltration, theft, or disclosure as a result of
7 the business's violation of the duty to implement and maintain
8 reasonable security procedures and practices appropriate to
9 the nature of the information to protect the personal
10 information may institute a civil action for:
11 (1) the recovery of damages in an amount not less than
12 $100 and not greater than $750 per consumer per incident
13 or actual damages, whichever is greater;
14 (2) injunctive or declaratory relief; or
15 (3) any other relief the court deems proper.
16 In assessing the amount of statutory damages, the court
17 shall consider any one or more of the relevant circumstances
18 presented by any of the parties to the case, including, but not
19 limited to, the nature and seriousness of the misconduct, the
20 number of violations, the persistence of the misconduct, the
21 length of time over which the misconduct occurred, the
22 willfulness of the defendant's misconduct, and the defendant's
23 assets, liabilities, and net worth.
24 (b) Actions under this Section may be brought by a
25 consumer if, prior to initiating any action against a business
SB3517 - 72 - LRB103 35732 LNS 65813 b
SB3517- 73 -LRB103 35732 LNS 65813 b SB3517 - 73 - LRB103 35732 LNS 65813 b
SB3517 - 73 - LRB103 35732 LNS 65813 b
1 for statutory damages on an individual or classwide basis, a
2 consumer provides a business 30 days' written notice
3 identifying the specific provisions of this Act the consumer
4 alleges have been or are being violated. If a cure is possible
5 and if, within the 30 days, the business actually cures the
6 noticed violation and provides the consumer an express written
7 statement that the violations have been cured and that no
8 further violations shall occur, no action for individual
9 statutory damages or classwide statutory damages may be
10 initiated against the business. The implementation and
11 maintenance of reasonable security procedures and practices
12 following a breach does not constitute a cure with respect to
13 that breach. No notice shall be required prior to an
14 individual consumer initiating an action solely for actual
15 pecuniary damages suffered as a result of the alleged
16 violations of this Act. If a business continues to violate
17 this Act in breach of the express written statement provided
18 to the consumer under this Section, the consumer may initiate
19 an action against the business to enforce the written
20 statement and may pursue statutory damages for each breach of
21 the express written statement, as well as any other violation
22 of this Act that postdates the written statement.
23 (c) The cause of action established by this Section shall
24 apply only to violations as defined in subsection (a) and
25 shall not be based on violations of any other Section of this
26 Act. Nothing in this Act shall be interpreted to serve as the
SB3517 - 73 - LRB103 35732 LNS 65813 b
SB3517- 74 -LRB103 35732 LNS 65813 b SB3517 - 74 - LRB103 35732 LNS 65813 b
SB3517 - 74 - LRB103 35732 LNS 65813 b
1 basis for a private right of action under any other law. This
2 shall not be construed to relieve any party from any duties or
3 obligations imposed under other law or the United States or
4 Illinois Constitution.
5 Section 10-65. Administrative enforcement.
6 (a) Any business, service provider, contractor, or other
7 person that violates this Act shall be subject to an
8 injunction and liable for an administrative fine of not more
9 than $2,500 for each violation or $7,500 for each intentional
10 violation or violations involving the personal information of
11 consumers whom the business, service provider, contractor, or
12 other person has actual knowledge are under 16 years of age in
13 an administrative enforcement action brought by the Agency.
14 (b) Any administrative fine assessed for a violation of
15 this Act, and the proceeds of any settlement of an action
16 brought under subsection (a), shall be deposited into the
17 Consumer Privacy Fund, with the intent to fully offset any
18 costs incurred by the State courts, the Attorney General, and
19 the Agency in connection with this Act.
20 Section 10-70. Consumer Privacy Fund.
21 (a) A special fund to be known as the Consumer Privacy Fund
22 is hereby created within the State treasury, and is available
23 upon appropriation by the General Assembly first to offset any
24 costs incurred by the State courts in connection with actions
SB3517 - 74 - LRB103 35732 LNS 65813 b
SB3517- 75 -LRB103 35732 LNS 65813 b SB3517 - 75 - LRB103 35732 LNS 65813 b
SB3517 - 75 - LRB103 35732 LNS 65813 b
1 brought to enforce this Act, the costs incurred by the
2 Attorney General in carrying out the Attorney General's duties
3 under this Act, and then for the purposes of establishing an
4 investment fund in the State treasury, with any earnings or
5 interest from the Fund to be deposited into the General
6 Revenue Fund, and making grants to promote and protect
7 consumer privacy, educate children in the area of online
8 privacy, and fund cooperative programs with international law
9 enforcement organizations to combat fraudulent activities with
10 respect to consumer data breaches.
11 (b) Funds transferred to the Consumer Privacy Fund shall
12 be used exclusively as follows:
13 (1) to offset any costs incurred by the State courts
14 and the Attorney General in connection with this Act; and
15 (2) after satisfying the obligations under paragraph
16 (1), the remaining funds shall be allocated each fiscal
17 year as follows:
18 (A) 91% shall be invested by the Treasurer in
19 financial assets with the goal of maximizing long term
20 yields consistent with a prudent level of risk. The
21 principal shall not be subject to transfer or
22 appropriation, as long as any interest and earnings
23 shall be transferred on an annual basis to the General
24 Revenue Fund for appropriation by the General Assembly
25 for General Revenue Fund purposes; and
26 (B) 9% shall be made available to the Agency for
SB3517 - 75 - LRB103 35732 LNS 65813 b
SB3517- 76 -LRB103 35732 LNS 65813 b SB3517 - 76 - LRB103 35732 LNS 65813 b
SB3517 - 76 - LRB103 35732 LNS 65813 b
1 the purposes of making grants in this State, with 3%
2 allocated to the following grant recipients:
3 (i) nonprofit organizations to promote and
4 protect consumer privacy;
5 (ii) nonprofit organizations and public
6 agencies, including school districts, to educate
7 children in the area of online privacy; and
8 (iii) State and local law enforcement agencies
9 to fund cooperative programs with international
10 law enforcement organizations to combat fraudulent
11 activities with respect to consumer data breaches.
