104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026 SB0051 Introduced 1/13/2025, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act Creates the Illinois Age-Appropriate Design Code Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a data protection impact assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a data protection impact assessment on or before July 1, 2026, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2026. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act. LRB104 03750 SPS 13774 b A BILL FOR 104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026 SB0051 Introduced 1/13/2025, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED: New Act New Act Creates the Illinois Age-Appropriate Design Code Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a data protection impact assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a data protection impact assessment on or before July 1, 2026, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2026. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act. LRB104 03750 SPS 13774 b LRB104 03750 SPS 13774 b A BILL FOR
104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026 SB0051 Introduced 1/13/2025, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
New Act New Act
New Act
Creates the Illinois Age-Appropriate Design Code Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a data protection impact assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a data protection impact assessment on or before July 1, 2026, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2026. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act.
LRB104 03750 SPS 13774 b LRB104 03750 SPS 13774 b
LRB104 03750 SPS 13774 b
A BILL FOR
SB0051LRB104 03750 SPS 13774 b SB0051 LRB104 03750 SPS 13774 b
SB0051 LRB104 03750 SPS 13774 b
1 AN ACT concerning regulation.
2 Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
4 Section 1. Short title. This Act may be cited as the
5 Illinois Age-Appropriate Design Code Act.
6 Section 5. Definitions. As used in this Act:
7 "Child" or "children", unless otherwise specified, means a
8 consumer or consumers who are under 18 years of age.
9 "Data protection impact assessment" means a systematic
10 survey to assess and mitigate risks that arise from the data
11 management practices of the business to children who are
12 reasonably likely to access the online service, product, or
13 feature at issue that arises from the provision of that online
14 service, product, or feature.
15 "Default" means a preselected option adopted by the
16 business for the online service, product, or feature.
17 "Likely to be accessed by children" means it is reasonable
18 to expect, based on the following indicators, that the online
19 service, product, or feature would be accessed by children:
20 (1) the online service, product, or feature is
21 directed to children as defined by the Children's Online
22 Privacy Protection Act (15 U.S.C. 6501 et seq.);
23 (2) the online service, product, or feature is
104TH GENERAL ASSEMBLY State of Illinois 2025 and 2026 SB0051 Introduced 1/13/2025, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
New Act New Act
New Act
Creates the Illinois Age-Appropriate Design Code Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a data protection impact assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a data protection impact assessment on or before July 1, 2026, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2026. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act.
LRB104 03750 SPS 13774 b LRB104 03750 SPS 13774 b
LRB104 03750 SPS 13774 b
A BILL FOR
New Act
LRB104 03750 SPS 13774 b
SB0051 LRB104 03750 SPS 13774 b
SB0051- 2 -LRB104 03750 SPS 13774 b SB0051 - 2 - LRB104 03750 SPS 13774 b
SB0051 - 2 - LRB104 03750 SPS 13774 b
1 determined, based on competent and reliable evidence
2 regarding audience composition, to be routinely accessed
3 by a significant number of children;
4 (3) an online service, product, or feature with
5 advertisements marketed to children;
6 (4) an online service, product, or feature that is
7 substantially similar or the same as an online service,
8 product, or feature subject to paragraph (2);
9 (5) an online service, product, or feature that has
10 design elements that are known to be of interest to
11 children, including, but not limited to, games, cartoons,
12 music, and celebrities who appeal to children; and
13 (6) a significant amount of the audience of the online
14 service, product, or feature is determined, based on
15 internal company research, to be children.
16 "Online service, product, or feature" does not mean any of
17 the following:
18 (1) a broadband Internet access service;
19 (2) a telecommunications service; or
20 (3) the delivery or use of a physical product.
21 "Profiling" means any form of automated processing of
22 personal information that uses personal information to
23 evaluate certain aspects relating to a natural person,
24 including analyzing or predicting aspects concerning a natural
25 person's performance at work, economic situation, health,
26 personal preferences, interests, reliability, behavior,
SB0051 - 2 - LRB104 03750 SPS 13774 b
SB0051- 3 -LRB104 03750 SPS 13774 b SB0051 - 3 - LRB104 03750 SPS 13774 b
SB0051 - 3 - LRB104 03750 SPS 13774 b
1 location, or movements.
2 Section 10. Requirements for businesses that provide an
3 online service to children.
