101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2330
 
Introduced 1/8/2020, by Sen. Thomas Cullerton
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Creates the Data Transparency and Privacy Act. Provides that any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer to whom the information refers or belongs of specific information in the service agreement or somewhere readily accessible on the business' website or mobile application. Establishes a "right to know" for consumers and prescribes types of information that they may request of businesses. Provides that consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates. Provides that consumers have the right to request that a business correct inaccurate personal information about the consumer or delete personal information about the consumer. Prescribes a protocol for the handling of consumer requests by businesses. Prescribes pricing incentives and prohibitions against discrimination. Provides that businesses, affiliates, and third parties must conduct risk assessments and provides requirements for the assessments. Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. Provides that any waiver of the provisions of the Act is void and unenforceable. Contains home rule preemption and severability provisions. Effective July 1, 2021.
  


LRB101 16295 KTG 65668 b

 
 
A BILL FOR
 

  
SB2330LRB101 16295 KTG 65668 b


  
1    AN ACT concerning business.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the Data 
5Transparency and Privacy Act.
 
6    Section 5. Findings. The General Assembly finds and 
7declares that:
8        (1)  The right to privacy is a personal and fundamental 
9    right protected by the United States Constitution. As such, 
10    all individuals have a right to privacy and a personal 
11    property interest in information pertaining to them and 
12    that information shall be adequately protected from 
13    unlawful invasions and takings. This State recognizes the 
14    importance of providing consumers with transparency about 
15    how their personal information is stored, used, and shared 
16    by businesses. This transparency is crucial for Illinois 
17    citizens to protect themselves and their families from 
18    cyber-crimes and identity thieves.
19        (2)  Businesses are now collecting, sharing, and 
20    selling personal information in ways not contemplated or 
21    properly covered by current law.
22            (a)  Some websites install tracking tools that 
23        record when consumers visit web pages and send personal 
 
 
SB2330- 2 -LRB101 16295 KTG 65668 b

1        information collected to third party marketers and 
2        data brokers.
3            (b)  Third-party data broker companies are buying, 
4        selling, and trading personal information obtained 
5        from mobile phones, financial institutions, social 
6        media sites, and other online and brick and mortar 
7        companies.
8            (c)  Social media companies, credit agencies and 
9        retail stores have all had their internal security 
10        systems breached, resulting in consumers' personal 
11        information being stolen and sold on the black market.
12        (3)  Illinois consumers must be better informed about 
13    what kinds of personal information are collected, how 
14    information is shared with third parties, and how 
15    businesses store consumers' personal information. With 
16    this specific information, consumers can knowledgeably 
17    choose to opt in, opt out, or choose among businesses that 
18    disclose information to third parties on the basis of how 
19    protective the business is of consumers' privacy in order 
20    to properly protect their privacy, property, personal 
21    safety, and financial security.
 
22    Section 10. Definitions. As used in this Act:
23    "Affiliate" means a legal entity that controls, is 
24controlled by, or is under common control with another legal 
25entity.
 
 
SB2330- 3 -LRB101 16295 KTG 65668 b

1    "Business" means any sole proprietorship, partnership, 
2limited liability company, corporation, association, or other 
3legal entity that is organized or operated for the profit or 
4financial benefit of its shareholders or other owners, that 
5does business in the State of Illinois and meets one or more of 
6the following thresholds:
7        (1) The business collects or discloses the personal 
8    information of 50,000 or more persons, Illinois 
9    households, or the combination thereof.
10        (2) The business derives 50% or more of its annual 
11    revenues from selling consumers' personal information.

