SB0340 Engrossed LRB104 06459 JRC 16495 b

    AN ACT concerning civil law.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 10. Short title. This Act may be cited as the
Illinois Consumer Data Privacy Act.

    Section 11. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is
controlled by, or is under common control with another legal
entity. As used in this definition, "control" or "controlled"
means: ownership of or the power to vote more than 50% of the
outstanding shares of any class of voting security of a
company; control in any manner over the election of a majority
of the directors or of individuals exercising similar
functions; or the power to exercise a controlling influence
over the management of a company.
    "Authenticate" means to use reasonable means to determine
that a request to exercise any of the rights under subsection
(b) of Section 14 is being made by or rightfully on behalf of
the consumer who is entitled to exercise the rights with
respect to the personal data at issue.
    "Biometric identifier" has the same meaning given to that
term in the Biometric Information Privacy Act.
    "Biometric information" has the same meaning given to that
term in the Biometric Information Privacy Act.
    "Child" has the meaning given in United States Code, Title
15, Section 6501.
    "Collect" means to buy, rent, obtain, lease, access,
receive, or otherwise acquire personal data in any manner.
    "Consent" means any freely given, specific, informed, and
unambiguous indication of the consumer's wishes by which the
consumer signifies agreement to the processing of personal
data relating to the consumer. Acceptance of general or broad
terms of use or similar document that contains descriptions of
personal data processing along with other, unrelated
information does not constitute consent. Hovering over,
muting, pausing, or closing a given piece of content does not
constitute consent. A consent is not valid when the consumer's
indication has been obtained by a dark pattern. A consumer may
revoke consent previously given consistent with this Act.
    "Consumer" means a natural person who is an Illinois
resident acting only in an individual or household context.
Consumer does not include a natural person acting in a
commercial or employment context.
    "Controller" means the natural or legal person who, alone
or jointly with others, determines the purposes and means of
the processing of personal data.
    "Decisions that produce legal or similarly significant
effects concerning the consumer" means decisions made by the
controller that result in the provision or denial by the
controller of financial or lending services, housing,
insurance, education enrollment or opportunity, criminal
justice, employment opportunities, health care services, or
access to essential goods or services.
    "Dark pattern" means a user interface designed or
manipulated with the substantial effect of subverting or
impairing user autonomy, decision-making, or choice.
    "Deidentified data" means data that cannot reasonably be
used to infer information about or otherwise be linked to an
identified or identifiable natural person or a device linked
to an identified or identifiable natural person, provided that
the controller that possesses the data:
        (1) takes reasonable measures to ensure that the data
    cannot be associated with a natural person;
        (2) publicly commits to process the data only in a
    deidentified fashion and not attempt to reidentify the
    data; and
        (3) contractually obligates any recipients of the
    information to comply with all provisions of this
    definition.
    "Delete" means to remove or destroy information so that it
is not maintained in human- or machine-readable form and
cannot be retrieved or used in the ordinary course of
business.
    "Genetic information" has the meaning ascribed to the term
under the Health Insurance Portability and Accountability Act
of 1996 as specified in 45 CFR 160.103.
    "Identified or identifiable natural person" means a person
who can be readily identified, directly or indirectly.
    "Known child" means a person under circumstances in which
a controller has actual knowledge of, or willfully disregards,
that the person is under 13 years of age.
    "Personal data" means any information that is linked or
reasonably linkable to an identified or identifiable natural
person. "Personal data" does not include deidentified data,
pseudonymous data, or publicly available information. As used
in this definition, "publicly available information" means
information that (1) is lawfully made available from federal,
state, or local government records or (2) a controller has a
reasonable basis to believe has lawfully been made available
to the general public.
    "Process" or "processing" means any operation or set of
operations that are performed on personal data or on sets of
personal data, whether or not by automated means, including,
but not limited to, the collection, use, storage, disclosure,
analysis, deletion, sharing, retention, organizing,
structuring, or modification of personal data.
    "Processor" means a natural or legal person who processes
personal data on behalf of a controller.
    "Profiling" means any form of automated processing of
personal data to evaluate, analyze, or predict personal
aspects related to an identified or identifiable natural
person's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements.
Profiling does not include automated processing used solely
for independent measurement.
    "Pseudonymous data" means personal data that cannot be
attributed to a specific natural person without the use of
additional information, provided that the additional
information is kept separately and is subject to appropriate
technical and organizational measures to ensure that the
personal data are not attributed to an identified or
identifiable natural person.
    "Sale", "sell", or "sold" means the exchange of personal
data for monetary or other valuable consideration by the
controller, processor, or an affiliate of the controller or
processor to a third party. "Sale" does not include the
following:
        (1) the disclosure of personal data to a processor who
    processes the personal data on behalf of the controller if
    limited to the purposes of processing;
        (2) the disclosure of personal data to a third party
    for purposes of providing a product or service requested
    by the consumer;
        (3) the disclosure or transfer of personal data to an
    affiliate of the controller;
        (4) the disclosure of information that the consumer
    intentionally made available to the general public via a
    channel of mass media and did not restrict to a specific
    audience; or
        (5) the disclosure or transfer of personal data to a
    third party as an asset that is part of a completed or
    proposed merger, acquisition, bankruptcy, or other
    transaction in which the third party assumes control of
    all or part of the controller's assets.
    "Sensitive data" is a form of personal data. "Sensitive
data" means:
        (1) personal data revealing racial or ethnic origin,
    religious beliefs, mental or physical health condition or
    diagnosis, sexual orientation, or citizenship or
    immigration status;
        (2) the processing of biometric identifiers or
    information or genetic information for the purpose of
    uniquely identifying an individual;
        (3) the personal data of a known child;
        (4) specific geolocation data;
        (5) information that reveals the status of
    identifiable natural person as a victim of a crime; or
        (6) a government-issued identifier, including a social
    security number, passport number, or a driver's license
    number, that is not required by law to be displayed in
    public.
    "Specific geolocation data" means information derived from
technology, including, but not limited to, global positioning
system level latitude and longitude coordinates or other
mechanisms that can precisely and accurately identify the
specific location of a consumer or a device linked with a
consumer within a radius of 1,750 feet. Specific geolocation
data does not include the content of communications, the
contents of databases containing street address information
that are accessible to the public as authorized by law, or any
data generated by or connected to advanced utility metering
infrastructure systems or other equipment for use by a public
utility.
    "Targeted advertising" means displaying advertisements to
a consumer or to a device linked to a consumer in which the
advertisement is selected based on personal data obtained or
inferred from the consumer's activities over time and across
nonaffiliated websites or online applications to predict the
consumer's preferences or interests. Targeted advertising does
not include:
        (1) advertising based on activities within a
    controller's own websites or online applications;
        (2) advertising based on the context of a consumer's
    current search query or visit to a website or online
    application;
        (3) advertising to a consumer in response to the
    consumer's request for information or feedback; or
        (4) processing personal data solely for measuring or
    reporting content and advertising performance, reach, or
    frequency, including independent measurement.
    (z) "Third party" means a natural or legal person, public
authority, agency, or body other than the consumer,
controller, processor, or an affiliate of the processor or the
controller.
    (aa) "Trade secret" has the same meaning given to the term
in the Illinois Trade Secrets Act.

