|
| | 104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
SB3548 Introduced 2/5/2026, by Sen. Sue Rezin SYNOPSIS AS INTRODUCED:
| | New Act | | 5 ILCS 140/7 | | 30 ILCS 105/5.1038 new | |
| Creates the Consumer Data Privacy Act. Establishes certain consumer rights relating to personal data, including the rights to confirm whether data is being processed, to correct any inaccuracies in the consumer's personal data, to delete personal data provided by the consumer, to obtain a copy of the consumer's personal data that was previously provided, and to opt out of targeted advertising, the sale of data, or profiling of the consumer. Defines terms. Applies to persons who conduct business in Illinois or produce products or services that are targeted to Illinois residents and that during the a calendar year control or process person data of at least 100,000 consumers or 25,0000 consumers and derives over 50% of gross revenue from the sale of personal data. Makes requirements for persons or entities that control and process consumer data and also exempts certain persons or entities from the statutory provisions of the Act. Provides that the Attorney General has exclusive authority to enforce the consumer data privacy rights. Creates the Consumer Privacy Fund to be administered by the Office of the Attorney General. Amends the Freedom of Information Act. Exempts from disclosure data protection impact assessments done under the Illinois Consumer Data Privacy Act. Makes a conforming change in the State Finance Act. |
| |
| | A BILL FOR |
|
|
| | SB3548 | | LRB104 18765 JRC 32208 b |
|
|
| 1 | | AN ACT concerning civil law.
|
| 2 | | Be it enacted by the People of the State of Illinois, |
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the |
| 5 | | Consumer Data Privacy Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Affiliate" means a legal entity that controls, is |
| 8 | | controlled by, or is under common control with another legal |
| 9 | | entity or shares common branding with another legal entity. |
| 10 | | For the purposes of this definition, "control" or "controlled" |
| 11 | | means: |
| 12 | | (1) ownership of, or the power to vote, more than 50% |
| 13 | | of the outstanding shares of any class of voting security |
| 14 | | of a company; |
| 15 | | (2) control in any manner over the election of a |
| 16 | | majority of the directors or of individuals exercising |
| 17 | | similar functions; or |
| 18 | | (3) the power to exercise controlling influence over |
| 19 | | the management of a company. |
| 20 | | "Authenticate" means verifying through reasonable means |
| 21 | | that the consumer entitled to exercise consumer rights granted |
| 22 | | in Section 15 is the same consumer exercising consumer rights |
| 23 | | with respect to the personal data at issue. |
|
| | SB3548 | - 2 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | "Biometric data" means data generated by automatic |
| 2 | | measurements of an individual's biological characteristics, |
| 3 | | such as a fingerprint, voiceprint, eye retinas, irises, or |
| 4 | | other unique biological patterns or characteristics that are |
| 5 | | used to identify a specific individual. "Biometric data" does |
| 6 | | not include a physical or digital photograph, a video or audio |
| 7 | | recording, or data generated therefrom, unless that data is |
| 8 | | generated to identify a specific individual or information |
| 9 | | collected, used, or stored for health care treatment, payment, |
| 10 | | or operations under HIPAA. |
| 11 | | "Business associate" has the same meaning as in 45 CFR |
| 12 | | Sec. 160.103 under HIPAA. |
| 13 | | "Child" has the same meaning as in 15 U.S.C. 6501. |
| 14 | | "Consent" means a clear affirmative act signifying a |
| 15 | | consumer's freely given, specific, informed, and unambiguous |
| 16 | | agreement to process personal data relating to the consumer. |
| 17 | | "Consent" includes a written statement, written by electronic |
| 18 | | means, or any other unambiguous affirmative action. |
| 19 | | "Consumer" means a natural person who is a resident of the |
| 20 | | State acting only in an individual context. "Consumer" does |
| 21 | | not include a natural person acting in a commercial or |
| 22 | | employment context. |
| 23 | | "Controller" means the natural or legal person that, |
| 24 | | individually or jointly with others, determines the purpose |
| 25 | | and means of processing personal data. |
| 26 | | "Covered entity" has the same meaning as in 45 CFR Sec. |
|
| | SB3548 | - 3 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | 160.103 under HIPAA. |
| 2 | | "Decisions that produce legal or similarly significant |
| 3 | | effects concerning a consumer" means a decision made by a |
| 4 | | controller that results in the provision or denial by the |
| 5 | | controller of financial and lending services, housing, |
| 6 | | insurance, education enrollment, criminal justice, employment |
| 7 | | opportunities, health care services, or access to basic |
| 8 | | necessities like food and water. |
| 9 | | "Deidentified data" means data that cannot reasonably be |
| 10 | | linked to an identified or identifiable natural person or a |
| 11 | | device linked to a person. |
| 12 | | "Fund" means the Consumer Privacy Fund established in |
| 13 | | Section 50. |
| 14 | | "Health record" means a record, other than for financial |
| 15 | | or billing purposes, relating to an individual, kept by a |
| 16 | | health care provider as a result of the professional |
| 17 | | relationship established between the health care provider and |
| 18 | | the individual. |
| 19 | | "Health care provider" means: |
| 20 | | (1) any health care facility as defined in Section |
| 21 | | 8-2001 of the Code of Civil Procedure; |
| 22 | | (2) health care practitioner as defined in Section |
| 23 | | 8-2001 of the Code of Civil Procedure; |
| 24 | | (3) the current and former employers, officers, |
| 25 | | directors, administrators, agents, or employees of those |
| 26 | | entities listed in paragraphs (1) and (2); or |
|
| | SB3548 | - 4 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (4) any person acting within the course and scope of |
| 2 | | the office, employment, or agency relating to a health |
| 3 | | care facility or a health care practitioner. |
| 4 | | "HIPAA" means the federal Health Insurance Portability and |
| 5 | | Accountability Act of 1996. |
| 6 | | "Identified or identifiable natural person" means a person |
| 7 | | who can be readily identified directly or indirectly. |
| 8 | | "Institution of higher education" means an educational |
| 9 | | institution that: |
| 10 | | (1) admits as regular students only individuals having |
| 11 | | a certificate of graduation from a high school, or the |
| 12 | | recognized equivalent of such a certificate; |
| 13 | | (2) is legally authorized in this State to provide a |
| 14 | | program of education beyond high school; |
| 15 | | (3) provides an educational program for which it |
| 16 | | awards a bachelor's or higher degree, or provides a |
| 17 | | program that is acceptable for full credit toward such a |
| 18 | | degree, a program of postgraduate or postdoctoral studies, |
| 19 | | or a program of training to prepare students for gainful |
| 20 | | employment in a recognized occupation; and |
| 21 | | (4) is a public or other nonprofit institution. |
| 22 | | "Nonprofit organization" means any incorporated or |
| 23 | | unincorporated entity that: |
| 24 | | (1) is operating for religious, charitable, or |
| 25 | | educational purposes; and |
| 26 | | (2) does not provide net earnings to, or operate in |
|
| | SB3548 | - 5 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | any manner that inures to the benefit of, any officer, |
| 2 | | employee, or shareholder of the entity. |
| 3 | | "Personal data" means any information that is linked or |
| 4 | | reasonably linkable to an identified or identifiable natural |
| 5 | | person. "Personal data" does not include deidentified data or |
| 6 | | publicly available information. |
| 7 | | "Precise geolocation data" means information derived from |
| 8 | | technology, including, but not limited to, global positioning |
| 9 | | system level latitude and longitude coordinates or other |
| 10 | | mechanisms, that directly identifies the specific location of |
| 11 | | a natural person with precision and accuracy within a radius |
| 12 | | of 1,750 feet. "Precise geolocation data" does not include the |
| 13 | | content of communications, or any data generated by or |
| 14 | | connected to advanced utility metering infrastructure systems |
| 15 | | or equipment for use by a utility. |
| 16 | | "Process" or "processing" means any operation or set of |
| 17 | | operations performed, whether by manual or automated means, on |
| 18 | | personal data or on sets of personal data, including, but not |
| 19 | | limited to, the collection, use, storage, disclosure, |
| 20 | | analysis, deletion, or modification of personal data. |
| 21 | | "Processor" means a natural or legal entity that processes |
| 22 | | personal data on behalf of a controller. |
| 23 | | "Profiling" means any form of automated processing |
| 24 | | performed on personal data to evaluate, analyze, or predict |
| 25 | | personal aspects related to an identified or identifiable |
| 26 | | natural person's economic situation, health, personal |
|
| | SB3548 | - 6 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | preferences, interests, reliability, behavior, location, or |
| 2 | | movements. |
| 3 | | "Protected health information" has the same meaning as in |
| 4 | | 45 CFR Sec. 160.103 under HIPAA. |
| 5 | | "Pseudonymous data" means personal data that cannot be |
| 6 | | attributed to a specific natural person without the use of |
| 7 | | additional information, as long as the additional information |
| 8 | | is kept separately and is subject to appropriate technical and |
| 9 | | organizational measures to ensure that the personal data is |
| 10 | | not attributed to an identified or identifiable natural |
| 11 | | person. |
| 12 | | "Publicly available information" means information that is |
| 13 | | lawfully made available through federal, State, or local |
| 14 | | government records, or information that a business has a |
| 15 | | reasonable basis to believe is lawfully made available to the |
| 16 | | general public through widely distributed media, by the |
| 17 | | consumer, or by a person to whom the consumer has disclosed the |
| 18 | | information, unless the consumer has restricted the |
| 19 | | information to a specific audience. |
| 20 | | "Sale of personal data" means the exchange of personal |
| 21 | | data for monetary consideration by the controller to a third |
| 22 | | party. "Sale of personal data" does not include: |
| 23 | | (1) the disclosure of personal data to a processor |
| 24 | | that processes the personal data on behalf of the |
| 25 | | controller; |
| 26 | | (2) the disclosure of personal data to a third party |
|
| | SB3548 | - 7 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | for purposes of providing a product or service requested |
| 2 | | by the consumer; |
| 3 | | (3) the disclosure or transfer of personal data to an |
| 4 | | affiliate of the controller; |
| 5 | | (4) the disclosure of information that the consumer |
| 6 | | intentionally made available to the general public via a |
| 7 | | channel of mass media and did not restrict to a specific |
| 8 | | audience; or |
| 9 | | (5) the disclosure or transfer of personal data to a |
| 10 | | third party as an asset that is part of a proposed or |
| 11 | | actual merger, acquisition, bankruptcy, or other |
| 12 | | transaction in which the third party assumes control of |
| 13 | | all or part of the controller's assets. |
| 14 | | "Sensitive data" means a category of personal data that |
| 15 | | includes: |
| 16 | | (1) personal data indicating racial or ethnic origin, |
| 17 | | religious beliefs, mental or physical health diagnosis, |
| 18 | | sexual orientation, or citizenship or immigration status; |
| 19 | | (2) the processing of genetic or biometric data that |
| 20 | | is processed for the purpose of uniquely identifying a |
| 21 | | specific natural person; |
| 22 | | (3) the personal data collected from a known child; or |
| 23 | | (4) precise geolocation data. |
| 24 | | "State agency" means: |
| 25 | | (1) all departments, offices, commissions, boards, |
| 26 | | institutions, and political and corporate bodies of the |
|
| | SB3548 | - 8 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | State; |
| 2 | | (2) the Supreme Court, appellate courts, and circuit |
| 3 | | courts; and |
| 4 | | (3) the General Assembly, its committees, or |
| 5 | | commissions. |
| 6 | | "Targeted advertising" means displaying advertisements to |
| 7 | | a consumer in which the advertisement is selected based on |
| 8 | | personal data obtained or inferred from that consumer's |
| 9 | | activities over time and across nonaffiliated websites or |
| 10 | | online applications to predict that consumer's preferences or |
| 11 | | interests. "Targeted advertising" does not include: |
| 12 | | (1) advertisements based on activities within a |
| 13 | | controller's own or affiliated websites or online |
| 14 | | applications; |
| 15 | | (2) advertisements based on the context of a |
| 16 | | consumer's current search query, visit to a website, or |
| 17 | | online application; |
| 18 | | (3) advertisements directed to a consumer in response |
| 19 | | to the consumer's request for information or feedback; or |
| 20 | | (4) processing personal data solely for measuring or |
| 21 | | reporting advertising performance, reach, or frequency. |
| 22 | | "Third party" means a natural or legal person, public |
| 23 | | authority, agency, or body other than the consumer, |
| 24 | | controller, processor, or an affiliate of the processor or the |
| 25 | | controller. |
| 26 | | "Trade secret" has the same meaning as in the Illinois |
|
| | SB3548 | - 9 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Trade Secrets Act.