12    "Business" does not include any third party that operates, 
13hosts, or manages, but does not own, a website or online 
14service on the owner's behalf or by processing information on 
15behalf of the owners, or any State and local governments or 
16municipal corporations.
17    "Categories of sources" means types of entities from which 
18a business collects personal information about consumers, 
19including, but not limited to, the consumer directly, 
20government entities from which public records are obtained, and 
21consumer data resellers.
22    "Categories of third parties" means types of entities that 
23do not collect personal information directly from consumers, 
24including, but not limited to, advertising networks, internet 
25service providers, data analytics providers, government 
26entities, operating systems and platforms, social networks, 
 
 
SB2330- 4 -LRB101 16295 KTG 65668 b

1and consumer data resellers.
2    "Consumer" means a natural person residing in this State. 
3"Consumer" does not include a natural person acting in an 
4employment context.
5    "Deidentified" means information that cannot reasonably 
6identify, relate to, describe, be capable of being associated 
7with, or be linked, directly or indirectly, to a particular 
8consumer, provided that a business that uses deidentified 
9information:
10        (1)  Has implemented technical safeguards that prohibit 
11    reidentification of the consumer to whom the information 
12    may pertain.
13        (2)  Has implemented business processes that 
14    specifically prohibit reidentification of the information.
15        (3)  Has implemented business processes to prevent 
16    inadvertent release of deidentified information.
17        (4)  Makes no attempt to reidentify the information.
18    "Designated request address" means an electronic mail 
19address, online form,  mailing address, or toll-free telephone 
20number that a consumer may use to request information, opt out 
21of the sale or disclosure of personal information, or correct 
22or delete personal information, as required to be provided 
23under this Act.
24    "Disclose" means to disclose, release, transfer, share, 
25disseminate, make available, or otherwise communicate orally, 
26in writing, or by electronic or any other means a consumer's 
 
 
SB2330- 5 -LRB101 16295 KTG 65668 b

1personal information to any affiliate or third party. 
2"Disclose" does not include:
3        (1)  Disclosure of personal information by a business to 
4    a third party or service provider under a written contract 
5    authorizing the third party or service provider to use the 
6    personal information to perform services on behalf of the 
7    business, including, but not limited to, maintaining or 
8    servicing accounts, disclosure of personal information by 
9    a business to a service provider, processing or fulfilling 
10    orders and transactions, verifying consumer information, 
11    processing payments, providing financing, or similar 
12    services, but only if: the contract prohibits the third 
13    party or service provider from using the personal 
14    information for any reason other than performing the 
15    specified service on behalf of the business and from 
16    disclosing any such personal information to additional 
17    third parties or service providers unless those additional 
18    third parties or service providers are allowed by the 
19    contract to further the specified services and  the 
20    additional third parties and service providers and subject 
21    to the same restrictions imposed by this subsection.
22        (2)  Disclosure of personal information by a business to 
23    a third party based on a good faith belief that disclosure 
24    is required to comply with applicable law, regulation, 
25    legal process, or court order.
26        (3)  Disclosure of personal information by a business to 
 
 
SB2330- 6 -LRB101 16295 KTG 65668 b

1    a third party that is reasonably necessary to address 
2    fraud, risk management, security, or technical issues; to 
3    protect the disclosing business' right or property; or to 
4    protect consumers or the public from illegal activities.
5        (4)  Disclosure of personal information by a business to 
6    a third party in connection with the proposed or actual 
7    sale, merger, or bankruptcy of the business, to a third 
8    party.
9    "Personal information" means information that identifies, 
10relates to, describes, is reasonably capable of being 
11associated with, or could reasonably be linked, directly or 
12indirectly, with a particular consumer or household. Personal 
13information includes, but is not limited to, the following:
14        (1)  Identifiers such as a real name, alias, signature, 
15    postal address, telephone number,  unique personal 
16    identifier, online identifier Internet Protocol address, 
17    email address, account name, social security number, 
18    driver's license number, state identification number, 
19    passport number, physical characteristics or description, 
20    insurance policy number, employment, employment history, 
21    bank account number, credit card number, debit card number, 
22    financial information, medical information, health 
23    insurance information,  or other similar identifiers.
24        (2)  Characteristics of protected classifications under 
25    Illinois or federal law.
26        (3)  Commercial information, including records of 
 
