|
| | 104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
SB2994 Introduced 1/27/2026, by Sen. Rachel Ventura SYNOPSIS AS INTRODUCED:
| | 410 ILCS 513/5 | | 410 ILCS 513/10 | | 410 ILCS 513/20 | | 410 ILCS 513/25 | | 410 ILCS 513/27 new | | 410 ILCS 513/40 | | 410 ILCS 513/50 | |
| Amends the Genetic Information Privacy Act. Adds legislative findings. Defines "neurotechnology" and "neurotechnology data". Prohibits insurers from using genetic testing or neurotechnology data (rather than only genetic testing) for nontherapeutic purposes or underwriting, with limited exceptions. Prohibits employers, employment agencies, labor organizations, and licensing agencies from requesting, requiring, or using neurotechnology data in employment decisions, subject to specified exceptions. Adds new provisions governing confidentiality, consent, privacy policies, and security requirements for entities collecting neurotechnology data. Regulates disclosure to government agencies and sets conditions for clinical research. Makes conforming changes. Effective January 1, 2027. |
| |
| | A BILL FOR |
|
|
| | SB2994 | | LRB104 17867 BDA 31303 b |
|
|
| 1 | | AN ACT concerning health.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Genetic Information Privacy Act is amended |
| 5 | | by changing Sections 5, 10, 20, 25, 40, and 50 and by adding |
| 6 | | Section 27 as follows:
|
| 7 | | (410 ILCS 513/5) |
| 8 | | Sec. 5. Legislative findings; intent. The General Assembly |
| 9 | | finds that: |
| 10 | | (a)(1) The use of genetic testing can be valuable to an |
| 11 | | individual. |
| 12 | | (2) Despite existing laws, regulations, and professional |
| 13 | | standards which require or promote voluntary and confidential |
| 14 | | use of genetic testing information, many members of the public |
| 15 | | are deterred from seeking genetic testing because of fear that |
| 16 | | test results will be disclosed without consent in a manner not |
| 17 | | permitted by law or will be used in a discriminatory manner. |
| 18 | | (3) The public health will be served by facilitating |
| 19 | | voluntary and confidential nondiscriminatory use of genetic |
| 20 | | testing information. |
| 21 | | (4) The use of electronic health record systems and the |
| 22 | | exchange of patient records, both paper and electronic, |
| 23 | | through secure means, including through secure health |
|
| | SB2994 | - 2 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | information exchanges, should be encouraged to improve patient |
| 2 | | health care and care coordination, facilitate public health |
| 3 | | reporting, and control health care costs, among other |
| 4 | | purposes. |
| 5 | | (5) Limiting the use or disclosure of, and requests for, |
| 6 | | protected health information to the minimum necessary to |
| 7 | | accomplish an intended purpose, when being transmitted by or |
| 8 | | on behalf of a covered entity under HIPAA, is a key component |
| 9 | | of health information privacy. The disclosure of genetic |
| 10 | | information, when allowed by this Act, shall be performed in |
| 11 | | accordance with the minimum necessary standard when required |
| 12 | | under HIPAA. |
| 13 | | (b)(1) Ongoing advances in technology have produced |
| 14 | | exponential growth in the volume and variety of personal data |
| 15 | | being generated, collected, stored, and analyzed, and these |
| 16 | | advances present both great promise and potential risks. |
| 17 | | (2) Technology that collects data about the user's bodily |
| 18 | | and mental functions is transforming the volume and |
| 19 | | sensitivity of personal data collected from individuals and |
| 20 | | stored by companies. |
| 21 | | (3) Neurotechnologies, including devices capable of |
| 22 | | recording, interpreting, and altering the response of an |
| 23 | | individual's central or peripheral nervous system to its |
| 24 | | internal or external environment, raise particularly pressing |
| 25 | | privacy concerns given their ability to monitor, decode, and |
| 26 | | manipulate brain activity. |
|
| | SB2994 | - 3 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (4) Data concerning the activity of the human brain and |
| 2 | | wider nervous systems, or "neurotechnology data", is extremely |
| 3 | | sensitive and can reveal intimate information about |
| 4 | | individuals, including information about health, mental |
| 5 | | states, emotions, and cognitive functioning. |
| 6 | | (5) Each human brain is unique, meaning that neural data |
| 7 | | is specific to the individual from whom it is collected. |
| 8 | | Because neurotechnology data contains distinctive information |
| 9 | | about the structure and functioning of individual brains and |
| 10 | | nervous systems, it contains sensitive information that may |
| 11 | | link the data to an identified or identifiable individual. |
| 12 | | (6) The collection of neurotechnology data involves the |
| 13 | | involuntary disclosure of information. Even if individuals |
| 14 | | consent to the collection and processing of their data for |
| 15 | | narrow use, they are unlikely to be fully aware of the content |
| 16 | | or quality of information they are sharing. |
| 17 | | (7) Neurotechnology users cannot decide what specific |
| 18 | | neurotechnology information they would like to disclose, and |
| 19 | | they are unlikely to understand the extent to which their |
| 20 | | neurotechnology data can be decoded, currently or in the |
| 21 | | future. Neurotechnologies can collect and process information |
| 22 | | about an individual that the individual did not even know |
| 23 | | existed. |
| 24 | | (8) Neurotechnologies that are deployed in medical |
| 25 | | settings or otherwise utilize the surgical implantation of |
| 26 | | invasive devices are typically regulated as medical tools that |
|
| | SB2994 | - 4 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | produce health information. Both invasive and noninvasive |
| 2 | | wearable neurotechnologies used in medical settings are also |
| 3 | | regulated by health data privacy laws. However, when |
| 4 | | noninvasive neurotechnologies are used outside of medical |
| 5 | | settings, they are generally considered consumer products and |
| 6 | | operate without regulation or data protection standards. |
| 7 | | (Source: P.A. 98-1046, eff. 1-1-15.)