|
| 2 | | Section 10. Coverage of act. |
| 3 | | (a) This Act applies to persons that conduct business in |
| 4 | | the State or produce products or services that are targeted to |
| 5 | | State residents and that during a calendar year control or |
| 6 | | process personal data of at least: |
| 7 | | (1) 100,000 consumers; or |
| 8 | | (2) 25,000 consumers and derive over 50% of gross |
| 9 | | revenue from the sale of personal data. |
| 10 | | (b) This Act does not apply to any: |
| 11 | | (1) unit of local government, State, or any political |
| 12 | | subdivision of the State; |
| 13 | | (2) financial institution, its affiliate, or data |
| 14 | | subject to Title V of the federal Gramm-Leach-Bliley Act; |
| 15 | | (3) covered entity or business associate governed by |
| 16 | | the privacy, security, and breach notification rules |
| 17 | | issued by the United States Department of Health and Human |
| 18 | | Services, 45 CFR Parts 160 and 164 established under |
| 19 | | HIPAA; |
| 20 | | (4) nonprofit organization; |
| 21 | | (5) institution of higher education; |
| 22 | | (6) law enforcement agency in connection with |
| 23 | | suspected insurance-related criminal or fraudulent acts or |
| 24 | | first responders in connection with catastrophic events; |
| 25 | | or |
|
| | SB3548 | - 10 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (7) public utility as defined in the Public Utilities |
| 2 | | Act; |
| 3 | | (c) The following information and data are exempt from |
| 4 | | this Act: |
| 5 | | (1) protected health information under HIPAA; |
| 6 | | (2) health records; |
| 7 | | (3) patient identifying information for purposes of 42 |
| 8 | | CFR Sec. 2.11; |
| 9 | | (4) identifiable private information for purposes of |
| 10 | | the federal policy for the protection of human subjects |
| 11 | | under 45 CFR Part 46; identifiable private information |
| 12 | | that is otherwise information collected as part of human |
| 13 | | subjects research under the good clinical practice |
| 14 | | guidelines issued by the International Council for |
| 15 | | Harmonisation of Technical Requirements for |
| 16 | | Pharmaceuticals for Human Use; the protection of human |
| 17 | | subjects under 21 CFR Parts 50 and 56, or personal data |
| 18 | | used or shared in research conducted in accordance with |
| 19 | | the requirements set forth in this Act, or other research |
| 20 | | conducted in accordance with applicable law; |
| 21 | | (5) information and documents created for purposes of |
| 22 | | the federal Health Care Quality Improvement Act of 1986; |
| 23 | | (6) patient safety work product for purposes of the |
| 24 | | federal Patient Safety and Quality Improvement Act; |
| 25 | | (7) information derived from any of the health |
| 26 | | care-related information listed in this subsection that is |
|
| | SB3548 | - 11 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | deidentified in accordance with the requirements for |
| 2 | | deidentification under HIPAA; |
| 3 | | (8) information originating from, and intermingled to |
| 4 | | be indistinguishable from, or information treated in the |
| 5 | | same manner as information exempt under this subsection |
| 6 | | that is maintained by a covered entity or business |
| 7 | | associate, or a program or qualified service organization |
| 8 | | as defined by 42 3 CFR Sec. 2.11; |
| 9 | | (9) information used only for public health activities |
| 10 | | and purposes as authorized by HIPAA; |
| 11 | | (10) the collection, maintenance, disclosure, sale, |
| 12 | | communication, or use of any personal information bearing |
| 13 | | on a consumer's creditworthiness, credit standing, credit |
| 14 | | capacity, character, general reputation, personal |
| 15 | | characteristics, or mode of living by a consumer reporting |
| 16 | | agency, furnisher, or user that provides information for |
| 17 | | use in a consumer report, and by a user of a consumer |
| 18 | | report, but only to the extent that the activity is |
| 19 | | regulated by and authorized under the federal Fair Credit |
| 20 | | Reporting Act; |
| 21 | | (11) personal data collected, processed, sold, or |
| 22 | | disclosed in compliance with the federal Driver's Privacy |
| 23 | | Protection Act of 1994; |
| 24 | | (12) personal data regulated by the federal Family |
| 25 | | Educational Rights and Privacy Act; |
| 26 | | (13) personal data collected, processed, sold, or |
|
| | SB3548 | - 12 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | disclosed in compliance with the federal Farm Credit Act; |
| 2 | | (14) data processed or maintained: |
| 3 | | (A) in the course of an individual applying to, |
| 4 | | employed by, or acting as an agent or independent |
| 5 | | contractor of a controller, processor, or third party, |
| 6 | | to the extent that the data is collected and used |
| 7 | | within the context of that role; |
| 8 | | (B) as the emergency contact information of an |
| 9 | | individual used for emergency contact purposes; or |
| 10 | | (C) that is necessary to administer benefits for |
| 11 | | another individual and used for the purposes of |
| 12 | | administering those benefits; |
| 13 | | (15) data processed by a public utility, an affiliate |
| 14 | | of a public utility, or a holding company system organized |
| 15 | | specifically for the purpose of providing goods or |
| 16 | | services to a public utility. For purposes of this |
| 17 | | paragraph, "holding company system" means 2 or more |
| 18 | | affiliated persons, one or more of which is a public |
| 19 | | utility; and |
| 20 | | (16) personal data collected and used for purposes of |
| 21 | | federal policy under the Combat Methamphetamine Epidemic |
| 22 | | Act of 2005. |
| 23 | | (d) Controllers and processors that comply with the |
| 24 | | verifiable parental consent requirements of the Children's |
| 25 | | Online Privacy Protection Act are deemed compliant with any |
| 26 | | obligation to obtain parental consent under this Act.
|
|
| | SB3548 | - 13 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Section 15. Consumer rights and remedies. |
| 2 | | (a) A consumer may invoke the consumer rights authorized |
| 3 | | under this Section at any time by submitting a request to a |
| 4 | | controller, via the means specified by the controller under |
| 5 | | Section 20, specifying the consumer rights the consumer wishes |
| 6 | | to invoke. A child's parent or legal guardian may invoke these |
| 7 | | consumer rights on behalf of the child regarding processing |
| 8 | | personal data belonging to the child. |
| 9 | | (b) A controller shall comply with an authenticated |
| 10 | | consumer request to exercise the right to: |
| 11 | | (1) confirm whether a controller is processing the |
| 12 | | consumer's personal data and to access the personal data, |
| 13 | | unless the confirmation and access would require the |
| 14 | | controller to reveal a trade secret; |
| 15 | | (2) correct inaccuracies in the consumer's personal |
| 16 | | data, taking into account the nature of the personal data |
| 17 | | and the purposes of processing the data; |
| 18 | | (3) delete personal data provided by or obtained about |
| 19 | | the consumer; |
| 20 | | (4) obtain a copy of the consumer's personal data that |
| 21 | | the consumer previously provided to the controller in a |
| 22 | | portable and, to the extent technically practicable, |
| 23 | | readily usable format that allows the consumer to transmit |
| 24 | | the data to another controller without hindrance, if the |
| 25 | | processing is carried out by automated means. The |
|
| | SB3548 | - 14 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | controller may not be required to reveal any trade |
| 2 | | secrets; and |
| 3 | | (5) opt out of the processing of personal data for |
| 4 | | purposes of targeted advertising, the sale of personal |
| 5 | | data, or profiling in furtherance of decisions that |
| 6 | | produce legal or similarly significant effects concerning |
| 7 | | the consumer. |
| 8 | | (c) Except as otherwise provided in this Act, a controller |
| 9 | | shall comply with a request by a consumer to exercise the |
| 10 | | consumer rights under this Section as follows: |
| 11 | | (1) a controller shall respond to the consumer without |
| 12 | | undue delay, but in all cases within 45 days of receipt of |
| 13 | | the request submitted under the methods described in this |
| 14 | | Section. The response period may be extended once by 45 |
| 15 | | additional days if reasonably necessary, taking into |
| 16 | | consideration the complexity and number of the consumer's |
| 17 | | requests, as long as the controller informs the consumer |
| 18 | | of any extension within the initial 45-day response |
| 19 | | period, together with the reason for the extension; |
| 20 | | (2) if a controller declines to take action regarding |
| 21 | | the consumer's request, the controller shall inform the |
| 22 | | consumer without undue delay, but no later than 45 days |
| 23 | | after receipt of the request of the justification for |
| 24 | | declining to take action and instructions on how to appeal |
| 25 | | that decision; |
| 26 | | (3) information provided in response to a consumer |
|
| | SB3548 | - 15 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | request shall be provided by a controller free of charge, |
| 2 | | up to twice annually per consumer. If requests from a |
| 3 | | consumer are excessive, repetitive, technically |
| 4 | | infeasible, or manifestly unfounded, the controller may |
| 5 | | charge the consumer a reasonable fee to cover the |
| 6 | | administrative costs of complying with the request or |
| 7 | | decline to act on the request. The controller bears the |
| 8 | | burden of demonstrating the excessive, repetitive, |
| 9 | | technically infeasible, or manifestly unfounded nature of |
| 10 | | the request; |
| 11 | | (4) if a controller is unable to authenticate the |
| 12 | | request using commercially reasonable efforts, the |
| 13 | | controller is not required to comply with a request to |
| 14 | | initiate an action under this Section and may request that |
| 15 | | the consumer provide additional information reasonably |
| 16 | | necessary to authenticate the consumer and the consumer's |
| 17 | | request; and |
| 18 | | (5) a controller that has obtained personal data about |
| 19 | | a consumer from a source other than the consumer is deemed |
| 20 | | in compliance with a consumer's request to delete such |
| 21 | | data under this Section by: |
| 22 | | (A) retaining a record of the deletion request and |
| 23 | | the minimum data necessary for the purpose of ensuring |
| 24 | | the consumer's personal data remains deleted from the |
| 25 | | business' records and not using the retained data for |
| 26 | | any other purpose under the provisions of this Act; or |
|
| | SB3548 | - 16 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (B) opting the consumer out of the processing of |
| 2 | | the personal data for any other purpose unless |
| 3 | | authorized elsewhere in this Act. |
| 4 | | (d) A controller shall establish a process for a consumer |
| 5 | | to appeal the controller's refusal to take action on a request |
| 6 | | within a reasonable period of time after the consumer's |
| 7 | | receipt of the decision under of this Section. The appeal |
| 8 | | process shall be conspicuously available and similar to the |
| 9 | | process for submitting requests to initiate action under this |
| 10 | | Section. Within 60 days of receipt of an appeal, a controller |
| 11 | | shall inform the consumer in writing of any action taken or not |
| 12 | | taken in response to the appeal, including a written |
| 13 | | explanation of the reasons for the decisions. If the appeal is |
| 14 | | denied, the controller shall also provide the consumer with an |
| 15 | | online mechanism, if available, or other method through which |
| 16 | | the consumer may contact the Attorney General to submit a |
| 17 | | complaint.
