104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB5221

 

Introduced 2/10/2026, by Rep. Edgar González, Jr.

 

SYNOPSIS AS INTRODUCED:
 
New Act
5 ILCS 140/7.5

    Creates the Consumer Data Privacy Act. Sets forth provisions concerning agreements between personal data processors and controllers. Provides for consumer personal data rights, including the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects. Sets forth provisions concerning the responsibilities of controllers; requirements for small businesses; and data privacy and protection assessments. Provides for civil penalties. Preempts home rule. Amends the Freedom of Information Act to make a conforming change. Effective January 1, 2027.


LRB104 18403 SPS 31845 b

 

 

A BILL FOR

 


    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Consumer Data Privacy Act.
 
    Section 5. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For purposes of this definition, "control" means: (i) ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company.
    "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights set forth in paragraphs (2) through (8) of subsection (a) of Section 20 is being made by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect to the personal data at issue.
    "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include:
        (1) a digital or physical photograph;
        (2) an audio or video recording; or
        (3) any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.
    "Child" has the meaning set forth in 15 U.S.C. 6501.
    "Consent" means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Consent is not valid when the consumer's indication has been obtained by a dark pattern. A consumer may revoke consent previously given, consistent with this Act.
    "Consumer" means a natural person who is a resident of this State acting only in an individual or household context. "Consumer" does not include a natural person acting in a commercial or employment context.
    "Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
    "Decisions that produce legal effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
    "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
    "Deidentified data" means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable natural person or a device linked to an identified or identifiable natural person, provided that the controller that possesses the data:
        (1) takes reasonable measures to ensure that the data cannot be associated with a natural person;
        (2) publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and
        (3) contractually obligates any recipients of the information to comply with all provisions of this definition.
    "Delete" means to remove or destroy information so that it is not maintained in human- or machine-readable form and cannot be retrieved or used in the ordinary course of business.
    "Genetic information" has the meaning set forth in the Health Insurance Portability and Accountability Act of 1996, as specified in 45 CFR 160.103.
    "Governmental entity" means each office, board, commission, agency, department, authority, institution, university, body politic and corporate, administrative unit, and corporate outgrowth of the executive, legislative, and judicial branches of State government, whether created by the Illinois Constitution, by or in accordance with statute, or by executive order of the Governor.
    "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
    "Known child" means a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age.
    "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include deidentified data or publicly available information. For purposes of this definition, "publicly available information" means information that: (i) is lawfully made available from federal, State, or local government records or widely distributed media; or (ii) a controller has a reasonable basis to believe has lawfully been made available to the general public.
    "Process" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including, but not limited to, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
    "Processor" means a natural or legal person who processes personal data on behalf of a controller.
    "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
    "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
    "Sale" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. "Sale" does not include:
        (1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
        (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
        (3) the disclosure or transfer of personal data to an affiliate of the controller;
        (4) the disclosure of information that the consumer intentionally made available to the general public by a channel of mass media and did not restrict to a specific audience;
        (5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
        (6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.
    "Sensitive data" means:
        (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
        (2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
        (3) the personal data of a known child; or
        (4) specific geolocation data.
    "Specific geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than 3 decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates. "Specific geolocation data" does not include the content of communications, the contents of databases containing street address information which are accessible to the public as authorized by law, or any data generated by or connected to advanced utility metering infrastructure systems or other equipment for use by a public utility.
    "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. "Targeted advertising" does not include:
        (1) advertising based on activities within a controller's own websites or online applications;
        (2) advertising based on the context of a consumer's current search query or visit to a website or online application;
        (3) advertising to a consumer in response to the consumer's request for information or feedback; or
        (4) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
    "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
    "Trade secret" has the meaning set forth in subsection (d) of Section 2 of the Illinois Trade Secrets Act.
 
    Section 10. Scope; exclusions.
    (a) This Act applies to legal entities that conduct business in this State or produce products or services that are targeted to residents of this State, and that satisfy one or more of the following thresholds:
        (1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
        (2) derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
    (b) This Act does not apply to the following entities, activities, or types of information:
        (1) a government entity;
        (2) a federally recognized Indian tribe;
        (3) information that meets the definition of:
            (A) protected health information, as defined by and for purposes of the Health Insurance Portability and Accountability Act of 1996, as specified in 45 CFR 160.103;
            (B) health information, as defined in 42 U.S.C. 1320d(4);
            (C) patient identifying information for purposes of 42 CFR Part 2, established pursuant to 42 U.S.C. 290dd-2;
            (D) identifiable private information for purposes of the federal policy for the protection of human subjects, 45 CFR Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization; the protection of human subjects under 21 CFR Parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this paragraph;
            (E) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, Public Law 99-660, and related regulations; or
            (F) patient safety work product for purposes of 42 CFR Part 3, established pursuant to 42 U.S.C. 299b-21 to 299b-26;
        (4) information that is derived from any of the health care-related information listed in paragraph (3), but that has been deidentified in accordance with the requirements for deidentification set forth in 45 CFR Part 164;
        (5) information originating from, and intermingled to be indistinguishable with, any of the health care-related information listed in paragraph (3) that is maintained by:
            (A) a covered entity or business associate, as defined by the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
            (B) a health care provider, as defined in 42 U.S.C. 1320d(3); or
            (C) a program or a qualified service organization, as defined by 42 CFR Part 2, established pursuant to 42 U.S.C. 290dd-2;
        (6) information that is:
            (A) maintained by an entity that meets the definition of health care provider under 45 CFR 160.103, to the extent that the entity maintains the information in the manner required of covered entities with respect to protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
            (B) included in a limited data set, as described under 45 CFR Part 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by that part;
            (C) maintained by, or maintained to comply with the rules or orders of, a self-regulatory organization as defined by 15 U.S.C. 78c(a)(26);
            (D) originated from, or intermingled with, information described in paragraph (9) and that a mortgage loan originator or lender, as those terms are defined in the Residential Mortgage License Act of 1987, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in paragraph (9); or
            (E) originated from, or intermingled with, information described in paragraph (9) and that a nonbank financial institution, as defined in the Illinois Banking Act, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in paragraph (9);
        (7) information used only for public health activities and purposes, as described under 45 CFR Part 164.512;
        (8) an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in 15 U.S.C. 1681a(f), by a furnisher of information, as set forth in 15 U.S.C. 1681s-2, who provides information for use in a consumer report, as defined in 15 U.S.C. 1681a(d), and by a user of a consumer report, as set forth in 15 U.S.C. 1681b, except that information is only excluded under this paragraph to the extent that the activity involving the collection, maintenance, disclosure, sale, communication, or use of the information by the agency, furnisher, or user is subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. 1681 to 1681x, and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act;
        (9) personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
        (10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 to 2725, if the collection, processing, sale, or disclosure is in compliance with that law;
        (11) personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. 1232g, and implementing regulations;
        (12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act of 1971, 12 U.S.C. 2001 to 2279cc, and implementing regulations, 12 CFR Part 600, if the collection, processing, sale, or disclosure is in compliance with that law;
        (13) data collected or maintained:
            (A) in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role;
            (B) as the emergency contact information of an individual under subparagraph (A) if used solely for emergency contact purposes; or
            (C) that is necessary for the business to retain to administer benefits for another individual relating to the individual under subparagraph (A) if used solely for the purposes of administering those benefits;
        (14) personal data collected, processed, sold, or disclosed pursuant to the Use of Credit Information in Personal Insurance Act;
        (15) data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction where no data about consumers is retained;
        (16) a State or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in 12 U.S.C. 1843(k);
        (17) information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (8) and that a person licensed under the Consumer Installment Loan Act, processes, uses, or maintains in the same manner as is required under the laws and regulations specified in paragraph (8);
        (18) an insurance company, an insurance producer, an administrator, as those terms are defined in the Illinois Insurance Code, or an affiliate or subsidiary of any entity identified in this paragraph that is principally engaged in financial activities, as described in 12 U.S.C. 1843(k), except that this paragraph does not apply to a person that, alone or in combination with another person, establishes and maintains a self-insurance program that does not otherwise engage in the business of entering into policies of insurance;
        (19) a small business, as defined by the United States Small Business Administration under 13 CFR Part 121, except that a small business identified in this paragraph is subject to Section 35;
        (20) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance; and
        (21) an air carrier subject to the federal Airline Deregulation Act, Public Law 95-504, only to the extent that an air carrier collects personal data related to prices, routes, or services and only to the extent that the provisions of the Airline Deregulation Act preempt the requirements of this Act.
    (c) Controllers that are in compliance with the Children's Online Privacy Protection Act, 15 U.S.C. 6501 to 6506, and implementing regulations, shall be deemed compliant with any obligation to obtain parental consent under this Act.
 
    Section 15. Responsibility according to role.
    (a) Controllers and processors are responsible for meeting the respective obligations established under this Act.
    (b) Processors are responsible under this Act for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this Act. Assistance under this paragraph shall include:
        (1) taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to Section 20; and
        (2) taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to the Personal Information Protection Act, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by Section 40.
    (c) A contract between a controller and a processor shall control the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor:
        (1) ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
        (2) engage a subcontractor only: (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with subsection (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
    (d) Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures.
    (e) Processing by a processor shall be controlled by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this subsection, subsections (c) and (d), and the following requirements:
        (1) At the discretion of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.
        (2) Upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this Act.
        (3) The processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this Act. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request.
    (f) No contract shall relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this Act.
    (g) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in the person's processing of personal data pursuant to a controller's instructions, or that fails to adhere to a controller's instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing.
 