|
| 8 | | (410 ILCS 513/10) |
| 9 | | Sec. 10. Definitions. As used in this Act: |
| 10 | | "Business associate" has the meaning ascribed to it under |
| 11 | | HIPAA, as specified in 45 CFR 160.103. |
| 12 | | "Covered entity" has the meaning ascribed to it under |
| 13 | | HIPAA, as specified in 45 CFR 160.103. |
| 14 | | "De-identified information" means health information that |
| 15 | | is not individually identifiable as described under HIPAA, as |
| 16 | | specified in 45 CFR 164.514(b). |
| 17 | | "Disclosure" has the meaning ascribed to it under HIPAA, |
| 18 | | as specified in 45 CFR 160.103. |
| 19 | | "Employer" means the State of Illinois, any unit of local |
| 20 | | government, and any board, commission, department, |
| 21 | | institution, or school district, any party to a public |
| 22 | | contract, any joint apprenticeship or training committee |
| 23 | | within the State, and every other person employing employees |
| 24 | | within the State. |
| 25 | | "Employment agency" means both public and private |
|
| | SB2994 | - 5 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | employment agencies and any person, labor organization, or |
| 2 | | labor union having a hiring hall or hiring office regularly |
| 3 | | undertaking, with or without compensation, to procure |
| 4 | | opportunities to work, or to procure, recruit, refer, or place |
| 5 | | employees. |
| 6 | | "Family member" means, with respect to an individual, (i) |
| 7 | | the spouse of the individual; (ii) a dependent child of the |
| 8 | | individual, including a child who is born to or placed for |
| 9 | | adoption with the individual; (iii) any other person |
| 10 | | qualifying as a covered dependent under a managed care plan; |
| 11 | | and (iv) all other individuals related by blood or law to the |
| 12 | | individual or the spouse or child described in subsections (i) |
| 13 | | through (iii) of this definition. |
| 14 | | "Genetic information" has the meaning ascribed to it under |
| 15 | | HIPAA, as specified in 45 CFR 160.103. |
| 16 | | "Genetic monitoring" means the periodic examination of |
| 17 | | employees to evaluate acquired modifications to their genetic |
| 18 | | material, such as chromosomal damage or evidence of increased |
| 19 | | occurrence of mutations that may have developed in the course |
| 20 | | of employment due to exposure to toxic substances in the |
| 21 | | workplace in order to identify, evaluate, and respond to |
| 22 | | effects of or control adverse environmental exposures in the |
| 23 | | workplace. |
| 24 | | "Genetic services" has the meaning ascribed to it under |
| 25 | | HIPAA, as specified in 45 CFR 160.103. |
| 26 | | "Genetic testing" and "genetic test" have the meaning |
|
| | SB2994 | - 6 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | ascribed to "genetic test" under HIPAA, as specified in 45 CFR |
| 2 | | 160.103. "Genetic testing" includes direct-to-consumer |
| 3 | | commercial genetic testing. |
| 4 | | "Health care operations" has the meaning ascribed to it |
| 5 | | under HIPAA, as specified in 45 CFR 164.501. |
| 6 | | "Health care professional" means (i) a licensed physician, |
| 7 | | (ii) a licensed physician assistant, (iii) a licensed advanced |
| 8 | | practice registered nurse, (iv) a licensed dentist, (v) a |
| 9 | | licensed podiatric physician, (vi) a licensed genetic |
| 10 | | counselor, or (vii) an individual certified to provide genetic |
| 11 | | testing by a state or local public health department. |
| 12 | | "Health care provider" has the meaning ascribed to it |
| 13 | | under HIPAA, as specified in 45 CFR 160.103. |
| 14 | | "Health facility" means a hospital, blood bank, blood |
| 15 | | center, sperm bank, or other health care institution, |
| 16 | | including any "health facility" as that term is defined in the |
| 17 | | Illinois Finance Authority Act. |
| 18 | | "Health information exchange" or "HIE" means a health |
| 19 | | information exchange or health information organization that |
| 20 | | exchanges health information electronically. In certain |
| 21 | | circumstances, in accordance with HIPAA, an HIE will be a |
| 22 | | business associate. |
| 23 | | "Health oversight agency" has the meaning ascribed to it |
| 24 | | under HIPAA, as specified in 45 CFR 164.501. |
| 25 | | "HIPAA" means the Health Insurance Portability and |
| 26 | | Accountability Act of 1996, Public Law 104-191, as amended by |
|
| | SB2994 | - 7 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | the Health Information Technology for Economic and Clinical |
| 2 | | Health Act of 2009, Public Law 111-05, and any subsequent |
| 3 | | amendments thereto and any regulations promulgated thereunder. |
| 4 | | "Insurer" means (i) an entity that is subject to the |
| 5 | | jurisdiction of the Director of Insurance and (ii) a managed |
| 6 | | care plan. |
| 7 | | "Labor organization" includes any organization, labor |
| 8 | | union, craft union, or any voluntary unincorporated |
| 9 | | association designed to further the cause of the rights of |