12 (c) Funds in the Consumer Privacy Fund shall not be
13 subject to appropriation or transfer by the General Assembly
14 for any other purpose.
15 Section 10-75. Rules.
16 (a) By July 1, 2025, the Attorney General shall solicit
17 broad public participation and adopt rules to further the
18 purposes of this Act, including, but not limited to:
19 (1) updating or adding categories of personal
20 information to the definition of personal information and
21 updating or adding categories of sensitive personal
22 information to the definition of sensitive personal
23 information in order to address changes in technology,
24 data collection practices, obstacles to implementation,
25 and privacy concerns;
SB3517 - 76 - LRB103 35732 LNS 65813 b
SB3517- 77 -LRB103 35732 LNS 65813 b SB3517 - 77 - LRB103 35732 LNS 65813 b
SB3517 - 77 - LRB103 35732 LNS 65813 b
1 (2) updating as needed the definitions of deidentified
2 and unique identifier to address changes in technology,
3 data collection, obstacles to implementation, and privacy
4 concerns and adding, modifying, or deleting categories to
5 the definition of designated methods for submitting
6 requests to facilitate a consumer's ability to obtain
7 information from a business under Section 10-45. The
8 authority to update the definition of deidentified shall
9 not apply to deidentification standards set forth in
10 Section 164.514 of Title 45 of the Code of Federal
11 Regulations;
12 (3) establishing any exceptions necessary to comply
13 with State or federal law, including, but not limited to,
14 those relating to trade secrets and intellectual property
15 rights, within one year of the effective date of this Act
16 and as needed thereafter, with the intention that trade
17 secrets should not be disclosed in response to a
18 verifiable consumer request;
19 (4) establishing rules and procedures:
20 (A) to facilitate and govern the submission of a
21 request by a consumer to opt out of the sale or sharing
22 of personal information and to limit the use of
23 sensitive personal information to ensure that
24 consumers have the ability to exercise their choices
25 without undue burden and to prevent business from
26 engaging in deceptive or harassing conduct, including
SB3517 - 77 - LRB103 35732 LNS 65813 b
SB3517- 78 -LRB103 35732 LNS 65813 b SB3517 - 78 - LRB103 35732 LNS 65813 b
SB3517 - 78 - LRB103 35732 LNS 65813 b
1 in retaliation against consumers for exercising their
2 rights, while allowing businesses to inform consumers
3 of the consequences of their decision to opt out of the
4 sale or sharing of their personal information or to
5 limit the use of their sensitive personal information;
6 (B) to govern business compliance with a
7 consumer's opt-out request; and
8 (C) for the development and use of a recognizable
9 and uniform opt-out logo or button by all businesses
10 to promote consumer awareness of the opportunity to
11 opt out of the sale of personal information;
12 (5) adjusting the monetary threshold in January of
13 every odd-numbered year to reflect any increase in the
14 Consumer Price Index, in the definition of business,
15 subparagraph (A) of paragraph (1) of subsection (a) of
16 Section 10-60, subsection (a) of Section 10-65, Section
17 15-20, and subsection (a) of Section 15-85;
18 (6) establishing rules, procedures, and any exceptions
19 necessary to ensure that the notices and information that
20 businesses are required to provide under this Act are
21 provided in a manner that may be easily understood by the
22 average consumer, are accessible to consumers with
23 disabilities, and are available in the language primarily
24 used to interact with the consumer, including establishing
25 rules and guidelines regarding financial incentives,
26 within one year of the effective date of this Act and as
SB3517 - 78 - LRB103 35732 LNS 65813 b
SB3517- 79 -LRB103 35732 LNS 65813 b SB3517 - 79 - LRB103 35732 LNS 65813 b
SB3517 - 79 - LRB103 35732 LNS 65813 b
1 needed thereafter;
2 (7) establishing rules and procedures to further the
3 purposes of Sections 10-10, 10-15, 10-20, and 10-25 and to
4 facilitate a consumer's or the consumer's authorized
5 agent's ability to delete personal information, correct
6 inaccurate personal information, or obtain information,
7 with the goal of minimizing the administrative burden on a
8 consumer, taking into account available technology,
9 security concerns, and the burden on the business, to
10 govern a business's determination that a request for
11 information received from a consumer is a verifiable
12 consumer request, including treating a request submitted
13 through a password-protected account maintained by the
14 consumer with the business while the consumer is logged
15 into the account as a verifiable consumer request and
16 providing a mechanism for a consumer who does not maintain
17 an account with the business to request information
18 through the business's authentication of the consumer's
19 identity, within one year of the effective date of this
20 Act and as needed thereafter;
21 (8) establishing how often, and under what
22 circumstances, a consumer may request a correction under
23 Section 10-15, including standards governing:
24 (A) how a business responds to a request for
25 correction, including exceptions for requests to which
26 a response is impossible or would involve
SB3517 - 79 - LRB103 35732 LNS 65813 b
SB3517- 80 -LRB103 35732 LNS 65813 b SB3517 - 80 - LRB103 35732 LNS 65813 b
SB3517 - 80 - LRB103 35732 LNS 65813 b
1 disproportionate effort, and requests for correction
2 of accurate information;
3 (B) how concerns regarding the accuracy of the
4 information may be resolved;
5 (C) the steps a business may take to prevent
6 fraud; and
7 (D) if a business rejects a request to correct
8 personal information collected and analyzed concerning
9 a consumer's health, the right of a consumer to
10 provide a written addendum to the business with
11 respect to any item or statement regarding any such
12 personal information that the consumer believes to be
13 incomplete or incorrect. The addendum shall be limited
14 to 250 words per alleged incomplete or incorrect item
15 and shall clearly indicate in writing that the