 
SB2330- 7 -LRB101 16295 KTG 65668 b

1    personal property, products or services purchased, 
2    obtained, or considered, or other purchasing or consuming 
3    histories or tendencies.
4        (4)  Biometric information.
5        (5)  Internet or other electronic network activity 
6    information, including, but not limited to, browsing 
7    history, search history, and information regarding a 
8    consumer's interaction with an Internet website, 
9    application or advertisement.
10        (6)  Geolocation data.
11        (7)   Audio, electronic, visual, thermal, olfactory, or 
12    similar information.
13        (8)  Professional or employment-related information.
14        (9)  Educational information.
15        (10)   Inferences drawn from any of the information 
16    identified in this Section to create a profile about a 
17    consumer reflecting the consumer's preferences, 
18    characteristics, psychological trends, preferences, 
19    predispositions, behavior, attitudes, intelligence, 
20    abilities, and aptitudes.
21    "Personal information" does not include publicly available 
22information which the business obtained directly from records 
23lawfully made available from federal, state, or local 
24government records. "Personal information" does not include 
25consumer information that is deidentified or aggregate 
26consumer information.
 
 
SB2330- 8 -LRB101 16295 KTG 65668 b

1    "Process" or "processes" means any collection, use, 
2storage, disclosure, analysis, deletion, or modification of 
3personal information.
4    "Request" means a consumer right set forth in this Act 
5including one or more of the following: (i) for the disclosure 
6of information regarding a consumer's personal information; 
7(ii) the opt out of sale or disclosure of a consumer's personal 
8information; (iii) the correction of inaccurate personal 
9information; and (iv) the deletion of personal information.
10    "Sale" or "sell" means the selling, renting, or licensing 
11of a consumer's personal information by a business to a third 
12party in direct exchange for monetary consideration, whereby, 
13as a result of such transaction, the third party may use the 
14personal information for its own commercial purposes.
"Sale" or 
15"sell" does not include circumstances in which:
16        (1)  A consumer uses or directs the business to 
17    intentionally disclose personal information or uses the 
18    business to intentionally interact with a  third party or 
19    affiliate, provided the third party or affiliate does not 
20    also sell the personal information, unless that disclosure 
21    would be consistent with the provisions of this Act. An 
22    intentional interaction occurs when the consumer intends 
23    to interact with the third party by one or more deliberate 
24    interactions. Hovering over, muting, pausing, or closing a 
25    given piece of content does not constitute a consumer's 
26    intent to interact with a third party.
 
 
SB2330- 9 -LRB101 16295 KTG 65668 b

1        (2)  The business uses or shares an identifier for a 
2    consumer who has opted out of the sale of the consumer's 
3    personal information for the purposes of altering third 
4    parties or affiliates that the consumer has opted out of 
5    the sale of the consumer's personal information.
6        (3)  The business uses or shares with a service provider 
7    personal information of a consumer that is necessary to 
8    perform a business purpose or business purposes if the 
9    service provider does not further collect, sell, or use the 
10    personal information of the consumer except as necessary to 
11    perform the business purposes.
12        (4)  The business transfers to a third party the 
13    personal information of a consumer as an asset that is part 
14    of a merger, acquisition, bankruptcy, or other transaction 
15    in which the third party or affiliate assumes control of 
16    all or part of the business, provided that information is 
17    used or shared consistently with this Act. If a third party 
18    or affiliate materially alters how it uses or shares the 
19    personal information of a consumer in a manner that is 
20    materially inconsistent with the promises made at the time 
21    of collection, it shall provide prior notice of the new or 
22    changed practice to the consumer. The notice shall be 
23    sufficiently prominent and robust to ensure that existing 
24    consumers can easily exercise their choices consistent 
25    with Section 20 and Section 25. This subparagraph does not 
26    authorize a business to make material, retroactive privacy 
 