| 10 | | union labor that is constituted for the purpose, in whole or in |
| 11 | | part, of collective bargaining or of dealing with employers |
| 12 | | concerning grievances, terms or conditions of employment, or |
| 13 | | apprenticeships or applications for apprenticeships, or of |
| 14 | | other mutual aid or protection in connection with employment, |
| 15 | | including apprenticeships or applications for apprenticeships. |
| 16 | | "Licensing agency" means a board, commission, committee, |
| 17 | | council, department, or officers, except a judicial officer, |
| 18 | | in this State or any political subdivision authorized to |
| 19 | | grant, deny, renew, revoke, suspend, annul, withdraw, or amend |
| 20 | | a license or certificate of registration. |
| 21 | | "Limited data set" has the meaning ascribed to it under |
| 22 | | HIPAA, as described in 45 CFR 164.514(e)(2). |
| 23 | | "Managed care plan" means a plan that establishes, |
| 24 | | operates, or maintains a network of health care providers that |
| 25 | | have entered into agreements with the plan to provide health |
| 26 | | care services to enrollees where the plan has the ultimate and |
|
| | SB2994 | - 8 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | direct contractual obligation to the enrollee to arrange for |
| 2 | | the provision of or pay for services through: |
| 3 | | (1) organizational arrangements for ongoing quality |
| 4 | | assurance, utilization review programs, or dispute |
| 5 | | resolution; or |
| 6 | | (2) financial incentives for persons enrolled in the |
| 7 | | plan to use the participating providers and procedures |
| 8 | | covered by the plan. |
| 9 | | A managed care plan may be established or operated by any |
| 10 | | entity including a licensed insurance company, hospital or |
| 11 | | medical service plan, health maintenance organization, limited |
| 12 | | health service organization, preferred provider organization, |
| 13 | | third party administrator, or an employer or employee |
| 14 | | organization. |
| 15 | | "Minimum necessary" means HIPAA's standard for using, |
| 16 | | disclosing, and requesting protected health information found |
| 17 | | in 45 CFR 164.502(b) and 164.514(d). |
| 18 | | "Neurotechnology" means devices capable of recording, |
| 19 | | interpreting, or altering the response of an individual's |
| 20 | | central or peripheral nervous system to its internal or |
| 21 | | external environment. "Neurotechnology" includes mental |
| 22 | | augmentation or improving human cognition and behavior through |
| 23 | | direct recording or manipulation of neural activity by |
| 24 | | neurotechnology. |
| 25 | | "Neurotechnology data" means information that is captured |
| 26 | | by neurotechnologies, that is generated by measuring the |
|
| | SB2994 | - 9 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | activity of an individual's central or peripheral nervous |
| 2 | | systems, or that is data associated with neural activity, the |
| 3 | | activity of neurons or glial cells in the central or |
| 4 | | peripheral nervous system. "Neurotechnology data" does not |
| 5 | | include nonneural information, such as pupil dilation, motor |
| 6 | | activity, breathing rate, or other information about the |
| 7 | | downstream physical effects of neural activity. |
| 8 | | "Nontherapeutic purpose" means a purpose that is not |
| 9 | | intended to improve or preserve the life or health of the |
| 10 | | individual whom the information concerns. |
| 11 | | "Organized health care arrangement" has the meaning |
| 12 | | ascribed to it under HIPAA, as specified in 45 CFR 160.103. |
| 13 | | "Patient safety activities" has the meaning ascribed to it |
| 14 | | under 42 CFR 3.20. |
| 15 | | "Payment" has the meaning ascribed to it under HIPAA, as |
| 16 | | specified in 45 CFR 164.501. |
| 17 | | "Person" includes any natural person, partnership, |
| 18 | | association, joint venture, trust, governmental entity, public |
| 19 | | or private corporation, health facility, or other legal |
| 20 | | entity. |
| 21 | | "Protected health information" has the meaning ascribed to |
| 22 | | it under HIPAA, as specified in 45 CFR 164.103. |
| 23 | | "Research" has the meaning ascribed to it under HIPAA, as |
| 24 | | specified in 45 CFR 164.501. |
| 25 | | "State agency" means an instrumentality of the State of |
| 26 | | Illinois and any instrumentality of another state which |
|
| | SB2994 | - 10 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | pursuant to applicable law or a written undertaking with an |
| 2 | | instrumentality of the State of Illinois is bound to protect |
| 3 | | the privacy of genetic information of Illinois persons. |
| 4 | | "Treatment" has the meaning ascribed to it under HIPAA, as |
| 5 | | specified in 45 CFR 164.501. |
| 6 | | "Use" has the meaning ascribed to it under HIPAA, as |
| 7 | | specified in 45 CFR 160.103, where context dictates. |
| 8 | | (Source: P.A. 103-508, eff. 8-4-23; 104-417, eff. 8-15-25.)