4 (a) A business that provides an online service, product,
5 or feature likely to be accessed by children shall take all of
6 the following actions:
7 (1) Before any new online services, products, or
8 features are offered to the public, complete a data
9 protection impact assessment for any online service,
10 product, or feature likely to be accessed by children and
11 maintain documentation of this assessment as long as the
12 online service, product, or feature is likely to be
13 accessed by children. A business shall biennially review
14 all data protection impact assessments. The data
15 protection impact assessment required by this paragraph
16 shall identify the purpose of the online service, product,
17 or feature, how it uses children's personal information,
18 and the risks of material detriment to children that arise
19 from the data management practices of the business. The
20 data protection impact assessment shall address, to the
21 extent applicable, all of the following:
22 (A) whether the design of the online product,
23 service, or feature could harm children, including by
24 exposing children to harmful, or potentially harmful,
25 content on the online product, service, or feature;
SB0051 - 3 - LRB104 03750 SPS 13774 b
SB0051- 4 -LRB104 03750 SPS 13774 b SB0051 - 4 - LRB104 03750 SPS 13774 b
SB0051 - 4 - LRB104 03750 SPS 13774 b
1 (B) whether the design of the online product,
2 service, or feature could lead to children
3 experiencing or being targeted by harmful, or
4 potentially harmful, contacts on the online product,
5 service, or feature;
6 (C) whether the design of the online product,
7 service, or feature could permit children to witness,
8 participate in, or be subject to harmful, or
9 potentially harmful, conduct on the online product,
10 service, or feature;
11 (D) whether the design of the online product,
12 service, or feature could allow children to be party
13 to or exploited by a harmful, or potentially harmful,
14 contact on the online product, service, or feature;
15 (E) whether algorithms used by the online product,
16 service, or feature could harm children;
17 (F) whether targeted advertising systems used by
18 the online product, service, or feature could harm
19 children;
20 (G) whether and how the online product, service,
21 or feature uses system design features to increase,
22 sustain, or extend use of the online product, service,
23 or feature by children, including the automatic
24 playing of media, rewards for time spent, and
25 notifications; and
26 (H) whether, how, and for what purpose the online
SB0051 - 4 - LRB104 03750 SPS 13774 b
SB0051- 5 -LRB104 03750 SPS 13774 b SB0051 - 5 - LRB104 03750 SPS 13774 b
SB0051 - 5 - LRB104 03750 SPS 13774 b
1 product, service, or feature collects or processes
2 sensitive personal information of children.
3 (2) Document any risk of material detriment to
4 children that arises from the data management practices of
5 the business identified in the data protection impact
6 assessment required by paragraph (1) and create a timed
7 plan to mitigate or eliminate the risk before the online
8 service, product, or feature is accessed by children.
9 (3) Within 3 business days of a written request by the
10 Attorney General, provide to the Attorney General a list
11 of all data protection impact assessments the business has
12 completed.
13 (4) For any data protection impact assessment
14 completed as required by paragraph (1), make the data
15 protection impact assessment available, within 5 business
16 days, to the Attorney General pursuant to a written
17 request. To the extent any information contained in a data
18 protection impact assessment disclosed to the Attorney
19 General includes information subject to attorney-client
20 privilege or work product protection, disclosure required
21 by this paragraph shall not constitute a waiver of that
22 privilege or protection.
23 (5) Estimate the age of child users with a reasonable
24 level of certainty appropriate to the risks that arise
25 from the data management practices of the business or
26 apply the privacy and data protections afforded to
SB0051 - 5 - LRB104 03750 SPS 13774 b
SB0051- 6 -LRB104 03750 SPS 13774 b SB0051 - 6 - LRB104 03750 SPS 13774 b
SB0051 - 6 - LRB104 03750 SPS 13774 b
1 children to all consumers.
2 (6) Configure all default privacy settings provided to
3 children by the online service, product, or feature to
4 settings that offer a high level of privacy, unless the
5 business can demonstrate a compelling reason that a
6 different setting is in the best interests of children.
7 (7) Provide any privacy information, terms of service,
8 policies, and community standards concisely, prominently,
9 and using clear language suited to the age of children
10 likely to access that online service, product, or feature.
11 (8) If the online service, product, or feature allows
12 the child's parent, guardian, or any other consumer to
13 monitor the child's online activity or track the child's
14 location, provide an obvious signal to the child when the
15 child is being monitored or tracked.