    Section 20. Consumer personal data rights.
    (a) Consumer rights provided.
        (1) Except as provided in this Act, a controller must comply with a request to exercise the consumer rights provided in this subsection.
        (2) A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing.
        (3) A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.
        (4) A consumer has the right to delete personal data concerning the consumer.
        (5) A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
        (6) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
        (7) If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
        (8) A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
    (b) Exercising consumer rights.
        (1) A consumer may exercise the rights set forth in this Section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise.
        (2) In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this Act on the child's behalf.
        (3) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under the Uniform Adult Guardianship and Protective Proceedings Jurisdiction Act, the guardian or the conservator of the consumer may exercise the rights of this Act on the consumer's behalf.
        (4) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under paragraph (6) of subsection (a) on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including, but not limited to, an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
13    (c) Universal opt-out mechanisms.
14        (1) A controller must allow a consumer to opt out of
15    any processing of the consumer's personal data for the
16    purposes of targeted advertising, or any sale of the
17    consumer's personal data through an opt-out preference
18    signal sent, with the consumer's consent, by a platform,
19    technology, or mechanism to the controller indicating the
20    consumer's intent to opt out of the processing or sale.
21    The platform, technology, or mechanism must:
22            (A) not unfairly disadvantage another controller;
23            (B) not make use of a default setting, but require
24        the consumer to make an affirmative, freely given, and
25        unambiguous choice to opt out of the processing of the
26        consumer's personal data;
1            (C) be consumer-friendly and easy to use by the
2        average consumer;
3            (D) be as consistent as possible with any other
4        similar platform, technology, or mechanism required by
5        any federal or State law or regulation; and
6            (E) enable the controller to accurately determine
7        whether the consumer is a resident of this State and
8        whether the consumer has made a legitimate request to
9        opt out of any sale of the consumer's personal data or
10        targeted advertising. For purposes of this
11        subparagraph, the use of an Internet protocol address
12        to estimate the consumer's location is sufficient to
13        determine the consumer's residence.
14        (2) If a consumer's opt-out request is exercised
15    through the platform, technology, or mechanism required
16    under paragraph (1), and the request conflicts with the
17    consumer's existing controller-specific privacy setting or
18    voluntary participation in a controller's bona fide
19    loyalty, rewards, premium features, discounts, or club
20    card program, the controller must comply with the
21    consumer's opt-out preference signal but may also notify
22    the consumer of the conflict and provide the consumer a
23    choice to confirm the controller-specific privacy setting
24    or participation in the controller's program.
25        (3) The platform, technology, or mechanism required
26    under paragraph (1) is subject to the requirements of
1    subsection (d).
2        (4) A controller that recognizes opt-out preference
3    signals that have been approved by other State laws or
4    regulations is in compliance with this subsection.
5    (d) Controller response to consumer requests.
6        (1) Except as provided in this Act, a controller must
7    comply with a request to exercise the rights pursuant to
8    subsection (a).
9        (2) A controller must provide one or more secure and
10    reliable means for consumers to submit a request to
11    exercise the consumer's rights under this section. The
12    means made available must take into account the ways in
13    which consumers interact with the controller and the need
14    for secure and reliable communication of the requests.
15        (3) A controller may not require a consumer to create
16    a new account in order to exercise a right, but a
17    controller may require a consumer to use an existing
18    account to exercise the consumer's rights under this
19    section.
20        (4) A controller must comply with a request to
21    exercise the right in paragraph (6) of subsection (a) of
22    Section 20, as soon as feasibly possible, but no later
23    than 45 days of receipt of the request.
24        (5) A controller must inform a consumer of any action
25    taken on a request under subsection (a) without undue
26    delay and in any event within 45 days of receipt of the
1    request. That period may be extended once by 45 additional
2    days where reasonably necessary, taking into account the
3    complexity and number of the requests. The controller must
4    inform the consumer of any extension within 45 days of
5    receipt of the request, together with the reasons for the
6    delay.
7        (6) If a controller does not take action on a
8    consumer's request, the controller must inform the
9    consumer without undue delay and at the latest within 45
10    days of receipt of the request of the reasons for not
11    taking action and instructions for how to appeal the
12    decision with the controller as described in subsection
13    (e).
14        (7) Information provided under this Section must be
15    provided by the controller free of charge up to twice
16    annually to the consumer. Where requests from a consumer
17    are manifestly unfounded or excessive, in particular
18    because of the repetitive character of the requests, the
19    controller may either charge a reasonable fee to cover the
20    administrative costs of complying with the request, or
21    refuse to act on the request. The controller bears the
22    burden of demonstrating the manifestly unfounded or
23    excessive character of the request.
24        (8) A controller is not required to comply with a
25    request to exercise any of the rights under paragraphs (2)
26    through (5) and (8) of subsection (a), if the controller
1    is unable to authenticate the request using commercially
2    reasonable efforts. In such cases, the controller may
3    request the provision of additional information reasonably
4    necessary to authenticate the request. A controller is not
5    required to authenticate an opt-out request, but a
6    controller may deny an opt-out request if the controller
7    has a good faith, reasonable, and documented belief that
8    the request is fraudulent. If a controller denies an
9    opt-out request because the controller believes a request
10    is fraudulent, the controller must notify the person who
11    made the request that the request was denied due to the
12    controller's belief that the request was fraudulent and
13    state the controller's basis for that belief.
14        (9) In response to a consumer request under subsection
15    (a), a controller must not disclose the following
16    information about a consumer, but must instead inform the
17    consumer with sufficient particularity that the controller
18    has collected that type of information:
19            (A) Social Security number;
20            (B) driver's license number or other
21        government-issued identification number;
22            (C) financial account number;
23            (D) health insurance account number or medical
24        identification number;
25            (E) account password, security questions, or
26        answers; or
1            (F) biometric data.
2        (10) In response to a consumer request under
3    subsection (a), a controller is not required to reveal any
4    trade secret.
5        (11) A controller that has obtained personal data
6    about a consumer from a source other than the consumer may
7    comply with a consumer's request to delete the consumer's
8    personal data pursuant to paragraph (4) of subsection (a),
9    by either:
10            (A) retaining a record of the deletion request,
11        retaining the minimum data necessary for the purpose
12        of ensuring the consumer's personal data remains
13        deleted from the business's records, and not using the
14        retained data for any other purpose pursuant to the
15        provisions of this Act; or
16            (B) opting the consumer out of the processing of
17        personal data for any purpose except for the purposes
18        exempted pursuant to the provisions of this Act.
19    (e) Appeal process required.
20        (1) A controller must establish an internal process
21    whereby a consumer may appeal a refusal to take action on a
22    request to exercise any of the rights under subsection (a)
23    within a reasonable period of time after the consumer's
24    receipt of the notice sent by the controller under
25    paragraph (6) of subsection (d).
26        (2) The appeal process must be conspicuously
1    available. The process must include the ease of use
2    provisions in subsection (c) applicable to submitting
3    requests.
4        (3) Within 45 days of receipt of an appeal, a
5    controller must inform the consumer of any action taken or
6    not taken in response to the appeal, along with a written
7    explanation of the reasons in support thereof. That period
8    may be extended by 60 additional days where reasonably
9    necessary, taking into account the complexity and number
10    of the requests serving as the basis for the appeal. The
11    controller must inform the consumer of any extension
12    within 45 days of receipt of the appeal, together with the
13    reasons for the delay.
14        (4) When informing a consumer of any action taken or
15    not taken in response to an appeal under subsection (c),
16    the controller must provide a written explanation of the
17    reasons for the controller's decision and clearly and
18    prominently provide the consumer with information about
19    how to file a complaint with the Office of the Attorney
20    General. The controller must maintain records of all
21    appeals and the controller's responses for at least 24
22    months and shall, upon written request by the Attorney
23    General as part of an investigation, compile and provide a
24    copy of the records to the Attorney General.
 
25    Section 25. Processing deidentified data or pseudonymous
1 data.
2    (a) This Act does not require a controller or processor to
3 do any of the following solely for purposes of complying with
4 this Act:
5        (1) reidentify deidentified data;
6        (2) maintain data in identifiable form, or collect,
7    obtain, retain, or access any data or technology, in order
8    to be capable of associating an authenticated consumer
9    request with personal data; or
10        (3) comply with an authenticated consumer request to
11    access, correct, delete, or port personal data pursuant to
12    subsection (a) of Section 20, if all of the following are
13    true:
14            (A) the controller is not reasonably capable of
15        associating the request with the personal data, or it
16        would be unreasonably burdensome for the controller to
17        associate the request with the personal data;
18            (B) the controller does not use the personal data
19        to recognize or respond to the specific consumer who
20        is the subject of the personal data, or associate the
21        personal data with other personal data about the same
22        specific consumer; and
23            (C) the controller does not sell the personal data
24        to any third party or otherwise voluntarily disclose
25        the personal data to any third party other than a
26        processor, except as otherwise permitted in this
1        Section.
2    (b) The rights contained in paragraphs (2) through (5) and
3 (8) of subsection (a) of Section 20 do not apply to
4 pseudonymous data in cases where the controller is able to
5 demonstrate any information necessary to identify the consumer
6 is kept separately and is subject to effective technical and
7 organizational controls that prevent the controller from
8 accessing the information.
9    (c) A controller that uses pseudonymous data or
10 deidentified data must exercise reasonable oversight to
11 monitor compliance with any contractual commitments to which
12 the pseudonymous data or deidentified data are subject, and
13 must take appropriate steps to address any breaches of
14 contractual commitments.
15    (d) A processor or third party must not attempt to
16 identify the subjects of deidentified or pseudonymous data
17 without the express authority of the controller that caused
18 the data to be deidentified or pseudonymized.
19    (e) A controller, processor, or third party must not
20 attempt to identify the subjects of data that has been
21 collected with only pseudonymous identifiers.
 