16 consumer requests the addendum to be made a part of the
17 consumer's record;
18 (9) establishing the standard to govern a business's
19 determination that providing information beyond the
20 12-month period in a response to a verifiable consumer
21 request is impossible or would involve a disproportionate
22 effort;
23 (10) issuing rules further defining and adding to the
24 business purposes, including other notified purposes, for
25 which businesses, service providers, and contractors may
26 use personal information consistent with consumers'
SB3517 - 80 - LRB103 35732 LNS 65813 b
SB3517- 81 -LRB103 35732 LNS 65813 b SB3517 - 81 - LRB103 35732 LNS 65813 b
SB3517 - 81 - LRB103 35732 LNS 65813 b
1 expectations, and further defining the business purposes
2 for which service providers and contractors may combine
3 personal information obtained from different sources,
4 except as provided for in the definition of business
5 purposes;
6 (11) issuing rules identifying those business
7 purposes, including other notified purposes, for which
8 service providers and contractors may use consumers'
9 personal information received under a written contract
10 with a business, for the service provider or contractor's
11 own business purposes, with the goal of maximizing
12 consumer privacy;
13 (12) issuing rules to further define intentionally
14 interacts with the goal of maximizing consumer privacy;
15 (13) issuing rules to further define precise
16 geolocation, including if the size defined is not
17 sufficient to protect consumer privacy in sparsely
18 populated areas or when the personal information is used
19 for normal operational purposes, including billing;
20 (14) issuing rules to define specific pieces of
21 information obtained from the consumer with the goal of
22 maximizing a consumer's right to access relevant personal
23 information while minimizing the delivery of information
24 to a consumer that would not be useful to the consumer,
25 including system log information and other technical data.
26 For delivery of the most sensitive personal information,
SB3517 - 81 - LRB103 35732 LNS 65813 b
SB3517- 82 -LRB103 35732 LNS 65813 b SB3517 - 82 - LRB103 35732 LNS 65813 b
SB3517 - 82 - LRB103 35732 LNS 65813 b
1 the rules may require a higher standard of authentication
2 as long as the Agency shall monitor the impact of the
3 higher standard on the right of consumers to obtain their
4 personal information to ensure that the requirements of
5 verification do not result in the unreasonable denial of
6 verifiable consumer requests;
7 (15) issuing rules requiring businesses whose
8 processing of personal information presents significant
9 risk to consumers' privacy or security, to:
10 (A) perform a cybersecurity audit on an annual
11 basis, including defining the scope of the audit and
12 establishing a process to ensure that audits are
13 thorough and independent. The factors to be considered
14 in determining when processing may result in
15 significant risk to the security of personal
16 information shall include the size and complexity of
17 the business and the nature and scope of processing
18 activities; and
19 (B) submit to the Agency on a regular basis a risk
20 assessment with respect to their processing of
21 personal information, including whether the processing
22 involves sensitive personal information, and
23 identifying and weighing the benefits resulting from
24 the processing to the business, the consumer, other
25 stakeholders, and the public, against the potential
26 risks to the rights of the consumer associated with
SB3517 - 82 - LRB103 35732 LNS 65813 b
SB3517- 83 -LRB103 35732 LNS 65813 b SB3517 - 83 - LRB103 35732 LNS 65813 b
SB3517 - 83 - LRB103 35732 LNS 65813 b
1 that processing, with the goal of restricting or
2 prohibiting the processing if the risks to privacy of
3 the consumer outweigh the benefits resulting from
4 processing to the consumer, the business, other
5 stakeholders, and the public. Nothing in this Section
6 shall require a business to divulge trade secrets;
7 (16) issuing rules governing access and opt-out rights
8 with respect to a business's use of automated
9 decision-making technology, including profiling and
10 requiring business's response to access requests to
11 include meaningful information about the logic involved in
12 those decision-making processes, as well as a description
13 of the likely outcome of the process with respect to the
14 consumer;
15 (17) issuing rules to further define a law enforcement
16 agency-approved investigation for purposes of the
17 exception in paragraph (2) of subsection (a) of Section
18 10-55;
19 (18) issuing rules to define the scope and process for
20 the exercise of the Agency's audit authority, to establish
21 criteria for selection of persons to audit, and to protect
22 consumers' personal information from disclosure to an
23 auditor in the absence of a court order, warrant, or
24 subpoena;
25 (19) (A) issuing rules to define the requirements and
26 technical specifications for an opt-out preference signal
SB3517 - 83 - LRB103 35732 LNS 65813 b
SB3517- 84 -LRB103 35732 LNS 65813 b SB3517 - 84 - LRB103 35732 LNS 65813 b
SB3517 - 84 - LRB103 35732 LNS 65813 b
1 sent by a platform, technology, or mechanism, to indicate
2 a consumer's intent to opt out of the sale or sharing of
3 the personal information and to limit the use or
4 disclosure of the sensitive personal information. The
5 requirements and specifications for the opt-out preference
6 signal should be updated from time to time to reflect the
7 means by which consumers interact with businesses, and
8 should:
9 (i) ensure that the manufacturer of a platform or
10 browser or device that sends the opt-out preference
11 signal cannot unfairly disadvantage another business;
12 (ii) ensure that the opt-out preference signal is
13 consumer-friendly, clearly described, and easy to use
14 by an average consumer and does not require that the
15 consumer provide additional information beyond what is
16 necessary;
17 (iii) clearly represent a consumer's intent and be
18 free of defaults constraining or presupposing that
19 intent;
20 (iv) ensure that the opt-out preference signal
21 does not conflict with other commonly used privacy