|
| 18 | | Section 20. Controller's duties and responsibilities. |
| 19 | | (a) A controller shall: |
| 20 | | (1) limit the collection of personal data to what is |
| 21 | | adequate, relevant, and reasonably necessary in relation |
| 22 | | to the purposes for which the data is processed as |
| 23 | | disclosed to the consumer; |
| 24 | | (2) except as otherwise provided in this Section, not |
| 25 | | process personal data for purposes that are neither |
|
| | SB3548 | - 17 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | reasonably necessary to nor compatible with the disclosed |
| 2 | | purposes for which the personal data is processed as |
| 3 | | disclosed to the consumer, unless the controller obtains |
| 4 | | the consumer's consent; |
| 5 | | (3) establish, implement, and maintain reasonable |
| 6 | | administrative, technical, and physical data security |
| 7 | | practices to protect the confidentiality, integrity, and |
| 8 | | accessibility of personal data. The data security |
| 9 | | practices shall be appropriate to the volume and nature of |
| 10 | | the personal data at issue; |
| 11 | | (4) not process personal data in violation of State |
| 12 | | and federal laws that prohibit unlawful discrimination |
| 13 | | against consumers. A controller shall not discriminate |
| 14 | | against a consumer for exercising any of the consumer |
| 15 | | rights contained this Act, including denying goods or |
| 16 | | services, charging different prices or rates for goods or |
| 17 | | services, or providing a different level of quality of |
| 18 | | goods and services to the consumer. Nothing in this |
| 19 | | paragraph may be construed to require a controller to |
| 20 | | provide a product or service that requires the personal |
| 21 | | data of a consumer that the controller does not collect or |
| 22 | | maintain or to prohibit a controller from offering a |
| 23 | | different price, rate, level, quality, or selection of |
| 24 | | goods or services to a consumer, including offering goods |
| 25 | | or services for no fee, if the offer is related to a |
| 26 | | consumer's voluntary participation in a bona fide loyalty, |
|
| | SB3548 | - 18 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | rewards, premium features, discounts, or club card |
| 2 | | program; and |
| 3 | | (5) not process sensitive data concerning a consumer |
| 4 | | without obtaining the consumer's consent, or, in the case |
| 5 | | of the processing of sensitive data collected from a known |
| 6 | | child, process the data in accordance with the federal |
| 7 | | Children's Online Privacy Protection Act. |
| 8 | | (b) Any provision of a contract or agreement of any kind |
| 9 | | that purports to waive or limit in any way consumer rights |
| 10 | | under this Act is deemed contrary to public policy and is void |
| 11 | | and unenforceable. |
| 12 | | (c) Controllers shall provide consumers with a reasonably |
| 13 | | accessible, clear, and meaningful privacy notice that |
| 14 | | includes: |
| 15 | | (1) the categories of personal data processed by the |
| 16 | | controller; |
| 17 | | (2) the purpose for processing personal data; |
| 18 | | (3) how consumers may exercise their consumer rights |
| 19 | | under this Act, including how a consumer may appeal a |
| 20 | | controller's decision regarding a consumer's request; |
| 21 | | (4) the categories of personal data that the |
| 22 | | controller shares with third parties, if any; and |
| 23 | | (5) the categories of third parties, if any, with whom |
| 24 | | the controller shares personal data. |
| 25 | | (d) If a controller sells personal data to third parties |
| 26 | | or processes personal data for targeted advertising, the |
|
| | SB3548 | - 19 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | controller shall clearly and conspicuously disclose such |
| 2 | | activity, as well as the manner in which a consumer may |
| 3 | | exercise the right to opt out of processing. |
| 4 | | (e) A controller shall establish, and shall describe in a |
| 5 | | privacy notice, one or more secure and reliable means for |
| 6 | | consumers to submit a request to exercise their consumer |
| 7 | | rights under this Act. The different ways to submit a request |
| 8 | | by a consumer must consider the ways in which consumers |
| 9 | | normally interact with the controller, the need for secure and |
| 10 | | reliable communication of the requests, and the ability of the |
| 11 | | controller to authenticate the identity of the consumer making |
| 12 | | the request. Controllers may not require a consumer to create |
| 13 | | a new account to exercise consumer rights under this Act but |
| 14 | | may require a consumer to use an existing account.
|
| 15 | | Section 25. Processor duties and responsibilities. |
| 16 | | (a) A processor shall adhere to the instructions of a |
| 17 | | controller and shall assist the controller in meeting its |
| 18 | | obligations under this Act. This assistance shall include: |
| 19 | | (1) supporting the controller's obligation to respond |
| 20 | | to consumer rights requests under this Act by taking into |
| 21 | | account the nature of processing and the information |
| 22 | | available to the processor using appropriate technical and |
| 23 | | organizational measures as reasonably practicable; |
| 24 | | (2) assisting the controller in meeting the |
| 25 | | controller's obligations for the security of processing |
|
| | SB3548 | - 20 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | the personal data and for the notification of a breach of |
| 2 | | the security of the system of the processor under |
| 3 | | applicable State law by taking into account the nature of |
| 4 | | processing and the information available to the processor; |
| 5 | | and |
| 6 | | (3) providing necessary information to enable the |
| 7 | | controller to conduct and document data protection |
| 8 | | assessments under this Act. |
| 9 | | (b) A contract between a controller and a processor |
| 10 | | governs the processor's data processing procedures for |
| 11 | | processing performed on behalf of the controller. The contract |
| 12 | | shall be binding and shall clearly set forth instructions for |
| 13 | | processing personal data, the nature and purpose of |
| 14 | | processing, the type of data subject to processing, the |
| 15 | | duration of processing, and the rights and obligations of both |
| 16 | | parties. The contract shall also include requirements that the |
| 17 | | processor shall: |
| 18 | | (1) ensure that each person processing personal data |
| 19 | | is subject to a duty of confidentiality with respect to |
| 20 | | the data; |
| 21 | | (2) at the controller's direction, delete or return |
| 22 | | all personal data to the controller as requested at the |
| 23 | | end of the provision of services, unless retention of the |
| 24 | | personal data is required by law; |
| 25 | | (3) upon the reasonable request of the controller, |
| 26 | | make available to the controller all information in its |
|
| | SB3548 | - 21 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | possession necessary to demonstrate the processor's |
| 2 | | compliance with the obligations in this Act; |
| 3 | | (4) allow and cooperate with reasonable assessments by |
| 4 | | the controller or the controller's designated assessor. |
| 5 | | Alternatively, the processor may arrange for a qualified |
| 6 | | and independent assessor to conduct an assessment of the |
| 7 | | processor's policies and technical and organizational |
| 8 | | measures in support of the obligations in this Act using |
| 9 | | an appropriate and accepted control standard or framework |
| 10 | | and assessment procedure for assessments. The processor |
| 11 | | shall provide a report of the assessment to the controller |
| 12 | | upon request; and |
| 13 | | (5) engage any subcontractor under a written contract |
| 14 | | under this Section that requires the subcontractor to meet |
| 15 | | the obligations of the processor for personal data. |
| 16 | | (c) Nothing in this Section may be construed to relieve a |
| 17 | | controller or processor from the liabilities imposed on it by |
| 18 | | virtue of its role in a processing relationship as required |
| 19 | | under this Act. |
| 20 | | (d) Determining whether a person is acting as a controller |
| 21 | | or processor for a specific processing of data is a fact-based |
| 22 | | determination that depends upon the context in which personal |
| 23 | | data is to be processed. A processor that continues to adhere |
| 24 | | to a controller's instructions for a specific processing of |
| 25 | | personal data remains a processor.
|
|
| | SB3548 | - 22 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Section 30. Required data protection impact assessment. |
| 2 | | (a) Controllers shall conduct and document a data |
| 3 | | protection impact assessment of each of the following |
| 4 | | processing activities involving personal data: |
| 5 | | (1) the processing of personal data for the purposes |
| 6 | | of targeted advertising; |
| 7 | | (2) the processing of personal data for the purposes |
| 8 | | of selling of personal data; |
| 9 | | (3) the processing of personal data for the purposes |
| 10 | | of profiling, if the profiling presents a reasonably |
| 11 | | foreseeable risk of: |
| 12 | | (A) unfair or deceptive treatment of consumers or |
| 13 | | disparate impact on consumers; |
| 14 | | (B) financial, physical, or reputational injury to |
| 15 | | consumers; |
| 16 | | (C) a physical or other intrusion upon consumers' |
| 17 | | solitude or seclusion or their private affairs or |
| 18 | | concerns if an intrusion would be offensive to a |
| 19 | | reasonable person; or |
| 20 | | (D) other substantial injury to consumers; |
| 21 | | (4) the processing of sensitive data; and |
| 22 | | (5) any processing of personal data that presents a |
| 23 | | heightened risk of harm to consumers. |
| 24 | | (b) Data protection impact assessments conducted under |
| 25 | | this Section shall identify and weigh the benefits that may |
| 26 | | flow, directly and indirectly, from the processing, to the |
|
| | SB3548 | - 23 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | controller, the consumer, other stakeholders, and the public |
| 2 | | against the potential risks to the rights of the consumer |
| 3 | | associated with such processing, as mitigated by safeguards |
| 4 | | that can be employed by the controller to reduce the risk. The |
| 5 | | use of deidentified data and the reasonable expectations of |
| 6 | | consumers, as well as the context of the processing of |
| 7 | | personal data and the relationship between the controller and |
| 8 | | the consumer whose personal data will be processed, shall be |
| 9 | | factored into this assessment by the controller. |
| 10 | | (c) The Attorney General may request that a controller |
| 11 | | disclose any data protection impact assessment that is |
| 12 | | relevant to an investigation conducted by the Attorney |
| 13 | | General, and the controller shall make the data protection |
| 14 | | impact assessment available to the Attorney General. The |
| 15 | | Attorney General may evaluate the data protection impact |
| 16 | | assessments for compliance with the requirements of this Act. |
| 17 | | (d) Data protection impact assessments are confidential |
| 18 | | and exempt from disclosure, public inspection, and copying |
| 19 | | under the Freedom of Information Act. |
| 20 | | (e) The disclosure of a data protection impact assessment |
| 21 | | under a request from the Attorney General under this Section |
| 22 | | does not constitute a waiver of the attorney-client privilege |
| 23 | | or work product protection of the assessment and any |
| 24 | | information contained in the assessment. |
| 25 | | (f) A single data protection assessment may address a |
| 26 | | comparable set of processing operations that include similar |
|
| | SB3548 | - 24 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | activities. |
| 2 | | (g) Data protection assessments conducted by a controller |
| 3 | | for the purpose of compliance with other laws or regulations |
| 4 | | may comply under this Section if the assessments have a |
| 5 | | reasonably comparable scope and effect. |
| 6 | | (h) Data protection assessment requirements apply to |
| 7 | | processing activities created or generated on or after June 1, |
| 8 | | 2027.
|
| 9 | | Section 35. Controller in possession of de-identified |
| 10 | | data. |
| 11 | | (a) The controller in possession of deidentified data |
| 12 | | shall: |
| 13 | | (1) take reasonable measures to ensure the data cannot |
| 14 | | be associated with a natural person; |
| 15 | | (2) publicly commit to maintaining and using |
| 16 | | deidentified data without attempting to reidentify the |
| 17 | | data; and |
| 18 | | (3) contractually obligate any recipients of the |
| 19 | | deidentified data to comply with this Act. |
| 20 | | (b) Nothing in this Act may be construed to require a |
| 21 | | controller or processor to: |
| 22 | | (1) reidentify deidentified data or pseudonymous data; |
| 23 | | or |
| 24 | | (2) maintain data in identifiable form or collect, |
| 25 | | obtain, retain, or access any data or technology to be |
|
| | SB3548 | - 25 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | capable of associating an authenticated consumer request |
| 2 | | with personal data. |
| 3 | | (c) Nothing in this Act may be construed to require a |
| 4 | | controller or processor to comply with an authenticated |
| 5 | | consumer rights request under Section 15 if: |
| 6 | | (1) the controller is not reasonably capable of |
| 7 | | associating the request with the personal data or it would |
| 8 | | be unreasonably burdensome for the controller to associate |
| 9 | | the request with the personal data; |
| 10 | | (2) the controller does not use the personal data to |
| 11 | | recognize or respond to the specific consumer who is the |
| 12 | | subject of the personal data, or associate the personal |
| 13 | | data with other personal data about the same specific |
| 14 | | consumer; and |
| 15 | | (3) the controller does not sell the personal data to |
| 16 | | any third party or otherwise voluntarily disclose the |
| 17 | | personal data to any third party other than a processor, |
| 18 | | except as otherwise permitted in this Section. |
| 19 | | (d) The consumer rights contained in this Act do not apply |
| 20 | | to pseudonymous data in cases in which the controller is able |
| 21 | | to demonstrate any information necessary to identify the |
| 22 | | consumer is kept separately and is subject to appropriate |
| 23 | | technical and organizational measures to ensure that the |
| 24 | | personal data is not attributed to an identified or |
| 25 | | identifiable natural person. |
| 26 | | (e) A controller that discloses pseudonymous data or |
|
| | SB3548 | - 26 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | de-identified data shall exercise reasonable oversight to |
| 2 | | monitor compliance with any contractual commitments to which |
| 3 | | the pseudonymous data or deidentified data is subject and take |
| 4 | | appropriate steps to address any breaches of those contractual |
| 5 | | commitments.