|
| 9 | | (410 ILCS 513/20) |
| 10 | | Sec. 20. Use of genetic testing information or |
| 11 | | neurotechnology data for insurance purposes. |
| 12 | | (a) An insurer may not seek information derived from |
| 13 | | genetic testing or neurotechnology data for use in connection |
| 14 | | with a policy of accident and health insurance. Except as |
| 15 | | provided in subsection (c), an insurer that receives |
| 16 | | information derived from genetic testing or neurotechnology |
| 17 | | data, regardless of the source of that information, may not |
| 18 | | use the information for a nontherapeutic purpose as it relates |
| 19 | | to a policy of accident and health insurance. |
| 20 | | (b) An insurer shall not use or disclose protected health |
| 21 | | information that is genetic information or neurotechnology |
| 22 | | data for underwriting purposes. For purposes of this Section, |
| 23 | | "underwriting purposes" means, with respect to an insurer: |
| 24 | | (1) rules for, or determination of, eligibility |
| 25 | | (including enrollment and continued eligibility) for, or |
|
| | SB2994 | - 11 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | determination of, benefits under the plan, coverage, or |
| 2 | | policy (including changes in deductibles or other |
| 3 | | cost-sharing mechanisms in return for activities such as |
| 4 | | completing a health risk assessment or participating in a |
| 5 | | wellness program); |
| 6 | | (2) the computation of premium or contribution amounts |
| 7 | | under the plan, coverage, or policy (including discounts, |
| 8 | | rebates, payments in kind, or other premium differential |
| 9 | | mechanisms in return for activities, such as completing a |
| 10 | | health risk assessment or participating in a wellness |
| 11 | | program); |
| 12 | | (3) the application of any pre-existing condition |
| 13 | | exclusion under the plan, coverage, or policy; and |
| 14 | | (4) other activities related to the creation, renewal, |
| 15 | | or replacement of a contract of health insurance or health |
| 16 | | benefits. |
| 17 | | "Underwriting purposes" does not include determinations of |
| 18 | | medical appropriateness where an individual seeks a benefit |
| 19 | | under the plan, coverage, or policy. |
| 20 | | This subsection (b) does not apply to insurers that are |
| 21 | | issuing a long-term care policy, excluding a nursing home |
| 22 | | fixed indemnity plan. |
| 23 | | (c) An insurer may consider the results of genetic testing |
| 24 | | or may consider neurotechnology data in connection with a |
| 25 | | policy of accident and health insurance if the individual |
| 26 | | voluntarily submits the results of genetic testing or |
|
| | SB2994 | - 12 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | voluntarily submits neurotechnology data and if the results of |
| 2 | | genetic testing or the neurotechnology data are favorable to |
| 3 | | the individual. |
| 4 | | (d) An insurer that possesses information derived from |
| 5 | | genetic testing or from neurotechnology data may not release |
| 6 | | the information to a third party, except as specified in this |
| 7 | | Act. |
| 8 | | (e) A company providing direct-to-consumer commercial |
| 9 | | genetic testing or providing direct-to-consumer |
| 10 | | neurotechnology data is prohibited from sharing any genetic |
| 11 | | test information, neurotechnology data, or other personally |
| 12 | | identifiable information about a consumer with any health or |
| 13 | | life insurance company without written consent from the |
| 14 | | consumer. |
| 15 | | (Source: P.A. 101-132, eff. 1-1-20.)