    Section 12. Scope; exclusions.
    (a)(1) Scope. This Act applies to legal entities that
conduct business in Illinois or produce products or services
that are targeted to Illinois residents, and that satisfy one
or more of the following thresholds:
        (A) during a calendar year, collects or processes
    personal data of 100,000 consumers or more, excluding
    personal data controlled or processed solely for the
    purpose of completing a payment transaction; or
        (B) derives over 25% of gross revenue from the sale of
    personal data and processes or collects personal data of
    25,000 consumers or more.
    (2) A controller or processor shall comply with the
Student Online Personal Protection Act, except that if the
provisions of that Act conflict with this Act, the Student
Online Personal Protection Act prevails.
    (3) All legal entities shall comply with the Biometric
Information Privacy Act and the Genetic Information Privacy
Act.
    (b) Exclusions. The provisions of this Act do not apply to
the following entities, activities, or types of information:
        (1) the State, a political subdivision of the State,
    units of local government, and school districts;
        (2) a federally recognized Indian tribe;
        (3) information that meets the definition of:
            (A) protected health information, as defined by
        and for purposes of the Health Insurance Portability
        and Accountability Act of 1996, Public Law 104-191,
        and related regulations;
            (B) health records, that includes, but is not
        limited to, any information, whether oral or recorded
        in any form or medium, that relates to the past,
        present, or future physical or mental health or
        condition of a patient; the provision of health care
        to a patient; or the past, present, or future payment
        for the provision of health care to a patient;
            (C) patient identifying information for purposes
        of Code of Federal Regulations, Title 42, Part 2,
        established pursuant to the United States Code, Title
        42, Section 290dd-2;
            (D) identifiable private information for purposes
        of the federal policy for the protection of human
        subjects, the Code of Federal Regulations, Title 45,
        Part 46; identifiable private information that is
        otherwise information collected as part of human
        subjects research under the good clinical practice
        guidelines issued by the International Council for
        Harmonisation; the protection of human subjects under
        the Code of Federal Regulations, Title 21, Parts 50
        and 56; or personal data used or shared in research
        conducted in accordance with one or more of the
        requirements set forth in this paragraph;
            (E) information and documents created for purposes
        of the federal Health Care Quality Improvement Act of
        1986, Public Law 99-660, and related regulations; or
            (F) patient safety work product for purposes of
        Code of Federal Regulations, Title 42, Part 3,
        established under the United States Code, Title 42,
        Sections 299b-21 to 299b-26;
        (4) information that is derived from any of the health
    care-related information listed in clause (3), but that
    has been deidentified in accordance with the requirements
    for deidentification set forth in the Code of Federal
    Regulations, Title 45, Part 164;
        (5) information originating from, and intermingled to
    be indistinguishable with, any of the health care-related
    information listed in clause (3) that is maintained by:
            (A) a covered entity or business associate, as
        defined by the Health Insurance Portability and
        Accountability Act of 1996, Public Law 104-191, and
        related regulations to the extent the entity is acting
        as a covered entity or business associate under the
        Privacy and Security rules issued by the United States
        Department of Health and Human Services, Parts 160 and
        164 of Title 45 of the Code of Federal Regulations;
            (B) a health care provider, to include, but not be
        limited to, any public or private facility that
        provides, on an inpatient or outpatient basis,
        preventive, diagnostic, therapeutic, convalescent,
        rehabilitation, mental health, or intellectual
        disability services, including general or special
        hospitals, skilled nursing homes, extended care
        facilities, intermediate care facilities and mental
        health centers; or
            (C) a program or a qualified service organization,
        as defined by Code of Federal Regulations, Title 42,
        Part 2, established pursuant to United States Code,
        Title 42, Section 290dd-2;
        (6) information that is:
            (A) maintained by an entity that meets the
        definition of health care provider under the Code of
        Federal Regulations, Title 45, Section 160.103, to the
        extent that the entity maintains the information in
        the manner required of covered entities with respect
        to protected health information for purposes of the
        Health Insurance Portability and Accountability Act of
        1996, Public Law 104-191, and related regulations;
            (B) included in a limited data set, as described
        under the Code of Federal Regulations, Title 45, Part
        164.514(e), to the extent that the information is
        used, disclosed, and maintained in the manner
        specified by that part;
            (C) maintained by, or maintained to comply with
        the rules or orders of, a self-regulatory organization
        as defined by the United States Code, Title 15,
        Section 78c(a)(26) or of a registered futures
        association as designated under the United States
        Code, Title 7, Section 21;
            (D) originated from, or intermingled with,
        information described in clause (9) and that a
        residential mortgage originator or residential
        mortgage servicer regulated under the Residential
        Mortgage License Act of 1987 collects, processes,
        uses, or maintains in the same manner as required
        under the laws and regulations specified in clause
        (9); or
            (E) originated from, or intermingled with,
        information described in clause (9) and that a nonbank
        financial institution collects, processes, uses, or
        maintains in the same manner as required under the
        laws and regulations specified in clause (9);
        (7) information used only for public health activities
    and purposes, as described under the Code of Federal
    Regulations, Title 45, Part 164.512;
        (8) an activity involving the collection, maintenance,
    disclosure, sale, communication, or use of any personal
    data bearing on a consumer's credit worthiness, credit
    standing, credit capacity, character, general reputation,
    personal characteristics, or mode of living by a consumer
    reporting agency, as defined in the United States Code,
    Title 15, Section 1681a(f), by a furnisher of information,
    as set forth in the United States Code, Title 15, Section
    1681s-2, who provides information for use in a consumer
    report, as defined in the United States Code, Title 15,
    Section 1681a(d), and by a user of a consumer report, as
    set forth in the United States Code, Title 15, Section
    1681b, except that information is only excluded under this
    paragraph to the extent that the activity involving the
    collection, maintenance, disclosure, sale, communication,
    or use of the information by the agency, furnisher, or
    user is subject to regulation under the federal Fair
    Credit Reporting Act, United States Code, Title 15,
    Sections 1681 to 1681x, and the information is not
    collected, maintained, used, communicated, disclosed, or
    sold except as authorized by the Fair Credit Reporting
    Act;
        (9) financial institutions, their affiliates, and
    personal data subject to the federal Gramm-Leach-Bliley
    Act, Public Law 106-102, and implementing regulations;
        (10) personal data collected, processed, sold, or
    disclosed pursuant to the federal Driver's Privacy
    Protection Act of 1994, United States Code, Title 18,
    Sections 2721 to 2725, if the collection, processing,
    sale, or disclosure is in compliance with that law;
        (11) personal data regulated by the federal Family
    Educational Rights and Privacy Act, United States Code,
    Title 20, Section 1232g, and implementing regulations;
        (12) personal data collected, processed, sold, or
    disclosed pursuant to the federal Farm Credit Act of 1971,
    as amended, United States Code, Title 12, Sections 2001 to
    2279cc, and implementing regulations, Code of Federal
    Regulations, Title 12, Part 600, if the collection,
    processing, sale, or disclosure is in compliance with that
    law;
        (13) data collected or maintained:
            (A) in the course of an individual acting as a job
        applicant to or an employee, owner, director, officer,
        medical staff member, or contractor of a business if
        the data is collected and used solely within the
        context of the role;
            (B) as the emergency contact information of an
        individual under item (A) if used solely for emergency
        contact purposes; or
            (C) that is necessary for the business to retain
        to administer benefits for another individual relating
        to the individual under item (1) if used solely for the
        purposes of administering those benefits;
        (14) personal data collected, processed, sold, or
    disclosed under the Illinois Insurance Code;
        (15) data collected, processed, sold, or disclosed as
    part of a payment-only credit, check, or cash transaction
    where no data about consumers, as defined in Section 11,
    are retained;
        (16) a State or federally chartered bank or credit
    union, or an affiliate or subsidiary that is principally
    engaged in financial activities, as described in the
    United States Code, Title 12, Section 1843(k);
        (17) information that originates from, or is
    intermingled so as to be indistinguishable from,
    information described in clause (8) and that a person
    collects, processes, uses, or maintains in the same manner
    as is required under the laws and regulations specified in
    clause (8);
        (18) an insurance company and an insurance producer
    that are regulated by the State under the Illinois
    Insurance Code, a third-party administrator of
    self-insurance, or an affiliate or subsidiary of any
    entity identified in this clause that is principally
    engaged in financial activities, as described in the
    United States Code, Title 12, Section 1843(k), except that
    this clause does not apply to a person that, alone or in
    combination with another person, establishes and maintains
    a self-insurance program that does not otherwise engage in
    the business of entering into policies of insurance;
        (19) a small business, as defined by the United States
    Small Business Administration under the Code of Federal
    Regulations, Title 13, Part 121, except that a small
    business identified in this clause is subject to Section
    17;
        (20) a nonprofit organization that is established to
    detect and prevent fraudulent acts in connection with
    insurance; and
        (21) an air carrier subject to the federal Airline
    Deregulation Act, Public Law 95-504, only to the extent
    that an air carrier collects personal data related to
    prices, routes, or services and only to the extent that
    the provisions of the Airline Deregulation Act preempt the
    requirements of this Act.
    Controllers that are in compliance with the Children's
Online Privacy Protection Act, United States Code, Title 15,
Sections 6501 to 6506, and implementing regulations, are
deemed compliant with any obligation to obtain parental
consent under this Act.

    Section 13. Responsibility according to role.
    (a) Controllers and processors are responsible for meeting
the respective obligations established under this Act.
    (b) Processors are responsible under this Act for adhering
to the instructions of the controller and assisting the
controller to meet the controller's obligations under this
Act. Assistance under this subsection shall include the
following:
        (1) taking into account the nature of the processing,
    the processor shall assist the controller by appropriate
    technical and organizational measures, insofar as this is
    possible, for the fulfillment of the controller's
    obligation to respond to consumer requests to exercise
    their rights under Section 14; and
        (2) taking into account the nature of processing and
    the information available to the processor, the processor
    shall assist the controller in meeting the controller's
    obligations in relation to the security of processing the
    personal data and in relation to the notification of a
    breach of the security of the system under the Illinois
    Personal Information Protection Act and provide
    information to the controller necessary to enable the
    controller to conduct and document any data privacy and
    protection assessments required by Section 18.
    (c) A contract between a controller and a processor shall
govern the processor's data processing procedures with respect
to processing performed on behalf of the controller. The
contract shall be binding on both parties and clearly set
forth instructions for processing data, the nature and purpose
of processing, the type of data subject to processing, the
duration of processing, and the rights and obligations of both
parties. The contract shall also require that the processor:
        (1) ensure that each person processing the personal
    data is subject to a duty of confidentiality with respect
    to the data;
        (2) engage a subcontractor only under a written
    contract in accordance with this subsection (c) that
    requires the subcontractor to meet the obligations of the
    processor with respect to the personal data;
        (3) at the choice of the controller, delete or return
    all personal data to the controller as requested at the
    end of the provision of services, unless retention of the
    personal data is required by law;
        (4) upon a reasonable request from the controller,
    make available to the controller all information necessary
    to demonstrate compliance with the obligations in this
    Act; and
        (5) allow for, and contribute to, reasonable
    assessments and inspections by the controller or the
    controller's designated assessor. Alternatively, the
    processor may arrange for a qualified and independent
    assessor to conduct, at least annually and at the
    processor's expense, an assessment of the processor's
    policies and technical and organizational measures in
    support of the obligations under this Act. The assessor
    must use an appropriate and accepted control standard or
    framework and assessment procedure for assessments as
    applicable and provide a report of an assessment to the
    controller upon request.
    (d) Taking into account the context of processing, the
controller and the processor shall implement appropriate
technical and organizational measures to ensure a level of
security appropriate to the risk and establish a clear
allocation of the responsibilities between the controller and
the processor to implement the technical and organizational
measures.
    (e) In no event shall any contract relieve a controller or
a processor from the liabilities imposed on a controller or
processor by virtue of the controller's or processor's roles
in the processing relationship under this Act. Notwithstanding
any other provision of this Act, if a processor processes data
under a binding contract that sets forth the processing
instructions and limits the actions the processor may take
with respect to the data it processes on behalf of the
controller, the processor is not liable for the controller's
actions that led to a violation of this Act.
    (f) Determining whether a person is acting as a controller
or processor with respect to a specific processing of data is a
fact-based determination that depends upon the context in
which personal data are to be processed. A person that is not
limited in the person's processing of personal data pursuant
to a controller's instructions, or that fails to adhere to a
controller's instructions, is a controller and not a processor
with respect to a specific processing of data. A processor
that continues to adhere to a controller's instructions with
respect to a specific processing of personal data remains a
processor. If a processor begins, alone or jointly with
others, determining the purposes and means of the processing
of personal data, the processor is a controller with respect
to the processing.