|
| 6 | | Section 40. Exceptions for controllers and processors. |
| 7 | | (a) Nothing in this Act may be construed to restrict a |
| 8 | | controller's or processor's ability to: |
| 9 | | (1) comply with federal, State, or local laws or |
| 10 | | regulations; |
| 11 | | (2) comply with a civil, criminal, or regulatory |
| 12 | | inquiry, investigation, subpoena, or summons by federal, |
| 13 | | State, local, or other governmental authorities; |
| 14 | | (3) cooperate with law enforcement agencies concerning |
| 15 | | conduct or activity that the controller or processor |
| 16 | | reasonably and in good faith believes may violate federal, |
| 17 | | State, or local laws, rules, or regulations; |
| 18 | | (4) investigate, establish, exercise, prepare for, or |
| 19 | | defend legal claims; |
| 20 | | (5) provide a product or service specifically |
| 21 | | requested by a consumer or a parent or guardian of a known |
| 22 | | child; |
| 23 | | (6) perform a contract to which the consumer or parent |
| 24 | | or guardian of a known child is a party, including |
| 25 | | fulfilling the terms of a written warranty; |
|
| | SB3548 | - 27 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (7) take steps at the request of the consumer or |
| 2 | | parent or guardian of a known child before entering into a |
| 3 | | contract; |
| 4 | | (8) take immediate steps to protect an interest that |
| 5 | | is essential for the life or physical safety of the |
| 6 | | consumer or of another natural person; |
| 7 | | (9) prevent, detect, protect against, or respond to |
| 8 | | security incidents, identity theft, fraud, harassment, |
| 9 | | malicious or deceptive activities, or any illegal |
| 10 | | activity; preserve the integrity or security of systems; |
| 11 | | or investigate, report, or prosecute those responsible for |
| 12 | | any such action; |
| 13 | | (10) engage in public or peer-reviewed scientific or |
| 14 | | statistical research in the public interest that adheres |
| 15 | | to all other applicable ethics and privacy laws and is |
| 16 | | approved, monitored, and governed by an institutional |
| 17 | | review board or similar independent oversight entities |
| 18 | | that determine: |
| 19 | | (A) if the deletion of the information is likely |
| 20 | | to provide substantial benefits that do not |
| 21 | | exclusively accrue to the controller; |
| 22 | | (B) the expected benefits of the research outweigh |
| 23 | | the privacy risks; and |
| 24 | | (C) if the controller has implemented reasonable |
| 25 | | safeguards to mitigate privacy risks associated with |
| 26 | | research, including any risks associated with |
|
| | SB3548 | - 28 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | reidentification; or |
| 2 | | (11) assist another controller, processor, or third |
| 3 | | party with any of the obligations under this Section. |
| 4 | | (b) The obligations imposed on controllers or processors |
| 5 | | under this Act do not restrict a controller's or processor's |
| 6 | | ability to collect, use, or retain data to: |
| 7 | | (1) conduct internal research to develop, improve, or |
| 8 | | repair products, services, or technology; |
| 9 | | (2) effectuate a product recall; |
| 10 | | (3) identify and repair technical errors that impair |
| 11 | | existing or intended functionality; or |
| 12 | | (4) perform internal operations that are reasonably |
| 13 | | aligned with the expectations of the consumer or |
| 14 | | reasonably anticipated based on the consumer's existing |
| 15 | | relationship with the controller or are otherwise |
| 16 | | compatible with processing data in furtherance of the |
| 17 | | provision of a product or service specifically requested |
| 18 | | by a consumer or a parent or guardian of a known child or |
| 19 | | the performance of a contract to which the consumer or a |
| 20 | | parent or guardian of a known child is a party. |
| 21 | | (c) The obligations imposed on controllers or processors |
| 22 | | under this Act do not apply to a controller or processor if |
| 23 | | compliance would violate an evidentiary privilege under State |
| 24 | | law. Nothing in this Act may be construed to prevent a |
| 25 | | controller or processor from providing personal data |
| 26 | | concerning a consumer to a person covered by an evidentiary |
|
| | SB3548 | - 29 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | privilege under State laws as part of a privileged |
| 2 | | communication. |
| 3 | | (d) A controller or processor that discloses personal data |
| 4 | | to a third-party controller or processor, in compliance with |
| 5 | | the requirements of this Act, is not in violation of this Act |
| 6 | | if the third-party controller or processor that receives and |
| 7 | | processes such personal data is in violation of this Act; |
| 8 | | provided that, at the time of disclosing the personal data, |
| 9 | | the disclosing controller or processor did not have actual |
| 10 | | knowledge that the recipient intended to commit a violation. A |
| 11 | | third-party controller or processor receiving personal data |
| 12 | | from a controller or processor in compliance with the |
| 13 | | requirements of this Act is also not in violation of this Act |
| 14 | | for the transgressions of the controller or processor from |
| 15 | | which it receives such personal data. |
| 16 | | (e) Nothing in this Act may be construed as an obligation |
| 17 | | imposed on controllers and processors that adversely affects |
| 18 | | the privacy or other rights or freedoms of any persons, |
| 19 | | including, but not limited to, the right of free speech under |
| 20 | | the First Amendment to the United States Constitution or |
| 21 | | applies to the processing of personal data by a person in the |
| 22 | | course of a purely personal or household activity. |
| 23 | | (f) Personal data processed by a controller under this |
| 24 | | Section may not be processed for any purpose other than those |
| 25 | | expressly listed unless otherwise allowed by this Act. |
| 26 | | Personal data processed by a controller under this Section may |
|
| | SB3548 | - 30 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | be processed to the extent that such processing is: |
| 2 | | (1) reasonably necessary and proportionate to the |
| 3 | | purposes listed in this Section; and |
| 4 | | (2) adequate, relevant, and limited to what is |
| 5 | | necessary for the specific purposes listed in this |
| 6 | | Section. Personal data collected, used, or retained under |
| 7 | | this Section shall, if applicable, take into account the |
| 8 | | nature and purpose or purposes of such collection, use, or |
| 9 | | retention. The data shall be subject to reasonable |
| 10 | | administrative, technical, and physical measures to |
| 11 | | protect the confidentiality, integrity, and accessibility |
| 12 | | of personal data and to reduce reasonably foreseeable |
| 13 | | risks of harm to consumers relating to the collection, |
| 14 | | use, or retention of personal data. |
| 15 | | (g) If a controller processes personal data under an |
| 16 | | exemption in this Section, the controller bears the burden of |
| 17 | | demonstrating that the processing qualifies for the exemption |
| 18 | | and complies with the requirements in this Section. |
| 19 | | (h) Processing personal data for the purposes expressly |
| 20 | | identified in this Section does not by itself make an entity a |
| 21 | | controller with respect to such processing.
|
| 22 | | Section 45. Enforcement by the Attorney General. |
| 23 | | (a) The Attorney General has exclusive authority to |
| 24 | | enforce violations of this Act. The Attorney General may |
| 25 | | enforce this Act by bringing an action in the name of the State |
|
| | SB3548 | - 31 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | of Illinois on behalf of persons residing in this State. The |
| 2 | | Attorney General has all powers and duties granted to the |
| 3 | | Attorney General under State law to investigate and prosecute |
| 4 | | any violation of this Act. The Attorney General may demand any |
| 5 | | information, documents, or physical evidence from any |
| 6 | | controller or processor believed to be engaged in, or about to |
| 7 | | engage in, any violation of this Act. |
| 8 | | (b) Before initiating any action for a violation of this |
| 9 | | Act, the Attorney General shall provide a controller or |
| 10 | | processor 30 days' written notice identifying the specific |
| 11 | | provisions of this Act that the Attorney General alleges have |
| 12 | | been or are being violated. If within the 30 days the |
| 13 | | controller or processor cures the noticed violation and |
| 14 | | provides the Attorney General an express written statement |
| 15 | | that the alleged violations have been cured and that no |
| 16 | | further violations will occur, no action for damages under |
| 17 | | this Section may be initiated against the controller or |
| 18 | | processor. |
| 19 | | (c) If a controller or processor continues to violate this |
| 20 | | Act following the cure period under this Section or breaches |
| 21 | | an express written statement provided to the Attorney General |
| 22 | | under this Section, the Attorney General may initiate an |
| 23 | | action and seek damages for up to $7,500 for each continued |
| 24 | | violation under this Act. |
| 25 | | (d) Nothing in this Act or any other law, regulation, or |
| 26 | | the equivalent may be construed as providing the basis for, or |
|
| | SB3548 | - 32 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | give rise to, a private right of action for violations of this |
| 2 | | Act. |
| 3 | | (e) The Attorney General may recover reasonable expenses |
| 4 | | incurred in investigating and preparing the case, court costs, |
| 5 | | attorney's fees, and any other relief ordered by the court of |
| 6 | | any action initiated under this Act.
|
| 7 | | Section 50. Consumer Privacy Fund. This Act hereby creates |
| 8 | | the Consumer Privacy Fund. The Fund shall be administered by |
| 9 | | the Office of the Attorney General. All civil penalties |
| 10 | | collected under this Act shall be deposited into the Fund. |
| 11 | | Interest earned on moneys in the Fund accrue to the Fund. |
| 12 | | Moneys in the fund shall be used by the Office of the Attorney |
| 13 | | General to enforce this Act.
