104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026

SB3603

Introduced 2/5/2026, by Sen. Steve Stadelman

SYNOPSIS AS INTRODUCED:

Amends the Consumer Fraud and Deceptive Business Practices Act. Provides that a consumer may opt out of the processing of personal data for the purpose of targeted advertising by submitting a request using the methods specified in a data processing controller's privacy notice. Sets forth the requirements of a controller's privacy notice. Provides that, if a controller processes personal data for purposes of targeted advertising or sells personal data to third parties for targeted advertising, the controller shall disclose the processing or sale in a privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the processing or sale. Makes other changes. Effective January 1, 2028.

A BILL FOR

SB3603 LRB104 19802 SPS 33252 b
AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Consumer Fraud and Deceptive Business Practices Act is amended by adding Section 2MMMM as follows:

(815 ILCS 505/2MMMM new)

Sec. 2MMMM. Data processing.

(a) Definitions. As used in this Section:

"Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual.

"Identified or identifiable individual" means a natural person who can be readily identified, directly or indirectly, based on personal data.

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. "Personal data" does not include deidentified data or publicly available information.
"Process" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including, but not limited to, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

"Processor" means a natural or legal person who processes personal data on behalf of a controller.

"Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. "Targeted advertising" does not include:

(1) advertising based on activities within a controller's own websites or online applications;

(2) advertising based on the context of a consumer's current search query or visit to a website or online application;

(3) advertising directed to a consumer in response to the consumer's request for information or feedback; or

(4) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
(b) A consumer may opt out of the processing of personal data for the purpose of targeted advertising by submitting a request using the methods specified in the controller's privacy notice. A consumer may submit a request to a controller under this subsection at any time.

(c) A controller that processes personal data for purposes of targeted advertising shall provide a clear and conspicuous method for a consumer to opt out of the processing of personal data for the purpose of targeted advertising. A controller shall establish one or more secure and reliable means for consumers to submit a request to opt out of the processing of personal data for the purpose of targeted advertising, taking into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of the requests, and the ability of the controller to verify the identity of the consumer making the request.
(d) A consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for purposes of targeted advertising. A consumer may designate an authorized agent through a technology, including, but not limited to, an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing.

A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

(e) If a controller is processing personal data for purposes of targeted advertising of a known child, the parent or legal guardian may opt the child out of the processing of personal data for the purpose of targeted advertising. If a controller is processing the personal data for purposes of targeted advertising of a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may opt the consumer out of the processing of personal data for the purpose of targeted advertising.
(f) A controller shall allow consumers to exercise the right to opt out of the processing of personal data for purposes of targeted advertising through a user-selected, universal opt-out mechanism, including by an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing.

(g) If a controller processes personal data for purposes of targeted advertising or sells personal data to third parties for targeted advertising, the controller shall disclose the processing or sale in a privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale or processing. This method may include, but is not limited to, an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.

The privacy notice shall be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers.
(h) This Section applies to legal entities that conduct business in this State or produce products or services that are targeted to residents of this State, and that:

(1) during a calendar year, control or process personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) derive over 25% of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.

(i) A violation of this Section constitutes an unlawful practice within the meaning of this Act.

Section 99. Effective date. This Act takes effect January