SB3517 103RD GENERAL ASSEMBLY

103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024
SB3517

Introduced 2/9/2024, by Sen. Sue Rezin

SYNOPSIS AS INTRODUCED:

`New Act`
`30 ILCS 105/5.1015 new`

Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.

LRB103 35732 LNS 65813 b

A BILL FOR

SB3517

LRB103 35732 LNS 65813 b

1 AN ACT concerning civil law.

2 Be it enacted by the People of the State of Illinois,

3 represented in the General Assembly:

4 Article 5. General

5 Section 5-1. Short title. This Act may be cited as the

6 Privacy Rights Act.

7 Section 5-5. Purpose and intent. In enacting this Act, it

8 is the purpose and intent of the State to further protect

9 consumers' rights, including the constitutional right of

10 privacy. The implementation of this Act shall be guided by the

11 following principles:

12 (1) Consumers should know who is collecting their

13 personal information and that of their children, how it is

14 being used, and to whom it is disclosed so that they have

15 the information necessary to exercise meaningful control

16 over businesses' use of their personal information and

17 that of their children.

18 (2) Consumers should be able to control the use of

19 their personal information, including limiting the use of

20 their sensitive personal information, the unauthorized use

21 or disclosure of which creates a heightened risk of harm

22 to the consumer, and they should have meaningful options

SB3517

- 2 -

LRB103 35732 LNS 65813 b

1 over how it is collected, used, and disclosed.

2 (3) Consumers should have access to their personal

3 information and should be able to correct it, delete it,

4 and take it with them from one business to another.

5 (4) Consumers or their authorized agents should be

6 able to exercise these options through easily accessible

7 self-serve tools.

8 (5) Consumers should be able to exercise these rights

9 without being penalized for doing so.

10 (6) Consumers should be able to hold businesses

11 accountable for failing to take reasonable precautions to

12 protect their most sensitive personal information from

13 hackers and security breaches.

14 (7) Consumers should benefit from businesses' use of

15 their personal information.

16 (8) The privacy interests of employees and independent

17 contractors should also be protected, taking into account

18 the differences in the relationship between employees or

19 independent contractors and businesses as compared to the

20 relationship between consumers and businesses. This Act is

21 not intended to interfere with the right to organize and

22 collective bargaining under the federal National Labor

23 Relations Act.

24 (9) Businesses should specifically and clearly inform

25 consumers about how they collect and use personal

26 information and how they can exercise their rights and

SB3517

- 3 -

LRB103 35732 LNS 65813 b

1 choice.

2 (10) Businesses should only collect consumers'

3 personal information for specific, explicit, and

4 legitimate disclosed purposes and should not further

5 collect, use, or disclose consumers' personal information

6 for reasons incompatible with those purposes.

7 (11) Businesses should collect consumers' personal

8 information only to the extent that it is relevant and

9 limited to what is necessary in relation to the purposes

10 for which it is being collected, used, and shared.

11 (12) Businesses should provide consumers or their

12 authorized agents with easily accessible means to allow

13 consumers and their children to obtain their personal

14 information, to delete it or correct it, to opt out of its

15 sale and sharing across business platforms, services,

16 businesses, and devices, and to limit the use of their

17 sensitive personal information.

18 (13) Businesses should not penalize consumers for

19 exercising these rights.

20 (14) Businesses should take reasonable precautions to

21 protect consumers' personal information from a security

22 breach.

23 (15) Businesses should be held accountable when they

24 violate consumers' privacy rights, and the penalties

25 should be higher when the violation affects children.

26 (16) The rights of consumers and the responsibilities

SB3517

- 4 -

LRB103 35732 LNS 65813 b

1 of businesses should be implemented with the goal of

2 strengthening consumer privacy while giving attention to

3 the impact on business and innovation. Consumer privacy

4 and the development of beneficial new products and

5 services are not necessarily incompatible goals. Strong

6 consumer privacy rights create incentives to innovate and

7 develop new products that are privacy protective.

8 (17) Businesses and consumers should be provided with

9 clear guidance about their responsibilities and rights.

10 (18) The law should place the consumer in a position

11 to knowingly and freely negotiate with a business over the

12 business' use of the personal information.