|
| 16 | | (410 ILCS 513/25) |
| 17 | | Sec. 25. Use of genetic testing information or |
| 18 | | neurotechnology data by employers. |
| 19 | | (a) An employer, employment agency, labor organization, |
| 20 | | and licensing agency shall treat genetic testing and genetic |
| 21 | | information in such a manner that is consistent with the |
| 22 | | requirements of federal law, including but not limited to the |
| 23 | | Genetic Information Nondiscrimination Act of 2008, the |
| 24 | | Americans with Disabilities Act, Title VII of the Civil Rights |
| 25 | | Act of 1964, the Family and Medical Leave Act of 1993, the |
|
| | SB2994 | - 13 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | Occupational Safety and Health Act of 1970, the Federal Mine |
| 2 | | Safety and Health Act of 1977, or the Atomic Energy Act of |
| 3 | | 1954. |
| 4 | | (b) An employer may release genetic testing information or |
| 5 | | neurotechnology data only in accordance with this Act. |
| 6 | | (c) An employer, employment agency, labor organization, |
| 7 | | and licensing agency shall not directly or indirectly do any |
| 8 | | of the following: |
| 9 | | (1) solicit, request, require or purchase genetic |
| 10 | | testing or genetic information of a person or a family |
| 11 | | member of the person, or administer a genetic test to a |
| 12 | | person or a family member of the person as a condition of |
| 13 | | employment, preemployment application, labor organization |
| 14 | | membership, or licensure; |
| 15 | | (2) solicit, request, require, or purchase |
| 16 | | neurotechnology data of a person or a family member of a |
| 17 | | person, or require the person or family member of the |
| 18 | | person to use a neurotechnology, as a condition of |
| 19 | | employment, preemployment application, labor organization |
| 20 | | membership, or licensure; |
| 21 | | (3) (2) affect the terms, conditions, or privileges of |
| 22 | | employment, preemployment application, labor organization |
| 23 | | membership, or licensure, or terminate the employment, |
| 24 | | labor organization membership, or licensure of any person |
| 25 | | because of genetic testing, or genetic information, or |
| 26 | | neurotechnology data with respect to the employee or |
|
| | SB2994 | - 14 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | family member, or information about a request for or the |
| 2 | | receipt of genetic testing or neurotechnology data by such |
| 3 | | employee or family member of such employee; |
| 4 | | (4) (3) limit, segregate, or classify employees in any |
| 5 | | way that would deprive or tend to deprive any employee of |
| 6 | | employment opportunities or otherwise adversely affect the |
| 7 | | status of the employee as an employee because of genetic |
| 8 | | testing, or genetic information, or neurotechnology data |
| 9 | | with respect to the employee or a family member, or |
| 10 | | information about a request for or the receipt of genetic |
| 11 | | testing, or genetic information, or neurotechnology data |
| 12 | | by such employee or family member of such employee; and |
| 13 | | (5) (4) retaliate through discharge or in any other |
| 14 | | manner against any person alleging a violation of this Act |
| 15 | | or participating in any manner in a proceeding under this |
| 16 | | Act. |
| 17 | | (d) An agreement between a person and an employer, |
| 18 | | prospective employer, employment agency, labor organization, |
| 19 | | or licensing agency, or its employees, agents, or members |
| 20 | | offering the person employment, labor organization membership, |
| 21 | | licensure, or any pay or benefit in return for taking a genetic |
| 22 | | test or using a neurotechnology is prohibited. |
| 23 | | (e) An employer shall not use genetic information, or |
| 24 | | genetic testing, or neurotechnology data in furtherance of a |
| 25 | | workplace wellness program benefiting employees unless (1) |
| 26 | | health services, or genetic services, or neurotechnology |
|
| | SB2994 | - 15 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | services are offered by the employer, (2) the employee |
| 2 | | provides written authorization in accordance with Section 27 |
| 3 | | or 30 of this Act, as it may apply, (3) only the employee or |
| 4 | | family member if the family member is receiving genetic |
| 5 | | neurotechnology data services and the licensed health care |
| 6 | | professional or licensed genetic counselor involved in |
| 7 | | providing such services receive individually identifiable |
| 8 | | information concerning the results of such services, and (4) |
| 9 | | any individually identifiable information is only available |
| 10 | | for purposes of such services and shall not be disclosed to the |
| 11 | | employer except in aggregate terms that do not disclose the |
| 12 | | identity of specific employees. An employer shall not penalize |
| 13 | | an employee who does not disclose his or her genetic |
| 14 | | information or neurotechnology data or does not choose to |
| 15 | | participate in a program requiring disclosure of the |
| 16 | | employee's genetic information or neurotechnology data. |
| 17 | | (f) Nothing in this Act shall be construed to prohibit |
| 18 | | genetic testing of an employee who requests a genetic test and |
| 19 | | who provides written authorization, in accordance with Section |
| 20 | | 30 of this Act, from taking a genetic test for the purpose of |
| 21 | | initiating a workers' compensation claim under the Workers' |
| 22 | | Compensation Act. |