    Section 14. Consumer personal data rights.
    (a)(1) Consumer rights provided. Except as provided in
this Act, a controller must comply with a request to exercise
the consumer rights provided in this subsection (a).
    (2) A consumer has the right to confirm whether or not a
controller is processing personal data concerning the consumer
and access the personal data the controller is processing.
    (3) A consumer has the right to correct inaccurate
personal data concerning the consumer taking into account the
nature of the personal data and the purposes of the processing
of the personal data.
    (4) A consumer has the right to delete personal data
concerning the consumer.
    (5) A consumer has the right to obtain personal data
concerning the consumer, which the consumer previously
provided to the controller, in a portable and, to the extent
technically feasible, readily usable format that allows the
consumer to transmit the data to another controller without
hindrance, where the processing is carried out by automated
means.
    (6) A consumer has the right to opt out of the processing
of personal data concerning the consumer for purposes of: (i)
targeted advertising, (ii) the sale of personal data, or (iii)
profiling in furtherance of automated decisions that produce
legal effects concerning a consumer or similarly significant
effects concerning a consumer.
    (7) A consumer has a right to obtain general descriptions
of categories of third parties to which the controller has
disclosed the consumer's personal data, unless such a list of
specific third parties is readily available to the controller.
    (b)(1) Exercising consumer rights. A consumer may exercise
the rights set forth in subsection (a) by submitting a
request, at any time, to a controller specifying which rights
the consumer wishes to exercise.
    (2) In the case of processing personal data concerning a
known child, the parent or legal guardian of the known child
may exercise the rights under this Act on the child's behalf.
    (3) In the case of processing personal data concerning a
consumer legally subject to guardianship under the Probate Act
of 1975, the guardian of the consumer may exercise the rights
under this Act on the consumer's behalf.
1    (4) A consumer may designate another person as the
2consumer's authorized agent to exercise the consumer's right
3to opt out of the processing of the consumer's personal data
4for purposes of targeted advertising and sale under subsection
5(c)(1) on the consumer's behalf. A consumer may designate an
6authorized agent by way of, among other things, a technology,
7including, but not limited to, an Internet link or a browser
8setting, browser extension, or global device setting,
9indicating the consumer's intent to opt out of the processing.
10A controller shall comply with an opt-out request received
11from an authorized agent if the controller is able to verify,
12with commercially reasonable effort, the identity of the
13consumer and the authorized agent's authority to act on the
14consumer's behalf.
15    (c)(1) Universal opt-out mechanisms. A controller must
16allow a consumer to opt out of any processing of the consumer's
17personal data for the purposes of targeted advertising,
18profiling in furtherance of automated decisions that produce
19legal effects concerning the consumer or any sale of the
20consumer's personal data through an opt-out preference signal
21sent, with the consumer's consent, by a platform, technology,
22or mechanism to the controller indicating the consumer's
23intent to opt out of the processing, profiling, or sale. The
24platform, technology, or mechanism must:
25        (A) not unfairly disadvantage another controller;
26        (B) not make use of a default setting but require the
1    consumer to make an affirmative, freely given, and
2    unambiguous choice to opt out of the processing of the
3    consumer's personal data;
4        (C) be consumer-friendly and easy to use by the
5    average consumer;
6        (D) be as consistent as possible with any other
7    similar platform, technology, or mechanism required by any
8    federal or State law or regulation; and
9        (E) enable the controller to accurately determine
10    whether the consumer is an Illinois resident and whether
11    the consumer has made a legitimate request to opt out of
12    any sale of the consumer's personal data profiling in
13    furtherance of automated decisions that produce legal
14    effects concerning the consumer, or targeted advertising.
15    For purposes of this paragraph, the use of an Internet
16    protocol address to estimate the consumer's location is
17    sufficient to determine the consumer's residence.
18    (2) If a consumer's opt-out request is exercised through
19the platform, technology, or mechanism required under
20subsection (c)(1), and the request conflicts with the
21consumer's existing controller-specific privacy setting or
22voluntary participation in a controller's bona fide loyalty,
23rewards, premium features, discounts, or club card program,
24the controller must comply with the consumer's opt-out
25preference signal but may also notify the consumer of the
26conflict and provide the consumer a choice to confirm the
1controller-specific privacy setting or participation in the
2controller's program.
3    (3) A controller that recognizes opt-out preference
4signals that have been approved by other state laws or
5regulations is in compliance with this subdivision.
6    (d)(1) Controller response to consumer requests. Except as
7provided in this Act, a controller must comply with a request
8to exercise the rights pursuant to subsection (a).
9    (2) A controller must provide one or more secure and
10reliable means for consumers to submit a request to exercise
11the consumer's rights under this Section. The means made
12available must take into account the ways in which consumers
13interact with the controller and the need for secure and
14reliable communication of the requests.
15    (3) A controller may not require a consumer to create a new
16account to exercise a right, but a controller may require a
17consumer to use an existing account to exercise the consumer's
18rights under this Section.
19    (4) A controller must comply with a request to exercise
20the rights under this Section as soon as feasibly possible,
21but no later than 45 days after the receipt of the request,
22unless the controller extends the time.
23    (5) A controller must inform a consumer of any action
24taken on a request under subsection (b) without undue delay
25and in any event within 45 days after the receipt of the
26request. That period may be extended once by 45 additional
1days where reasonably necessary taking into account the
2complexity and number of the requests. The controller must
3inform the consumer of any extension within the original
445-day window, together with the reasons for the delay.
5    (6) If a controller does not take action on a consumer's
6request, the controller must inform the consumer without undue
7delay and at the latest within 45 days after the receipt of the
8request of the reasons for not taking action and instructions
9for how to appeal the decision with the controller as
10described in subsection (e).
11    (7) Information provided under this Section must be
12provided by the controller free of charge up to twice annually
13to the consumer. If requests from a consumer are manifestly
14unfounded or excessive, in particular because of the
15repetitive character of the requests, the controller may
16either charge a reasonable fee to cover the administrative
17costs of complying with the request or refuse to act on the
18request. The controller bears the burden of demonstrating the
19manifestly unfounded or excessive character of the request.
20    (8) A controller is not required to comply with a request
21to exercise any of the rights under subsection (a), paragraphs
22(2) to (5) and (8), if the controller is unable to authenticate
23the request using commercially reasonable efforts. In such
24cases, the controller may request the provision of additional
25information reasonably necessary to authenticate the request.
26A controller is not required to authenticate an opt-out
1request, but a controller may deny an opt-out request if the
2controller has a good faith, reasonable, and documented belief
3that the request is fraudulent. If a controller denies an
4opt-out request because the controller believes a request is
5fraudulent, the controller must notify the person who made the
6request that the request was denied because of the
7controller's belief that the request was fraudulent and state
8the controller's basis for that belief.
9    (9) In response to a consumer request under subsection
10(b), a controller must not disclose the following information
11about a consumer but must instead inform the consumer with
12sufficient particularity that the controller has collected
13that type of information:
14        (A) Social Security number;
15        (B) driver's license number or other government-issued
16    identification number;
17        (C) financial account number;
18        (D) health insurance account number or medical
19    identification number;
20        (E) account password, security questions, or answers;
21    or
22        (F) biometric identifiers or information.
23    (10) In response to a consumer request under subsection
24(b), a controller is not required to reveal any trade secret.
25    (11) A controller that has obtained personal data about a
26consumer from a source other than the consumer may comply with
1a consumer's request to delete the consumer's personal data
2pursuant to subsection (a), paragraph (4), by either:
3        (A) retaining a record of the deletion request,
4    retaining the minimum data necessary for the purpose of
5    ensuring the consumer's personal data remains deleted from
6    the business's records and not using the retained data for
7    any other purpose under the provisions of this Act; or
8        (B) opting the consumer out of the processing of
9    personal data for any purpose except for the purposes
10    exempted pursuant to the provisions of this Act.
11    (e)(1) Appeal process required. A controller must
12establish an internal process in which a consumer may appeal a
13refusal to take action on a request to exercise any of the
14rights under subsection (a) within a reasonable period of time
15after the consumer's receipt of the notice sent by the
16controller under subsection (d), paragraph (6).
17    (2) The appeal process must be conspicuously available.
18The process must include the ease of use provisions in
19subsection (c)(1) applicable to submitting requests.
20    (3) Within 45 days after the receipt of an appeal, a
21controller must inform the consumer of any action taken or not
22taken in response to the appeal along with a written
23explanation of the reasons in support thereof. That period may
24be extended by 60 additional days if reasonably necessary,
25taking into account the complexity and number of the requests
26serving as the basis for the appeal. The controller must
1inform the consumer of any extension within 45 days after the
2receipt of the appeal together with the reasons for the delay.
3    (4) When informing a consumer of any action taken or not
4taken in response to an appeal pursuant to paragraph (3), the
5controller must provide a written explanation of the reasons
6for the controller's decision and clearly and prominently
7provide the consumer with information about how to file a
8complaint with the Attorney General. The controller must
9maintain records of all appeals and the controller's responses
10for at least 24 months and shall, upon written request by the
11Attorney General as part of an investigation, compile and
12provide a copy of the records to the Attorney General.
 
13    Section 15. Processing deidentified data or pseudonymous
14data.
15    (a) This Act does not require a controller or processor to
16do any of the following solely for purposes of complying with
17this Act:
18        (1) reidentify deidentified data;
19        (2) maintain data in identifiable form, or collect,
20    obtain, retain, or access any data or technology, to be
21    capable of associating an authenticated consumer request
22    with personal data; or
23        (3) comply with an authenticated consumer request to
24    access, correct, delete, or port personal data under
25    Section 14, subsection (a), if all of the following are
1    true:
2            (A) the controller is not reasonably capable of
3        associating the request with the personal data, or it
4        would be unreasonably burdensome for the controller to
5        associate the request with the personal data;
6            (B) the controller does not use the personal data
7        to recognize or respond to the specific consumer who
8        is the subject of the personal data or associate the
9        personal data with other personal data about the same
10        specific consumer; and
11            (C) the controller does not sell the personal data
12        to any third party or otherwise voluntarily disclose
13        the personal data to any third party other than a
14        processor, except as otherwise permitted in this
15        Section.
16    (b) The rights contained in paragraphs (2) to (5) and (8)
17of subsection (a) of Section 14 do not apply to pseudonymous
18data in cases in which the controller is able to demonstrate
19any information necessary to identify the consumer is kept
20separately and is subject to effective technical and
21organizational controls that prevent the controller from
22accessing the information.
23    (c) A controller that transfers, sells, or otherwise
24discloses pseudonymous data or deidentified data must exercise
25reasonable oversight to monitor compliance with any
26contractual commitments to which the pseudonymous data or
1deidentified data are subject, and must take appropriate steps
2to address any breaches of contractual commitments.
3    (d) A processor or third party must not attempt to
4identify the subjects of deidentified or pseudonymous data
5without the express authority of the controller that caused
6the data to be deidentified or pseudonymized.
7    (e) A controller, processor, or third party must not
8attempt to identify the subjects of data that has been
9collected with only pseudonymous identifiers.
 