 
SB2330- 10 -LRB101 16295 KTG 65668 b

1    policy changes or make other changes in their privacy 
2    policy in a manner that would violate the Consumer Fraud 
3    and Deceptive Business Practices Act.
4        (5)  A business uses a consumer's personal information 
5    to sell targeted advertising space to a third party as long 
6    as the personal information is not sold by the business to 
7    the third party or affiliate.
8        (6)  The disclosure or transfer of personal information 
9    to an affiliate of the business.
10    "Service provider" means the natural or legal person that 
11processes personal information on behalf of the business.
12    "Third party" means a business that is: (1) not an 
13affiliate of the business that has collected, disclosed, or 
14sold personal information; or (2) an affiliate with the 
15business that has collected, disclosed, or sold personal 
16information and the affiliate relationship is not clear to the 
17consumer.
 
18    Section 15. Right to transparency.  Any business that 
19processes personal information or deidentified information 
20must, prior to processing, provide notice to the consumer of 
21the following in the service agreement or somewhere readily 
22accessible on the business' website or mobile application:
23        (1)  All categories of personal information and 
24    deidentified information that the business processes about 
25    individual consumers;
 
 
SB2330- 11 -LRB101 16295 KTG 65668 b

1        (2)  All categories of third parties and affiliates with 
2    whom the business may disclose or sell that personal 
3    information or deidentified information and the business 
4    purpose for the disclosure or sale;
5        (3)  The process in which an individual consumer may:
6            (A)  review the personal information collected by 
7        the business;
8            (B)  request changes to inaccurate personal 
9        information;
10            (C)  opt out of the disclosure or sale of personal 
11        information; and
12            (D)  request deletion of personal information; and
13        (4)  The process in which the business notifies 
14    consumers of material changes to the notice required to be 
15    made available under this Section.
 
16    Section 20. Right to know.  Consumers may request the 
17following information of businesses:
18        (1)  Copies of specific pieces of personal information 
19    about the consumer processed by the business.
20        (2)  Categories of sources for the personal information 
21    processed.
22        (3)  Name and contact information for each third party 
23    and affiliate to whom the personal information is disclosed 
24    or sold.
 
 
 
SB2330- 12 -LRB101 16295 KTG 65668 b

1    Section 25. Right to opt out, correct, and delete. 
2Consumers have the following rights concerning their personal 
3information:
4        (1)  The right to request to opt out of the following:
5            (A)  the disclosure of personal information from 
6        the business to third parties and affiliates;
7            (B)  the sale of personal information from the 
8        business to third parties and affiliates; and
9            (C)  the processing of personal information by the 
10        business, third parties, and affiliates.
11        (2)  The right to request that a business correct 
12    inaccurate personal information about the consumer.
13        (3)  The right to request that a business delete 
14    personal information about the consumer.
 
15    Section 30. Consumer requests and business responses. 
16    (a)  Businesses shall establish a process for collecting 
17consumer requests and reasonably authenticating consumers 
18making the requests and reasonably authenticating any request 
19to correct inaccurate personal information. The method by which 
20a consumer may submit a request under Section 20 and Section 25 
21shall be done in a form and manner determined by the business 
22in a way that is not overly burdensome on the consumer.
23    (b)  A business shall post on its website, online service, 
24and within any mobile application, a link to a designated 
25request address web page maintained by the business for the 
 