22    Section 30. Responsibilities of controllers.
23    (a) Transparency obligations.
24        (1) Controllers must provide consumers with a
25    reasonably accessible, clear, and meaningful privacy
1    notice that includes:
2            (A) the categories of personal data processed by
3        the controller;
4            (B) the purposes for which the categories of
5        personal data are processed;
6            (C) an explanation of the rights contained in
7        Section 20 and how and where consumers may exercise
8        those rights, including how a consumer may appeal a
9        controller's action with regard to the consumer's
10        request;
11            (D) the categories of personal data that the
12        controller sells to or shares with third parties, if
13        any;
14            (E) the categories of third parties, if any, with
15        whom the controller sells or shares personal data;
16            (F) the controller's contact information,
17        including an active email address or other online
18        mechanism that the consumer may use to contact the
19        controller;
20            (G) a description of the controller's retention
21        policies for personal data; and
22            (H) the date the privacy notice was last updated.
23        (2) If a controller sells personal data to third
24    parties, processes personal data for targeted advertising,
25    or engages in profiling in furtherance of decisions that
26    produce legal effects concerning a consumer or similarly
1    significant effects concerning a consumer, the controller
2    must disclose the processing in the privacy notice and
3    provide access to a clear and conspicuous method outside
4    the privacy notice for a consumer to opt out of the sale,
5    processing, or profiling in furtherance of decisions that
6    produce legal effects concerning a consumer or similarly
7    significant effects concerning a consumer. This method may
8    include, but is not limited to, an Internet hyperlink
9    clearly labeled "Your Opt-Out Rights" or "Your Privacy
10    Rights" that directly effectuates the opt-out request or
11    takes consumers to a web page where the consumer can make
12    the opt-out request.
13        (3) The privacy notice must be made available to the
14    public in each language in which the controller provides a
15    product or service that is subject to the privacy notice
16    or carries out activities related to the product or
17    service.
18        (4) The controller must provide the privacy notice in
19    a manner that is reasonably accessible to and usable by
20    individuals with disabilities.
21        (5) Whenever a controller makes a material change to
22    the controller's privacy notice or practices, the
23    controller must notify consumers affected by the material
24    change with respect to any prospectively collected
25    personal data and provide a reasonable opportunity for
26    consumers to withdraw consent to any further materially
1    different collection, processing, or transfer of
2    previously collected personal data under the changed
3    policy. The controller shall take all reasonable
4    electronic measures to provide notification regarding
5    material changes to affected consumers, taking into
6    account available technology and the nature of the
7    relationship.
8        (6) A controller is not required to provide a separate
9    Illinois-specific privacy notice or Section of a privacy
10    notice if the controller's general privacy notice contains
11    all the information required by this section.
12        (7) The privacy notice must be posted online through a
13    conspicuous hyperlink using the word "privacy" on the
14    controller's website home page or on a mobile
15    application's app store page or download page. A
16    controller that maintains an application on a mobile or
17    other device shall also include a hyperlink to the privacy
18    notice in the application's settings menu or in a
19    similarly conspicuous and accessible location. A
20    controller that does not operate a website shall make the
21    privacy notice conspicuously available to consumers
22    through a medium regularly used by the controller to
23    interact with consumers, including, but not limited to,
24    mail.
25    (b) Use of data.
26        (1) A controller must limit the collection of personal
1    data to what is adequate, relevant, and reasonably
2    necessary in relation to the purposes for which the data
3    are processed, which must be disclosed to the consumer.
4        (2) Except as provided in this Act, a controller may
5    not process personal data for purposes that are not
6    reasonably necessary to, or compatible with, the purposes
7    for which the personal data are processed, as disclosed to
8    the consumer, unless the controller obtains the consumer's
9    consent.
10        (3) A controller shall establish, implement, and
11    maintain reasonable administrative, technical, and
12    physical data security practices to protect the
13    confidentiality, integrity, and accessibility of personal
14    data, including the maintenance of an inventory of the
15    data that must be managed to exercise these
16    responsibilities. The data security practices shall be
17    appropriate to the volume and nature of the personal data
18    at issue.
19        (4) Except as otherwise provided in this Act, a
20    controller may not process sensitive data concerning a
21    consumer without obtaining the consumer's consent, or, in
22    the case of the processing of personal data concerning a
23    known child, without obtaining consent from the child's
24    parent or lawful guardian, in accordance with the
25    requirement of the Children's Online Privacy Protection
26    Act, 15 U.S.C. 6501 to 6506, and its implementing
1    regulations, rules, and exemptions.
2        (5) A controller shall provide an effective mechanism
3    for a consumer, or, in the case of the processing of
4    personal data concerning a known child, the child's parent
5    or lawful guardian, to revoke previously given consent
6    under this subsection. The mechanism provided shall be at
7    least as easy as the mechanism by which the consent was
8    previously given. Upon revocation of consent, a controller
9    shall cease to process the applicable data as soon as
10    practicable, but not later than 15 days after the receipt
11    of the request.
12        (6) A controller may not process the personal data of
13    a consumer for purposes of targeted advertising, or sell
14    the consumer's personal data, without the consumer's
15    consent, under circumstances where the controller knows
16    that the consumer is between the ages of 13 and 16.
17        (7) A controller may not retain personal data that is
18    no longer relevant and reasonably necessary in relation to
19    the purposes for which the data were collected and
20    processed, unless retention of the data is otherwise
21    required by law or permitted under Section 45.
22    (c) Nondiscrimination.
23        (1) A controller shall not process personal data on
24    the basis of a consumer's or a class of consumers' actual
25    or perceived race, color, ethnicity, religion, national
26    origin, sex, gender, gender identity, sexual orientation,
1    familial status, lawful source of income, or disability in
2    a manner that unlawfully discriminates against the
3    consumer or class of consumers with respect to the
4    offering or provision of: housing, employment, credit, or
5    education; or the goods, services, facilities, privileges,
6    advantages, or accommodations of any place of public
7    accommodation.
8        (2) A controller may not discriminate against a
9    consumer for exercising any of the rights contained in
10    this Act, including denying goods or services to the
11    consumer, charging different prices or rates for goods or
12    services, and providing a different level of quality of
13    goods and services to the consumer. This subsection does
14    not:
15            (A) require a controller to provide a good or
16        service that requires the consumer's personal data
17        that the controller does not collect or maintain; or
18            (B) prohibit a controller from offering a
19        different price, rate, level, quality, or selection of
20        goods or services to a consumer, including offering
21        goods or services for no fee, if the offering is in
22        connection with a consumer's voluntary participation
23        in a bona fide loyalty, rewards, premium features,
24        discounts, or club card program.
25    (d) Any provision of a contract or agreement of any kind
26 that purports to waive or limit in any way a consumer's rights
1 under this Act is contrary to public policy and is void and
2 unenforceable.
 
3    Section 35. Requirements for small businesses.
4    (a) A small business, as defined by the United States
5 Small Business Administration under 13 CFR Part 121, that
6 conducts business in this State or produces products or
7 services that are targeted to residents of this State, must
8 not sell a consumer's sensitive data without the consumer's
9 prior consent.
10    (b) Penalties and Attorney General enforcement procedures
11 under Section 50 apply to a small business that violates this
12 Section.
 