10    Section 16. Responsibilities of controllers.
11    (a)(1) Transparency obligations. Controllers must provide
12consumers with a reasonably accessible, clear, and meaningful
13privacy notice that includes:
14        (A) the categories of personal data processed by the
15    controller;
16        (B) the purposes for which the categories of personal
17    data are processed;
18        (C) an explanation of the rights contained in Section
19    14 and how and where consumers may exercise those rights,
20    including how a consumer may appeal a controller's action
21    with regard to the consumer's request;
22        (D) the categories of personal data that the
23    controller sells to or shares with third parties, if any;
24        (E) the categories of third parties, if any, with whom
25    the controller sells or shares personal data;
1        (F) the controller's contact information, including an
2    active email address or other online mechanism that the
3    consumer may use to contact the controller;
4        (G) a description of the controller's retention
5    policies for personal data; and
6        (H) the date the privacy notice was last updated.
7    (2) If a controller sells personal data to third parties,
8processes personal data for targeted advertising, or engages
9in profiling in furtherance of decisions that produce legal
10effects concerning a consumer or similarly significant effects
11concerning a consumer, the controller must disclose the
12processing in the privacy notice and provide access to a clear
13and conspicuous method outside the privacy notice for a
14consumer to opt out of the sale, processing, or profiling in
15furtherance of decisions that produce legal effects concerning
16a consumer or similarly significant effects concerning a
17consumer. This method may include but is not limited to an
18Internet hyperlink clearly labeled "Your Opt-Out Rights" or
19"Your Privacy Rights" that directly effectuates the opt-out
20request or takes consumers to a web page where the consumer can
21make the opt-out request.
22    (3) The privacy notice must be made available to the
23public in each language in which the controller provides a
24product or service that is subject to the privacy notice or
25carries out activities related to the product or service.
26    (4) The controller must provide the privacy notice in a
1manner that is reasonably accessible to and usable by
2individuals with disabilities.
3    (5) Whenever a controller makes a material change to the
4controller's privacy notice or practices, the controller must
5notify consumers affected by the material change with respect
6to any prospectively collected personal data and provide a
7reasonable opportunity for consumers to withdraw consent to
8any further materially different collection, processing, or
9transfer of previously collected personal data under the
10changed policy. The controller shall take all reasonable
11electronic measures to provide notification regarding material
12changes to affected consumers, taking into account available
13technology and the nature of the relationship.
14    (6) A controller is not required to provide a separate
15Illinois-specific privacy notice or section of a privacy
16notice if the controller's general privacy notice contains all
17the information required by this Section.
18    (7) The privacy notice must be posted online through a
19conspicuous hyperlink using the word "privacy" on the
20controller's website home page or on a mobile application's
21app store page or download page. A controller that maintains
22an application on a mobile or other device shall also include a
23hyperlink to the privacy notice in the application's settings
24menu or in a similarly conspicuous and accessible location. A
25controller that does not operate a website shall make the
26privacy notice conspicuously available to consumers through a
1medium regularly used by the controller to interact with
2consumers, including, but not limited to, mail.
3    (b)(1) Use of data. A controller shall:
4        (A) limit the collection of personal data to what is
5    adequate, relevant, and reasonably necessary in relation
6    to the purposes for which the data are processed, which
7    must be disclosed to the consumer;
8        (B) not collect, process, or share sensitive data
9    concerning a consumer except when such collection,
10    processing, or transfer is strictly necessary to provide
11    or maintain a specific product or service requested by the
12    consumer to whom the sensitive data pertains. For purposes
13    of this Act, the collection and processing of specific
14    geolocation data or personal data to provide
15    transportation services by private entities regulated
16    under the Transportation Network Providers Act, is
17    strictly necessary to the extent that the private entity
18    uses the geolocation data or personal data for the sole
19    purpose of providing a service requested by the individual
20    or the use is otherwise consistent with that individual's
21    reasonable expectations considering the context in which
22    the individual provided the geolocation information to the
23    private entity. For purposes of this Act, the collection,
24    processing, and sharing of biometric identifiers and
25    information must be done in accordance with the
26    requirements of the Biometric Information Privacy Act. For
1    purposes of this Act, the collection, processing, and
2    sharing of genetic information must be done in accordance
3    with the Genetic Information Privacy Act. For purposes of
4    this Act, the collection, processing, and sharing of
5    students' covered information must be done in accordance
6    with the Student Online Personal Protection Act; and
7        (C) not sell sensitive data.
8    (2) Except as provided in this Act, a controller may not
9process personal data for purposes that are not reasonably
10necessary to, or compatible with, the purposes for which the
11personal data are processed, as disclosed to the consumer,
12unless the controller obtains the consumer's consent.
13    (3) A controller shall establish, implement, and maintain
14reasonable administrative, technical, and physical data
15security practices to protect the confidentiality, integrity,
16and accessibility of personal data, including the maintenance
17of an inventory of the data that must be managed to exercise
18these responsibilities. The data security practices shall be
19appropriate to the volume and nature of the personal data at
20issue.
21    (4) Except as otherwise provided in this Act, a controller
22may not process sensitive data concerning a consumer without
23obtaining the consumer's consent, or, in the case of the
24processing of personal data concerning a known child, without
25obtaining consent from the child's parent or lawful guardian,
26in accordance with the requirement of the Children's Online
1Privacy Protection Act, United States Code, Title 15, Sections
26501 to 6506, and its implementing regulations. A controller
3must follow the requirements of the Biometric Information
4Privacy Act and the Genetic Information Privacy Act for
5information covered by those Acts.
6    (5) A controller shall provide an effective mechanism for
7a consumer, or, in the case of the processing of personal data
8concerning a known child, the child's parent or lawful
9guardian, to withdraw previously given consent under this
10subsection. The mechanism provided shall be at least as easy
11as the mechanism by which the consent was previously given.
12Upon revocation of consent, a controller shall cease to
13process the applicable data as soon as practicable, but no
14later than 15 days after the receipt of the request.
15    (6) A controller may not process the personal data of a
16consumer for purposes of targeted advertising, or sell the
17consumer's personal data, without the consumer's consent,
18under circumstances in which the controller knows that the
19consumer is between the ages of 13 and 16.
20    (7) A controller may not retain personal data that is no
21longer relevant and reasonably necessary in relation to the
22purposes for which the data were collected and processed,
23unless retention of the data is otherwise required by law or
24permitted under Section 19 and in accordance with the
25Biometric Information Privacy Act.
26    (c)(1) Nondiscrimination. A controller shall not process
1personal data on the basis of a consumer's or a class of
2consumers' actual or perceived race, color, ethnicity,
3religion, national origin, sex, gender, gender identity,
4sexual orientation, familial status, lawful source of income,
5or disability in a manner that unlawfully discriminates
6against the consumer or class of consumers.
7    (2) A controller may not discriminate against a consumer
8for exercising any of the rights contained in this Act,
9including denying goods or services to the consumer, charging
10different prices or rates for goods or services, and providing
11a different level of quality of goods and services to the
12consumer. This subsection does not: (i) require a controller
13to provide a good or service that requires the consumer's
14personal data that the controller does not collect or
15maintain; or (ii) prohibit a controller from offering a
16different price, rate, level, quality, or selection of goods
17or services to a consumer, including offering goods or
18services for no fee, if the offering is in connection with a
19consumer's voluntary participation in a bona fide loyalty,
20rewards, premium features, discounts, or club card program if
21that difference is reasonably related to the value provided to
22the business by the consumer's data.
23    (d) Waiver of rights unenforceable. Any provision of a
24contract or agreement of any kind that purports to waive or
25limit in any way a consumer's rights under this Act is contrary
26to public policy and is void and unenforceable.
 
1    Section 17. Requirements for small businesses.
2    (a) A small business, as defined by the United States
3Small Business Administration under the Code of Federal
4Regulations, Title 13, Part 121, that conducts business in
5Illinois or produces products or services that are targeted to
6Illinois residents must not sell a consumer's sensitive data.
7    (b) Penalties and enforcement procedures under Section 20
8apply to a small business that violates this Section.
 
9    Section 18. Data privacy policies; data privacy and
10protection assessments.
11    (a) A controller must document and maintain a description
12of the policies and procedures the controller has adopted to
13comply with this Act. The description must include, where
14applicable:
15        (1) the name and contact information for the
16    controller's chief privacy officer or other individual
17    with primary responsibility for directing the policies and
18    procedures implemented to comply with the provisions of
19    this Act; and
20        (2) a description of the controller's data privacy
21    policies and procedures that reflect the requirements in
22    Section 16, and any policies and procedures designed to:
23            (i) reflect the requirements of this Act in the
24        design of the controller's systems;
1            (ii) identify and provide personal data to a
2        consumer as required by this Act;
3            (iii) establish, implement, and maintain
4        reasonable administrative, technical, and physical
5        data security practices to protect the
6        confidentiality, integrity, and accessibility of
7        personal data, including the maintenance of an
8        inventory of the data that must be managed to exercise
9        the responsibilities under this item;
10            (iv) limit the collection of personal data to what
11        is adequate, relevant, and reasonably necessary in
12        relation to the purposes for which the data are
13        processed;
14            (v) prevent the retention of personal data that is
15        no longer relevant and reasonably necessary in
16        relation to the purposes for which the data were
17        collected and processed, unless retention of the data
18        is otherwise required by law or permitted under
19        Section 19 and in accordance with the Biometric
20        Information Privacy Act; and
21            (vi) identify and remediate violations of this
22        Act.
23    (b) A controller must conduct and document a data privacy
24and protection assessment for each of the following processing
25activities involving personal data:
26        (1) the processing of personal data for purposes of
1    targeted advertising;
2        (2) the sale of personal data;
3        (3) the processing of sensitive data;
4        (4) any processing activities involving personal data
5    that present a heightened risk of harm to consumers; and
6        (5) the processing of personal data for purposes of
7    profiling, where the profiling presents a reasonably
8    foreseeable risk of:
9            (i) unfair or deceptive treatment of, or disparate
10        impact on, consumers;
11            (ii) financial, physical, or reputational injury
12        to consumers;
13            (iii) a physical or other intrusion upon the
14        solitude or seclusion, or the private affairs or
15        concerns, of consumers, where the intrusion would be
16        offensive to a reasonable person; or
17            (iv) other substantial injury to consumers.
18    (c) A data privacy and protection assessment must take
19into account the type of personal data to be processed by the
20controller, including the extent to which the personal data
21are sensitive data, and the context in which the personal data
22are to be processed.
23    (d) A data privacy and protection assessment must identify
24and weigh the benefits that may flow directly and indirectly
25from the processing to the controller, consumer, other
26stakeholders, and the public against the potential risks to
1the rights of the consumer associated with the processing, as
2mitigated by safeguards that can be employed by the controller
3to reduce the potential risks. The use of deidentified data
4and the reasonable expectations of consumers, as well as the
5context of the processing and the relationship between the
6controller and the consumer whose personal data will be
7processed, must be factored into this assessment by the
8controller.
9    (e) A data privacy and protection assessment must include
10the description of policies and procedures required by
11subsection (a).
12    (f) As part of a subpoena, the Attorney General or State's
13Attorneys may request, in writing, that a controller disclose
14any data privacy and protection assessment that is relevant to
15an investigation conducted by the Attorney General or State's
16Attorneys. The controller must make a data privacy and
17protection assessment available to the Attorney General or
18State's Attorneys upon a request made under this subsection.
19The Attorney General or State's Attorneys may evaluate the
20data privacy and protection assessments for compliance with
21this Act. Data privacy and protection assessments are
22nonpublic data that is required by State or federal law that
23is: (1) not about an individual; (2) not accessible by the
24general public; and (3) accessible by the subject of the data.
25The disclosure of a data privacy and protection assessment
26under a request from the Attorney General or State's Attorneys
1under this subsection does not constitute a waiver of the
2attorney-client privilege or work product protection with
3respect to the assessment and any information contained in the
4assessment.
5    (g) Data privacy and protection assessments or risk
6assessments conducted by a controller for the purpose of
7compliance with other laws or regulations may qualify under
8this Section if the assessments have a similar scope and
9effect.
10    (h) A single data protection assessment may address
11multiple sets of comparable processing operations that include
12similar activities.
 