22 settings or tools that consumers may employ;
23 (v) provide a mechanism for the consumer to
24 selectively consent to a business's sale of the
25 personal information or the use or disclosure of the
26 sensitive personal information without affecting the
SB3517 - 84 - LRB103 35732 LNS 65813 b
SB3517- 85 -LRB103 35732 LNS 65813 b SB3517 - 85 - LRB103 35732 LNS 65813 b
SB3517 - 85 - LRB103 35732 LNS 65813 b
1 consumer's preferences with respect to other
2 businesses or disabling the opt-out preference signal
3 globally; and
4 (vi) state that in the case of a page or setting
5 view that the consumer accesses to set the opt-out
6 preference signal, the consumer should see up to 3
7 choices, including:
8 (I) a global opt-out from sale and sharing of
9 personal information, including a direction to
10 limit the use of sensitive personal information;
11 (II) a choice to "Limit the Use of My
12 Sensitive Personal Information"; and
13 (III) a choice to "Do Not Sell or Do Not Share
14 My Personal Information for Cross-Context
15 Behavioral Advertising";
16 (B) issuing rules to establish technical
17 specifications for an opt-out preference signal that
18 allows the consumer, or the consumer's parent or guardian,
19 to specify that the consumer is less than 13 years of age
20 or at least 13 years of age and less than 16 years of age;
21 and
22 (C) issuing rules, with the goal of strengthening
23 consumer privacy while considering the legitimate
24 operational interests of businesses, to govern the use or
25 disclosure of sensitive personal information,
26 notwithstanding the consumer's direction to limit the use
SB3517 - 85 - LRB103 35732 LNS 65813 b
SB3517- 86 -LRB103 35732 LNS 65813 b SB3517 - 86 - LRB103 35732 LNS 65813 b
SB3517 - 86 - LRB103 35732 LNS 65813 b
1 or disclosure of the sensitive personal information,
2 including:
3 (i) determining any additional purposes for which
4 a business may use or disclose sensitive personal
5 information;
6 (ii) determining the scope of activities permitted
7 under the definition of business purposes, as
8 authorized by subsection (a) of Section 10-35, to
9 ensure that the activities do not involve
10 health-related research;
11 (iii) ensuring the functionality of the business'
12 operations; and
13 (iv) ensuring that the exemption in subsection (d)
14 of Section 10-35 for sensitive personal information
15 applies to sensitive personal information that is
16 collected or processed incidentally, or without the
17 purpose of inferring characteristics about a consumer,
18 while ensuring that businesses do not use the
19 exemption for the purpose of evading consumers' rights
20 to limit the use and disclosure of sensitive personal
21 information under Section 10-35;
22 (20) issuing rules to govern how a business that has
23 elected to comply with subsection (b) of Section 10-50
24 responds to the opt-out preference signal and provides
25 consumers with the opportunity subsequently to consent to
26 the sale or sharing of their personal information or the
SB3517 - 86 - LRB103 35732 LNS 65813 b
SB3517- 87 -LRB103 35732 LNS 65813 b SB3517 - 87 - LRB103 35732 LNS 65813 b
SB3517 - 87 - LRB103 35732 LNS 65813 b
1 use and disclosure of their sensitive personal information
2 for purposes in addition to those authorized by subsection
3 (a) of Section 10-50. The rules should:
4 (A) strive to promote competition and consumer
5 choice and be technology neutral;
6 (B) ensure that the business does not respond to
7 an opt-out preference signal by:
8 (i) intentionally degrading the functionality
9 of the consumer experience;
10 (ii) charging the consumer a fee in response
11 to the consumer's opt-out preferences;
12 (iii) making any products or services not
13 function properly or fully for the consumer, as
14 compared to consumers who do not use the opt-out
15 preference signal;
16 (iv) attempting to coerce the consumer to opt
17 in to the sale or sharing of the personal
18 information, or the use or disclosure of the
19 sensitive personal information, by stating or
20 implying that the use of the opt-out preference
21 signal will adversely affect the consumer as
22 compared to consumers who do not use the opt-out
23 preference signal, including stating or implying
24 that the consumer will not be able to use the
25 business' products or services or that those
26 products or services may not function properly or
SB3517 - 87 - LRB103 35732 LNS 65813 b
SB3517- 88 -LRB103 35732 LNS 65813 b SB3517 - 88 - LRB103 35732 LNS 65813 b
SB3517 - 88 - LRB103 35732 LNS 65813 b
1 fully; and
2 (v) displaying any notification or pop-up in
3 response to the consumer's opt-out preference
4 signal;
5 (C) ensure that any link to a webpage or its
6 supporting content that allows the consumer to consent
7 to opt in:
8 (i) is not part of a pop-up, notice, banner,
9 or other intrusive design that obscures any part
10 of the webpage the consumer intended to visit from
11 full view or that interferes with or impedes in
12 any way the consumer's experience visiting or
13 browsing the webpage or website the consumer
14 intended to visit;
15 (ii) does not require or imply that the
16 consumer must click the link to receive full
17 functionality of any products or services,
18 including the website;
19 (iii) does not make use of any dark patterns;
20 and
21 (iv) applies only to the business with which
22 the consumer intends to interact; and
23 (D) strive to curb coercive or deceptive practices
24 in response to an opt-out preference signal but should
25 not unduly restrict businesses that are trying in good
26 faith to comply with Section 10-50;
SB3517 - 88 - LRB103 35732 LNS 65813 b
SB3517- 89 -LRB103 35732 LNS 65813 b SB3517 - 89 - LRB103 35732 LNS 65813 b
SB3517 - 89 - LRB103 35732 LNS 65813 b
1 (21) reviewing existing Illinois Insurance Code
2 provisions and rules relating to consumer privacy, except
3 those relating to insurance rates or pricing, to determine
4 whether any provisions of the Illinois Insurance Code
5 provide greater protection to consumers than the
6 provisions of this Act. Upon completing its review, the
7 Agency shall adopt a rule that applies only the more
8 protective provisions of this Act to insurance companies.