13    Section 40. Data privacy policies; data privacy and
14 protection assessments.
15    (a) A controller must document and maintain a description
16 of the policies and procedures the controller has adopted to
17 comply with this Act. The description must include, where
18 applicable:
19        (1) the name and contact information for the
20    controller's chief privacy officer or other individual
21    with primary responsibility for directing the policies and
22    procedures implemented to comply with the provisions of
23    this Act; and
24        (2) a description of the controller's data privacy

 

 

HB5221- 38 -LRB104 18403 SPS 31845 b

1    policies and procedures which reflect the requirements in
2    Section 35, and any policies and procedures designed to:
3            (A) reflect the requirements of this Act in the
4        design of the controller's systems;
5            (B) identify and provide personal data to a
6        consumer as required by this Act;
7            (C) establish, implement, and maintain reasonable
8        administrative, technical, and physical data security
9        practices to protect the confidentiality, integrity,
10        and accessibility of personal data, including the
11        maintenance of an inventory of the data that must be
12        managed to exercise the responsibilities under this
13        subparagraph;
14            (D) limit the collection of personal data to what
15        is adequate, relevant, and reasonably necessary in
16        relation to the purposes for which the data are
17        processed;
18            (E) prevent the retention of personal data that is
19        no longer relevant and reasonably necessary in
20        relation to the purposes for which the data were
21        collected and processed, unless retention of the data
22        is otherwise required by law or permitted under
23        Section 45; and
24            (F) identify and remediate violations of this Act.
25    (b) A controller must conduct and document a data privacy
26 and protection assessment for each of the following processing
1 activities involving personal data:
2        (1) the processing of personal data for purposes of
3    targeted advertising;
4        (2) the sale of personal data;
5        (3) the processing of sensitive data;
6        (4) any processing activities involving personal data
7    that present a heightened risk of harm to consumers; and
8        (5) the processing of personal data for purposes of
9    profiling, where the profiling presents a reasonably
10    foreseeable risk of:
11            (A) unfair or deceptive treatment of, or disparate
12        impact on, consumers;
13            (B) financial, physical, or reputational injury to
14        consumers;
15            (C) a physical or other intrusion upon the
16        solitude or seclusion, or the private affairs or
17        concerns, of consumers, where the intrusion would be
18        offensive to a reasonable person; or
19            (D) other substantial injury to consumers.
20    (c) A data privacy and protection assessment must take
21 into account the type of personal data to be processed by the
22 controller, including the extent to which the personal data
23 are sensitive data, and the context in which the personal data
24 are to be processed.
25    (d) A data privacy and protection assessment must identify
26 and weigh the benefits that may flow directly and indirectly
1 from the processing to the controller, consumer, other
2 stakeholders, and the public against the potential risks to
3 the rights of the consumer associated with the processing, as
4 mitigated by safeguards that can be employed by the controller
5 to reduce the potential risks. The use of deidentified data
6 and the reasonable expectations of consumers, as well as the
7 context of the processing and the relationship between the
8 controller and the consumer whose personal data will be
9 processed, must be factored into this assessment by the
10 controller.
11    (e) A data privacy and protection assessment must include
12 the description of policies and procedures required by
13 subsection (a).
14    (f) As part of a civil investigative demand, the Attorney
15 General may request, in writing, that a controller disclose
16 any data privacy and protection assessment that is relevant to
17 an investigation conducted by the Attorney General. The
18 controller must make a data privacy and protection assessment
19 available to the Attorney General upon a request made under
20 this subsection. The Attorney General may evaluate the data
21 privacy and protection assessments for compliance with this
22 Act. Data privacy and protection assessments are classified as
23 nonpublic data, exempt from disclosure under the Illinois
24 Freedom of Information Act. The disclosure of a data privacy
25 and protection assessment pursuant to a request from the
26 Attorney General under this paragraph does not constitute a
1 waiver of the attorney-client privilege or work product
2 protection with respect to the assessment and any information
3 contained in the assessment.
4    (g) Data privacy and protection assessments or risk
5 assessments conducted by a controller for the purpose of
6 compliance with other laws or regulations may qualify under
7 this Section if the assessments have a similar scope and
8 effect.
9    (h) A single data protection assessment may address
10 multiple sets of comparable processing operations that include
11 similar activities.
 
12    Section 45. Limitations and applicability.
13    (a) The obligations imposed on controllers or processors
14 under this Act do not restrict a controller's or a processor's
15 ability to:
16        (1) comply with federal, State, or local laws, rules,
17    or regulations, including, but not limited to, data
18    retention requirements in State or federal law
19    notwithstanding a consumer's request to delete personal
20    data;
21        (2) comply with a civil, criminal, or regulatory
22    inquiry, investigation, subpoena, or summons by federal,
23    State, local, or other governmental authorities;
24        (3) cooperate with law enforcement agencies concerning
25    conduct or activity that the controller or processor
1    reasonably and in good faith believes may violate federal,
2    State, or local laws, rules, or regulations;
3        (4) investigate, establish, exercise, prepare for, or
4    defend legal claims;
5        (5) provide a product or service specifically
6    requested by a consumer; perform a contract to which the
7    consumer is a party, including fulfilling the terms of a
8    written warranty; or take steps at the request of the
9    consumer prior to entering into a contract;
10        (6) take immediate steps to protect an interest that
11    is essential for the life or physical safety of the
12    consumer or of another natural person, and where the
13    processing cannot be manifestly based on another legal
14    basis;
15        (7) prevent, detect, protect against, or respond to
16    security incidents, identity theft, fraud, harassment,
17    malicious or deceptive activities, or any illegal
18    activity; preserve the integrity or security of systems;
19    or investigate, report, or prosecute those responsible for
20    the action;
21        (8) assist another controller, processor, or third
22    party with any of the obligations under this subsection;
23        (9) engage in public or peer-reviewed scientific,
24    historical, or statistical research in the public interest
25    that adheres to all other applicable ethics and privacy
26    laws and is approved, monitored, and controlled by an
1    institutional review board, human subjects research ethics
2    review board, or a similar independent oversight entity
3    that has determined:
4            (A) the research is likely to provide substantial
5        benefits that do not exclusively accrue to the
6        controller;
7            (B) the expected benefits of the research outweigh
8        the privacy risks; and
9            (C) the controller has implemented reasonable
10        safeguards to mitigate privacy risks associated with
11        research, including any risks associated with
12        reidentification; or
13        (10) process personal data for the benefit of the
14    public in the areas of public health, community health, or
15    population health, but only to the extent that the
16    processing is:
17            (A) subject to suitable and specific measures to
18        safeguard the rights of the consumer whose personal
19        data is being processed; and
20            (B) under the responsibility of a professional
21        individual who is subject to confidentiality
22        obligations under federal, State, or local law.
23    (b) The obligations imposed on controllers or processors
24under this Act do not restrict a controller's or processor's
25ability to collect, use, or retain data to:
26        (1) effectuate a product recall or identify and repair

 

 

1    technical errors that impair existing or intended
2    functionality;
3        (2) perform internal operations that are reasonably
4    aligned with the expectations of the consumer based on the
5    consumer's existing relationship with the controller, or
6    are otherwise compatible with processing in furtherance of
7    the provision of a product or service specifically
8    requested by a consumer or the performance of a contract
9    to which the consumer is a party; or
10        (3) conduct internal research to develop, improve, or
11    repair products, services, or technology.
12    (c) The obligations imposed on controllers or processors
13under this Act do not apply where compliance by the controller
14or processor with this Act would violate an evidentiary
15privilege under State law and do not prevent a controller or
16processor from providing personal data concerning a consumer
17to a person covered by an evidentiary privilege under State
18law as part of a privileged communication.
19    (d) A controller or processor that discloses personal data
20to a third-party controller or processor in compliance with
21the requirements of this Act is not in violation of this Act if
22the recipient processes the personal data in violation of this
23Act, provided that at the time of disclosing the personal
24data, the disclosing controller or processor did not have
25actual knowledge that the recipient intended to commit a
26violation. A third-party controller or processor receiving

 

 

1personal data from a controller or processor in compliance
2with the requirements of this Act is not in violation of this
3Act for the obligations of the controller or processor from
4which the third-party controller or processor receives the
5personal data.
6    (e) Obligations imposed on controllers and processors
7under this Act shall not:
8        (1) adversely affect the rights or freedoms of any
9    persons, including exercising the right of free speech
10    under the First Amendment of the United States
11    Constitution; or
12        (2) apply to the processing of personal data by a
13    natural person in the course of a purely personal or
14    household activity.
15    (f) Personal data that are processed by a controller
16pursuant to this Section may be processed solely to the extent
17that the processing is:
18        (1) necessary, reasonable, and proportionate to the
19    purposes listed in this Section;
20        (2) adequate, relevant, and limited to what is
21    necessary in relation to the specific purpose or purposes
22    listed in this Section; and
23        (3) insofar as possible, taking into account the
24    nature and purpose of processing the personal data,
25    subjected to reasonable administrative, technical, and
26    physical measures to protect the confidentiality,

 

 

1    integrity, and accessibility of the personal data, and to
2    reduce reasonably foreseeable risks of harm to consumers.
3    (g) If a controller processes personal data under an
4exemption in this Section, the controller bears the burden of
5demonstrating that the processing qualifies for the exemption
6and complies with the requirements in subsection (f).
7    (h) Processing personal data solely for the purposes
8expressly identified in paragraphs (1) through (7) of
9subsection (a) does not, by itself, make an entity a
10controller with respect to the processing.
 
11    Section 50. Attorney General enforcement.
12    (a) If a controller or processor violates this Act, the
13Attorney General, prior to filing an enforcement action under
14subsection (b), must provide the controller or processor with
15a warning letter identifying the specific provisions of this
16Act the Attorney General alleges have been or are being
17violated. If, after 30 days of issuance of the warning letter,
18the Attorney General believes the controller or processor has
19failed to cure any alleged violation, the Attorney General may
20bring an enforcement action under subsection (b).
21    (b) The Attorney General may bring a civil action against
22a controller or processor to enforce a provision of this Act.
23If the State prevails in an action to enforce this Act, the
24State may, in addition to penalties provided by subsection (c)
25or other remedies provided by law, be allowed an amount

 

 

1determined by the court to be the reasonable value of all or
2part of the State's litigation expenses incurred.
3    (c) Any controller or processor that violates this Act is
4subject to an injunction and liable for a civil penalty of not
5more than $7,500 for each violation.
6    (d) Nothing in this Act establishes a private right of
7action for a violation of this Act or any other law.
 