 
SB2330- 13 -LRB101 16295 KTG 65668 b

1purpose of collecting and processing consumer requests. The 
2business shall also post a designated request street address 
3for consumers to submit requests by mail.
4    (c)  A parent or legal guardian of a consumer under the age 
5of 13 may submit a request on behalf of that consumer.
6    (d)  A business that receives a request from a consumer 
7through a designated request address shall promptly take steps 
8to disclose and deliver, free of charge to the consumer, the 
9personal information required or confirmation of the consumers 
10opt out, correction or deletion request and business' 
11compliance.
12        (1)  The information may be delivered by mail or 
13    electronically, and if provided electronically, the 
14    information shall be in a portable and, to the extent 
15    technically feasible, in a readily usable format that 
16    allows the consumer to transmit this information to another 
17    entity without hindrance.
18        (2)  A business that has received a request to opt out 
19    of the disclosure or sale of a consumer's personal 
20    information shall be prohibited from selling or disclosing 
21    that consumer's personal information after its receipt of 
22    the consumer's request, unless the consumer subsequently 
23    provides express authorization for the sale or disclosure 
24    of the consumer's personal information.
25        (3)  A business that receives a request to delete the 
26    consumer's personal information, shall delete the 
 
 
SB2330- 14 -LRB101 16295 KTG 65668 b

1    consumer's personal information from its records and 
2    direct any third party or affiliate with whom the personal 
3    information was disclosed, to delete the consumer's 
4    personal information from their records.
5        (4)  A business shall not be required to comply with a 
6    consumer's request to delete the consumer's personal 
7    information if it is necessary for the business to maintain 
8    the consumer's personal information in order to:
9            (i)  Complete the transaction for which the 
10        personal information was collected, provide a good or 
11        service requested by the consumer, or reasonably 
12        anticipated within the context of a business' ongoing 
13        business relationship with the consumer, or otherwise 
14        perform a contract between the business and the 
15        consumer.
16            (ii)  Detect security incidents, protect against 
17        malicious, deceptive, fraudulent, or illegal activity; 
18        or prosecute those responsible for that activity.
19            (iii)  Debug to identify and repair errors that 
20        impair existing intended functionality.
21            (iv)  Exercise free speech, ensure the right of 
22        another consumer to exercise their right of free 
23        speech, or exercise another right provided for by law.
24            (v)  Engage in public or peer-reviewed scientific, 
25        historical, or statistical research in the public 
26        interest that adheres to all other applicable ethics 
 
 
SB2330- 15 -LRB101 16295 KTG 65668 b

1        and privacy laws, when the business' deletion of the 
2        information is likely to render impossible or 
3        seriously impair the achievement of such research, if 
4        the consumer has provided informed consent.
5            (vi)  To enable solely internal uses that are 
6        reasonably aligned with the expectations of the 
7        consumer based on the consumer's relationship with the 
8        business.
9            (vii)   Comply with a legal obligation.
10            (viii)  Otherwise use the consumer's personal 
11        information, internally, in a lawful manner that is 
12        compatible with the context in which the consumer 
13        provided the information.
14    (e)  A business must provide a response to the consumer 
15within 45 days of a request under Section 20 and Section 25.
16        (1)  The business shall promptly take steps to verify 
17    the request, but shall not extend the business' duty to 
18    disclose and deliver the information within 45 days of 
19    receipt of the consumer's request. The time period to 
20    provide the required information may be extended once by an 
21    additional 45 days when reasonably necessary, provided the 
22    consumer is provided notice of the extension within the 
23    first 45-day period.
24        (2)  The disclosure shall cover at least the 12-month 
25    period preceding the business' receipt of the request. The 
26    business shall not require the consumer to create an 
 
 
SB2330- 16 -LRB101 16295 KTG 65668 b

1    account with the business in order to make a request.
2        (3)  If requests from a consumer are manifestly 
3    unfounded or excessive, in particular because of their 
4    repetitive character, a business may either charge a 
5    reasonable fee, taking into account the administrative 
6    costs of providing the information or communication or 
7    taking the action requested or refuse to act on the request 
8    and notify the consumer of the reason for refusing the 
9    request. The business shall bear the burden of 
10    demonstrating that any consumer request is manifestly 
11    unfounded or excessive.
12    (f)  A business shall not be required to respond to a 
13request made by or on behalf of the same consumer more than 
14once in any 12-month period.
 