|
| 14 | | Section 900. The Freedom of Information Act is amended by |
| 15 | | changing Section 7 as follows:
|
| 16 | | (5 ILCS 140/7) |
| 17 | | (Text of Section before amendment by P.A. 104-300) |
| 18 | | Sec. 7. Exemptions. |
| 19 | | (1) When a request is made to inspect or copy a public |
| 20 | | record that contains information that is exempt from |
| 21 | | disclosure under this Section, but also contains information |
| 22 | | that is not exempt from disclosure, the public body may elect |
| 23 | | to redact the information that is exempt. The public body |
|
| | SB3548 | - 33 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | shall make the remaining information available for inspection |
| 2 | | and copying. Subject to this requirement, the following shall |
| 3 | | be exempt from inspection and copying: |
| 4 | | (a) Information specifically prohibited from |
| 5 | | disclosure by federal or State law or rules and |
| 6 | | regulations implementing federal or State law. |
| 7 | | (b) Private information, unless disclosure is required |
| 8 | | by another provision of this Act, a State or federal law, |
| 9 | | or a court order. |
| 10 | | (b-5) Files, documents, and other data or databases |
| 11 | | maintained by one or more law enforcement agencies and |
| 12 | | specifically designed to provide information to one or |
| 13 | | more law enforcement agencies regarding the physical or |
| 14 | | mental status of one or more individual subjects. |
| 15 | | (c) Personal information contained within public |
| 16 | | records, the disclosure of which would constitute a |
| 17 | | clearly unwarranted invasion of personal privacy, unless |
| 18 | | the disclosure is consented to in writing by the |
| 19 | | individual subjects of the information. "Unwarranted |
| 20 | | invasion of personal privacy" means the disclosure of |
| 21 | | information that is highly personal or objectionable to a |
| 22 | | reasonable person and in which the subject's right to |
| 23 | | privacy outweighs any legitimate public interest in |
| 24 | | obtaining the information. The disclosure of information |
| 25 | | that bears on the public duties of public employees and |
| 26 | | officials shall not be considered an invasion of personal |
|
| | SB3548 | - 34 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | privacy. |
| 2 | | (d) Records in the possession of any public body |
| 3 | | created in the course of administrative enforcement |
| 4 | | proceedings, and any law enforcement or correctional |
| 5 | | agency for law enforcement purposes, but only to the |
| 6 | | extent that disclosure would: |
| 7 | | (i) interfere with pending or actually and |
| 8 | | reasonably contemplated law enforcement proceedings |
| 9 | | conducted by any law enforcement or correctional |
| 10 | | agency that is the recipient of the request; |
| 11 | | (ii) interfere with active administrative |
| 12 | | enforcement proceedings conducted by the public body |
| 13 | | that is the recipient of the request; |
| 14 | | (iii) create a substantial likelihood that a |
| 15 | | person will be deprived of a fair trial or an impartial |
| 16 | | hearing; |
| 17 | | (iv) unavoidably disclose the identity of a |
| 18 | | confidential source, confidential information |
| 19 | | furnished only by the confidential source, or persons |
| 20 | | who file complaints with or provide information to |
| 21 | | administrative, investigative, law enforcement, or |
| 22 | | penal agencies; except that the identities of |
| 23 | | witnesses to traffic crashes, traffic crash reports, |
| 24 | | and rescue reports shall be provided by agencies of |
| 25 | | local government, except when disclosure would |
| 26 | | interfere with an active criminal investigation |
|
| | SB3548 | - 35 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | conducted by the agency that is the recipient of the |
| 2 | | request; |
| 3 | | (v) disclose unique or specialized investigative |
| 4 | | techniques other than those generally used and known |
| 5 | | or disclose internal documents of correctional |
| 6 | | agencies related to detection, observation, or |
| 7 | | investigation of incidents of crime or misconduct, and |
| 8 | | disclosure would result in demonstrable harm to the |
| 9 | | agency or public body that is the recipient of the |
| 10 | | request; |
| 11 | | (vi) endanger the life or physical safety of law |
| 12 | | enforcement personnel or any other person; or |
| 13 | | (vii) obstruct an ongoing criminal investigation |
| 14 | | by the agency that is the recipient of the request. |
| 15 | | (d-5) A law enforcement record created for law |
| 16 | | enforcement purposes and contained in a shared electronic |
| 17 | | record management system if the law enforcement agency or |
| 18 | | criminal justice agency that is the recipient of the |
| 19 | | request did not create the record, did not participate in |
| 20 | | or have a role in any of the events which are the subject |
| 21 | | of the record, and only has access to the record through |
| 22 | | the shared electronic record management system. As used in |
| 23 | | this subsection (d-5), "criminal justice agency" means the |
| 24 | | Illinois Criminal Justice Information Authority or the |
| 25 | | Illinois Sentencing Policy Advisory Council. |
| 26 | | (d-6) Records contained in the Officer Professional |
|
| | SB3548 | - 36 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Conduct Database under Section 9.2 of the Illinois Police |
| 2 | | Training Act, except to the extent authorized under that |
| 3 | | Section. This includes the documents supplied to the |
| 4 | | Illinois Law Enforcement Training Standards Board from the |
| 5 | | Illinois State Police and Illinois State Police Merit |
| 6 | | Board. |
| 7 | | (d-7) Information gathered or records created from the |
| 8 | | use of automatic license plate readers in connection with |
| 9 | | Section 2-130 of the Illinois Vehicle Code. |
| 10 | | (e) Records that relate to or affect the security of |
| 11 | | correctional institutions and detention facilities. |
| 12 | | (e-5) Records requested by persons committed to the |
| 13 | | Department of Corrections, Department of Human Services |
| 14 | | Division of Mental Health, or a county jail if those |
| 15 | | materials are available in the library of the correctional |
| 16 | | institution or facility or jail where the inmate is |
| 17 | | confined. |
| 18 | | (e-6) Records requested by persons committed to the |
| 19 | | Department of Corrections, Department of Human Services |
| 20 | | Division of Mental Health, or a county jail if those |
| 21 | | materials include records from staff members' personnel |
| 22 | | files, staff rosters, or other staffing assignment |
| 23 | | information. |
| 24 | | (e-7) Records requested by persons committed to the |
| 25 | | Department of Corrections or Department of Human Services |
| 26 | | Division of Mental Health if those materials are available |
|
| | SB3548 | - 37 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | through an administrative request to the Department of |
| 2 | | Corrections or Department of Human Services Division of |
| 3 | | Mental Health. |
| 4 | | (e-8) Records requested by a person committed to the |
| 5 | | Department of Corrections, Department of Human Services |
| 6 | | Division of Mental Health, or a county jail, the |
| 7 | | disclosure of which would result in the risk of harm to any |
| 8 | | person or the risk of an escape from a jail or correctional |
| 9 | | institution or facility. |
| 10 | | (e-9) Records requested by a person in a county jail |
| 11 | | or committed to the Department of Corrections or |
| 12 | | Department of Human Services Division of Mental Health, |
| 13 | | containing personal information pertaining to the person's |
| 14 | | victim or the victim's family, including, but not limited |
| 15 | | to, a victim's home address, home telephone number, work |
| 16 | | or school address, work telephone number, social security |
| 17 | | number, or any other identifying information, except as |
| 18 | | may be relevant to a requester's current or potential case |
| 19 | | or claim. |
| 20 | | (e-10) Law enforcement records of other persons |
| 21 | | requested by a person committed to the Department of |
| 22 | | Corrections, Department of Human Services Division of |
| 23 | | Mental Health, or a county jail, including, but not |
| 24 | | limited to, arrest and booking records, mug shots, and |
| 25 | | crime scene photographs, except as these records may be |
| 26 | | relevant to the requester's current or potential case or |
|
| | SB3548 | - 38 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | claim. |
| 2 | | (f) Preliminary drafts, notes, recommendations, |
| 3 | | memoranda, and other records in which opinions are |
| 4 | | expressed, or policies or actions are formulated, except |
| 5 | | that a specific record or relevant portion of a record |
| 6 | | shall not be exempt when the record is publicly cited and |
| 7 | | identified by the head of the public body. The exemption |
| 8 | | provided in this paragraph (f) extends to all those |
| 9 | | records of officers and agencies of the General Assembly |
| 10 | | that pertain to the preparation of legislative documents. |
| 11 | | (g) Trade secrets and commercial or financial |
| 12 | | information obtained from a person or business where the |
| 13 | | trade secrets or commercial or financial information are |
| 14 | | furnished under a claim that they are proprietary, |
| 15 | | privileged, or confidential, and that disclosure of the |
| 16 | | trade secrets or commercial or financial information would |
| 17 | | cause competitive harm to the person or business, and only |
| 18 | | insofar as the claim directly applies to the records |
| 19 | | requested. |
| 20 | | The information included under this exemption includes |
| 21 | | all trade secrets and commercial or financial information |
| 22 | | obtained by a public body, including a public pension |
| 23 | | fund, from a private equity fund or a privately held |
| 24 | | company within the investment portfolio of a private |
| 25 | | equity fund as a result of either investing or evaluating |
| 26 | | a potential investment of public funds in a private equity |
|
| | SB3548 | - 39 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | fund. The exemption contained in this item does not apply |
| 2 | | to the aggregate financial performance information of a |
| 3 | | private equity fund, nor to the identity of the fund's |
| 4 | | managers or general partners. The exemption contained in |
| 5 | | this item does not apply to the identity of a privately |
| 6 | | held company within the investment portfolio of a private |
| 7 | | equity fund, unless the disclosure of the identity of a |
| 8 | | privately held company may cause competitive harm. |
| 9 | | Nothing contained in this paragraph (g) shall be |
| 10 | | construed to prevent a person or business from consenting |
| 11 | | to disclosure. |
| 12 | | (h) Proposals and bids for any contract, grant, or |
| 13 | | agreement, including information which if it were |
| 14 | | disclosed would frustrate procurement or give an advantage |
| 15 | | to any person proposing to enter into a contractor |
| 16 | | agreement with the body, until an award or final selection |
| 17 | | is made. Information prepared by or for the body in |
| 18 | | preparation of a bid solicitation shall be exempt until an |
| 19 | | award or final selection is made. |
| 20 | | (i) Valuable formulae, computer geographic systems, |
| 21 | | designs, drawings, and research data obtained or produced |
| 22 | | by any public body when disclosure could reasonably be |
| 23 | | expected to produce private gain or public loss. The |
| 24 | | exemption for "computer geographic systems" provided in |
| 25 | | this paragraph (i) does not extend to requests made by |
| 26 | | news media as defined in Section 2 of this Act when the |
|
| | SB3548 | - 40 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | requested information is not otherwise exempt and the only |
| 2 | | purpose of the request is to access and disseminate |
| 3 | | information regarding the health, safety, welfare, or |
| 4 | | legal rights of the general public. |
| 5 | | (j) The following information pertaining to |
| 6 | | educational matters: |
| 7 | | (i) test questions, scoring keys, and other |
| 8 | | examination data used to administer an academic |
| 9 | | examination; |
| 10 | | (ii) information received by a primary or |
| 11 | | secondary school, college, or university under its |
| 12 | | procedures for the evaluation of faculty members by |
| 13 | | their academic peers; |
| 14 | | (iii) information concerning a school or |
| 15 | | university's adjudication of student disciplinary |
| 16 | | cases, but only to the extent that disclosure would |
| 17 | | unavoidably reveal the identity of the student; and |
| 18 | | (iv) course materials or research materials used |
| 19 | | by faculty members. |
| 20 | | (k) Architects' plans, engineers' technical |
| 21 | | submissions, and other construction related technical |
| 22 | | documents for projects not constructed or developed in |
| 23 | | whole or in part with public funds and the same for |
| 24 | | projects constructed or developed with public funds, |
| 25 | | including, but not limited to, power generating and |
| 26 | | distribution stations and other transmission and |
|
| | SB3548 | - 41 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | distribution facilities, water treatment facilities, |
| 2 | | airport facilities, sport stadiums, convention centers, |
| 3 | | and all government owned, operated, or occupied buildings, |
| 4 | | but only to the extent that disclosure would compromise |
| 5 | | security. |
| 6 | | (l) Minutes of meetings of public bodies closed to the |
| 7 | | public as provided in the Open Meetings Act until the |
| 8 | | public body makes the minutes available to the public |