| 23 | | (g) A purchase of commercially and publicly available |
| 24 | | documents, including newspapers, magazines, periodicals, and |
| 25 | | books but not including medical databases, or court records, |
| 26 | | or consumer neurotechnology databases or inadvertently |
|
| | SB2994 | - 16 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | requesting family medical history by an employer, employment |
| 2 | | agency, labor organization, and licensing agency does not |
| 3 | | violate this Act. |
| 4 | | (h) Nothing in this Act shall be construed to prohibit an |
| 5 | | employer that conducts DNA analysis for law enforcement |
| 6 | | purposes as a forensic laboratory and that includes such |
| 7 | | analysis in the Combined DNA Index System pursuant to the |
| 8 | | federal Violent Crime Control and Law Enforcement Act of 1994 |
| 9 | | from requesting or requiring genetic testing or genetic |
| 10 | | information of such employer's employees, but only to the |
| 11 | | extent that such genetic testing or genetic information is |
| 12 | | used for analysis of DNA identification markers for quality |
| 13 | | control to detect sample contamination. |
| 14 | | (i) Nothing in this Act shall be construed to prohibit an |
| 15 | | employer from requesting or requiring genetic information or |
| 16 | | neurotechnology data to be used for genetic monitoring or |
| 17 | | other monitoring of the biological effects of toxic substances |
| 18 | | in the workplace, but only if (1) the employer provides |
| 19 | | written notice of the genetic monitoring or other monitoring |
| 20 | | to the employee; (2) the employee provides written |
| 21 | | authorization under Section 27 or 30 of this Act, as it may |
| 22 | | apply, or the genetic monitoring or other monitoring is |
| 23 | | required by federal or State law; (3) the employee is informed |
| 24 | | of individual monitoring results; (4) the monitoring is in |
| 25 | | compliance with any federal genetic monitoring regulations or |
| 26 | | State genetic monitoring regulations regarding genetic |
|
| | SB2994 | - 17 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | monitoring or other monitoring under the authority of the |
| 2 | | federal Occupational Safety and Health Act of 1970; and (5) |
| 3 | | the employer, excluding any health care provider, health care |
| 4 | | professional, or health facility that is involved in the |
| 5 | | genetic monitoring or other monitoring program, receives the |
| 6 | | results of the monitoring only in aggregate terms that do not |
| 7 | | disclose the identity of specific employees. |
| 8 | | (j) Despite lawful acquisition of genetic testing, or |
| 9 | | genetic information, or neurotechnology data under subsections |
| 10 | | (e) through (i) of this Section, an employer, employment |
| 11 | | agency, labor organization, and licensing agency still may not |
| 12 | | use or disclose the genetic test, or genetic information, or |
| 13 | | neurotechnology data in violation of this Act. |
| 14 | | (k) Except as provided in subsections (e), (f), (h), and |
| 15 | | (i) of this Section, a person shall not knowingly sell to or |
| 16 | | interpret for an employer, employment agency, labor |
| 17 | | organization, or licensing agency, or its employees, agents, |
| 18 | | or members, a genetic test or neurotechnology data of an |
| 19 | | employee, labor organization member, or license holder, or of |
| 20 | | a prospective employee, member, or license holder. |
| 21 | | (Source: P.A. 100-396, eff. 1-1-18.)
|
| 22 | | (410 ILCS 513/27 new) |
| 23 | | Sec. 27. Confidentiality of neurotechnology data. |
| 24 | | (a) As used in this Section: |
| 25 | | "Entity" means a partnership, corporation, association, or |
|
| | SB2994 | - 18 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | public or private organization of any character that: |
| 2 | | (1) offers consumer neurotechnology products or |
| 3 | | services directly to a consumer; or |
| 4 | | (2) collects, uses, or analyzes neurotechnology data. |
| 5 | | "Government agency" means a State agency as defined under |
| 6 | | Section 1-7 of the Illinois State Auditing Act, a unit of local |
| 7 | | government, a school district, or any administrative unit or |
| 8 | | corporate outgrowth thereof. |
| 9 | | "Processor" means a person that processes genetic data on |
| 10 | | behalf of an entity pursuant to a contract between the entity |
| 11 | | and the processor that prohibits the processor from retaining, |
| 12 | | using, or disclosing the neurotechnology data, or any |
| 13 | | information regarding the identity of the consumer, including |
| 14 | | whether that consumer has solicited or received |
| 15 | | neurotechnology, as applicable, for any purpose other than for |
| 16 | | the specific purpose of performing the services specified in |
| 17 | | the contract. |
| 18 | | "Third party" means a person other than the consumer, |
| 19 | | entity, or processor. |
| 20 | | (b) Except as otherwise provided in this Act, |
| 21 | | neurotechnology data and information derived from |
| 22 | | neurotechnology data is confidential and privileged and may be |
| 23 | | released only to the individual whose activity is measured or |
| 24 | | captured and to persons specifically authorized, in writing in |
| 25 | | accordance with this Section, by that individual to receive |
| 26 | | the information. |
|
| | SB2994 | - 19 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (c) To safeguard the privacy, confidentiality, security, |
| 2 | | and integrity of an individual's neurotechnology data, an |