9 The Director of Insurance shall have jurisdiction over
10 insurance rates and pricing; and
11 (22) harmonizing the rules governing opt-out
12 mechanisms, notices to consumers, and other operational
13 mechanisms in this Act to promote clarity and the
14 functionality of this Act for consumers.
15 (b) The Attorney General may adopt additional rules as
16 necessary to further the purposes of this Act.
17 (c) The Attorney General shall not bring an enforcement
18 action under this Act until 6 months after the publication of
19 the final rules adopted under this Section or July 1, 2025,
20 whichever is sooner.
21 (d) Notwithstanding subsection (a), the timeline for
22 adopting final rules required by the Act shall be July 1, 2025.
23 Beginning the later of July 1, 2025, or 6 months after the
24 Agency provides notice to the Attorney General that it is
25 prepared to begin rulemaking under this Act, the authority
26 assigned to the Attorney General to adopt rules under this
SB3517 - 89 - LRB103 35732 LNS 65813 b
SB3517- 90 -LRB103 35732 LNS 65813 b SB3517 - 90 - LRB103 35732 LNS 65813 b
SB3517 - 90 - LRB103 35732 LNS 65813 b
1 Section shall be exercised by the Agency. Notwithstanding any
2 other law, civil and administrative enforcement of the
3 provisions of law added or amended by this Act shall not
4 commence until July 1, 2025, and shall only apply to
5 violations occurring on or after that date.
6 Section 10-80. Anti-avoidance. A court or the Agency shall
7 disregard the intermediate steps or transactions for purposes
8 of effectuating the purposes of this Act:
9 (1) if a series of steps or transactions were
10 component parts of a single transaction intended from the
11 beginning to be taken with the intention of avoiding the
12 reach of this Act, including the disclosure of personal
13 information by a business to a third party in order to
14 avoid the definition of sell or share; or
15 (2) if steps or transactions were taken to purposely
16 avoid the definition of sell or share by eliminating any
17 monetary or other valuable consideration, including by
18 entering into contracts that do not include an exchange
19 for monetary or other valuable consideration, but where a
20 party is obtaining something of value or use.
21 Section 10-85. Waiver. Any provision of a contract or
22 agreement of any kind, including a representative action
23 waiver, that purports to waive or limit in any way a consumer's
24 rights under this Act, including, but not limited to, any
SB3517 - 90 - LRB103 35732 LNS 65813 b
SB3517- 91 -LRB103 35732 LNS 65813 b SB3517 - 91 - LRB103 35732 LNS 65813 b
SB3517 - 91 - LRB103 35732 LNS 65813 b
1 right to a remedy or means of enforcement, shall be deemed
2 contrary to public policy and shall be void and unenforceable.
3 This Section shall not prevent a consumer from declining to
4 request personal information from a business, declining to opt
5 out of a business's sale of the personal information, or
6 authorizing a business to sell or share the personal
7 information after previously opting-out.
8 Section 10-90. Good faith cooperation. The Agency, and any
9 court, as applicable, shall consider the good faith
10 cooperation of the business, service provider, contractor, or
11 other person in determining the amount of any administrative
12 fine or civil penalty for a violation of this Act. A business
13 shall not be required by the Agency, a court, or otherwise to
14 pay both an administrative fine and a civil penalty for the
15 same violation.
16 Section 10-95. Remedies.
17 (a) Any business, service provider, contractor, or other
18 person that violates this Act shall be subject to an
19 injunction and liable for a civil penalty of not more than
20 $2,500 for each violation or $7,500 for each intentional
21 violation and each violation involving the personal
22 information of minor consumers, as adjusted by rule, which
23 shall be assessed and recovered in a civil action brought by
24 the Attorney General. The court may consider the good faith
SB3517 - 91 - LRB103 35732 LNS 65813 b
SB3517- 92 -LRB103 35732 LNS 65813 b SB3517 - 92 - LRB103 35732 LNS 65813 b
SB3517 - 92 - LRB103 35732 LNS 65813 b
1 cooperation of the business, service provider, contractor, or
2 other person in determining the amount of the civil penalty.
3 (b) Any civil penalty recovered by an action brought by
4 the Attorney General for a violation of this Act, and the
5 proceeds of any settlement of any said action, shall be
6 deposited into the Consumer Privacy Fund.
7 (c) The Agency shall, upon request by the Attorney
8 General, stay an administrative action or investigation under
9 this Act to permit the Attorney General to proceed with an
10 investigation or civil action and shall not pursue an
11 administrative action or investigation, unless the Attorney
12 General subsequently determines not to pursue an investigation
13 or civil action. The Agency may not limit the authority of the
14 Attorney General to enforce this Act.
15 (d) No civil action may be filed by the Attorney General
16 under this Section for any violation of this Act after the
17 Agency has issued a decision under Section 15-80 or an order
18 under Section 15-50 against that person for the same
19 violation.
20 (e) This Section shall not affect the private right of
21 action provided for in Section 10-60.
22 Article 15. Privacy Protection Agency
23 Section 15-5. Establishment of Privacy Protection Agency.
24 (a) There is hereby established the Privacy Protection
SB3517 - 92 - LRB103 35732 LNS 65813 b
SB3517- 93 -LRB103 35732 LNS 65813 b SB3517 - 93 - LRB103 35732 LNS 65813 b
SB3517 - 93 - LRB103 35732 LNS 65813 b
1 Agency, which is vested with full administrative power,
2 authority, and jurisdiction to implement and enforce this Act.