8    Section 55. Home rule. The regulation of the processing of
9personal data by controllers or processors is an exclusive
10power and function of the State. A home rule unit may not
11regulate the processing of personal data by controllers or
12processors. This Section is a denial and limitation of home
13rule powers and functions under subsection (h) of Section 6 of
14Article VII of the Illinois Constitution.
 
15    Section 90. The Freedom of Information Act is amended by
16changing Section 7.5 as follows:
 
17    (5 ILCS 140/7.5)
18    (Text of Section before amendment by P.A. 104-441 and
19104-457)
20    Sec. 7.5. Statutory exemptions. To the extent provided for
21by the statutes referenced below, the following shall be
22exempt from inspection and copying:
23        (a) All information determined to be confidential

 

 

1    under Section 4002 of the Technology Advancement and
2    Development Act.
3        (b) Library circulation and order records identifying
4    library users with specific materials under the Library
5    Records Confidentiality Act.
6        (c) Applications, related documents, and medical
7    records received by the Experimental Organ Transplantation
8    Procedures Board and any and all documents or other
9    records prepared by the Experimental Organ Transplantation
10    Procedures Board or its staff relating to applications it
11    has received.
12        (d) Information and records held by the Department of
13    Public Health and its authorized representatives relating
14    to known or suspected cases of sexually transmitted
15    infection or any information the disclosure of which is
16    restricted under the Illinois Sexually Transmitted
17    Infection Control Act.
18        (e) Information the disclosure of which is exempted
19    under Section 30 of the Radon Industry Licensing Act.
20        (f) Firm performance evaluations under Section 55 of
21    the Architectural, Engineering, and Land Surveying
22    Qualifications Based Selection Act.
23        (g) Information the disclosure of which is restricted
24    and exempted under Section 50 of the Illinois Prepaid
25    Tuition Act.
26        (h) Information the disclosure of which is exempted

 

 

1    under the State Officials and Employees Ethics Act, and
2    records of any lawfully created State or local inspector
3    general's office that would be exempt if created or
4    obtained by an Executive Inspector General's office under
5    that Act.
6        (i) Information contained in a local emergency energy
7    plan submitted to a municipality in accordance with a
8    local emergency energy plan ordinance that is adopted
9    under Section 11-21.5-5 of the Illinois Municipal Code.
10        (j) Information and data concerning the distribution
11    of surcharge moneys collected and remitted by carriers
12    under the Emergency Telephone System Act.
13        (k) Law enforcement officer identification information
14    or driver identification information compiled by a law
15    enforcement agency or the Department of Transportation
16    under Section 11-212 of the Illinois Vehicle Code.
17        (l) Records and information provided to a residential
18    health care facility resident sexual assault and death
19    review team or the Executive Council under the Abuse
20    Prevention Review Team Act.
21        (m) Information provided to the predatory lending
22    database created pursuant to Article 3 of the Residential
23    Real Property Disclosure Act, except to the extent
24    authorized under that Article.
25        (n) Defense budgets and petitions for certification of
26    compensation and expenses for court appointed trial

 

 

1    counsel as provided under Sections 10 and 15 of the
2    Capital Crimes Litigation Act (repealed). This subsection
3    (n) shall apply until the conclusion of the trial of the
4    case, even if the prosecution chooses not to pursue the
5    death penalty prior to trial or sentencing.
6        (o) Information that is prohibited from being
7    disclosed under Section 4 of the Illinois Health and
8    Hazardous Substances Registry Act.
9        (p) Security portions of system safety program plans,
10    investigation reports, surveys, schedules, lists, data, or
11    information compiled, collected, or prepared by or for the
12    Department of Transportation under Sections 2705-300 and
13    2705-616 of the Department of Transportation Law of the
14    Civil Administrative Code of Illinois, the Regional
15    Transportation Authority under Section 2.11 of the
16    Regional Transportation Authority Act, or the St. Clair
17    County Transit District under the Bi-State Transit Safety
18    Act (repealed).
19        (q) Information prohibited from being disclosed by the
20    Personnel Record Review Act.
21        (r) Information prohibited from being disclosed by the
22    Illinois School Student Records Act.
23        (s) Information the disclosure of which is restricted
24    under Section 5-108 of the Public Utilities Act.
25        (t) (Blank).
26        (u) Records and information provided to an independent

 

 

1    team of experts under the Developmental Disability and
2    Mental Health Safety Act (also known as Brian's Law).
3        (v) Names and information of people who have applied
4    for or received Firearm Owner's Identification Cards under
5    the Firearm Owners Identification Card Act or applied for
6    or received a concealed carry license under the Firearm
7    Concealed Carry Act, unless otherwise authorized by the
8    Firearm Concealed Carry Act; and databases under the
9    Firearm Concealed Carry Act, records of the Concealed
10    Carry Licensing Review Board under the Firearm Concealed
11    Carry Act, and law enforcement agency objections under the
12    Firearm Concealed Carry Act.
13        (v-5) Records of the Firearm Owner's Identification
14    Card Review Board that are exempted from disclosure under
15    Section 10 of the Firearm Owners Identification Card Act.
16        (w) Personally identifiable information which is
17    exempted from disclosure under subsection (g) of Section
18    19.1 of the Toll Highway Act.
19        (x) Information which is exempted from disclosure
20    under Section 5-1014.3 of the Counties Code or Section
21    8-11-21 of the Illinois Municipal Code.
22        (y) Confidential information under the Adult
23    Protective Services Act and its predecessor enabling
24    statute, the Elder Abuse and Neglect Act, including
25    information about the identity and administrative finding
26    against any caregiver of a verified and substantiated

 

 

1    decision of abuse, neglect, or financial exploitation of
2    an eligible adult maintained in the Registry established
3    under Section 7.5 of the Adult Protective Services Act.
4        (z) Records and information provided to a fatality
5    review team or the Illinois Fatality Review Team Advisory
6    Council under Section 15 of the Adult Protective Services
7    Act.
8        (aa) Information which is exempted from disclosure
9    under Section 2.37 of the Wildlife Code.
10        (bb) Information which is or was prohibited from
11    disclosure by the Juvenile Court Act of 1987.
12        (cc) Recordings made under the Law Enforcement
13    Officer-Worn Body Camera Act, except to the extent
14    authorized under that Act.
15        (dd) Information that is prohibited from being
16    disclosed under Section 45 of the Condominium and Common
17    Interest Community Ombudsperson Act.
18        (ee) Information that is exempted from disclosure
19    under Section 30.1 of the Pharmacy Practice Act.
20        (ff) Information that is exempted from disclosure
21    under the Revised Uniform Unclaimed Property Act.
22        (gg) Information that is prohibited from being
23    disclosed under Section 7-603.5 of the Illinois Vehicle
24    Code.
25        (hh) Records that are exempt from disclosure under
26    Section 1A-16.7 of the Election Code.

 

 

1        (ii) Information which is exempted from disclosure
2    under Section 2505-800 of the Department of Revenue Law of
3    the Civil Administrative Code of Illinois.
4        (jj) Information and reports that are required to be
5    submitted to the Department of Labor by registering day
6    and temporary labor service agencies but are exempt from
7    disclosure under subsection (a-1) of Section 45 of the Day
8    and Temporary Labor Services Act.
9        (kk) Information prohibited from disclosure under the
10    Seizure and Forfeiture Reporting Act.
11        (ll) Information the disclosure of which is restricted
12    and exempted under Section 5-30.8 of the Illinois Public
13    Aid Code.
14        (mm) Records that are exempt from disclosure under
15    Section 4.2 of the Crime Victims Compensation Act.
16        (nn) Information that is exempt from disclosure under
17    Section 70 of the Higher Education Student Assistance Act.
18        (oo) Communications, notes, records, and reports
19    arising out of a peer support counseling session
20    prohibited from disclosure under the First Responders
21    Suicide Prevention Act.
22        (pp) Names and all identifying information relating to
23    an employee of an emergency services provider or law
24    enforcement agency under the First Responders Suicide
25    Prevention Act.
26        (qq) Information and records held by the Department of

 

 

1    Public Health and its authorized representatives collected
2    under the Reproductive Health Act.
3        (rr) Information that is exempt from disclosure under
4    the Cannabis Regulation and Tax Act.
5        (ss) Data reported by an employer to the Department of
6    Human Rights pursuant to Section 2-108 of the Illinois
7    Human Rights Act.
8        (tt) Recordings made under the Children's Advocacy
9    Center Act, except to the extent authorized under that
10    Act.
11        (uu) Information that is exempt from disclosure under
12    Section 50 of the Sexual Assault Evidence Submission Act.
13        (vv) Information that is exempt from disclosure under
14    subsections (f) and (j) of Section 5-36 of the Illinois
15    Public Aid Code.
16        (ww) Information that is exempt from disclosure under
17    Section 16.8 of the State Treasurer Act.
18        (xx) Information that is exempt from disclosure or
19    information that shall not be made public under the
20    Illinois Insurance Code.
21        (yy) Information prohibited from being disclosed under
22    the Illinois Educational Labor Relations Act.
23        (zz) Information prohibited from being disclosed under
24    the Illinois Public Labor Relations Act.
25        (aaa) Information prohibited from being disclosed
26    under Section 1-167 of the Illinois Pension Code.