| 9 | | under Section 2.06 of the Open Meetings Act. |
| 10 | | (m) Communications between a public body and an |
| 11 | | attorney or auditor representing the public body that |
| 12 | | would not be subject to discovery in litigation, and |
| 13 | | materials prepared or compiled by or for a public body in |
| 14 | | anticipation of a criminal, civil, or administrative |
| 15 | | proceeding upon the request of an attorney advising the |
| 16 | | public body, and materials prepared or compiled with |
| 17 | | respect to internal audits of public bodies. |
| 18 | | (n) Records relating to a public body's adjudication |
| 19 | | of employee grievances or disciplinary cases; however, |
| 20 | | this exemption shall not extend to the final outcome of |
| 21 | | cases in which discipline is imposed. |
| 22 | | (o) Administrative or technical information associated |
| 23 | | with automated data processing operations, including, but |
| 24 | | not limited to, software, operating protocols, computer |
| 25 | | program abstracts, file layouts, source listings, object |
| 26 | | modules, load modules, user guides, documentation |
|
| | SB3548 | - 42 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | pertaining to all logical and physical design of |
| 2 | | computerized systems, employee manuals, and any other |
| 3 | | information that, if disclosed, would jeopardize the |
| 4 | | security of the system or its data or the security of |
| 5 | | materials exempt under this Section. |
| 6 | | (p) Records relating to collective negotiating matters |
| 7 | | between public bodies and their employees or |
| 8 | | representatives, except that any final contract or |
| 9 | | agreement shall be subject to inspection and copying. |
| 10 | | (q) Test questions, scoring keys, and other |
| 11 | | examination data used to determine the qualifications of |
| 12 | | an applicant for a license or employment. |
| 13 | | (r) The records, documents, and information relating |
| 14 | | to real estate purchase negotiations until those |
| 15 | | negotiations have been completed or otherwise terminated. |
| 16 | | With regard to a parcel involved in a pending or actually |
| 17 | | and reasonably contemplated eminent domain proceeding |
| 18 | | under the Eminent Domain Act, records, documents, and |
| 19 | | information relating to that parcel shall be exempt except |
| 20 | | as may be allowed under discovery rules adopted by the |
| 21 | | Illinois Supreme Court. The records, documents, and |
| 22 | | information relating to a real estate sale shall be exempt |
| 23 | | until a sale is consummated. |
| 24 | | (s) Any and all proprietary information and records |
| 25 | | related to the operation of an intergovernmental risk |
| 26 | | management association or self-insurance pool or jointly |
|
| | SB3548 | - 43 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | self-administered health and accident cooperative or pool. |
| 2 | | Insurance or self-insurance (including any |
| 3 | | intergovernmental risk management association or |
| 4 | | self-insurance pool) claims, loss or risk management |
| 5 | | information, records, data, advice, or communications. |
| 6 | | (t) Information contained in or related to |
| 7 | | examination, operating, or condition reports prepared by, |
| 8 | | on behalf of, or for the use of a public body responsible |
| 9 | | for the regulation or supervision of financial |
| 10 | | institutions, insurance companies, or pharmacy benefit |
| 11 | | managers, unless disclosure is otherwise required by State |
| 12 | | law. |
| 13 | | (u) Information that would disclose or might lead to |
| 14 | | the disclosure of secret or confidential information, |
| 15 | | codes, algorithms, programs, or private keys intended to |
| 16 | | be used to create electronic signatures under the Uniform |
| 17 | | Electronic Transactions Act. |
| 18 | | (v) Vulnerability assessments, security measures, and |
| 19 | | response policies or plans that are designed to identify, |
| 20 | | prevent, or respond to potential attacks upon a |
| 21 | | community's population or systems, facilities, or |
| 22 | | installations, but only to the extent that disclosure |
| 23 | | could reasonably be expected to expose the vulnerability |
| 24 | | or jeopardize the effectiveness of the measures, policies, |
| 25 | | or plans, or the safety of the personnel who implement |
| 26 | | them or the public. Information exempt under this item may |
|
| | SB3548 | - 44 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | include such things as details pertaining to the |
| 2 | | mobilization or deployment of personnel or equipment, to |
| 3 | | the operation of communication systems or protocols, to |
| 4 | | cybersecurity vulnerabilities, or to tactical operations. |
| 5 | | (w) (Blank). |
| 6 | | (x) Maps and other records regarding the location or |
| 7 | | security of generation, transmission, distribution, |
| 8 | | storage, gathering, treatment, or switching facilities |
| 9 | | owned by a utility, by a power generator, or by the |
| 10 | | Illinois Power Agency. |
| 11 | | (y) Information contained in or related to proposals, |
| 12 | | bids, or negotiations related to electric power |
| 13 | | procurement under Section 1-75 of the Illinois Power |
| 14 | | Agency Act and Section 16-111.5 of the Public Utilities |
| 15 | | Act that is determined to be confidential and proprietary |
| 16 | | by the Illinois Power Agency or by the Illinois Commerce |
| 17 | | Commission. |
| 18 | | (z) Information about students exempted from |
| 19 | | disclosure under Section 10-20.38 or 34-18.29 of the |
| 20 | | School Code, and information about undergraduate students |
| 21 | | enrolled at an institution of higher education exempted |
| 22 | | from disclosure under Section 25 of the Illinois Credit |
| 23 | | Card Marketing Act of 2009. |
| 24 | | (aa) Information the disclosure of which is exempted |
| 25 | | under the Viatical Settlements Act of 2009. |
| 26 | | (bb) Records and information provided to a mortality |
|
| | SB3548 | - 45 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | review team and records maintained by a mortality review |
| 2 | | team appointed under the Department of Juvenile Justice |
| 3 | | Mortality Review Team Act. |
| 4 | | (cc) Information regarding interments, entombments, or |
| 5 | | inurnments of human remains that are submitted to the |
| 6 | | Cemetery Oversight Database under the Cemetery Care Act or |
| 7 | | the Cemetery Oversight Act, whichever is applicable. |
| 8 | | (dd) Correspondence and records (i) that may not be |
| 9 | | disclosed under Section 11-9 of the Illinois Public Aid |
| 10 | | Code or (ii) that pertain to appeals under Section 11-8 of |
| 11 | | the Illinois Public Aid Code. |
| 12 | | (ee) The names, addresses, or other personal |
| 13 | | information of persons who are minors and are also |
| 14 | | participants and registrants in programs of park |
| 15 | | districts, forest preserve districts, conservation |
| 16 | | districts, recreation agencies, and special recreation |
| 17 | | associations. |
| 18 | | (ff) The names, addresses, or other personal |
| 19 | | information of participants and registrants in programs of |
| 20 | | park districts, forest preserve districts, conservation |
| 21 | | districts, recreation agencies, and special recreation |
| 22 | | associations where such programs are targeted primarily to |
| 23 | | minors. |
| 24 | | (gg) Confidential information described in Section |
| 25 | | 1-100 of the Illinois Independent Tax Tribunal Act of |
| 26 | | 2012. |
|
| | SB3548 | - 46 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (hh) The report submitted to the State Board of |
| 2 | | Education by the School Security and Standards Task Force |
| 3 | | under item (8) of subsection (d) of Section 2-3.160 of the |
| 4 | | School Code and any information contained in that report. |
| 5 | | (ii) Records requested by persons committed to or |
| 6 | | detained by the Department of Human Services under the |
| 7 | | Sexually Violent Persons Commitment Act or committed to |
| 8 | | the Department of Corrections under the Sexually Dangerous |
| 9 | | Persons Act if those materials: (i) are available in the |
| 10 | | library of the facility where the individual is confined; |
| 11 | | (ii) include records from staff members' personnel files, |
| 12 | | staff rosters, or other staffing assignment information; |
| 13 | | or (iii) are available through an administrative request |
| 14 | | to the Department of Human Services or the Department of |
| 15 | | Corrections. |
| 16 | | (jj) Confidential information described in Section |
| 17 | | 5-535 of the Civil Administrative Code of Illinois. |
| 18 | | (kk) The public body's credit card numbers, debit card |
| 19 | | numbers, bank account numbers, Federal Employer |
| 20 | | Identification Number, security code numbers, passwords, |
| 21 | | and similar account information, the disclosure of which |
| 22 | | could result in identity theft or impression or defrauding |
| 23 | | of a governmental entity or a person. |
| 24 | | (ll) Records concerning the work of the threat |
| 25 | | assessment team of a school district, including, but not |
| 26 | | limited to, any threat assessment procedure under the |
|
| | SB3548 | - 47 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | School Safety Drill Act and any information contained in |
| 2 | | the procedure. |
| 3 | | (mm) Information prohibited from being disclosed under |
| 4 | | subsections (a) and (b) of Section 15 of the Student |
| 5 | | Confidential Reporting Act. |
| 6 | | (nn) Proprietary information submitted to the |
| 7 | | Environmental Protection Agency under the Drug Take-Back |
| 8 | | Act. |
| 9 | | (oo) Records described in subsection (f) of Section |
| 10 | | 3-5-1 of the Unified Code of Corrections. |
| 11 | | (pp) Any and all information regarding burials, |
| 12 | | interments, or entombments of human remains as required to |
| 13 | | be reported to the Department of Natural Resources |
| 14 | | pursuant either to the Archaeological and Paleontological |
| 15 | | Resources Protection Act or the Human Remains Protection |
| 16 | | Act. |
| 17 | | (qq) Reports described in subsection (e) of Section |
| 18 | | 16-15 of the Abortion Care Clinical Training Program Act. |
| 19 | | (rr) Information obtained by a certified local health |
| 20 | | department under the Access to Public Health Data Act. |
| 21 | | (ss) For a request directed to a public body that is |
| 22 | | also a HIPAA-covered entity, all information that is |
| 23 | | protected health information, including demographic |
| 24 | | information, that may be contained within or extracted |
| 25 | | from any record held by the public body in compliance with |
| 26 | | State and federal medical privacy laws and regulations, |
|
| | SB3548 | - 48 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | including, but not limited to, the Health Insurance |
| 2 | | Portability and Accountability Act and its regulations, 45 |
| 3 | | CFR Parts 160 and 164. As used in this paragraph, |
| 4 | | "HIPAA-covered entity" has the meaning given to the term |
| 5 | | "covered entity" in 45 CFR 160.103 and "protected health |
| 6 | | information" has the meaning given to that term in 45 CFR |
| 7 | | 160.103. |
| 8 | | (tt) Proposals or bids submitted by engineering |
| 9 | | consultants in response to requests for proposal or other |
| 10 | | competitive bidding requests by the Department of |
| 11 | | Transportation or the Illinois Toll Highway Authority. |
| 12 | | (uu) Documents that, pursuant to the State of |
| 13 | | Illinois' 1987 Agreement with the U.S. Nuclear Regulatory |
| 14 | | Commission and the corresponding requirement to maintain |
| 15 | | compatibility with the National Materials Program, have |
| 16 | | been determined to be security sensitive. These documents |
| 17 | | include information classified as safeguards, |
| 18 | | safeguards-modified, and sensitive unclassified |
| 19 | | nonsafeguards information, as identified in U.S. Nuclear |
| 20 | | Regulatory Commission regulatory information summaries, |
| 21 | | security advisories, and other applicable communications |
| 22 | | or regulations related to the control and distribution of |
| 23 | | security sensitive information. |
| 24 | | (1.5) Any information exempt from disclosure under the |
| 25 | | Judicial Privacy Act shall be redacted from public records |
| 26 | | prior to disclosure under this Act. |
|
| | SB3548 | - 49 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (1.6) Any information exempt from disclosure under the |
| 2 | | Public Official Safety and Privacy Act shall be redacted from |
| 3 | | public records prior to disclosure under this Act. |
| 4 | | (1.7) Any information exempt from disclosure under |
| 5 | | paragraph (3.5) of Section 9-15 of the Election Code shall be |
| 6 | | redacted from public records prior to disclosure under this |
| 7 | | Act. |
| 8 | | (2) A public record that is not in the possession of a |
| 9 | | public body but is in the possession of a party with whom the |
| 10 | | agency has contracted to perform a governmental function on |
| 11 | | behalf of the public body, and that directly relates to the |
| 12 | | governmental function and is not otherwise exempt under this |
| 13 | | Act, shall be considered a public record of the public body, |
| 14 | | for purposes of this Act. |
| 15 | | (3) This Section does not authorize withholding of |
| 16 | | information or limit the availability of records to the |
| 17 | | public, except as stated in this Section or otherwise provided |
| 18 | | in this Act. |
| 19 | | (Source: P.A. 103-154, eff. 6-30-23; 103-423, eff. 1-1-24; |
| 20 | | 103-446, eff. 8-4-23; 103-462, eff. 8-4-23; 103-540, eff. |
| 21 | | 1-1-24; 103-554, eff. 1-1-24; 103-605, eff. 7-1-24; 103-865, |
| 22 | | eff. 1-1-25; 104-438, eff. 1-1-26; 104-443, eff. 1-1-26; |
| 23 | | revised 1-7-26.)