| 3 | | entity shall: |
| 4 | | (1) provide clear and complete information regarding |
| 5 | | the entity's policies and procedures for the collection, |
| 6 | | use, or disclosure of neurotechnology data by making |
| 7 | | available to a consumer: |
| 8 | | (A) a high-level privacy policy overview that |
| 9 | | includes basic, essential information about the |
| 10 | | entity's collection, use, or disclosure of |
| 11 | | neurotechnology data; and |
| 12 | | (B) a prominent, publicly available privacy notice |
| 13 | | that includes, at a minimum, information about the |
| 14 | | entity's data collection, consent, use, access, |
| 15 | | disclosure, transfer, security, and retention and |
| 16 | | deletion practices for neurotechnology data; |
| 17 | | (2) obtain initial express consent from a consumer, |
| 18 | | parent, guardian, or power of attorney for the collection, |
| 19 | | use, or disclosure of the consumer's neurotechnology data |
| 20 | | that: |
| 21 | | (A) clearly describes the entity's use of the |
| 22 | | neurotechnology data that the entity collects through |
| 23 | | the entity's neurotechnology product or service; |
| 24 | | (B) specifies the categories of individuals within |
| 25 | | the entity that have access to neurotechnology data; |
| 26 | | and |
|
| | SB2994 | - 20 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (C) specifies how the entity may share the |
| 2 | | neurotechnology data; |
| 3 | | (3) if the entity engages in any of the following, |
| 4 | | obtain a consumer's: |
| 5 | | (A) separate express consent for: |
| 6 | | (i) the transfer or disclosure of the |
| 7 | | consumer's neurotechnology data to any third party |
| 8 | | other than the entity's processors, including the |
| 9 | | name of the third party to which the consumer's |
| 10 | | neurotechnology data will be transferred or |
| 11 | | disclosed with the consumer's express consent; |
| 12 | | (ii) the use of neurotechnology data beyond |
| 13 | | the primary purpose of the entity's |
| 14 | | neurotechnology product or service and inherent |
| 15 | | contextual uses; or |
| 16 | | (iii) the entity's retention of any |
| 17 | | neurotechnology data provided by the consumer |
| 18 | | following the entity's completion of the primary |
| 19 | | purpose of the entity's neurotechnology requested |
| 20 | | by the consumer; |
| 21 | | (B) informed express consent for transfer or |
| 22 | | disclosure of the consumer's neurotechnology data to |
| 23 | | third party persons for: |
| 24 | | (i) research purposes; or |
| 25 | | (ii) research conducted under the control of |
| 26 | | the entity for the purpose of publication or |
|
| | SB2994 | - 21 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | generalizable knowledge; and |
| 2 | | (C) express consent for: |
| 3 | | (i) marketing to a consumer based on the |
| 4 | | consumer's neurotechnology data; |
| 5 | | (ii) marketing by a third-party person to a |
| 6 | | consumer based on the consumer having ordered or |
| 7 | | purchased a neurotechnology product or service, |
| 8 | | except that marketing under this subdivision (ii) |
| 9 | | does not include the provision of customized |
| 10 | | content or offers on the websites or through the |
| 11 | | applications or services provided by the entity |
| 12 | | with the first-party relationship to the consumer; |
| 13 | | or |
| 14 | | (iii) sale or other valuable consideration of |
| 15 | | the consumer's neurotechnology data. |
| 16 | | (4) comply with the provisions of subsection (d) |
| 17 | | requiring a valid legal process for disclosing |
| 18 | | neurotechnology data to law enforcement or any other |
| 19 | | government agency without a consumer's express consent; |
| 20 | | (5) develop, implement, and maintain a comprehensive |
| 21 | | security program to protect a consumer's neurotechnology |
| 22 | | data against unauthorized access, use, or disclosure; and |
| 23 | | (6) provide a process for a consumer to: |
| 24 | | (A) access the consumer's neurotechnology data; |
| 25 | | (B) request and obtain the destruction of the |
| 26 | | consumer's neurotechnology data; and |
|
| | SB2994 | - 22 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (C) revoke any consent provided by the consumer. |
| 2 | | (c-5) The requirements of paragraph (6) of subsection (c) |
| 3 | | shall be waived if: |
| 4 | | (1) the entity obtains express and informed written |
| 5 | | consent from a consumer, parent, guardian, or power of |
| 6 | | attorney for participation in a clinical research trial, |
| 7 | | including the collection and use of any neurotechnology |
| 8 | | data, which at a minimum must: |
| 9 | | (A) be in accordance with the good clinical |
| 10 | | practice guideline issued by the international council |
| 11 | | for harmonization of technical requirements for |
| 12 | | pharmaceuticals for human use; |
| 13 | | (B) be obtained no sooner than 14 days from the |
| 14 | | initial neurotechnology data collection if the data is |
| 15 | | collected for a primary purpose unrelated to clinical |
| 16 | | research; |
| 17 | | (C) be obtained separately from any other items of |
| 18 | | consent; |
| 19 | | (D) be in writing on a form with text that is |
| 20 | | easily readable with size 12-point type font or |
| 21 | | larger; |
| 22 | | (E) include the entity's data retention, sharing, |
| 23 | | and use policies; and |
| 24 | | (F) include notice that after consent is given, |
| 25 | | there is no right to access, inspect, or require the |
| 26 | | destruction of any neurotechnology data; |
|