15    Section 35. Businesses, affiliates, and third parties.
16    (a)  A business is not required to retain any personal 
17information collected for a single, one-time transaction, if 
18such information is not sold or retained by the business or to 
19reidentify or otherwise link information that is not maintained 
20in a manner that would be considered personal information.
21    (b)  A business shall not reidentify any deidentified 
22consumer information, unless the consumer subsequently 
23provides express authorization for reidentification of 
24deidentified information.
25    (c)  A business shall not sell the personal information of 
 
 
SB2330- 17 -LRB101 16295 KTG 65668 b

1any consumer for which the business has actual knowledge that 
2the consumer is less than 16 years of age. A business that 
3willfully disregards the consumer's age shall be deemed to have 
4had actual knowledge of the consumer's age.
5    (d) A business shall not use a consumer's personal 
6information for any purpose other than those disclosed in the 
7notice at collection. If the business intends to use a 
8consumer's personal information for a purpose that  was not 
9previously disclosed to the consumer in the notice at 
10collection, the business shall directly notify the consumer of 
11this new use and obtain explicit consent from the consumer to 
12use it for this new purpose.
13    (e) A business shall not collect categories of personal 
14information other than those disclosed in the notice at 
15collection. If the business intends to collect additional 
16categories of personal information, the business shall provide 
17a new notice at collection.
18    (f) If a business does not give the notice at collection to 
19the consumer at or before the collection of their personal 
20information, the business shall not collect personal 
21information from the consumer.
22    (g)  Affiliates and third parties shall not sell consumer 
23personal information purchased from a business unless the 
24consumer has received notice and is provided an opportunity to 
25opt out of the resale of the consumer's personal information.
26    (h)  Pricing incentives and prohibition of discrimination.
 
 
SB2330- 18 -LRB101 16295 KTG 65668 b

1        (1)  A business shall not discriminate against a 
2    consumer because the consumer exercised any of the 
3    consumer's rights in this Act, including, but not limited 
4    to:
5            (A)  Denying goods or services to the consumer.
6            (B)  Charging different prices or rates for goods or 
7        services, including through the use of discounts or 
8        other benefits or imposing penalties.
9            (C)  Providing a different level or quality of goods 
10        or services to the consumer, if the consumer exercises 
11        the consumer's rights under this Act.
12            (D)  Suggesting that the consumer will receive a 
13        different price or rate for goods or services or a 
14        different level or quality of goods or services.
15        (2)  Nothing shall prohibit a business from charging a 
16    consumer a different price or rate, or from providing a 
17    different level or quality of goods or services to the 
18    consumer, if that difference is reasonably related to the 
19    value provided to the consumer by the consumer's data.
20        (3)  A business may offer financial incentives, 
21    including payments to consumers as compensation, for the 
22    collection of personal information, the sale of personal 
23    information, or the deletion of personal information. A 
24    business may also offer a different price, rate, level, or 
25    quality of goods or services to the consumer if that price 
26    or difference is directly related to the value provided to 
 
 
SB2330- 19 -LRB101 16295 KTG 65668 b

1    the consumer by the consumer's data.
2            (A)  A business that offers any financial 
3        incentives regarding consumer personal information or 
4        deidentified information, shall notify consumers of 
5        the financial incentives in the consumer service 
6        agreement, website, online service or mobile 
7        application.
8            (B)  A business may enter a consumer into a 
9        financial incentive program only if the consumer gives 
10        the business prior opt-in consent which clearly 
11        describes the material terms of the financial 
12        incentive program, and which may be revoked by the 
13        consumer at any time.
14            (C)  A business shall not use financial incentive 
15        practices that are unjust, unreasonable, or coercive.
16    (i)  A business that discloses personal information to a 
17service provider shall not be liable under this Act if the 
18service provider receiving the personal information uses it in 
19violation of the restrictions set forth in the Act, provided 
20that, at the time of disclosing the personal information, the 
21business does not have actual knowledge, or reason to believe, 
22that the service provider intends to commit such a violation. A 
23service provider shall likewise not be liable under this Act 
24for the obligations of a business for which it provides 
25services as set forth in this Act.
26    (j)  The obligations imposed on businesses by this Act do 
 