3 The Agency shall be governed by a 5-member board, including
4 the chairperson. The chairperson and one member of the Board
5 shall be appointed by the Governor. The Attorney General,
6 President of the Senate, and Speaker of the House shall each
7 appoint one member to the Board. These appointments should be
8 made from among State residents with expertise in the areas of
9 privacy, technology, and consumer rights.
10 (b) The initial appointments to the Board shall be made
11 within 90 days of the effective date of this Act.
12 Section 15-10. Member requirements. Members of the Board
13 shall:
14 (1) have qualifications, experience, and skills, in
15 particular in the areas of privacy and technology,
16 required to perform the duties of the Agency and exercise
17 its powers;
18 (2) maintain the confidentiality of information which
19 has come to their knowledge in the course of the
20 performance of their tasks or exercise of their powers,
21 except to the extent that disclosure is required by the
22 Freedom of Information Act;
23 (3) remain free from external influence, whether
24 direct or indirect, and shall neither seek nor take
25 instructions from another;
SB3517 - 93 - LRB103 35732 LNS 65813 b
SB3517- 94 -LRB103 35732 LNS 65813 b SB3517 - 94 - LRB103 35732 LNS 65813 b
SB3517 - 94 - LRB103 35732 LNS 65813 b
1 (4) refrain from any action incompatible with their
2 duties and engaging in any incompatible occupation,
3 whether gainful or not, during their term;
4 (5) have the right of access to all information made
5 available by the Agency to the chairperson;
6 (6) be precluded, for a period of one year after
7 leaving office, from accepting employment with a business
8 that was subject to an enforcement action or civil action
9 under this Act during the member's tenure or during the
10 5-year period preceding the member's appointment; and
11 (7) be precluded for a period of 2 years after leaving
12 office from acting, for compensation, as an agent or
13 attorney for, or otherwise representing, any other person
14 in a matter pending before the Agency if the purpose is to
15 influence an action of the Agency.
16 Section 15-15. Terms. Members of the Board, including the
17 chairperson, shall serve at the pleasure of their appointing
18 authority but shall serve for no longer than 8 consecutive
19 years.
20 Section 15-20. Compensation. For each day on which they
21 engage in official duties, members of the Board shall be
22 compensated at the rate of $100, adjusted biennially to
23 reflect changes in the cost of living, and shall be reimbursed
24 for expenses incurred in performance of their official duties.
SB3517 - 94 - LRB103 35732 LNS 65813 b
SB3517- 95 -LRB103 35732 LNS 65813 b SB3517 - 95 - LRB103 35732 LNS 65813 b
SB3517 - 95 - LRB103 35732 LNS 65813 b
1 Section 15-25. Executive director, officers, counsel, and
2 employees. The Board shall appoint an executive director who
3 shall act in accordance with Agency policies and rules and
4 with applicable law. The Agency shall appoint and discharge
5 officers, counsel, and employees, consistent with applicable
6 civil service laws, and shall fix the compensation of
7 employees and prescribe their duties. The Agency may contract
8 for services that cannot be provided by its employees.
9 Section 15-30. Authority. The Board may delegate authority
10 to the chairperson or the executive director to act in the name
11 of the Agency between meetings of the Agency, except with
12 respect to resolution of enforcement actions and rulemaking
13 authority.
14 Section 15-35. Functions. The Agency shall perform the
15 following functions:
16 (1) administer, implement, and enforce through
17 administrative actions this Act;
18 (2) on and after the earlier of July 1, 2025, or within
19 6 months of the Agency providing the Attorney General with
20 notice that it is prepared to assume rulemaking
21 responsibilities under this Act, adopt, amend, and rescind
22 rules under Section 10-75 to carry out the purposes and
23 provisions of this Act, including rules specifying
SB3517 - 95 - LRB103 35732 LNS 65813 b
SB3517- 96 -LRB103 35732 LNS 65813 b SB3517 - 96 - LRB103 35732 LNS 65813 b
SB3517 - 96 - LRB103 35732 LNS 65813 b
1 recordkeeping requirements for businesses to ensure
2 compliance with this Act;
3 (3) through the implementation of this Act, protect
4 the fundamental privacy rights of natural persons with
5 respect to the use of their personal information;
6 (4) promote public awareness and understanding of the
7 risks, rules, responsibilities, safeguards, and rights in
8 relation to the collection, use, sale, and disclosure of
9 personal information, including the rights of minors with
10 respect to their own information, and provide a public
11 report summarizing the risk assessments filed with the
12 Agency while ensuring that data security is not
13 compromised;
14 (5) provide guidance to consumers regarding their
15 rights under this Act;
16 (6) provide guidance to businesses regarding their
17 duties and responsibilities under this Act and appoint a
18 Chief Privacy Auditor to conduct audits of businesses to
19 ensure compliance with this Act;
20 (7) provide technical assistance and advice to the
21 General Assembly, upon request, with respect to
22 privacy-related legislation;
23 (8) monitor relevant developments relating to the
24 protection of personal information and in particular, the
25 development of information and communication technologies
26 and commercial practices;
SB3517 - 96 - LRB103 35732 LNS 65813 b
SB3517- 97 -LRB103 35732 LNS 65813 b SB3517 - 97 - LRB103 35732 LNS 65813 b
SB3517 - 97 - LRB103 35732 LNS 65813 b
1 (9) cooperate with other agencies with jurisdiction
2 over privacy laws and with data processing authorities in
3 this State, other states, territories, and countries to
4 ensure consistent application of privacy protections;
5 (10) establish a mechanism under which persons doing
6 business in this State that do not meet the definition of
7 business may voluntarily certify that they are in
8 compliance with this Act, and make a list of those
9 entities available to the public;
10 (11) solicit, review, and approve applications for
11 grants to the extent funds are available under paragraph
12 (2) of subsection (b) of Section 10-70; and
13 (12) perform all other acts necessary or appropriate
14 in the exercise of its power, authority, and jurisdiction
15 and seek to balance the goals of strengthening consumer
16 privacy while giving attention to the impact on
17 businesses.