 

 

1        (bbb) Information that is prohibited from disclosure
2    by the Illinois Police Training Act and the Illinois State
3    Police Act.
4        (ccc) Records exempt from disclosure under Section
5    2605-304 of the Illinois State Police Law of the Civil
6    Administrative Code of Illinois.
7        (ddd) Information prohibited from being disclosed
8    under Section 35 of the Address Confidentiality for
9    Victims of Domestic Violence, Sexual Assault, Human
10    Trafficking, or Stalking Act.
11        (eee) Information prohibited from being disclosed
12    under subsection (b) of Section 75 of the Domestic
13    Violence Fatality Review Act.
14        (fff) Images from cameras under the Expressway Camera
15    Act and all automated license plate reader (ALPR)
16    information used and collected by the Illinois State
17    Police. "ALPR information" means information gathered by
18    an ALPR or created from the analysis of data generated by
19    an ALPR. This subsection (fff) is inoperative on and after
20    July 1, 2028.
21        (ggg) Information prohibited from disclosure under
22    paragraph (3) of subsection (a) of Section 14 of the Nurse
23    Agency Licensing Act.
24        (hhh) Information submitted to the Illinois State
25    Police in an affidavit or application for an assault
26    weapon endorsement, assault weapon attachment endorsement,

 

 

1    .50 caliber rifle endorsement, or .50 caliber cartridge
2    endorsement under the Firearm Owners Identification Card
3    Act.
4        (iii) Data exempt from disclosure under Section 50 of
5    the School Safety Drill Act.
6        (jjj) Information exempt from disclosure under Section
7    30 of the Insurance Data Security Law.
8        (kkk) Confidential business information prohibited
9    from disclosure under Section 45 of the Paint Stewardship
10    Act.
11        (lll) Data exempt from disclosure under Section
12    2-3.196 of the School Code.
13        (mmm) Information prohibited from being disclosed
14    under subsection (e) of Section 1-129 of the Illinois
15    Power Agency Act.
16        (nnn) Materials received by the Department of Commerce
17    and Economic Opportunity that are confidential under the
18    Music and Musicians Tax Credit and Jobs Act.
19        (ooo) Data or information provided pursuant to Section
20    20 of the Statewide Recycling Needs and Assessment Act.
21        (ppp) Information that is exempt from disclosure under
22    Section 28-11 of the Lawful Health Care Activity Act.
23        (qqq) Information that is exempt from disclosure under
24    Section 7-101 of the Illinois Human Rights Act.
25        (rrr) Information prohibited from being disclosed
26    under Section 4-2 of the Uniform Money Transmission

 

 

1    Modernization Act.
2        (sss) Information exempt from disclosure under Section
3    40 of the Student-Athlete Endorsement Rights Act.
4        (ttt) Audio recordings made under Section 30 of the
5    Illinois State Police Act, except to the extent authorized
6    under that Section.
7        (uuu) Information prohibited from being disclosed
8    under Section 30-5 of the Digital Assets Regulation Act.
9        (vvv) Information prohibited or exempt from being
10    disclosed under the Consumer Data Privacy Act.
11(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
138-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
168-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
199-10-25.)
 
20    (Text of Section after amendment by P.A. 104-457 but
21before 104-441)
22    Sec. 7.5. Statutory exemptions. To the extent provided for
23by the statutes referenced below, the following shall be
24exempt from inspection and copying:
25        (a) All information determined to be confidential

 

 

1    under Section 4002 of the Technology Advancement and
2    Development Act.
3        (b) Library circulation and order records identifying
4    library users with specific materials under the Library
5    Records Confidentiality Act.
6        (c) Applications, related documents, and medical
7    records received by the Experimental Organ Transplantation
8    Procedures Board and any and all documents or other
9    records prepared by the Experimental Organ Transplantation
10    Procedures Board or its staff relating to applications it
11    has received.
12        (d) Information and records held by the Department of
13    Public Health and its authorized representatives relating
14    to known or suspected cases of sexually transmitted
15    infection or any information the disclosure of which is
16    restricted under the Illinois Sexually Transmitted
17    Infection Control Act.
18        (e) Information the disclosure of which is exempted
19    under Section 30 of the Radon Industry Licensing Act.
20        (f) Firm performance evaluations under Section 55 of
21    the Architectural, Engineering, and Land Surveying
22    Qualifications Based Selection Act.
23        (g) Information the disclosure of which is restricted
24    and exempted under Section 50 of the Illinois Prepaid
25    Tuition Act.
26        (h) Information the disclosure of which is exempted

 

 

1    under the State Officials and Employees Ethics Act, and
2    records of any lawfully created State or local inspector
3    general's office that would be exempt if created or
4    obtained by an Executive Inspector General's office under
5    that Act.
6        (i) Information contained in a local emergency energy
7    plan submitted to a municipality in accordance with a
8    local emergency energy plan ordinance that is adopted
9    under Section 11-21.5-5 of the Illinois Municipal Code.
10        (j) Information and data concerning the distribution
11    of surcharge moneys collected and remitted by carriers
12    under the Emergency Telephone System Act.
13        (k) Law enforcement officer identification information
14    or driver identification information compiled by a law
15    enforcement agency or the Department of Transportation
16    under Section 11-212 of the Illinois Vehicle Code.
17        (l) Records and information provided to a residential
18    health care facility resident sexual assault and death
19    review team or the Executive Council under the Abuse
20    Prevention Review Team Act.
21        (m) Information provided to the predatory lending
22    database created pursuant to Article 3 of the Residential
23    Real Property Disclosure Act, except to the extent
24    authorized under that Article.
25        (n) Defense budgets and petitions for certification of
26    compensation and expenses for court appointed trial

 

 

1    counsel as provided under Sections 10 and 15 of the
2    Capital Crimes Litigation Act (repealed). This subsection
3    (n) shall apply until the conclusion of the trial of the
4    case, even if the prosecution chooses not to pursue the
5    death penalty prior to trial or sentencing.
6        (o) Information that is prohibited from being
7    disclosed under Section 4 of the Illinois Health and
8    Hazardous Substances Registry Act.
9        (p) Security portions of system safety program plans,
10    investigation reports, surveys, schedules, lists, data, or
11    information compiled, collected, or prepared by or for the
12    Department of Transportation under Sections 2705-300 and
13    2705-616 of the Department of Transportation Law of the
14    Civil Administrative Code of Illinois, the Northern
15    Illinois Transit Authority under Section 2.11 of the
16    Northern Illinois Transit Authority Act, or the St. Clair
17    County Transit District under the Bi-State Transit Safety
18    Act (repealed).
19        (q) Information prohibited from being disclosed by the
20    Personnel Record Review Act.
21        (r) Information prohibited from being disclosed by the
22    Illinois School Student Records Act.
23        (s) Information the disclosure of which is restricted
24    under Section 5-108 of the Public Utilities Act.
25        (t) (Blank).
26        (u) Records and information provided to an independent

 

 

1    team of experts under the Developmental Disability and
2    Mental Health Safety Act (also known as Brian's Law).
3        (v) Names and information of people who have applied
4    for or received Firearm Owner's Identification Cards under
5    the Firearm Owners Identification Card Act or applied for
6    or received a concealed carry license under the Firearm
7    Concealed Carry Act, unless otherwise authorized by the
8    Firearm Concealed Carry Act; and databases under the
9    Firearm Concealed Carry Act, records of the Concealed
10    Carry Licensing Review Board under the Firearm Concealed
11    Carry Act, and law enforcement agency objections under the
12    Firearm Concealed Carry Act.
13        (v-5) Records of the Firearm Owner's Identification
14    Card Review Board that are exempted from disclosure under
15    Section 10 of the Firearm Owners Identification Card Act.
16        (w) Personally identifiable information which is
17    exempted from disclosure under subsection (g) of Section
18    19.1 of the Toll Highway Act.
19        (x) Information which is exempted from disclosure
20    under Section 5-1014.3 of the Counties Code or Section
21    8-11-21 of the Illinois Municipal Code.
22        (y) Confidential information under the Adult
23    Protective Services Act and its predecessor enabling
24    statute, the Elder Abuse and Neglect Act, including
25    information about the identity and administrative finding
26    against any caregiver of a verified and substantiated

 

 

1    decision of abuse, neglect, or financial exploitation of
2    an eligible adult maintained in the Registry established
3    under Section 7.5 of the Adult Protective Services Act.
4        (z) Records and information provided to a fatality
5    review team or the Illinois Fatality Review Team Advisory
6    Council under Section 15 of the Adult Protective Services
7    Act.
8        (aa) Information which is exempted from disclosure
9    under Section 2.37 of the Wildlife Code.
10        (bb) Information which is or was prohibited from
11    disclosure by the Juvenile Court Act of 1987.
12        (cc) Recordings made under the Law Enforcement
13    Officer-Worn Body Camera Act, except to the extent
14    authorized under that Act.
15        (dd) Information that is prohibited from being
16    disclosed under Section 45 of the Condominium and Common
17    Interest Community Ombudsperson Act.
18        (ee) Information that is exempted from disclosure
19    under Section 30.1 of the Pharmacy Practice Act.
20        (ff) Information that is exempted from disclosure
21    under the Revised Uniform Unclaimed Property Act.
22        (gg) Information that is prohibited from being
23    disclosed under Section 7-603.5 of the Illinois Vehicle
24    Code.
25        (hh) Records that are exempt from disclosure under
26    Section 1A-16.7 of the Election Code.