13    Section 19. Limitations and applicability.
14    (a) The obligations imposed on controllers or processors
15under this Act do not restrict a controller's or a processor's
16ability to:
17        (1) comply with federal, State, or local laws, rules,
18    or regulations, including, but not limited to, data
19    retention requirements in State or federal law
20    notwithstanding a consumer's request to delete personal
21    data;
22        (2) comply with a civil, criminal, or regulatory
23    inquiry, investigation, subpoena, or summons by federal,
24    State, local, or other governmental authorities;
25        (3) cooperate with law enforcement agencies concerning
1    conduct or activity that the controller or processor
2    reasonably and in good faith believes may violate federal,
3    State, or local laws, rules, or regulations;
4        (4) investigate, establish, exercise, prepare for, or
5    defend legal claims;
6        (5) provide a product or service specifically
7    requested by a consumer; perform a contract to which the
8    consumer is a party, including fulfilling the terms of a
9    written warranty; or take steps at the request of the
10    consumer prior to entering into a contract;
11        (6) take immediate steps to protect an interest that
12    is essential for the life or physical safety of the
13    consumer or of another natural person, and if the
14    processing cannot be manifestly based on another legal
15    basis;
16        (7) prevent, detect, protect against, or respond to
17    security incidents, identity theft, fraud, harassment,
18    malicious or deceptive activities, or any illegal
19    activity; preserve the integrity or security of systems;
20    or investigate, report, or prosecute those responsible for
21    any such action;
22        (8) assist another controller, processor, or third
23    party with any of the obligations under this subsection;
24        (9) engage in public or peer-reviewed scientific,
25    historical, or statistical research in the public interest
26    that adheres to all other applicable ethics and privacy
1    laws and is approved, monitored, and governed by an
2    institutional review board, human subjects research ethics
3    review board, or a similar independent oversight entity
4    that has determined:
5            (A) the research is likely to provide substantial
6        benefits that do not exclusively accrue to the
7        controller;
8            (B) the expected benefits of the research outweigh
9        the privacy risks; and
10            (C) the controller has implemented reasonable
11        safeguards to mitigate privacy risks associated with
12        research, including any risks associated with
13        reidentification; or
14        (10) process personal data for the benefit of the
15    public in the areas of public health, community health, or
16    population health, but only to the extent that the
17    processing is:
18            (A) subject to suitable and specific measures to
19        safeguard the rights of the consumer whose personal
20        data is being processed; and
21            (B) under the responsibility of a professional
22        individual who is subject to confidentiality
23        obligations under federal, State, or local law.
24    (b) The obligations imposed on controllers or processors
25under this Act do not restrict a controller's or processor's
26ability to collect, use, or retain data to:
1        (1) effectuate a product recall or identify and repair
2    technical errors that impair existing or intended
3    functionality;
4        (2) perform internal operations that are reasonably
5    aligned with the expectations of the consumer based on the
6    consumer's existing relationship with the controller, or
7    are otherwise compatible with processing in furtherance of
8    the provision of a product or service specifically
9    requested by a consumer or the performance of a contract
10    to which the consumer is a party; or
11        (3) conduct internal research to develop, improve, or
12    repair products, services, or technology.
13    (c) The obligations imposed on controllers or processors
14under this Act do not apply if compliance by the controller or
15processor with this Act would violate an evidentiary privilege
16under Illinois law and do not prevent a controller or
17processor from providing personal data concerning a consumer
18to a person covered by an evidentiary privilege under Illinois
19law as part of a privileged communication.
20    (d) A controller or processor that discloses personal data
21to a third-party controller or processor in compliance with
22the requirements of this Act is not in violation of this Act if
23the recipient processes the personal data in violation of this
24Act, provided that at the time of disclosing the personal
25data, the disclosing controller or processor did not have
26actual knowledge that the recipient intended to commit a
1violation. A third-party controller or processor receiving
2personal data from a controller or processor in compliance
3with the requirements of this Act is not in violation of this
4Act for the obligations of the controller or processor from
5which the third-party controller or processor receives the
6personal data.
7    (e) Obligations imposed on controllers and processors
8under this Act shall not:
9        (1) adversely affect the rights or freedoms of any
10    persons, including exercising the right of free speech
11    pursuant to the First Amendment of the United States
12    Constitution; or
13        (2) apply to the processing of personal data by a
14    natural person in the course of a purely personal or
15    household activity.
16    (f) Personal data that are processed by a controller
17pursuant to this Section may be processed solely to the extent
18that the processing is:
19        (1) necessary, reasonable, and proportionate to the
20    purposes listed in this Section;
21        (2) adequate, relevant, and limited to what is
22    necessary in relation to the specific purpose or purposes
23    listed in this Section; and
24        (3) insofar as possible, taking into account the
25    nature and purpose of processing the personal data,
26    subjected to reasonable administrative, technical, and
1    physical measures to protect the confidentiality,
2    integrity, and accessibility of the personal data, and to
3    reduce reasonably foreseeable risks of harm to consumers.
4    (g) If a controller processes personal data pursuant to an
5exemption in this Section, the controller bears the burden of
6demonstrating that the processing qualifies for the exemption
7and complies with the requirements in subsection (f).
8    (h) Processing personal data solely for the purposes
9expressly identified in subsection (a), clauses (1) to (7),
10does not, by itself, make an entity a controller with respect
11to the processing.
 
12    Section 20. Enforcement.
13    (a) If a controller or processor violates this Act, the
14Attorney General or the State's Attorney of any county in this
15State, before filing an enforcement action under subsection
16(b), must provide the controller or processor with a warning
17letter identifying the specific provisions of this Act the
18Attorney General or State's Attorney alleges have been or are
19being violated. If, after 30 days of issuance of the warning
20letter, the Attorney General or State's Attorney believes the
21controller or processor has failed to cure any alleged
22violation, the Attorney General or State's Attorney may bring
23an enforcement action under subsection (b). This subsection
24becomes inoperative January 1, 2029.
25    (b) The Attorney General or the State's Attorney of any
1county in this State may bring an action in the name of the
2People of this State against any person to restrain and
3prevent any pattern or practice in violation of this Act.
4    (c) A violation of this Act constitutes an unlawful
5practice under the Consumer Fraud and Deceptive Business
6Practices Act. All remedies, penalties, and authority granted
7to the Attorney General or the State's Attorney by the
8Consumer Fraud and Deceptive Business Practices Act are
9available to the Attorney General or the State's Attorney for
10the enforcement of this Act.
11    (d) Any civil penalties collected from the enforcement of
12this Act shall be deposited into the Attorney General Court
13Ordered and Voluntary Compliance Payment Projects Fund if the
14Attorney General commenced the action or distributed to the
15county in which the State's Attorney commenced the action and
16deposited into a special fund in the county treasury and
17appropriated to the State's Attorney for use in accordance
18with law.
19    (e) Nothing in this Act shall be construed to establish a
20private right of action associated with violations of this
21Act.
22    (f) Nothing in this Act shall be construed to preempt the
23enforcement provisions in the Biometric Information Privacy
24Act or the Genetic Information Privacy Act.
 
25    Section 95. Home rule. A unit of local government,
1including a home rule unit, may not regulate consumer data
2privacy. This Section is a denial and limitation of home rule
3powers and functions under subsection (g) of Section 6 of
4Article VII of the Illinois Constitution.
 
5    Section 97. Severability. If any provision of this Act or
6its application to any person or circumstance is held invalid,
7the invalidity of that provision or application does not
8affect other provisions or applications of this Act that can
9be given effect without the invalid provision or application.
 