 
SB2330- 20 -LRB101 16295 KTG 65668 b

1not restrict a business' ability to:
2        (1)  Comply with federal, state, or local laws, rules, 
3    regulations, or enforceable guidance.
4        (2)  Comply with a civil, criminal, or regulatory 
5    inquiry, investigation, subpoena, or summons by federal, 
6    state, or local authorities.
7        (3)  Cooperate with law enforcement agencies concerning 
8    conduct or activity that the business, service provider, or 
9    third party reasonably and in good faith believes may 
10    violate federal, state, or local law.
11        (4)  Exercise or defend legal claims.
12        (5)  Prevent, detect, or respond to identity theft, 
13    fraud, or other malicious or illegal activity.
14        (6)  Collect, use, retain, sell, or disclose consumer's 
15    personal information that is deidentified or in the 
16    aggregate consumer information.
17    (k)  Businesses, affiliates, and third parties shall take 
18reasonable measures to protect customer's personal information 
19from unauthorized use, disclosure, or access.
20        (1)  In implementing security measures required by this 
21    subsection, a business, affiliate, and third party shall 
22    take into account each of the following factors:
23            (A)  The nature and scope of the business;, 
24        affiliate's, or third party's activities;
25            (B)  The sensitivity of the data processed;
26            (C)  The size of the business, affiliate, or third 
 
 
SB2330- 21 -LRB101 16295 KTG 65668 b

1        party; and
2            (D)  The technical feasibility of the security 
3        measures.
4        (2)  A business, affiliate, or third party may employ 
5    any lawful measure that allows the business, affiliate, or 
6    third party to comply with the requirements of this 
7    subsection.
8    (l)  Risk assessments.
9        (1)  Businesses, affiliates, and third parties must 
10    conduct, to the extent not previously conducted, a risk 
11    assessment of each of their processing activities 
12    involving personal information and an additional risk 
13    assessment any time there is a change in processing that 
14    materially increases the risk to consumers. Such risk 
15    assessments must take into account the type of personal 
16    data to be processed by the business, affiliate, or third 
17    party, including the extent to which the personal 
18    information is sensitive information or otherwise 
19    sensitive in nature, and the context in which the personal 
20    information is to be processed.
21        (2)  Risk assessments conducted under subsection (a) 
22    must identify and weigh the benefits that may flow directly 
23    and indirectly from the processing to the business, 
24    consumer, other stakeholders, and the public, against the 
25    potential risks to the rights of the consumer associated 
26    with such processing, as mitigated by safeguards that can 
 
 
SB2330- 22 -LRB101 16295 KTG 65668 b

1    be employed by the business to reduce such risks. The use 
2    of deidentified data and the reasonable expectations of 
3    consumers, as well as the context of the processing and the 
4    relationship between the business, affiliate, or third 
5    party and the consumer whose personal data will be 
6    processed, must factor into this assessment by the 
7    business, affiliate, or third party.
8        (3)  If the risk assessment conducted under subsection 
9    (a) of this Section determines that the potential risks of 
10    privacy harm to consumers are substantial and outweigh the 
11    interests of the business, consumer, other stakeholders, 
12    and the public in processing the personal information of 
13    the consumer, the business may only engage in such 
14    processing with the consent of the consumer or if another 
15    exemption under this Act applies. To the extent the 
16    business seeks consumer consent for processing, such 
17    consent shall be as easy to withdraw as to give.
18        (4)  Processing for a business purpose shall be presumed 
19    to be permissible unless:  (i) it involves the processing of 
20    sensitive data; and (ii) the risk of processing cannot be 
21    reduced through the use of appropriate administrative and 
22    technical safeguards.
23        (5)  The business, affiliate, and third party must make 
24    the risk assessment available to the Office of the Attorney 
25    General upon request. Risk assessments are confidential 
26    and exempt from public inspection and copying under the 
 