|
| 24 | | (Text of Section after amendment by P.A. 104-300) |
| 25 | | Sec. 7. Exemptions. |
|
| | SB3548 | - 50 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (1) When a request is made to inspect or copy a public |
| 2 | | record that contains information that is exempt from |
| 3 | | disclosure under this Section, but also contains information |
| 4 | | that is not exempt from disclosure, the public body may elect |
| 5 | | to redact the information that is exempt. The public body |
| 6 | | shall make the remaining information available for inspection |
| 7 | | and copying. Subject to this requirement, the following shall |
| 8 | | be exempt from inspection and copying: |
| 9 | | (a) Records created or compiled by a State public |
| 10 | | defender agency or commission subject to the State Public |
| 11 | | Defender Act that contain: individual client identity; |
| 12 | | individual case file information; individual investigation |
| 13 | | records and other records that are otherwise subject to |
| 14 | | attorney-client privilege; records that would not be |
| 15 | | discoverable in litigation; records under Section 2.15; |
| 16 | | training materials; records related to attorney |
| 17 | | consultation and representation strategy; or any of the |
| 18 | | above concerning clients of county public defenders or |
| 19 | | other defender agencies and firms. This exclusion does not |
| 20 | | apply to deidentified, aggregated, administrative records, |
| 21 | | such as general case processing and workload information. |
| 22 | | (a-5) Information specifically prohibited from |
| 23 | | disclosure by federal or State law or rules and |
| 24 | | regulations implementing federal or State law. |
| 25 | | (b) Private information, unless disclosure is required |
| 26 | | by another provision of this Act, a State or federal law, |
|
| | SB3548 | - 51 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | or a court order. |
| 2 | | (b-5) Files, documents, and other data or databases |
| 3 | | maintained by one or more law enforcement agencies and |
| 4 | | specifically designed to provide information to one or |
| 5 | | more law enforcement agencies regarding the physical or |
| 6 | | mental status of one or more individual subjects. |
| 7 | | (c) Personal information contained within public |
| 8 | | records, the disclosure of which would constitute a |
| 9 | | clearly unwarranted invasion of personal privacy, unless |
| 10 | | the disclosure is consented to in writing by the |
| 11 | | individual subjects of the information. "Unwarranted |
| 12 | | invasion of personal privacy" means the disclosure of |
| 13 | | information that is highly personal or objectionable to a |
| 14 | | reasonable person and in which the subject's right to |
| 15 | | privacy outweighs any legitimate public interest in |
| 16 | | obtaining the information. The disclosure of information |
| 17 | | that bears on the public duties of public employees and |
| 18 | | officials shall not be considered an invasion of personal |
| 19 | | privacy. |
| 20 | | (d) Records in the possession of any public body |
| 21 | | created in the course of administrative enforcement |
| 22 | | proceedings, and any law enforcement or correctional |
| 23 | | agency for law enforcement purposes, but only to the |
| 24 | | extent that disclosure would: |
| 25 | | (i) interfere with pending or actually and |
| 26 | | reasonably contemplated law enforcement proceedings |
|
| | SB3548 | - 52 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | conducted by any law enforcement or correctional |
| 2 | | agency that is the recipient of the request; |
| 3 | | (ii) interfere with active administrative |
| 4 | | enforcement proceedings conducted by the public body |
| 5 | | that is the recipient of the request; |
| 6 | | (iii) create a substantial likelihood that a |
| 7 | | person will be deprived of a fair trial or an impartial |
| 8 | | hearing; |
| 9 | | (iv) unavoidably disclose the identity of a |
| 10 | | confidential source, confidential information |
| 11 | | furnished only by the confidential source, or persons |
| 12 | | who file complaints with or provide information to |
| 13 | | administrative, investigative, law enforcement, or |
| 14 | | penal agencies; except that the identities of |
| 15 | | witnesses to traffic crashes, traffic crash reports, |
| 16 | | and rescue reports shall be provided by agencies of |
| 17 | | local government, except when disclosure would |
| 18 | | interfere with an active criminal investigation |
| 19 | | conducted by the agency that is the recipient of the |
| 20 | | request; |
| 21 | | (v) disclose unique or specialized investigative |
| 22 | | techniques other than those generally used and known |
| 23 | | or disclose internal documents of correctional |
| 24 | | agencies related to detection, observation, or |
| 25 | | investigation of incidents of crime or misconduct, and |
| 26 | | disclosure would result in demonstrable harm to the |
|
| | SB3548 | - 53 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | agency or public body that is the recipient of the |
| 2 | | request; |
| 3 | | (vi) endanger the life or physical safety of law |
| 4 | | enforcement personnel or any other person; or |
| 5 | | (vii) obstruct an ongoing criminal investigation |
| 6 | | by the agency that is the recipient of the request. |
| 7 | | (d-5) A law enforcement record created for law |
| 8 | | enforcement purposes and contained in a shared electronic |
| 9 | | record management system if the law enforcement agency or |
| 10 | | criminal justice agency that is the recipient of the |
| 11 | | request did not create the record, did not participate in |
| 12 | | or have a role in any of the events which are the subject |
| 13 | | of the record, and only has access to the record through |
| 14 | | the shared electronic record management system. As used in |
| 15 | | this subsection (d-5), "criminal justice agency" means the |
| 16 | | Illinois Criminal Justice Information Authority or the |
| 17 | | Illinois Sentencing Policy Advisory Council. |
| 18 | | (d-6) Records contained in the Officer Professional |
| 19 | | Conduct Database under Section 9.2 of the Illinois Police |
| 20 | | Training Act, except to the extent authorized under that |
| 21 | | Section. This includes the documents supplied to the |
| 22 | | Illinois Law Enforcement Training Standards Board from the |
| 23 | | Illinois State Police and Illinois State Police Merit |
| 24 | | Board. |
| 25 | | (d-7) Information gathered or records created from the |
| 26 | | use of automatic license plate readers in connection with |
|
| | SB3548 | - 54 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Section 2-130 of the Illinois Vehicle Code. |
| 2 | | (e) Records that relate to or affect the security of |
| 3 | | correctional institutions and detention facilities. |
| 4 | | (e-5) Records requested by persons committed to the |
| 5 | | Department of Corrections, Department of Human Services |
| 6 | | Division of Mental Health, or a county jail if those |
| 7 | | materials are available in the library of the correctional |
| 8 | | institution or facility or jail where the inmate is |
| 9 | | confined. |
| 10 | | (e-6) Records requested by persons committed to the |
| 11 | | Department of Corrections, Department of Human Services |
| 12 | | Division of Mental Health, or a county jail if those |
| 13 | | materials include records from staff members' personnel |
| 14 | | files, staff rosters, or other staffing assignment |
| 15 | | information. |
| 16 | | (e-7) Records requested by persons committed to the |
| 17 | | Department of Corrections or Department of Human Services |
| 18 | | Division of Mental Health if those materials are available |
| 19 | | through an administrative request to the Department of |
| 20 | | Corrections or Department of Human Services Division of |
| 21 | | Mental Health. |
| 22 | | (e-8) Records requested by a person committed to the |
| 23 | | Department of Corrections, Department of Human Services |
| 24 | | Division of Mental Health, or a county jail, the |
| 25 | | disclosure of which would result in the risk of harm to any |
| 26 | | person or the risk of an escape from a jail or correctional |
|
| | SB3548 | - 55 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | institution or facility. |
| 2 | | (e-9) Records requested by a person in a county jail |
| 3 | | or committed to the Department of Corrections or |
| 4 | | Department of Human Services Division of Mental Health, |
| 5 | | containing personal information pertaining to the person's |
| 6 | | victim or the victim's family, including, but not limited |
| 7 | | to, a victim's home address, home telephone number, work |
| 8 | | or school address, work telephone number, social security |
| 9 | | number, or any other identifying information, except as |
| 10 | | may be relevant to a requester's current or potential case |
| 11 | | or claim. |
| 12 | | (e-10) Law enforcement records of other persons |
| 13 | | requested by a person committed to the Department of |
| 14 | | Corrections, Department of Human Services Division of |
| 15 | | Mental Health, or a county jail, including, but not |
| 16 | | limited to, arrest and booking records, mug shots, and |
| 17 | | crime scene photographs, except as these records may be |
| 18 | | relevant to the requester's current or potential case or |
| 19 | | claim. |
| 20 | | (f) Preliminary drafts, notes, recommendations, |
| 21 | | memoranda, and other records in which opinions are |
| 22 | | expressed, or policies or actions are formulated, except |
| 23 | | that a specific record or relevant portion of a record |
| 24 | | shall not be exempt when the record is publicly cited and |
| 25 | | identified by the head of the public body. The exemption |
| 26 | | provided in this paragraph (f) extends to all those |
|
| | SB3548 | - 56 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | records of officers and agencies of the General Assembly |
| 2 | | that pertain to the preparation of legislative documents. |
| 3 | | (g) Trade secrets and commercial or financial |
| 4 | | information obtained from a person or business where the |
| 5 | | trade secrets or commercial or financial information are |
| 6 | | furnished under a claim that they are proprietary, |
| 7 | | privileged, or confidential, and that disclosure of the |
| 8 | | trade secrets or commercial or financial information would |
| 9 | | cause competitive harm to the person or business, and only |
| 10 | | insofar as the claim directly applies to the records |
| 11 | | requested. |
| 12 | | The information included under this exemption includes |
| 13 | | all trade secrets and commercial or financial information |
| 14 | | obtained by a public body, including a public pension |
| 15 | | fund, from a private equity fund or a privately held |
| 16 | | company within the investment portfolio of a private |
| 17 | | equity fund as a result of either investing or evaluating |
| 18 | | a potential investment of public funds in a private equity |
| 19 | | fund. The exemption contained in this item does not apply |
| 20 | | to the aggregate financial performance information of a |
| 21 | | private equity fund, nor to the identity of the fund's |
| 22 | | managers or general partners. The exemption contained in |
| 23 | | this item does not apply to the identity of a privately |
| 24 | | held company within the investment portfolio of a private |
| 25 | | equity fund, unless the disclosure of the identity of a |
| 26 | | privately held company may cause competitive harm. |
|
| | SB3548 | - 57 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Nothing contained in this paragraph (g) shall be |
| 2 | | construed to prevent a person or business from consenting |
| 3 | | to disclosure. |
| 4 | | (h) Proposals and bids for any contract, grant, or |
| 5 | | agreement, including information which if it were |
| 6 | | disclosed would frustrate procurement or give an advantage |
| 7 | | to any person proposing to enter into a contractor |
| 8 | | agreement with the body, until an award or final selection |
| 9 | | is made. Information prepared by or for the body in |
| 10 | | preparation of a bid solicitation shall be exempt until an |
| 11 | | award or final selection is made. |
| 12 | | (i) Valuable formulae, computer geographic systems, |
| 13 | | designs, drawings, and research data obtained or produced |
| 14 | | by any public body when disclosure could reasonably be |
| 15 | | expected to produce private gain or public loss. The |
| 16 | | exemption for "computer geographic systems" provided in |
| 17 | | this paragraph (i) does not extend to requests made by |
| 18 | | news media as defined in Section 2 of this Act when the |
| 19 | | requested information is not otherwise exempt and the only |
| 20 | | purpose of the request is to access and disseminate |
| 21 | | information regarding the health, safety, welfare, or |
| 22 | | legal rights of the general public. |
| 23 | | (j) The following information pertaining to |
| 24 | | educational matters: |
| 25 | | (i) test questions, scoring keys, and other |
| 26 | | examination data used to administer an academic |
|
| | SB3548 | - 58 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | examination; |
| 2 | | (ii) information received by a primary or |
| 3 | | secondary school, college, or university under its |
| 4 | | procedures for the evaluation of faculty members by |
| 5 | | their academic peers; |
| 6 | | (iii) information concerning a school or |
| 7 | | university's adjudication of student disciplinary |
| 8 | | cases, but only to the extent that disclosure would |
| 9 | | unavoidably reveal the identity of the student; and |
| 10 | | (iv) course materials or research materials used |
| 11 | | by faculty members. |
| 12 | | (k) Architects' plans, engineers' technical |
| 13 | | submissions, and other construction related technical |
| 14 | | documents for projects not constructed or developed in |
| 15 | | whole or in part with public funds and the same for |
| 16 | | projects constructed or developed with public funds, |
| 17 | | including, but not limited to, power generating and |
| 18 | | distribution stations and other transmission and |
| 19 | | distribution facilities, water treatment facilities, |
| 20 | | airport facilities, sport stadiums, convention centers, |
| 21 | | and all government owned, operated, or occupied buildings, |
| 22 | | but only to the extent that disclosure would compromise |
| 23 | | security. |
| 24 | | (l) Minutes of meetings of public bodies closed to the |