16 (9) Enforce published terms, policies, and community
17 standards established by the business, including, but not
18 limited to, privacy policies and those concerning
19 children.
20 (10) Provide prominent, accessible, and responsive
21 tools to help children, or if applicable their parents or
22 guardians, exercise their privacy rights and report
23 concerns.
24 (b) A business that provides an online service, product,
25 or feature likely to be accessed by children shall not take any
26 of the following actions:
SB0051 - 6 - LRB104 03750 SPS 13774 b
SB0051- 7 -LRB104 03750 SPS 13774 b SB0051 - 7 - LRB104 03750 SPS 13774 b
SB0051 - 7 - LRB104 03750 SPS 13774 b
1 (1) Use the personal information of any child in a way
2 that the business knows, or has reason to know, is
3 materially detrimental to the physical health, mental
4 health, or well-being of a child.
5 (2) Profile a child by default unless the following
6 criteria are met:
7 (A) the business can demonstrate it has
8 appropriate safeguards in place to protect children;
9 and
10 (B) either of the following is true:
11 (i) profiling is necessary to provide the
12 online service, product, or feature requested and
13 only with respect to the aspects of the online
14 service, product, or feature with which the child
15 is actively and knowingly engaged; or
16 (ii) the business can demonstrate a compelling
17 reason that profiling is in the best interests of
18 children.
19 (3) Collect, sell, share, or retain any personal
20 information that is not necessary to provide an online
21 service, product, or feature with which a child is
22 actively and knowingly engaged unless the business can
23 demonstrate a compelling reason that the collecting,
24 selling, sharing, or retaining of the personal information
25 is in the best interests of children likely to access the
26 online service, product, or feature.
SB0051 - 7 - LRB104 03750 SPS 13774 b
SB0051- 8 -LRB104 03750 SPS 13774 b SB0051 - 8 - LRB104 03750 SPS 13774 b
SB0051 - 8 - LRB104 03750 SPS 13774 b
1 (4) If the end user is a child, use personal
2 information for any reason other than a reason for which
3 that personal information was collected, unless the
4 business can demonstrate a compelling reason that use of
5 the personal information is in the best interests of
6 children.
7 (5) Collect, sell, or share any precise geolocation
8 information of children by default unless the collection
9 of that precise geolocation information is strictly
10 necessary for the business to provide the service,
11 product, or feature requested and then only for the
12 limited time that the collection of precise geolocation
13 information is necessary to provide the service, product,
14 or feature.
15 (6) Collect any precise geolocation information of a
16 child without providing an obvious sign to the child for
17 the duration of that collection that precise geolocation
18 information is being collected.
19 (7) Use dark patterns to lead or encourage children to
20 provide personal information beyond what is reasonably
21 expected to provide that online service, product, or
22 feature to bypass privacy protections, or to take any
23 action that the business knows, or has reason to know, is
24 materially detrimental to the child's physical health,
25 mental health, or well-being.
26 (8) Use any personal information collected to estimate
SB0051 - 8 - LRB104 03750 SPS 13774 b
SB0051- 9 -LRB104 03750 SPS 13774 b SB0051 - 9 - LRB104 03750 SPS 13774 b
SB0051 - 9 - LRB104 03750 SPS 13774 b
1 age or age range for any other purpose or retain that
2 personal information longer than necessary to estimate
3 age. Age assurance shall be proportionate to the risks and
4 data practice of an online service, product, or feature.
5 (c) A data protection impact assessment conducted by a
6 business for the purpose of compliance with any other law
7 complies with this Section if the data protection impact
8 assessment meets the requirements of this Act. A single data
9 protection impact assessment may contain multiple similar
10 processing operations that present similar risks only if each
11 relevant online service, product, or feature is addressed.
12 Section 15. Children's Data Protection Working Group.
13 (a) The Children's Data Protection Working Group is hereby
14 created to deliver a report to the General Assembly, as
15 described in subsection (e), regarding best practices for the
16 implementation of this Act.
17 (b) Working Group members shall consist of residents of
18 this State with expertise in at least 2 of the following areas:
19 (1) children's data privacy;
20 (2) physical health;
21 (3) mental health and well-being;
22 (4) computer science; and
23 (5) children's rights.