 

 

1        (ii) Information which is exempted from disclosure
2    under Section 2505-800 of the Department of Revenue Law of
3    the Civil Administrative Code of Illinois.
4        (jj) Information and reports that are required to be
5    submitted to the Department of Labor by registering day
6    and temporary labor service agencies but are exempt from
7    disclosure under subsection (a-1) of Section 45 of the Day
8    and Temporary Labor Services Act.
9        (kk) Information prohibited from disclosure under the
10    Seizure and Forfeiture Reporting Act.
11        (ll) Information the disclosure of which is restricted
12    and exempted under Section 5-30.8 of the Illinois Public
13    Aid Code.
14        (mm) Records that are exempt from disclosure under
15    Section 4.2 of the Crime Victims Compensation Act.
16        (nn) Information that is exempt from disclosure under
17    Section 70 of the Higher Education Student Assistance Act.
18        (oo) Communications, notes, records, and reports
19    arising out of a peer support counseling session
20    prohibited from disclosure under the First Responders
21    Suicide Prevention Act.
22        (pp) Names and all identifying information relating to
23    an employee of an emergency services provider or law
24    enforcement agency under the First Responders Suicide
25    Prevention Act.
26        (qq) Information and records held by the Department of

 

 

1    Public Health and its authorized representatives collected
2    under the Reproductive Health Act.
3        (rr) Information that is exempt from disclosure under
4    the Cannabis Regulation and Tax Act.
5        (ss) Data reported by an employer to the Department of
6    Human Rights pursuant to Section 2-108 of the Illinois
7    Human Rights Act.
8        (tt) Recordings made under the Children's Advocacy
9    Center Act, except to the extent authorized under that
10    Act.
11        (uu) Information that is exempt from disclosure under
12    Section 50 of the Sexual Assault Evidence Submission Act.
13        (vv) Information that is exempt from disclosure under
14    subsections (f) and (j) of Section 5-36 of the Illinois
15    Public Aid Code.
16        (ww) Information that is exempt from disclosure under
17    Section 16.8 of the State Treasurer Act.
18        (xx) Information that is exempt from disclosure or
19    information that shall not be made public under the
20    Illinois Insurance Code.
21        (yy) Information prohibited from being disclosed under
22    the Illinois Educational Labor Relations Act.
23        (zz) Information prohibited from being disclosed under
24    the Illinois Public Labor Relations Act.
25        (aaa) Information prohibited from being disclosed
26    under Section 1-167 of the Illinois Pension Code.

 

 

1        (bbb) Information that is prohibited from disclosure
2    by the Illinois Police Training Act and the Illinois State
3    Police Act.
4        (ccc) Records exempt from disclosure under Section
5    2605-304 of the Illinois State Police Law of the Civil
6    Administrative Code of Illinois.
7        (ddd) Information prohibited from being disclosed
8    under Section 35 of the Address Confidentiality for
9    Victims of Domestic Violence, Sexual Assault, Human
10    Trafficking, or Stalking Act.
11        (eee) Information prohibited from being disclosed
12    under subsection (b) of Section 75 of the Domestic
13    Violence Fatality Review Act.
14        (fff) Images from cameras under the Expressway Camera
15    Act and all automated license plate reader (ALPR)
16    information used and collected by the Illinois State
17    Police. "ALPR information" means information gathered by
18    an ALPR or created from the analysis of data generated by
19    an ALPR. This subsection (fff) is inoperative on and after
20    July 1, 2028.
21        (ggg) Information prohibited from disclosure under
22    paragraph (3) of subsection (a) of Section 14 of the Nurse
23    Agency Licensing Act.
24        (hhh) Information submitted to the Illinois State
25    Police in an affidavit or application for an assault
26    weapon endorsement, assault weapon attachment endorsement,
1    .50 caliber rifle endorsement, or .50 caliber cartridge
2    endorsement under the Firearm Owners Identification Card
3    Act.
4        (iii) Data exempt from disclosure under Section 50 of
5    the School Safety Drill Act.
6        (jjj) Information exempt from disclosure under Section
7    30 of the Insurance Data Security Law.
8        (kkk) Confidential business information prohibited
9    from disclosure under Section 45 of the Paint Stewardship
10    Act.
11        (lll) Data exempt from disclosure under Section
12    2-3.196 of the School Code.
13        (mmm) Information prohibited from being disclosed
14    under subsection (e) of Section 1-129 of the Illinois
15    Power Agency Act.
16        (nnn) Materials received by the Department of Commerce
17    and Economic Opportunity that are confidential under the
18    Music and Musicians Tax Credit and Jobs Act.
19        (ooo) Data or information provided pursuant to Section
20    20 of the Statewide Recycling Needs and Assessment Act.
21        (ppp) Information that is exempt from disclosure under
22    Section 28-11 of the Lawful Health Care Activity Act.
23        (qqq) Information that is exempt from disclosure under
24    Section 7-101 of the Illinois Human Rights Act.
25        (rrr) Information prohibited from being disclosed
26    under Section 4-2 of the Uniform Money Transmission
1    Modernization Act.
2        (sss) Information exempt from disclosure under Section
3    40 of the Student-Athlete Endorsement Rights Act.
4        (ttt) Audio recordings made under Section 30 of the
5    Illinois State Police Act, except to the extent authorized
6    under that Section.
7        (uuu) Information prohibited from being disclosed
8    under Section 30-5 of the Digital Assets Regulation Act.
9        (vvv) Information prohibited or exempt from being
10    disclosed under the Consumer Data Privacy Act.
11(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
138-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
168-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
196-1-26; revised 1-7-26.)
 