10    Section 900. The Freedom of Information Act is amended by
11changing Section 7.5 as follows:
 
12    (5 ILCS 140/7.5)
13    (Text of Section before amendment by P.A. 104-441 and
14104-457)
15    Sec. 7.5. Statutory exemptions. To the extent provided for
16by the statutes referenced below, the following shall be
17exempt from inspection and copying:
18        (a) All information determined to be confidential
19    under Section 4002 of the Technology Advancement and
20    Development Act.
21        (b) Library circulation and order records identifying
22    library users with specific materials under the Library
23    Records Confidentiality Act.
1        (c) Applications, related documents, and medical
2    records received by the Experimental Organ Transplantation
3    Procedures Board and any and all documents or other
4    records prepared by the Experimental Organ Transplantation
5    Procedures Board or its staff relating to applications it
6    has received.
7        (d) Information and records held by the Department of
8    Public Health and its authorized representatives relating
9    to known or suspected cases of sexually transmitted
10    infection or any information the disclosure of which is
11    restricted under the Illinois Sexually Transmitted
12    Infection Control Act.
13        (e) Information the disclosure of which is exempted
14    under Section 30 of the Radon Industry Licensing Act.
15        (f) Firm performance evaluations under Section 55 of
16    the Architectural, Engineering, and Land Surveying
17    Qualifications Based Selection Act.
18        (g) Information the disclosure of which is restricted
19    and exempted under Section 50 of the Illinois Prepaid
20    Tuition Act.
21        (h) Information the disclosure of which is exempted
22    under the State Officials and Employees Ethics Act, and
23    records of any lawfully created State or local inspector
24    general's office that would be exempt if created or
25    obtained by an Executive Inspector General's office under
26    that Act.
1        (i) Information contained in a local emergency energy
2    plan submitted to a municipality in accordance with a
3    local emergency energy plan ordinance that is adopted
4    under Section 11-21.5-5 of the Illinois Municipal Code.
5        (j) Information and data concerning the distribution
6    of surcharge moneys collected and remitted by carriers
7    under the Emergency Telephone System Act.
8        (k) Law enforcement officer identification information
9    or driver identification information compiled by a law
10    enforcement agency or the Department of Transportation
11    under Section 11-212 of the Illinois Vehicle Code.
12        (l) Records and information provided to a residential
13    health care facility resident sexual assault and death
14    review team or the Executive Council under the Abuse
15    Prevention Review Team Act.
16        (m) Information provided to the predatory lending
17    database created pursuant to Article 3 of the Residential
18    Real Property Disclosure Act, except to the extent
19    authorized under that Article.
20        (n) Defense budgets and petitions for certification of
21    compensation and expenses for court appointed trial
22    counsel as provided under Sections 10 and 15 of the
23    Capital Crimes Litigation Act (repealed). This subsection
24    (n) shall apply until the conclusion of the trial of the
25    case, even if the prosecution chooses not to pursue the
26    death penalty prior to trial or sentencing.
1        (o) Information that is prohibited from being
2    disclosed under Section 4 of the Illinois Health and
3    Hazardous Substances Registry Act.
4        (p) Security portions of system safety program plans,
5    investigation reports, surveys, schedules, lists, data, or
6    information compiled, collected, or prepared by or for the
7    Department of Transportation under Sections 2705-300 and
8    2705-616 of the Department of Transportation Law of the
9    Civil Administrative Code of Illinois, the Regional
10    Transportation Authority under Section 2.11 of the
11    Regional Transportation Authority Act, or the St. Clair
12    County Transit District under the Bi-State Transit Safety
13    Act (repealed).
14        (q) Information prohibited from being disclosed by the
15    Personnel Record Review Act.
16        (r) Information prohibited from being disclosed by the
17    Illinois School Student Records Act.
18        (s) Information the disclosure of which is restricted
19    under Section 5-108 of the Public Utilities Act.
20        (t) (Blank).
21        (u) Records and information provided to an independent
22    team of experts under the Developmental Disability and
23    Mental Health Safety Act (also known as Brian's Law).
24        (v) Names and information of people who have applied
25    for or received Firearm Owner's Identification Cards under
26    the Firearm Owners Identification Card Act or applied for
1    or received a concealed carry license under the Firearm
2    Concealed Carry Act, unless otherwise authorized by the
3    Firearm Concealed Carry Act; and databases under the
4    Firearm Concealed Carry Act, records of the Concealed
5    Carry Licensing Review Board under the Firearm Concealed
6    Carry Act, and law enforcement agency objections under the
7    Firearm Concealed Carry Act.
8        (v-5) Records of the Firearm Owner's Identification
9    Card Review Board that are exempted from disclosure under
10    Section 10 of the Firearm Owners Identification Card Act.
11        (w) Personally identifiable information which is
12    exempted from disclosure under subsection (g) of Section
13    19.1 of the Toll Highway Act.
14        (x) Information which is exempted from disclosure
15    under Section 5-1014.3 of the Counties Code or Section
16    8-11-21 of the Illinois Municipal Code.
17        (y) Confidential information under the Adult
18    Protective Services Act and its predecessor enabling
19    statute, the Elder Abuse and Neglect Act, including
20    information about the identity and administrative finding
21    against any caregiver of a verified and substantiated
22    decision of abuse, neglect, or financial exploitation of
23    an eligible adult maintained in the Registry established
24    under Section 7.5 of the Adult Protective Services Act.
25        (z) Records and information provided to a fatality
26    review team or the Illinois Fatality Review Team Advisory
1    Council under Section 15 of the Adult Protective Services
2    Act.
3        (aa) Information which is exempted from disclosure
4    under Section 2.37 of the Wildlife Code.
5        (bb) Information which is or was prohibited from
6    disclosure by the Juvenile Court Act of 1987.
7        (cc) Recordings made under the Law Enforcement
8    Officer-Worn Body Camera Act, except to the extent
9    authorized under that Act.
10        (dd) Information that is prohibited from being
11    disclosed under Section 45 of the Condominium and Common
12    Interest Community Ombudsperson Act.
13        (ee) Information that is exempted from disclosure
14    under Section 30.1 of the Pharmacy Practice Act.
15        (ff) Information that is exempted from disclosure
16    under the Revised Uniform Unclaimed Property Act.
17        (gg) Information that is prohibited from being
18    disclosed under Section 7-603.5 of the Illinois Vehicle
19    Code.
20        (hh) Records that are exempt from disclosure under
21    Section 1A-16.7 of the Election Code.
22        (ii) Information which is exempted from disclosure
23    under Section 2505-800 of the Department of Revenue Law of
24    the Civil Administrative Code of Illinois.
25        (jj) Information and reports that are required to be
26    submitted to the Department of Labor by registering day
1    and temporary labor service agencies but are exempt from
2    disclosure under subsection (a-1) of Section 45 of the Day
3    and Temporary Labor Services Act.
4        (kk) Information prohibited from disclosure under the
5    Seizure and Forfeiture Reporting Act.
6        (ll) Information the disclosure of which is restricted
7    and exempted under Section 5-30.8 of the Illinois Public
8    Aid Code.
9        (mm) Records that are exempt from disclosure under
10    Section 4.2 of the Crime Victims Compensation Act.
11        (nn) Information that is exempt from disclosure under
12    Section 70 of the Higher Education Student Assistance Act.
13        (oo) Communications, notes, records, and reports
14    arising out of a peer support counseling session
15    prohibited from disclosure under the First Responders
16    Suicide Prevention Act.
17        (pp) Names and all identifying information relating to
18    an employee of an emergency services provider or law
19    enforcement agency under the First Responders Suicide
20    Prevention Act.
21        (qq) Information and records held by the Department of
22    Public Health and its authorized representatives collected
23    under the Reproductive Health Act.
24        (rr) Information that is exempt from disclosure under
25    the Cannabis Regulation and Tax Act.
26        (ss) Data reported by an employer to the Department of
1    Human Rights pursuant to Section 2-108 of the Illinois
2    Human Rights Act.
3        (tt) Recordings made under the Children's Advocacy
4    Center Act, except to the extent authorized under that
5    Act.
6        (uu) Information that is exempt from disclosure under
7    Section 50 of the Sexual Assault Evidence Submission Act.
8        (vv) Information that is exempt from disclosure under
9    subsections (f) and (j) of Section 5-36 of the Illinois
10    Public Aid Code.
11        (ww) Information that is exempt from disclosure under
12    Section 16.8 of the State Treasurer Act.
13        (xx) Information that is exempt from disclosure or
14    information that shall not be made public under the
15    Illinois Insurance Code.
16        (yy) Information prohibited from being disclosed under
17    the Illinois Educational Labor Relations Act.
18        (zz) Information prohibited from being disclosed under
19    the Illinois Public Labor Relations Act.
20        (aaa) Information prohibited from being disclosed
21    under Section 1-167 of the Illinois Pension Code.
22        (bbb) Information that is prohibited from disclosure
23    by the Illinois Police Training Act and the Illinois State
24    Police Act.
25        (ccc) Records exempt from disclosure under Section
26    2605-304 of the Illinois State Police Law of the Civil
1    Administrative Code of Illinois.
2        (ddd) Information prohibited from being disclosed
3    under Section 35 of the Address Confidentiality for
4    Victims of Domestic Violence, Sexual Assault, Human
5    Trafficking, or Stalking Act.
6        (eee) Information prohibited from being disclosed
7    under subsection (b) of Section 75 of the Domestic
8    Violence Fatality Review Act.
9        (fff) Images from cameras under the Expressway Camera
10    Act and all automated license plate reader (ALPR)
11    information used and collected by the Illinois State
12    Police. "ALPR information" means information gathered by
13    an ALPR or created from the analysis of data generated by
14    an ALPR. This subsection (fff) is inoperative on and after
15    July 1, 2028.
16        (ggg) Information prohibited from disclosure under
17    paragraph (3) of subsection (a) of Section 14 of the Nurse
18    Agency Licensing Act.
19        (hhh) Information submitted to the Illinois State
20    Police in an affidavit or application for an assault
21    weapon endorsement, assault weapon attachment endorsement,
22    .50 caliber rifle endorsement, or .50 caliber cartridge
23    endorsement under the Firearm Owners Identification Card
24    Act.
25        (iii) Data exempt from disclosure under Section 50 of
26    the School Safety Drill Act.
1        (jjj) Information exempt from disclosure under Section
2    30 of the Insurance Data Security Law.
3        (kkk) Confidential business information prohibited
4    from disclosure under Section 45 of the Paint Stewardship
5    Act.
6        (lll) Data exempt from disclosure under Section
7    2-3.196 of the School Code.
8        (mmm) Information prohibited from being disclosed
9    under subsection (e) of Section 1-129 of the Illinois
10    Power Agency Act.
11        (nnn) Materials received by the Department of Commerce
12    and Economic Opportunity that are confidential under the
13    Music and Musicians Tax Credit and Jobs Act.
14        (ooo) Data or information provided pursuant to Section
15    20 of the Statewide Recycling Needs and Assessment Act.
16        (ppp) Information that is exempt from disclosure under
17    Section 28-11 of the Lawful Health Care Activity Act.
18        (qqq) Information that is exempt from disclosure under
19    Section 7-101 of the Illinois Human Rights Act.
20        (rrr) Information prohibited from being disclosed
21    under Section 4-2 of the Uniform Money Transmission
22    Modernization Act.
23        (sss) Information exempt from disclosure under Section
24    40 of the Student-Athlete Endorsement Rights Act.
25        (ttt) Audio recordings made under Section 30 of the
26    Illinois State Police Act, except to the extent authorized
1    under that Section.
2        (uuu) Information prohibited from being disclosed
3    under Section 30-5 of the Digital Assets Regulation Act.
4        (www) Data privacy and protection assessments made
5    available to the Attorney General under Section 18 of the
6    Illinois Consumer Data Privacy Act.
7 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
8 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
9 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
10 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
11 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
12 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
13 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
14 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
15 9-10-25.)
 