24 (c) The Working Group shall select a chairperson and a
25 vice chairperson from among its members and shall consist of
SB0051 - 9 - LRB104 03750 SPS 13774 b
SB0051- 10 -LRB104 03750 SPS 13774 b SB0051 - 10 - LRB104 03750 SPS 13774 b
SB0051 - 10 - LRB104 03750 SPS 13774 b
1 the following 8 members:
2 (1) two members appointed by the Governor;
3 (2) two members appointed by the President of the
4 Senate;
5 (3) two members appointed by the Speaker of the House
6 of Representatives; and
7 (4) two members appointed by the Attorney General.
8 (d) The Working Group shall take input from a broad range
9 of stakeholders, including from academia, consumer advocacy
10 groups, and small, medium, and large businesses affected by
11 data privacy policies and shall make recommendations to the
12 General Assembly on best practices regarding, at minimum, all
13 of the following:
14 (1) identifying online services, products, or features
15 likely to be accessed by children;
16 (2) evaluating and prioritizing the best interests of
17 children with respect to their privacy, physical health,
18 and mental health and well-being and evaluating how those
19 interests may be furthered by the design, development, and
20 implementation of an online service, product, or feature;
21 (3) ensuring that age assurance methods used by
22 businesses that provide online services, products, or
23 features likely to be accessed by children are
24 proportionate to the risks that arise from the data
25 management practices of the business, privacy protective,
26 and minimally invasive;
SB0051 - 10 - LRB104 03750 SPS 13774 b
SB0051- 11 -LRB104 03750 SPS 13774 b SB0051 - 11 - LRB104 03750 SPS 13774 b
SB0051 - 11 - LRB104 03750 SPS 13774 b
1 (4) assessing and mitigating risks to children that
2 arise from the use of an online service, product, or
3 feature; and
4 (5) publishing privacy information, policies, and
5 standards in concise, clear language suited for the age of
6 children likely to access an online service, product, or
7 feature.
8 (e) On or before January 1, 2026, and every 2 years
9 thereafter, the Working Group shall submit a report to the
10 General Assembly regarding the recommendations described in
11 subsection (d).
12 (f) The members of the Working Group shall serve without
13 compensation but shall be reimbursed for all necessary
14 expenses actually incurred in the performance of their duties.
15 (g) The Working Group is dissolved, and this Section is
16 repealed, on January 1, 2032.
17 Section 20. Data protection impact assessment.
18 (a) A business shall complete a data protection impact
19 assessment on or before July 1, 2026, for any online service,
20 product, or feature likely to be accessed by children offered
21 to the public before July 1, 2026.
22 (b) This Section does not apply to an online service,
23 product, or feature that is not offered to the public on or
24 after July 1, 2026.
SB0051 - 11 - LRB104 03750 SPS 13774 b
SB0051- 12 -LRB104 03750 SPS 13774 b SB0051 - 12 - LRB104 03750 SPS 13774 b
SB0051 - 12 - LRB104 03750 SPS 13774 b
1 Section 25. Violations; civil penalties
2 (a) Any business that violates this Act shall be subject
3 to an injunction and liable for a civil penalty of not more
4 than $2,500 per affected child for each negligent violation or
5 not more than $7,500 per affected child for each intentional
6 violation, that shall be assessed and recovered only in a
7 civil action brought by the Attorney General.
8 (b) If a business is in substantial compliance with the
9 requirements of paragraphs (1) through (4) of subsection (a)
10 of Section 10, the Attorney General shall provide written
11 notice to the business, before initiating an action under this
12 Act, identifying the specific provisions of this Act that the
13 Attorney General alleges have been or are being violated.
14 (c) If, within 90 days after the notice required by
15 subsection (b), the business cures any noticed violation and
16 provides the Attorney General a written statement that the
17 alleged violations have been cured, and sufficient measures
18 have been taken to prevent future violations, the business
19 shall not be liable for a civil penalty for any violation cured
20 under this subsection.
21 (d) Any penalties, fees, and expenses recovered in an
22 action brought under this Act shall be deposited into the
23 General Revenue Fund.
24 (e) Nothing in this Act shall be interpreted to serve as
25 the basis for a private right of action under this Act or any
26 other law.
SB0051 - 12 - LRB104 03750 SPS 13774 b
SB0051- 13 -LRB104 03750 SPS 13774 b SB0051 - 13 - LRB104 03750 SPS 13774 b
SB0051 - 13 - LRB104 03750 SPS 13774 b
SB0051 - 13 - LRB104 03750 SPS 13774 b