| | SB2994 | - 23 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (2) the neurotechnology data is used for clinical |
| 2 | | research purposes only. |
| 3 | | (c-10) The requirements of subsection (c-5) supersede all |
| 4 | | exceptions to, and waivers of, informed consent in the federal |
| 5 | | policy for the protection of human subjects under 45 CFR Part |
| 6 | | 46, to the extent permitted by federal law. Neurotechnology |
| 7 | | data of Illinois residents collected in the State may not be |
| 8 | | stored within the territorial boundaries of any country |
| 9 | | currently sanctioned in any way by the United States office of |
| 10 | | foreign asset control or designated as a foreign adversary |
| 11 | | under 15 CFR 7.4(a). Neurotechnology data of Illinois |
| 12 | | residents collected in the State may only be transferred or |
| 13 | | stored outside the United States with the consent of the |
| 14 | | resident. |
| 15 | | (d) Neurotechnology data use by government agencies is |
| 16 | | regulated as follows: |
| 17 | | (1) Any collection, storage, use, or dissemination of |
| 18 | | neurotechnology data by a government agency must be |
| 19 | | performed in accordance with a specific State law or |
| 20 | | executed through a search warrant or investigative |
| 21 | | subpoena. |
| 22 | | (2) A government agency may not obtain neurotechnology |
| 23 | | search results from a consumer neurotechnology database: |
| 24 | | (A) without a search warrant or investigative |
| 25 | | subpoena issued by a court on a finding of probable |
| 26 | | cause; or |
|
| | SB2994 | - 24 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | (B) unless the consumer whose information is |
| 2 | | sought previously waived the consumer's right to |
| 3 | | privacy in the information. |
| 4 | | (3) A government agency that legally obtains |
| 5 | | neurotechnology database search results, as set forth in |
| 6 | | paragraph (2) of subsection (d), or neurotechnology data, |
| 7 | | as set forth in this Section, may use the results during |
| 8 | | criminal investigations and judicial proceedings subject |
| 9 | | to applicable rules of criminal procedure and evidence. |
| 10 | | (e) This Section does not apply to protected health |
| 11 | | information that is collected by a covered entity or business |
| 12 | | associate as those terms are defined in 45 CFR Parts 160 and |
| 13 | | 164, if separate informed consent related to the collection, |
| 14 | | use, and dissemination of neurotechnology data is obtained |
| 15 | | from the consumer, parent, guardian, or power of attorney, and |
| 16 | | the covered entity or business associate follows the policies |
| 17 | | outlined in paragraph (6) of subsection (c).
|
| 18 | | (410 ILCS 513/40) |
| 19 | | Sec. 40. Right of action. |
| 20 | | (a) Any person aggrieved by a violation of this Act shall |
| 21 | | have a right of action in a State circuit court or as a |
| 22 | | supplemental claim in a federal district court against an |
| 23 | | offending party. A prevailing party may recover for each |
| 24 | | violation: |
| 25 | | (1) Against any party who negligently violates a |
|
| | SB2994 | - 25 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | provision of this Act, liquidated damages of $2,500 or |
| 2 | | actual damages, whichever is greater. |
| 3 | | (2) Against any party who intentionally or recklessly |
| 4 | | violates a provision of this Act, liquidated damages of |
| 5 | | $15,000 or actual damages, whichever is greater. |
| 6 | | (3) Reasonable attorney's fees and costs, including |
| 7 | | expert witness fees and other litigation expenses. |
| 8 | | (4) Such other relief, including an injunction, as the |
| 9 | | State or federal court may deem appropriate. |
| 10 | | (b) Article XL of the Illinois Insurance Code shall |
| 11 | | provide the exclusive remedy for violations of Section 30 by |
| 12 | | insurers. |
| 13 | | (c) Notwithstanding any provisions of the law to the |
| 14 | | contrary, any person alleging a violation of subsection (a) of |
| 15 | | Section 15, subsection (b) of Section 25, Section 27, Section |
| 16 | | 30, Section 31, or Section 35 of this Act shall have a right of |
| 17 | | action in a State circuit court or as a supplemental claim in a |
| 18 | | federal district court to seek a preliminary injunction |
| 19 | | preventing the release or disclosure of genetic testing, or |
| 20 | | genetic information, or neurotechnology data pending the final |
| 21 | | resolution of any action under this Act. |
| 22 | | (Source: P.A. 98-1046, eff. 1-1-15.)
|
| 23 | | (410 ILCS 513/50) |
| 24 | | Sec. 50. Home rule. Any home rule unit of local |
| 25 | | government, any non-home rule municipality, or any non-home |
|
| | SB2994 | - 26 - | LRB104 17867 BDA 31303 b |
|
|
| 1 | | rule county within the unincorporated territory of the county |
| 2 | | may enact ordinances, standards, rules, or regulations that |
| 3 | | protect genetic information, and genetic testing, and |
| 4 | | neurotechnology data in a manner or to an extent equal to or |
| 5 | | greater than the protection provided in this Act. This Section |
| 6 | | is a limitation on the concurrent exercise of home rule power |
| 7 | | under subsection (i) of Section 6 of Article VII of the |
| 8 | | Illinois Constitution. |
| 9 | | (Source: P.A. 95-927, eff. 1-1-09.)
|
| 10 | | Section 97. Severability. The provisions of this Act are |
| 11 | | severable under Section 1.31 of the Statute on Statutes.
|
| 12 | | Section 99. Effective date. This Act takes effect January |
| 13 | | 1, 2027. |