16    (Text of Section after amendment by P.A. 104-457 but
17before 104-441)
18    Sec. 7.5. Statutory exemptions. To the extent provided for
19by the statutes referenced below, the following shall be
20exempt from inspection and copying:
21        (a) All information determined to be confidential
22    under Section 4002 of the Technology Advancement and
23    Development Act.
24        (b) Library circulation and order records identifying
25    library users with specific materials under the Library
1    Records Confidentiality Act.
2        (c) Applications, related documents, and medical
3    records received by the Experimental Organ Transplantation
4    Procedures Board and any and all documents or other
5    records prepared by the Experimental Organ Transplantation
6    Procedures Board or its staff relating to applications it
7    has received.
8        (d) Information and records held by the Department of
9    Public Health and its authorized representatives relating
10    to known or suspected cases of sexually transmitted
11    infection or any information the disclosure of which is
12    restricted under the Illinois Sexually Transmitted
13    Infection Control Act.
14        (e) Information the disclosure of which is exempted
15    under Section 30 of the Radon Industry Licensing Act.
16        (f) Firm performance evaluations under Section 55 of
17    the Architectural, Engineering, and Land Surveying
18    Qualifications Based Selection Act.
19        (g) Information the disclosure of which is restricted
20    and exempted under Section 50 of the Illinois Prepaid
21    Tuition Act.
22        (h) Information the disclosure of which is exempted
23    under the State Officials and Employees Ethics Act, and
24    records of any lawfully created State or local inspector
25    general's office that would be exempt if created or
26    obtained by an Executive Inspector General's office under
1    that Act.
2        (i) Information contained in a local emergency energy
3    plan submitted to a municipality in accordance with a
4    local emergency energy plan ordinance that is adopted
5    under Section 11-21.5-5 of the Illinois Municipal Code.
6        (j) Information and data concerning the distribution
7    of surcharge moneys collected and remitted by carriers
8    under the Emergency Telephone System Act.
9        (k) Law enforcement officer identification information
10    or driver identification information compiled by a law
11    enforcement agency or the Department of Transportation
12    under Section 11-212 of the Illinois Vehicle Code.
13        (l) Records and information provided to a residential
14    health care facility resident sexual assault and death
15    review team or the Executive Council under the Abuse
16    Prevention Review Team Act.
17        (m) Information provided to the predatory lending
18    database created pursuant to Article 3 of the Residential
19    Real Property Disclosure Act, except to the extent
20    authorized under that Article.
21        (n) Defense budgets and petitions for certification of
22    compensation and expenses for court appointed trial
23    counsel as provided under Sections 10 and 15 of the
24    Capital Crimes Litigation Act (repealed). This subsection
25    (n) shall apply until the conclusion of the trial of the
26    case, even if the prosecution chooses not to pursue the
1    death penalty prior to trial or sentencing.
2        (o) Information that is prohibited from being
3    disclosed under Section 4 of the Illinois Health and
4    Hazardous Substances Registry Act.
5        (p) Security portions of system safety program plans,
6    investigation reports, surveys, schedules, lists, data, or
7    information compiled, collected, or prepared by or for the
8    Department of Transportation under Sections 2705-300 and
9    2705-616 of the Department of Transportation Law of the
10    Civil Administrative Code of Illinois, the Northern
11    Illinois Transit Authority under Section 2.11 of the
12    Northern Illinois Transit Authority Act, or the St. Clair
13    County Transit District under the Bi-State Transit Safety
14    Act (repealed).
15        (q) Information prohibited from being disclosed by the
16    Personnel Record Review Act.
17        (r) Information prohibited from being disclosed by the
18    Illinois School Student Records Act.
19        (s) Information the disclosure of which is restricted
20    under Section 5-108 of the Public Utilities Act.
21        (t) (Blank).
22        (u) Records and information provided to an independent
23    team of experts under the Developmental Disability and
24    Mental Health Safety Act (also known as Brian's Law).
25        (v) Names and information of people who have applied
26    for or received Firearm Owner's Identification Cards under
1    the Firearm Owners Identification Card Act or applied for
2    or received a concealed carry license under the Firearm
3    Concealed Carry Act, unless otherwise authorized by the
4    Firearm Concealed Carry Act; and databases under the
5    Firearm Concealed Carry Act, records of the Concealed
6    Carry Licensing Review Board under the Firearm Concealed
7    Carry Act, and law enforcement agency objections under the
8    Firearm Concealed Carry Act.
9        (v-5) Records of the Firearm Owner's Identification
10    Card Review Board that are exempted from disclosure under
11    Section 10 of the Firearm Owners Identification Card Act.
12        (w) Personally identifiable information which is
13    exempted from disclosure under subsection (g) of Section
14    19.1 of the Toll Highway Act.
15        (x) Information which is exempted from disclosure
16    under Section 5-1014.3 of the Counties Code or Section
17    8-11-21 of the Illinois Municipal Code.
18        (y) Confidential information under the Adult
19    Protective Services Act and its predecessor enabling
20    statute, the Elder Abuse and Neglect Act, including
21    information about the identity and administrative finding
22    against any caregiver of a verified and substantiated
23    decision of abuse, neglect, or financial exploitation of
24    an eligible adult maintained in the Registry established
25    under Section 7.5 of the Adult Protective Services Act.
26        (z) Records and information provided to a fatality
1    review team or the Illinois Fatality Review Team Advisory
2    Council under Section 15 of the Adult Protective Services
3    Act.
4        (aa) Information which is exempted from disclosure
5    under Section 2.37 of the Wildlife Code.
6        (bb) Information which is or was prohibited from
7    disclosure by the Juvenile Court Act of 1987.
8        (cc) Recordings made under the Law Enforcement
9    Officer-Worn Body Camera Act, except to the extent
10    authorized under that Act.
11        (dd) Information that is prohibited from being
12    disclosed under Section 45 of the Condominium and Common
13    Interest Community Ombudsperson Act.
14        (ee) Information that is exempted from disclosure
15    under Section 30.1 of the Pharmacy Practice Act.
16        (ff) Information that is exempted from disclosure
17    under the Revised Uniform Unclaimed Property Act.
18        (gg) Information that is prohibited from being
19    disclosed under Section 7-603.5 of the Illinois Vehicle
20    Code.
21        (hh) Records that are exempt from disclosure under
22    Section 1A-16.7 of the Election Code.
23        (ii) Information which is exempted from disclosure
24    under Section 2505-800 of the Department of Revenue Law of
25    the Civil Administrative Code of Illinois.
26        (jj) Information and reports that are required to be
1    submitted to the Department of Labor by registering day
2    and temporary labor service agencies but are exempt from
3    disclosure under subsection (a-1) of Section 45 of the Day
4    and Temporary Labor Services Act.
5        (kk) Information prohibited from disclosure under the
6    Seizure and Forfeiture Reporting Act.
7        (ll) Information the disclosure of which is restricted
8    and exempted under Section 5-30.8 of the Illinois Public
9    Aid Code.
10        (mm) Records that are exempt from disclosure under
11    Section 4.2 of the Crime Victims Compensation Act.
12        (nn) Information that is exempt from disclosure under
13    Section 70 of the Higher Education Student Assistance Act.
14        (oo) Communications, notes, records, and reports
15    arising out of a peer support counseling session
16    prohibited from disclosure under the First Responders
17    Suicide Prevention Act.
18        (pp) Names and all identifying information relating to
19    an employee of an emergency services provider or law
20    enforcement agency under the First Responders Suicide
21    Prevention Act.
22        (qq) Information and records held by the Department of
23    Public Health and its authorized representatives collected
24    under the Reproductive Health Act.
25        (rr) Information that is exempt from disclosure under
26    the Cannabis Regulation and Tax Act.
1        (ss) Data reported by an employer to the Department of
2    Human Rights pursuant to Section 2-108 of the Illinois
3    Human Rights Act.
4        (tt) Recordings made under the Children's Advocacy
5    Center Act, except to the extent authorized under that
6    Act.
7        (uu) Information that is exempt from disclosure under
8    Section 50 of the Sexual Assault Evidence Submission Act.
9        (vv) Information that is exempt from disclosure under
10    subsections (f) and (j) of Section 5-36 of the Illinois
11    Public Aid Code.
12        (ww) Information that is exempt from disclosure under
13    Section 16.8 of the State Treasurer Act.
14        (xx) Information that is exempt from disclosure or
15    information that shall not be made public under the
16    Illinois Insurance Code.
17        (yy) Information prohibited from being disclosed under
18    the Illinois Educational Labor Relations Act.
19        (zz) Information prohibited from being disclosed under
20    the Illinois Public Labor Relations Act.
21        (aaa) Information prohibited from being disclosed
22    under Section 1-167 of the Illinois Pension Code.
23        (bbb) Information that is prohibited from disclosure
24    by the Illinois Police Training Act and the Illinois State
25    Police Act.
26        (ccc) Records exempt from disclosure under Section

 

 

1    2605-304 of the Illinois State Police Law of the Civil
2    Administrative Code of Illinois.
3        (ddd) Information prohibited from being disclosed
4    under Section 35 of the Address Confidentiality for
5    Victims of Domestic Violence, Sexual Assault, Human
6    Trafficking, or Stalking Act.
7        (eee) Information prohibited from being disclosed
8    under subsection (b) of Section 75 of the Domestic
9    Violence Fatality Review Act.
10        (fff) Images from cameras under the Expressway Camera
11    Act and all automated license plate reader (ALPR)
12    information used and collected by the Illinois State
13    Police. "ALPR information" means information gathered by
14    an ALPR or created from the analysis of data generated by
15    an ALPR. This subsection (fff) is inoperative on and after
16    July 1, 2028.
17        (ggg) Information prohibited from disclosure under
18    paragraph (3) of subsection (a) of Section 14 of the Nurse
19    Agency Licensing Act.
20        (hhh) Information submitted to the Illinois State
21    Police in an affidavit or application for an assault
22    weapon endorsement, assault weapon attachment endorsement,
23    .50 caliber rifle endorsement, or .50 caliber cartridge
24    endorsement under the Firearm Owners Identification Card
25    Act.
26        (iii) Data exempt from disclosure under Section 50 of

 

 

1    the School Safety Drill Act.
2        (jjj) Information exempt from disclosure under Section
3    30 of the Insurance Data Security Law.
4        (kkk) Confidential business information prohibited
5    from disclosure under Section 45 of the Paint Stewardship
6    Act.
7        (lll) Data exempt from disclosure under Section
8    2-3.196 of the School Code.
9        (mmm) Information prohibited from being disclosed
10    under subsection (e) of Section 1-129 of the Illinois
11    Power Agency Act.
12        (nnn) Materials received by the Department of Commerce
13    and Economic Opportunity that are confidential under the
14    Music and Musicians Tax Credit and Jobs Act.
15        (ooo) Data or information provided pursuant to Section
16    20 of the Statewide Recycling Needs and Assessment Act.
17        (ppp) Information that is exempt from disclosure under
18    Section 28-11 of the Lawful Health Care Activity Act.
19        (qqq) Information that is exempt from disclosure under
20    Section 7-101 of the Illinois Human Rights Act.
21        (rrr) Information prohibited from being disclosed
22    under Section 4-2 of the Uniform Money Transmission
23    Modernization Act.
24        (sss) Information exempt from disclosure under Section
25    40 of the Student-Athlete Endorsement Rights Act.
26        (ttt) Audio recordings made under Section 30 of the

 

 

1    Illinois State Police Act, except to the extent authorized
2    under that Section.
3        (uuu) Information prohibited from being disclosed
4    under Section 30-5 of the Digital Assets Regulation Act.
5        (www) Data privacy and protection assessments made
6    available to the Attorney General under Section 18 of the
7    Illinois Consumer Data Privacy Act.
8 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
9 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
10 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
11 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
12 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
13 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
14 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
15 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
16 6-1-26; revised 1-7-26.)
 
17    (Text of Section after amendment by P.A. 104-441)
18    Sec. 7.5. Statutory exemptions. To the extent provided for
19 by the statutes referenced below, the following shall be
20 exempt from inspection and copying:
21        (a) All information determined to be confidential
22    under Section 4002 of the Technology Advancement and
23    Development Act.
24        (b) Library circulation and order records identifying
25    library users with specific materials under the Library

 

 

1    Records Confidentiality Act.
2        (c) Applications, related documents, and medical
3    records received by the Experimental Organ Transplantation
4    Procedures Board and any and all documents or other
5    records prepared by the Experimental Organ Transplantation
6    Procedures Board or its staff relating to applications it
7    has received.
8        (d) Information and records held by the Department of
9    Public Health and its authorized representatives relating
10    to known or suspected cases of sexually transmitted
11    infection or any information the disclosure of which is
12    restricted under the Illinois Sexually Transmitted
13    Infection Control Act.
14        (e) Information the disclosure of which is exempted
15    under Section 30 of the Radon Industry Licensing Act.
16        (f) Firm performance evaluations under Section 55 of
17    the Architectural, Engineering, and Land Surveying
18    Qualifications Based Selection Act.
19        (g) Information the disclosure of which is restricted
20    and exempted under Section 50 of the Illinois Prepaid
21    Tuition Act.
22        (h) Information the disclosure of which is exempted
23    under the State Officials and Employees Ethics Act, and
24    records of any lawfully created State or local inspector
25    general's office that would be exempt if created or
26    obtained by an Executive Inspector General's office under

 

 