18 Section 15-40. Investigation of violations.
19 (a) Upon the sworn complaint of any person or on its own
20 initiative, the Agency may investigate possible violations of
21 this Act relating to any business, service provider,
22 contractor, or person. The Agency may decide not to
23 investigate a complaint or decide to provide a business with a
24 period to cure the alleged violation. In making a decision not
25 to investigate or provide more time to cure, the Agency may
SB3517 - 97 - LRB103 35732 LNS 65813 b
SB3517- 98 -LRB103 35732 LNS 65813 b SB3517 - 98 - LRB103 35732 LNS 65813 b
SB3517 - 98 - LRB103 35732 LNS 65813 b
1 consider:
2 (1) the lack of intent to violate this Act; and
3 (2) the voluntary efforts undertaken by the business,
4 service provider, contractor, or person to cure the
5 alleged violation prior to being notified by the Agency of
6 the complaint.
7 (b) The Agency shall notify in writing the person who made
8 the complaint of the action, if any, the Agency has taken or
9 plans to take on the complaint, together with the reasons for
10 that action or nonaction.
11 Section 15-45. Notice. No finding of probable cause to
12 believe this Act has been violated shall be made by the Agency
13 unless, at least 30 days prior to the Agency's consideration
14 of the alleged violation, the business, service provider,
15 contractor, or person alleged to have violated this Act is
16 notified of the violation by service of process or registered
17 mail with return receipt requested, provided with a summary of
18 the evidence, and informed of their right to be present in
19 person and represented by counsel at any proceeding of the
20 Agency held for the purpose of considering whether probable
21 cause exists for believing the person violated this Act.
22 Notice to the alleged violator shall be deemed made on the date
23 of service, the date the registered mail receipt is signed, or
24 if the registered mail receipt is not signed, the date
25 returned by the post office. A proceeding held for the purpose
SB3517 - 98 - LRB103 35732 LNS 65813 b
SB3517- 99 -LRB103 35732 LNS 65813 b SB3517 - 99 - LRB103 35732 LNS 65813 b
SB3517 - 99 - LRB103 35732 LNS 65813 b
1 of considering probable cause shall be private unless the
2 alleged violator files with the Agency a written request that
3 the proceeding be public.
4 Section 15-50. Procedure.
5 (a) If the Agency determines there is probable cause for
6 believing this Act has been violated, it shall hold a hearing
7 to determine if a violation or violations have occurred.
8 Notice shall be given and the hearing conducted in accordance
9 with the Illinois Administrative Procedure Act. The Agency
10 shall have all the powers granted by that Act. If the Agency
11 determines on the basis of the hearing conducted under this
12 subsection that a violation or violations have occurred, it
13 shall issue an order that may require the violator to do all or
14 any of the following:
15 (1) cease and desist violation of this Act; or
16 (2) subject to Section 10-65, pay an administrative
17 fine of up to $2,500 for each violation, or up to $7,500
18 for each intentional violation and each violation
19 involving the personal information of minor consumers to
20 the Consumer Privacy Fund.
21 If the Agency determines that no violation has occurred,
22 it shall publish a declaration so stating.
23 (b) If 2 or more persons are responsible for any violation
24 or violations, they shall be jointly and severally liable.
SB3517 - 99 - LRB103 35732 LNS 65813 b
SB3517- 100 -LRB103 35732 LNS 65813 b SB3517 - 100 - LRB103 35732 LNS 65813 b
SB3517 - 100 - LRB103 35732 LNS 65813 b
1 Section 15-55. Rejection of administrative law decision.
2 Whenever the Agency rejects the decision of an administrative
3 law judge, the Agency shall state the reasons in writing for
4 rejecting the decision.
5 Section 15-60. Subpoenas and evidence. The Agency may
6 subpoena witnesses, compel their attendance and testimony,
7 administer oaths and affirmations, take evidence and require
8 by subpoena the production of any books, papers, records, or
9 other items material to the performance of the Agency's duties
10 or exercise of its powers, including, but not limited to, its
11 power to audit a business's compliance with this Act.
12 Section 15-65. Limitations. No administrative action
13 brought under this Act alleging a violation of any of the
14 provisions of this Act shall be commenced more than 5 years
15 after the date on which the violation occurred.
16 (1) The service of the probable cause hearing notice
17 upon the person alleged to have violated this Act shall
18 constitute the commencement of the administrative action.
19 (2) If the person alleged to have violated this Act
20 engages in the fraudulent concealment of the person's acts
21 or identity, the 5-year period shall be tolled for the
22 period of the concealment.
23 (3) If, upon being ordered by a court to produce any
24 documents sought by a subpoena in any administrative
SB3517 - 100 - LRB103 35732 LNS 65813 b
SB3517- 101 -LRB103 35732 LNS 65813 b SB3517 - 101 - LRB103 35732 LNS 65813 b
SB3517 - 101 - LRB103 35732 LNS 65813 b
1 proceeding under this Act and the person alleged to have
2 violated this Act fails to produce documents in response
3 to the order by the date ordered to comply therewith, the
4 5-year period shall be tolled for the period of the delay
5 from the date of filing of the motion to compel until the
6 date the documents are produced.