 
SB2330- 23 -LRB101 16295 KTG 65668 b

1    Freedom of Information Act.
 
2    Section 40. Enforcement.
3    (a)  Private right of action.
4        (1)  Any consumer whose unencrypted or unredacted 
5    personal information is subject to an unauthorized access 
6    and exfiltration, theft, or disclosure as a result of the 
7    business' violation of the duty to implement and maintain 
8    reasonable security procedures and practices appropriate 
9    to the nature of the information to protect the personal 
10    information may institute a civil action for any of the 
11    following:
12            (A)  To recover damages in an amount not less than 
13        $100 and not greater than $750 per customer per 
14        incident or actual damages, whichever is greater.
15            (B)  Injunctive or declaratory relief.
16            (C)  Any other relief the court deems proper.
17        (2)  In assessing the amount of statutory damages, the 
18    court shall consider any one or more of the relevant 
19    circumstances presented by any of the parties to the case, 
20    including, but not limited to, the nature and seriousness 
21    of the misconduct, the number of violations, the 
22    persistence of the misconduct, the length of time over 
23    which the misconduct occurred, the willfulness of the 
24    defendant's misconduct, and the defendant's assets, 
25    liabilities, and net worth.
 
 
SB2330- 24 -LRB101 16295 KTG 65668 b

1        (3)  Nothing in this Act shall be interpreted to serve 
2    as the basis for a private right of action under any other 
3    law. This shall not be construed to relieve any party from 
4    any duties or obligations imposed under other law or the 
5    United States or Illinois Constitution.
6    (b)  Attorney General enforcement. A violation of this Act 
7constitutes an unlawful practice under the Consumer Fraud and 
8Deceptive Business Practices Act. The Attorney General has 
9authority to enforce this Act as a violation of the Consumer 
10Fraud and Deceptive Business Practices Act, subject to the 
11remedies available to the Attorney General under the Consumer 
12Fraud and Deceptive Business Practices Act.
 
13    Section 45. Applicability.
14    (a)  This Act does not apply to personal information 
15collected, processed, sold, or disclosed under: 
16        (1)  The Gramm-Leach-Bliley Act, and the rules 
17    promulgated under that Act.
18        (2)  The Health Insurance Portability and 
19    Accountability Act of 1996, and the rules promulgated under 
20    that Act.
21        (3)  The Fair Credit Reporting Act, and the rules 
22    promulgated under that Act.
23    (b)  Nothing in this Act restricts a business' ability to 
24collect or disclose a consumer's personal information if a 
25consumer's conduct takes place wholly outside of Illinois. For 
 
 
SB2330- 25 -LRB101 16295 KTG 65668 b

1purposes of this Act, conduct takes place wholly outside of 
2Illinois if the business collected that information while the 
3consumer was outside of Illinois, no part of the sale of the 
4consumer's personal information occurred in Illinois, and no 
5personal information collected while the consumer was in 
6Illinois is disclosed.
 
7    Section 50. Waivers; contracts. Any waiver of the 
8provisions of this Act is void and unenforceable.
 
9    Section 55. Home rule preemption. Except as otherwise 
10provided in this Act, the regulation of the activities 
11described in this Act are the exclusive powers and functions of 
12the State. Except as otherwise provided in this Act, a unit of 
13local government, including a home rule unit, may not regulate 
14the activities described in this Act. This Section is a denial 
15and limitation of home rule powers and functions under 
16subsection (h) of Section 6 of Article VII of the Illinois 
17Constitution.
 
18    Section 97. Severability. The provisions of this Act are 
19severable under Section 1.31 of the Statute on Statutes.
 
 
20    Section 99. Effective date. This Act takes effect July 1, 
212021.