1    that Act.
2        (i) Information contained in a local emergency energy
3    plan submitted to a municipality in accordance with a
4    local emergency energy plan ordinance that is adopted
5    under Section 11-21.5-5 of the Illinois Municipal Code.
6        (j) Information and data concerning the distribution
7    of surcharge moneys collected and remitted by carriers
8    under the Emergency Telephone System Act.
9        (k) Law enforcement officer identification information
10    or driver identification information compiled by a law
11    enforcement agency or the Department of Transportation
12    under Section 11-212 of the Illinois Vehicle Code.
13        (l) Records and information provided to a residential
14    health care facility resident sexual assault and death
15    review team or the Executive Council under the Abuse
16    Prevention Review Team Act.
17        (m) Information provided to the predatory lending
18    database created pursuant to Article 3 of the Residential
19    Real Property Disclosure Act, except to the extent
20    authorized under that Article.
21        (n) Defense budgets and petitions for certification of
22    compensation and expenses for court appointed trial
23    counsel as provided under Sections 10 and 15 of the
24    Capital Crimes Litigation Act (repealed). This subsection
25    (n) shall apply until the conclusion of the trial of the
26    case, even if the prosecution chooses not to pursue the

 

 

1    death penalty prior to trial or sentencing.
2        (o) Information that is prohibited from being
3    disclosed under Section 4 of the Illinois Health and
4    Hazardous Substances Registry Act.
5        (p) Security portions of system safety program plans,
6    investigation reports, surveys, schedules, lists, data, or
7    information compiled, collected, or prepared by or for the
8    Department of Transportation under Sections 2705-300 and
9    2705-616 of the Department of Transportation Law of the
10    Civil Administrative Code of Illinois, the Northern
11    Illinois Transit Authority under Section 2.11 of the
12    Northern Illinois Transit Authority Act, or the St. Clair
13    County Transit District under the Bi-State Transit Safety
14    Act (repealed).
15        (q) Information prohibited from being disclosed by the
16    Personnel Record Review Act.
17        (r) Information prohibited from being disclosed by the
18    Illinois School Student Records Act.
19        (s) Information the disclosure of which is restricted
20    under Section 5-108 of the Public Utilities Act.
21        (t) (Blank).
22        (u) Records and information provided to an independent
23    team of experts under the Developmental Disability and
24    Mental Health Safety Act (also known as Brian's Law).
25        (v) Names and information of people who have applied
26    for or received Firearm Owner's Identification Cards under

 

 

1    the Firearm Owners Identification Card Act or applied for
2    or received a concealed carry license under the Firearm
3    Concealed Carry Act, unless otherwise authorized by the
4    Firearm Concealed Carry Act; and databases under the
5    Firearm Concealed Carry Act, records of the Concealed
6    Carry Licensing Review Board under the Firearm Concealed
7    Carry Act, and law enforcement agency objections under the
8    Firearm Concealed Carry Act.
9        (v-5) Records of the Firearm Owner's Identification
10    Card Review Board that are exempted from disclosure under
11    Section 10 of the Firearm Owners Identification Card Act.
12        (w) Personally identifiable information which is
13    exempted from disclosure under subsection (g) of Section
14    19.1 of the Toll Highway Act.
15        (x) Information which is exempted from disclosure
16    under Section 5-1014.3 of the Counties Code or Section
17    8-11-21 of the Illinois Municipal Code.
18        (y) Confidential information under the Adult
19    Protective Services Act and its predecessor enabling
20    statute, the Elder Abuse and Neglect Act, including
21    information about the identity and administrative finding
22    against any caregiver of a verified and substantiated
23    decision of abuse, neglect, or financial exploitation of
24    an eligible adult maintained in the Registry established
25    under Section 7.5 of the Adult Protective Services Act.
26        (z) Records and information provided to a fatality

 

 

1    review team or the Illinois Fatality Review Team Advisory
2    Council under Section 15 of the Adult Protective Services
3    Act.
4        (aa) Information which is exempted from disclosure
5    under Section 2.37 of the Wildlife Code.
6        (bb) Information which is or was prohibited from
7    disclosure by the Juvenile Court Act of 1987.
8        (cc) Recordings made under the Law Enforcement
9    Officer-Worn Body Camera Act, except to the extent
10    authorized under that Act.
11        (dd) Information that is prohibited from being
12    disclosed under Section 45 of the Condominium and Common
13    Interest Community Ombudsperson Act.
14        (ee) Information that is exempted from disclosure
15    under Section 30.1 of the Pharmacy Practice Act.
16        (ff) Information that is exempted from disclosure
17    under the Revised Uniform Unclaimed Property Act.
18        (gg) Information that is prohibited from being
19    disclosed under Section 7-603.5 of the Illinois Vehicle
20    Code.
21        (hh) Records that are exempt from disclosure under
22    Section 1A-16.7 of the Election Code.
23        (ii) Information which is exempted from disclosure
24    under Section 2505-800 of the Department of Revenue Law of
25    the Civil Administrative Code of Illinois.
26        (jj) Information and reports that are required to be

 

 

1    submitted to the Department of Labor by registering day
2    and temporary labor service agencies but are exempt from
3    disclosure under subsection (a-1) of Section 45 of the Day
4    and Temporary Labor Services Act.
5        (kk) Information prohibited from disclosure under the
6    Seizure and Forfeiture Reporting Act.
7        (ll) Information the disclosure of which is restricted
8    and exempted under Section 5-30.8 of the Illinois Public
9    Aid Code.
10        (mm) Records that are exempt from disclosure under
11    Section 4.2 of the Crime Victims Compensation Act.
12        (nn) Information that is exempt from disclosure under
13    Section 70 of the Higher Education Student Assistance Act.
14        (oo) Communications, notes, records, and reports
15    arising out of a peer support counseling session
16    prohibited from disclosure under the First Responders
17    Suicide Prevention Act.
18        (pp) Names and all identifying information relating to
19    an employee of an emergency services provider or law
20    enforcement agency under the First Responders Suicide
21    Prevention Act.
22        (qq) Information and records held by the Department of
23    Public Health and its authorized representatives collected
24    under the Reproductive Health Act.
25        (rr) Information that is exempt from disclosure under
26    the Cannabis Regulation and Tax Act.

 

 

1        (ss) Data reported by an employer to the Department of
2    Human Rights pursuant to Section 2-108 of the Illinois
3    Human Rights Act.
4        (tt) Recordings made under the Children's Advocacy
5    Center Act, except to the extent authorized under that
6    Act.
7        (uu) Information that is exempt from disclosure under
8    Section 50 of the Sexual Assault Evidence Submission Act.
9        (vv) Information that is exempt from disclosure under
10    subsections (f) and (j) of Section 5-36 of the Illinois
11    Public Aid Code.
12        (ww) Information that is exempt from disclosure under
13    Section 16.8 of the State Treasurer Act.
14        (xx) Information that is exempt from disclosure or
15    information that shall not be made public under the
16    Illinois Insurance Code.
17        (yy) Information prohibited from being disclosed under
18    the Illinois Educational Labor Relations Act.
19        (zz) Information prohibited from being disclosed under
20    the Illinois Public Labor Relations Act.
21        (aaa) Information prohibited from being disclosed
22    under Section 1-167 of the Illinois Pension Code.
23        (bbb) Information that is prohibited from disclosure
24    by the Illinois Police Training Act and the Illinois State
25    Police Act.
26        (ccc) Records exempt from disclosure under Section

 

 

1    2605-304 of the Illinois State Police Law of the Civil
2    Administrative Code of Illinois.
3        (ddd) Information prohibited from being disclosed
4    under Section 35 of the Address Confidentiality for
5    Victims of Domestic Violence, Sexual Assault, Human
6    Trafficking, or Stalking Act.
7        (eee) Information prohibited from being disclosed
8    under subsection (b) of Section 75 of the Domestic
9    Violence Fatality Review Act.
10        (fff) Images from cameras under the Expressway Camera
11    Act and all automated license plate reader (ALPR)
12    information used and collected by the Illinois State
13    Police. "ALPR information" means information gathered by
14    an ALPR or created from the analysis of data generated by
15    an ALPR. This subsection (fff) is inoperative on and after
16    July 1, 2028.
17        (ggg) Information prohibited from disclosure under
18    paragraph (3) of subsection (a) of Section 14 of the Nurse
19    Agency Licensing Act.
20        (hhh) Information submitted to the Illinois State
21    Police in an affidavit or application for an assault
22    weapon endorsement, assault weapon attachment endorsement,
23    .50 caliber rifle endorsement, or .50 caliber cartridge
24    endorsement under the Firearm Owners Identification Card
25    Act.
26        (iii) Data exempt from disclosure under Section 50 of

 

 

1    the School Safety Drill Act.
2        (jjj) Information exempt from disclosure under Section
3    30 of the Insurance Data Security Law.
4        (kkk) Confidential business information prohibited
5    from disclosure under Section 45 of the Paint Stewardship
6    Act.
7        (lll) Data exempt from disclosure under Section
8    2-3.196 of the School Code.
9        (mmm) Information prohibited from being disclosed
10    under subsection (e) of Section 1-129 of the Illinois
11    Power Agency Act.
12        (nnn) Materials received by the Department of Commerce
13    and Economic Opportunity that are confidential under the
14    Music and Musicians Tax Credit and Jobs Act.
15        (ooo) Data or information provided pursuant to Section
16    20 of the Statewide Recycling Needs and Assessment Act.
17        (ppp) Information that is exempt from disclosure under
18    Section 28-11 of the Lawful Health Care Activity Act.
19        (qqq) Information that is exempt from disclosure under
20    Section 7-101 of the Illinois Human Rights Act.
21        (rrr) Information prohibited from being disclosed
22    under Section 4-2 of the Uniform Money Transmission
23    Modernization Act.
24        (sss) Information exempt from disclosure under Section
25    40 of the Student-Athlete Endorsement Rights Act.
26        (ttt) Audio recordings made under Section 30 of the

 

 

1    Illinois State Police Act, except to the extent authorized
2    under that Section.
3        (uuu) Information prohibited from being disclosed
4    under Section 30-5 of the Digital Assets Regulation Act.
5        (vvv) (uuu) Information exempt from disclosure under
6    Section 70 of the End-of-Life Options for Terminally Ill
7    Patients Act.
8        (www) Data privacy and protection assessments made
9    available to the Attorney General under Section 18 of the
10    Illinois Consumer Data Privacy Act.
11 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
19 9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)
 
20    Section 905. The Consumer Fraud and Deceptive Business
21 Practices Act is amended by adding Section 2MMMM as follows:
 
22    (815 ILCS 505/2MMMM new)
23    Sec. 2MMMM. Violations of the Illinois Consumer Data
24 Privacy Act.

 

 

1    (a) Any person who violates the Illinois Consumer Data
2 Privacy Act commits an unlawful practice within the meaning of
3 this Act.
4    (b) The provisions of Section 10a do not apply to a
5 violation of this Section.
 
6    Section 995. No acceleration or delay. Where this Act
7 makes changes in a statute that is represented in this Act by
8 text that is not yet or no longer in effect (for example, a
9 Section represented by multiple versions), the use of that
10 text does not accelerate or delay the taking effect of (i) the
11 changes made by this Act or (ii) provisions derived from any
12 other Public Act.
 
13    Section 999. Effective date. This Act takes effect January
14 1, 2027.