7 Section 15-70. Collection of administrative fines.
8 (a) In addition to any other available remedies, the
9 Agency may bring a civil action and obtain a judgment in court
10 for the purpose of collecting any unpaid administrative fines
11 imposed under this Act after exhaustion of judicial review of
12 the Agency's action. The venue for this action shall be in the
13 county where the administrative fines were imposed by the
14 Agency. In order to obtain a judgment in a proceeding under
15 this Section, the Agency shall show, following the procedures
16 and rules of evidence as applied in ordinary civil actions:
17 (1) that the administrative fines were imposed
18 following the procedures set forth in this Act and
19 implementing rules;
20 (2) that the defendant or defendants in the action
21 were notified, by actual or constructive notice, of the
22 imposition of the administrative fines; and
23 (3) that a demand for payment has been made by the
24 Agency and full payment has not been received.
25 (b) A civil action brought under subsection (a) shall be
SB3517 - 101 - LRB103 35732 LNS 65813 b
SB3517- 102 -LRB103 35732 LNS 65813 b SB3517 - 102 - LRB103 35732 LNS 65813 b
SB3517 - 102 - LRB103 35732 LNS 65813 b
1 commenced within 4 years after the date on which the
2 administrative fines were imposed.
3 Section 15-75. Judgment.
4 (a) If the time for judicial review of a final Agency order
5 or decision has lapsed, or if all means of judicial review of
6 the order or decision have been exhausted, the Agency may
7 apply to the clerk of the court for a judgment to collect the
8 administrative fines imposed by the order or decision, or the
9 order as modified in accordance with a decision on judicial
10 review.
11 (b) The application, which shall include a certified copy
12 of the order or decision, or the order as modified in
13 accordance with a decision on judicial review, and proof of
14 service of the order or decision, constitutes a sufficient
15 showing to warrant issuance of the judgment to collect the
16 administrative fines. The clerk of the court shall enter the
17 judgment immediately in conformity with the application.
18 (c) An application made under this Section shall be made
19 to the clerk of the court in the county where the
20 administrative fines were imposed by the Agency.
21 (d) A judgment entered in accordance with this Section has
22 the same force and effect as, and is subject to all the
23 provisions of law relating to, a judgment in a civil action and
24 may be enforced in the same manner as any other judgment of the
25 court in which it is entered.
SB3517 - 102 - LRB103 35732 LNS 65813 b
SB3517- 103 -LRB103 35732 LNS 65813 b SB3517 - 103 - LRB103 35732 LNS 65813 b
SB3517 - 103 - LRB103 35732 LNS 65813 b
1 (e) The Agency may bring an application under this Section
2 only within 4 years after the date on which all means of
3 judicial review of the order or decision have been exhausted.
4 (f) The remedies available under this Section are in
5 addition to those available under any other law.
6 Section 15-80. Judicial review. Any decision of the Agency
7 with respect to a complaint or administrative fine shall be
8 subject to judicial review in an action brought by an
9 interested party to the complaint or administrative fine and
10 shall be subject to an abuse of discretion standard.
11 Article 20. Miscellaneous
12 Section 20-5. Conflicting provisions. This Act is intended
13 to further the constitutional right of privacy and to
14 supplement existing laws relating to personal information. The
15 provisions of this Act are not limited to information
16 collected electronically or over the Internet, but apply to
17 the collection and sale of all personal information collected
18 by a business from consumers. Wherever possible, law relating
19 to personal information should be construed to harmonize with
20 the provisions of this Act, but if a conflict between other
21 laws and the provisions of this Act, the provisions of the law
22 that afford the greatest protection for the right of privacy
23 for consumers shall control.
SB3517 - 103 - LRB103 35732 LNS 65813 b
SB3517- 104 -LRB103 35732 LNS 65813 b SB3517 - 104 - LRB103 35732 LNS 65813 b
SB3517 - 104 - LRB103 35732 LNS 65813 b
1 Section 20-10. Preemption. This Act is a matter of
2 statewide concern and supersedes and preempts all rules,
3 regulations, codes, ordinances, and other laws adopted by a
4 city, county, municipality, or local agency regarding the
5 collection and sale of consumers' personal information by a
6 business.
7 Section 20-15. Severability. The provisions of this Act
8 are severable under Section 1.31 of the Statute on Statutes.
9 Section 20-20. Standing. Notwithstanding any other
10 provision of law, if the State or any of its officials fail to
11 defend the constitutionality of this Act, any other
12 governmental agency of this State shall have the authority to
13 intervene in any court action challenging the
14 constitutionality of this Act for the purpose of defending its
15 constitutionality, whether that action is in State or federal
16 trial court, on appeal, or on discretionary review by the
17 Illinois Supreme Court or the Supreme Court of the United
18 States. The reasonable fees and costs of defending the action
19 shall be a charge on funds appropriated to the Office of the
20 Attorney General, which shall be satisfied promptly.
21 Section 20-25. Construction. This Act shall be liberally
22 construed to effectuate its purposes.
SB3517 - 104 - LRB103 35732 LNS 65813 b
SB3517- 105 -LRB103 35732 LNS 65813 b SB3517 - 105 - LRB103 35732 LNS 65813 b
SB3517 - 105 - LRB103 35732 LNS 65813 b
1 Section 20-30. Saving clause. This Act is intended to
2 supplement federal and State law, where permissible, but shall
3 not apply if that application is preempted by, or in conflict
4 with, federal law or the Illinois Constitution. The provisions
5 of this Act relating to children under 16 years of age shall
6 only apply to the extent not in conflict with the federal
7 Children's Online Privacy Protection Act.
8 Article 25. Amendatory Provisions
9 Section 25-5. The State Finance Act is amended by adding
10 Section 5.1015 as follows:
SB3517 - 105 - LRB103 35732 LNS 65813 b