| 25 | | public as provided in the Open Meetings Act until the |
| 26 | | public body makes the minutes available to the public |
|
| | SB3548 | - 59 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | under Section 2.06 of the Open Meetings Act. |
| 2 | | (m) Communications between a public body and an |
| 3 | | attorney or auditor representing the public body that |
| 4 | | would not be subject to discovery in litigation, and |
| 5 | | materials prepared or compiled by or for a public body in |
| 6 | | anticipation of a criminal, civil, or administrative |
| 7 | | proceeding upon the request of an attorney advising the |
| 8 | | public body, and materials prepared or compiled with |
| 9 | | respect to internal audits of public bodies. |
| 10 | | (n) Records relating to a public body's adjudication |
| 11 | | of employee grievances or disciplinary cases; however, |
| 12 | | this exemption shall not extend to the final outcome of |
| 13 | | cases in which discipline is imposed. |
| 14 | | (o) Administrative or technical information associated |
| 15 | | with automated data processing operations, including, but |
| 16 | | not limited to, software, operating protocols, computer |
| 17 | | program abstracts, file layouts, source listings, object |
| 18 | | modules, load modules, user guides, documentation |
| 19 | | pertaining to all logical and physical design of |
| 20 | | computerized systems, employee manuals, and any other |
| 21 | | information that, if disclosed, would jeopardize the |
| 22 | | security of the system or its data or the security of |
| 23 | | materials exempt under this Section. |
| 24 | | (p) Records relating to collective negotiating matters |
| 25 | | between public bodies and their employees or |
| 26 | | representatives, except that any final contract or |
|
| | SB3548 | - 60 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | agreement shall be subject to inspection and copying. |
| 2 | | (q) Test questions, scoring keys, and other |
| 3 | | examination data used to determine the qualifications of |
| 4 | | an applicant for a license or employment. |
| 5 | | (r) The records, documents, and information relating |
| 6 | | to real estate purchase negotiations until those |
| 7 | | negotiations have been completed or otherwise terminated. |
| 8 | | With regard to a parcel involved in a pending or actually |
| 9 | | and reasonably contemplated eminent domain proceeding |
| 10 | | under the Eminent Domain Act, records, documents, and |
| 11 | | information relating to that parcel shall be exempt except |
| 12 | | as may be allowed under discovery rules adopted by the |
| 13 | | Illinois Supreme Court. The records, documents, and |
| 14 | | information relating to a real estate sale shall be exempt |
| 15 | | until a sale is consummated. |
| 16 | | (s) Any and all proprietary information and records |
| 17 | | related to the operation of an intergovernmental risk |
| 18 | | management association or self-insurance pool or jointly |
| 19 | | self-administered health and accident cooperative or pool. |
| 20 | | Insurance or self-insurance (including any |
| 21 | | intergovernmental risk management association or |
| 22 | | self-insurance pool) claims, loss or risk management |
| 23 | | information, records, data, advice, or communications. |
| 24 | | (t) Information contained in or related to |
| 25 | | examination, operating, or condition reports prepared by, |
| 26 | | on behalf of, or for the use of a public body responsible |
|
| | SB3548 | - 61 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | for the regulation or supervision of financial |
| 2 | | institutions, insurance companies, or pharmacy benefit |
| 3 | | managers, unless disclosure is otherwise required by State |
| 4 | | law. |
| 5 | | (u) Information that would disclose or might lead to |
| 6 | | the disclosure of secret or confidential information, |
| 7 | | codes, algorithms, programs, or private keys intended to |
| 8 | | be used to create electronic signatures under the Uniform |
| 9 | | Electronic Transactions Act. |
| 10 | | (v) Vulnerability assessments, security measures, and |
| 11 | | response policies or plans that are designed to identify, |
| 12 | | prevent, or respond to potential attacks upon a |
| 13 | | community's population or systems, facilities, or |
| 14 | | installations, but only to the extent that disclosure |
| 15 | | could reasonably be expected to expose the vulnerability |
| 16 | | or jeopardize the effectiveness of the measures, policies, |
| 17 | | or plans, or the safety of the personnel who implement |
| 18 | | them or the public. Information exempt under this item may |
| 19 | | include such things as details pertaining to the |
| 20 | | mobilization or deployment of personnel or equipment, to |
| 21 | | the operation of communication systems or protocols, to |
| 22 | | cybersecurity vulnerabilities, or to tactical operations. |
| 23 | | (w) (Blank). |
| 24 | | (x) Maps and other records regarding the location or |
| 25 | | security of generation, transmission, distribution, |
| 26 | | storage, gathering, treatment, or switching facilities |
|
| | SB3548 | - 62 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | owned by a utility, by a power generator, or by the |
| 2 | | Illinois Power Agency. |
| 3 | | (y) Information contained in or related to proposals, |
| 4 | | bids, or negotiations related to electric power |
| 5 | | procurement under Section 1-75 of the Illinois Power |
| 6 | | Agency Act and Section 16-111.5 of the Public Utilities |
| 7 | | Act that is determined to be confidential and proprietary |
| 8 | | by the Illinois Power Agency or by the Illinois Commerce |
| 9 | | Commission. |
| 10 | | (z) Information about students exempted from |
| 11 | | disclosure under Section 10-20.38 or 34-18.29 of the |
| 12 | | School Code, and information about undergraduate students |
| 13 | | enrolled at an institution of higher education exempted |
| 14 | | from disclosure under Section 25 of the Illinois Credit |
| 15 | | Card Marketing Act of 2009. |
| 16 | | (aa) Information the disclosure of which is exempted |
| 17 | | under the Viatical Settlements Act of 2009. |
| 18 | | (bb) Records and information provided to a mortality |
| 19 | | review team and records maintained by a mortality review |
| 20 | | team appointed under the Department of Juvenile Justice |
| 21 | | Mortality Review Team Act. |
| 22 | | (cc) Information regarding interments, entombments, or |
| 23 | | inurnments of human remains that are submitted to the |
| 24 | | Cemetery Oversight Database under the Cemetery Care Act or |
| 25 | | the Cemetery Oversight Act, whichever is applicable. |
| 26 | | (dd) Correspondence and records (i) that may not be |
|
| | SB3548 | - 63 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | disclosed under Section 11-9 of the Illinois Public Aid |
| 2 | | Code or (ii) that pertain to appeals under Section 11-8 of |
| 3 | | the Illinois Public Aid Code. |
| 4 | | (ee) The names, addresses, or other personal |
| 5 | | information of persons who are minors and are also |
| 6 | | participants and registrants in programs of park |
| 7 | | districts, forest preserve districts, conservation |
| 8 | | districts, recreation agencies, and special recreation |
| 9 | | associations. |
| 10 | | (ff) The names, addresses, or other personal |
| 11 | | information of participants and registrants in programs of |
| 12 | | park districts, forest preserve districts, conservation |
| 13 | | districts, recreation agencies, and special recreation |
| 14 | | associations where such programs are targeted primarily to |
| 15 | | minors. |
| 16 | | (gg) Confidential information described in Section |
| 17 | | 1-100 of the Illinois Independent Tax Tribunal Act of |
| 18 | | 2012. |
| 19 | | (hh) The report submitted to the State Board of |
| 20 | | Education by the School Security and Standards Task Force |
| 21 | | under item (8) of subsection (d) of Section 2-3.160 of the |
| 22 | | School Code and any information contained in that report. |
| 23 | | (ii) Records requested by persons committed to or |
| 24 | | detained by the Department of Human Services under the |
| 25 | | Sexually Violent Persons Commitment Act or committed to |
| 26 | | the Department of Corrections under the Sexually Dangerous |
|
| | SB3548 | - 64 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Persons Act if those materials: (i) are available in the |
| 2 | | library of the facility where the individual is confined; |
| 3 | | (ii) include records from staff members' personnel files, |
| 4 | | staff rosters, or other staffing assignment information; |
| 5 | | or (iii) are available through an administrative request |
| 6 | | to the Department of Human Services or the Department of |
| 7 | | Corrections. |
| 8 | | (jj) Confidential information described in Section |
| 9 | | 5-535 of the Civil Administrative Code of Illinois. |
| 10 | | (kk) The public body's credit card numbers, debit card |
| 11 | | numbers, bank account numbers, Federal Employer |
| 12 | | Identification Number, security code numbers, passwords, |
| 13 | | and similar account information, the disclosure of which |
| 14 | | could result in identity theft or impression or defrauding |
| 15 | | of a governmental entity or a person. |
| 16 | | (ll) Records concerning the work of the threat |
| 17 | | assessment team of a school district, including, but not |
| 18 | | limited to, any threat assessment procedure under the |
| 19 | | School Safety Drill Act and any information contained in |
| 20 | | the procedure. |
| 21 | | (mm) Information prohibited from being disclosed under |
| 22 | | subsections (a) and (b) of Section 15 of the Student |
| 23 | | Confidential Reporting Act. |
| 24 | | (nn) Proprietary information submitted to the |
| 25 | | Environmental Protection Agency under the Drug Take-Back |
| 26 | | Act. |
|
| | SB3548 | - 65 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | (oo) Records described in subsection (f) of Section |
| 2 | | 3-5-1 of the Unified Code of Corrections. |
| 3 | | (pp) Any and all information regarding burials, |
| 4 | | interments, or entombments of human remains as required to |
| 5 | | be reported to the Department of Natural Resources |
| 6 | | pursuant either to the Archaeological and Paleontological |
| 7 | | Resources Protection Act or the Human Remains Protection |
| 8 | | Act. |
| 9 | | (qq) Reports described in subsection (e) of Section |
| 10 | | 16-15 of the Abortion Care Clinical Training Program Act. |
| 11 | | (rr) Information obtained by a certified local health |
| 12 | | department under the Access to Public Health Data Act. |
| 13 | | (ss) For a request directed to a public body that is |
| 14 | | also a HIPAA-covered entity, all information that is |
| 15 | | protected health information, including demographic |
| 16 | | information, that may be contained within or extracted |
| 17 | | from any record held by the public body in compliance with |
| 18 | | State and federal medical privacy laws and regulations, |
| 19 | | including, but not limited to, the Health Insurance |
| 20 | | Portability and Accountability Act and its regulations, 45 |
| 21 | | CFR Parts 160 and 164. As used in this paragraph, |
| 22 | | "HIPAA-covered entity" has the meaning given to the term |
| 23 | | "covered entity" in 45 CFR 160.103 and "protected health |
| 24 | | information" has the meaning given to that term in 45 CFR |
| 25 | | 160.103. |
| 26 | | (tt) Proposals or bids submitted by engineering |
|
| | SB3548 | - 66 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | consultants in response to requests for proposal or other |
| 2 | | competitive bidding requests by the Department of |
| 3 | | Transportation or the Illinois Toll Highway Authority. |
| 4 | | (uu) Documents that, pursuant to the State of |
| 5 | | Illinois' 1987 Agreement with the U.S. Nuclear Regulatory |
| 6 | | Commission and the corresponding requirement to maintain |
| 7 | | compatibility with the National Materials Program, have |
| 8 | | been determined to be security sensitive. These documents |
| 9 | | include information classified as safeguards, |
| 10 | | safeguards-modified, and sensitive unclassified |
| 11 | | nonsafeguards information, as identified in U.S. Nuclear |
| 12 | | Regulatory Commission regulatory information summaries, |
| 13 | | security advisories, and other applicable communications |
| 14 | | or regulations related to the control and distribution of |
| 15 | | security sensitive information. |
| 16 | | (vv) Disclosure data protection impact assessments |
| 17 | | done under the Consumer Data Privacy Act. |
| 18 | | (1.5) Any information exempt from disclosure under the |
| 19 | | Judicial Privacy Act shall be redacted from public records |
| 20 | | prior to disclosure under this Act. |
| 21 | | (1.6) Any information exempt from disclosure under the |
| 22 | | Public Official Safety and Privacy Act shall be redacted from |
| 23 | | public records prior to disclosure under this Act. |
| 24 | | (1.7) Any information exempt from disclosure under |
| 25 | | paragraph (3.5) of Section 9-15 of the Election Code shall be |
| 26 | | redacted from public records prior to disclosure under this |
|
| | SB3548 | - 67 - | LRB104 18765 JRC 32208 b |
|
|
| 1 | | Act. |
| 2 | | (2) A public record that is not in the possession of a |
| 3 | | public body but is in the possession of a party with whom the |
| 4 | | agency has contracted to perform a governmental function on |
| 5 | | behalf of the public body, and that directly relates to the |
| 6 | | governmental function and is not otherwise exempt under this |
| 7 | | Act, shall be considered a public record of the public body, |
| 8 | | for purposes of this Act. |
| 9 | | (3) This Section does not authorize withholding of |
| 10 | | information or limit the availability of records to the |
| 11 | | public, except as stated in this Section or otherwise provided |
| 12 | | in this Act. |
| 13 | | (Source: P.A. 103-154, eff. 6-30-23; 103-423, eff. 1-1-24; |
| 14 | | 103-446, eff. 8-4-23; 103-462, eff. 8-4-23; 103-540, eff. |
| 15 | | 1-1-24; 103-554, eff. 1-1-24; 103-605, eff. 7-1-24; 103-865, |
| 16 | | eff. 1-1-25; 104-300, eff. 1-1-27; 104-438, eff. 1-1-26; |
| 17 | | 104-443, eff. 1-1-26; revised 1-7-26.)
|
| 18 | | Section 905. The State Finance Act is amended by adding |
| 19 | | Section 5.1038 as follows:
|
| 20 | | (30 ILCS 105/5.1038 new) |
| 21 | | Sec. 5.1038. The Consumer Privacy Fund.
|
| 22 | | Section 995. No acceleration or delay. Where this Act |
| 23 | | makes changes in a statute that is represented in this Act by |