20    (Text of Section after amendment by P.A. 104-441)
21    Sec. 7.5. Statutory exemptions. To the extent provided for
22by the statutes referenced below, the following shall be
23exempt from inspection and copying:
24        (a) All information determined to be confidential
25    under Section 4002 of the Technology Advancement and
1    Development Act.
2        (b) Library circulation and order records identifying
3    library users with specific materials under the Library
4    Records Confidentiality Act.
5        (c) Applications, related documents, and medical
6    records received by the Experimental Organ Transplantation
7    Procedures Board and any and all documents or other
8    records prepared by the Experimental Organ Transplantation
9    Procedures Board or its staff relating to applications it
10    has received.
11        (d) Information and records held by the Department of
12    Public Health and its authorized representatives relating
13    to known or suspected cases of sexually transmitted
14    infection or any information the disclosure of which is
15    restricted under the Illinois Sexually Transmitted
16    Infection Control Act.
17        (e) Information the disclosure of which is exempted
18    under Section 30 of the Radon Industry Licensing Act.
19        (f) Firm performance evaluations under Section 55 of
20    the Architectural, Engineering, and Land Surveying
21    Qualifications Based Selection Act.
22        (g) Information the disclosure of which is restricted
23    and exempted under Section 50 of the Illinois Prepaid
24    Tuition Act.
25        (h) Information the disclosure of which is exempted
26    under the State Officials and Employees Ethics Act, and
1    records of any lawfully created State or local inspector
2    general's office that would be exempt if created or
3    obtained by an Executive Inspector General's office under
4    that Act.
5        (i) Information contained in a local emergency energy
6    plan submitted to a municipality in accordance with a
7    local emergency energy plan ordinance that is adopted
8    under Section 11-21.5-5 of the Illinois Municipal Code.
9        (j) Information and data concerning the distribution
10    of surcharge moneys collected and remitted by carriers
11    under the Emergency Telephone System Act.
12        (k) Law enforcement officer identification information
13    or driver identification information compiled by a law
14    enforcement agency or the Department of Transportation
15    under Section 11-212 of the Illinois Vehicle Code.
16        (l) Records and information provided to a residential
17    health care facility resident sexual assault and death
18    review team or the Executive Council under the Abuse
19    Prevention Review Team Act.
20        (m) Information provided to the predatory lending
21    database created pursuant to Article 3 of the Residential
22    Real Property Disclosure Act, except to the extent
23    authorized under that Article.
24        (n) Defense budgets and petitions for certification of
25    compensation and expenses for court appointed trial
26    counsel as provided under Sections 10 and 15 of the
1    Capital Crimes Litigation Act (repealed). This subsection
2    (n) shall apply until the conclusion of the trial of the
3    case, even if the prosecution chooses not to pursue the
4    death penalty prior to trial or sentencing.
5        (o) Information that is prohibited from being
6    disclosed under Section 4 of the Illinois Health and
7    Hazardous Substances Registry Act.
8        (p) Security portions of system safety program plans,
9    investigation reports, surveys, schedules, lists, data, or
10    information compiled, collected, or prepared by or for the
11    Department of Transportation under Sections 2705-300 and
12    2705-616 of the Department of Transportation Law of the
13    Civil Administrative Code of Illinois, the Northern
14    Illinois Transit Authority under Section 2.11 of the
15    Northern Illinois Transit Authority Act, or the St. Clair
16    County Transit District under the Bi-State Transit Safety
17    Act (repealed).
18        (q) Information prohibited from being disclosed by the
19    Personnel Record Review Act.
20        (r) Information prohibited from being disclosed by the
21    Illinois School Student Records Act.
22        (s) Information the disclosure of which is restricted
23    under Section 5-108 of the Public Utilities Act.
24        (t) (Blank).
25        (u) Records and information provided to an independent
26    team of experts under the Developmental Disability and
1    Mental Health Safety Act (also known as Brian's Law).
2        (v) Names and information of people who have applied
3    for or received Firearm Owner's Identification Cards under
4    the Firearm Owners Identification Card Act or applied for
5    or received a concealed carry license under the Firearm
6    Concealed Carry Act, unless otherwise authorized by the
7    Firearm Concealed Carry Act; and databases under the
8    Firearm Concealed Carry Act, records of the Concealed
9    Carry Licensing Review Board under the Firearm Concealed
10    Carry Act, and law enforcement agency objections under the
11    Firearm Concealed Carry Act.
12        (v-5) Records of the Firearm Owner's Identification
13    Card Review Board that are exempted from disclosure under
14    Section 10 of the Firearm Owners Identification Card Act.
15        (w) Personally identifiable information which is
16    exempted from disclosure under subsection (g) of Section
17    19.1 of the Toll Highway Act.
18        (x) Information which is exempted from disclosure
19    under Section 5-1014.3 of the Counties Code or Section
20    8-11-21 of the Illinois Municipal Code.
21        (y) Confidential information under the Adult
22    Protective Services Act and its predecessor enabling
23    statute, the Elder Abuse and Neglect Act, including
24    information about the identity and administrative finding
25    against any caregiver of a verified and substantiated
26    decision of abuse, neglect, or financial exploitation of
1    an eligible adult maintained in the Registry established
2    under Section 7.5 of the Adult Protective Services Act.
3        (z) Records and information provided to a fatality
4    review team or the Illinois Fatality Review Team Advisory
5    Council under Section 15 of the Adult Protective Services
6    Act.
7        (aa) Information which is exempted from disclosure
8    under Section 2.37 of the Wildlife Code.
9        (bb) Information which is or was prohibited from
10    disclosure by the Juvenile Court Act of 1987.
11        (cc) Recordings made under the Law Enforcement
12    Officer-Worn Body Camera Act, except to the extent
13    authorized under that Act.
14        (dd) Information that is prohibited from being
15    disclosed under Section 45 of the Condominium and Common
16    Interest Community Ombudsperson Act.
17        (ee) Information that is exempted from disclosure
18    under Section 30.1 of the Pharmacy Practice Act.
19        (ff) Information that is exempted from disclosure
20    under the Revised Uniform Unclaimed Property Act.
21        (gg) Information that is prohibited from being
22    disclosed under Section 7-603.5 of the Illinois Vehicle
23    Code.
24        (hh) Records that are exempt from disclosure under
25    Section 1A-16.7 of the Election Code.
26        (ii) Information which is exempted from disclosure
1    under Section 2505-800 of the Department of Revenue Law of
2    the Civil Administrative Code of Illinois.
3        (jj) Information and reports that are required to be
4    submitted to the Department of Labor by registering day
5    and temporary labor service agencies but are exempt from
6    disclosure under subsection (a-1) of Section 45 of the Day
7    and Temporary Labor Services Act.
8        (kk) Information prohibited from disclosure under the
9    Seizure and Forfeiture Reporting Act.
10        (ll) Information the disclosure of which is restricted
11    and exempted under Section 5-30.8 of the Illinois Public
12    Aid Code.
13        (mm) Records that are exempt from disclosure under
14    Section 4.2 of the Crime Victims Compensation Act.
15        (nn) Information that is exempt from disclosure under
16    Section 70 of the Higher Education Student Assistance Act.
17        (oo) Communications, notes, records, and reports
18    arising out of a peer support counseling session
19    prohibited from disclosure under the First Responders
20    Suicide Prevention Act.
21        (pp) Names and all identifying information relating to
22    an employee of an emergency services provider or law
23    enforcement agency under the First Responders Suicide
24    Prevention Act.
25        (qq) Information and records held by the Department of
26    Public Health and its authorized representatives collected
1    under the Reproductive Health Act.
2        (rr) Information that is exempt from disclosure under
3    the Cannabis Regulation and Tax Act.
4        (ss) Data reported by an employer to the Department of
5    Human Rights pursuant to Section 2-108 of the Illinois
6    Human Rights Act.
7        (tt) Recordings made under the Children's Advocacy
8    Center Act, except to the extent authorized under that
9    Act.
10        (uu) Information that is exempt from disclosure under
11    Section 50 of the Sexual Assault Evidence Submission Act.
12        (vv) Information that is exempt from disclosure under
13    subsections (f) and (j) of Section 5-36 of the Illinois
14    Public Aid Code.
15        (ww) Information that is exempt from disclosure under
16    Section 16.8 of the State Treasurer Act.
17        (xx) Information that is exempt from disclosure or
18    information that shall not be made public under the
19    Illinois Insurance Code.
20        (yy) Information prohibited from being disclosed under
21    the Illinois Educational Labor Relations Act.
22        (zz) Information prohibited from being disclosed under
23    the Illinois Public Labor Relations Act.
24        (aaa) Information prohibited from being disclosed
25    under Section 1-167 of the Illinois Pension Code.
26        (bbb) Information that is prohibited from disclosure
1    by the Illinois Police Training Act and the Illinois State
2    Police Act.
3        (ccc) Records exempt from disclosure under Section
4    2605-304 of the Illinois State Police Law of the Civil
5    Administrative Code of Illinois.
6        (ddd) Information prohibited from being disclosed
7    under Section 35 of the Address Confidentiality for
8    Victims of Domestic Violence, Sexual Assault, Human
9    Trafficking, or Stalking Act.
10        (eee) Information prohibited from being disclosed
11    under subsection (b) of Section 75 of the Domestic
12    Violence Fatality Review Act.
13        (fff) Images from cameras under the Expressway Camera
14    Act and all automated license plate reader (ALPR)
15    information used and collected by the Illinois State
16    Police. "ALPR information" means information gathered by
17    an ALPR or created from the analysis of data generated by
18    an ALPR. This subsection (fff) is inoperative on and after
19    July 1, 2028.
20        (ggg) Information prohibited from disclosure under
21    paragraph (3) of subsection (a) of Section 14 of the Nurse
22    Agency Licensing Act.
23        (hhh) Information submitted to the Illinois State
24    Police in an affidavit or application for an assault
25    weapon endorsement, assault weapon attachment endorsement,
26    .50 caliber rifle endorsement, or .50 caliber cartridge
1    endorsement under the Firearm Owners Identification Card
2    Act.
3        (iii) Data exempt from disclosure under Section 50 of
4    the School Safety Drill Act.
5        (jjj) Information exempt from disclosure under Section
6    30 of the Insurance Data Security Law.
7        (kkk) Confidential business information prohibited
8    from disclosure under Section 45 of the Paint Stewardship
9    Act.
10        (lll) Data exempt from disclosure under Section
11    2-3.196 of the School Code.
12        (mmm) Information prohibited from being disclosed
13    under subsection (e) of Section 1-129 of the Illinois
14    Power Agency Act.
15        (nnn) Materials received by the Department of Commerce
16    and Economic Opportunity that are confidential under the
17    Music and Musicians Tax Credit and Jobs Act.
18        (ooo) Data or information provided pursuant to Section
19    20 of the Statewide Recycling Needs and Assessment Act.
20        (ppp) Information that is exempt from disclosure under
21    Section 28-11 of the Lawful Health Care Activity Act.
22        (qqq) Information that is exempt from disclosure under
23    Section 7-101 of the Illinois Human Rights Act.
24        (rrr) Information prohibited from being disclosed
25    under Section 4-2 of the Uniform Money Transmission
26    Modernization Act.
1        (sss) Information exempt from disclosure under Section
2    40 of the Student-Athlete Endorsement Rights Act.
3        (ttt) Audio recordings made under Section 30 of the
4    Illinois State Police Act, except to the extent authorized
5    under that Section.
6        (uuu) Information prohibited from being disclosed
7    under Section 30-5 of the Digital Assets Regulation Act.
8        (vvv) Information exempt from disclosure under
9    Section 70 of the End-of-Life Options for Terminally Ill
10    Patients Act.
11        (www) Information prohibited or exempt from being
12    disclosed under the Consumer Data Privacy Act.
13(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
14103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
158-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
16eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
17103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
188-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
19eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
20104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
219-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)
 
22    Section 95. No acceleration or delay. Where this Act makes
23changes in a statute that is represented in this Act by text
24that is not yet or no longer in effect (for example, a Section
25represented by multiple versions), the use of that text does
1not accelerate or delay the taking effect of (i) the changes
2made by this Act or (ii) provisions derived from any other
3Public Act.
 
4    Section 97. Severability. The provisions of this Act are
5severable under Section 1.31 of the Statute on Statutes.
 
6    Section 99. Effective date. This Act takes effect January
71, 2027.