13 (19) The law should adjust to technological changes,

14 help consumers exercise their rights, and assist

15 businesses with compliance with the continuing goal of

16 strengthening consumer privacy.

17 (20) The law should enable proconsumer new products

18 and services and promote efficiency of implementation for

19 business as long as the law does not compromise or weaken

20 consumer privacy.

21 (21) The law should be amended, if necessary, to

22 improve its operation, as long as the amendments do not

23 compromise or weaken consumer privacy, while giving

24 attention to the impact on business and innovation.

25 (22) Businesses should be held accountable for

26 violating the law through vigorous administrative and

SB3517

- 5 -

LRB103 35732 LNS 65813 b

1 civil enforcement.

2 (23) To the extent it advances consumer privacy and

3 business compliance, the law should be compatible with

4 privacy laws in other jurisdictions.

5 Section 5-10. Definitions. As used in this Act:

6 "Advertising and marketing" means a communication by a

7 business or person acting on behalf of the business in any

8 medium intended to induce a consumer to obtain goods,

9 services, or employment.

10 "Agency" means the Privacy Protection Agency.

11 "Aggregate consumer information" means information that

12 relates to a group or category of consumers, from which

13 individual consumer identities have been removed, that is not

14 linked or reasonably linkable to any consumer or household,

15 including via a device. "Aggregate consumer information" does

16 not include one or more individual consumer records that have

17 been deidentified.

18 "Biometric information" means an individual's

19 physiological, biological, or behavioral characteristics,

20 including information pertaining to an individual's

21 deoxyribonucleic acid (DNA), that is used or is intended to be

22 used singly or in combination with each other or with other

23 identifying data, to establish individual identity. "Biometric

24 information" includes, but is not limited to, imagery of the

25 iris, retina, fingerprint, face, hand, palm, vein patterns,

SB3517

- 6 -

LRB103 35732 LNS 65813 b

1 and voice recordings, from which an identifier template, such

2 as a faceprint, a minutiae template, or a voiceprint, can be

3 extracted, and keystroke patterns or rhythms, gait patterns or

4 rhythms, and sleep, health, or exercise data that contain

5 identifying information.

6 "Business" means:

7 (1) a sole proprietorship, partnership, limited

8 liability company, corporation, association, or other

9 legal entity that is organized or operated for the profit

10 or financial benefit of its shareholders or other owners,

11 that collects consumers' personal information, or on the

12 behalf of which such information is collected and that

13 determines the purposes and means of the processing of

14 consumers' personal information, does business in this

15 State, and satisfies one or more of the following

16 thresholds:

17 (A) as of January 1 of the calendar year, had

18 annual gross revenues in excess of $25,000,000 in the

19 preceding calendar year;

20 (B) alone or in combination, annually, buys,

21 sells, or shares the personal information of 100,000

22 or more consumers or households; or

23 (C) derives 50% or more of its annual revenues

24 from selling or sharing consumers' personal

25 information;

26 (2) any entity that controls or is controlled by a

SB3517

- 7 -

LRB103 35732 LNS 65813 b

1 business and that shares common branding with the business

2 and with whom the business shares consumers' personal

3 information;

4 (3) a joint venture or partnership composed of

5 businesses in which each business has at least a 40%

6 interest; or

7 (4) a person that does business in this State, that is

8 not covered by paragraph (1), (2), or (3) of this

9 definition and that voluntarily certifies to this Act that

10 it is in compliance with, and agrees to be bound by, this

11 Act.

12 "Business associate" has the meaning given to that term in

13 Section 160.103 of Title 45 of the Code of Federal

14 Regulations.

15 "Business controller information" means the name or names

16 of the owner or owners, director, officer, or management

17 employee of a business and the contact information, including

18 a business title, for the owner or owners, director, officer,

19 or management employee.

20 "Business purpose" means the use of personal information

21 for the business's operational purposes, or other notified

22 purposes, or for the service provider's or contractor's

23 operational purposes, as long as the use of personal

24 information is reasonably necessary and proportionate to

25 achieve the purpose for which the personal information was

26 collected or processed or for another purpose that is

SB3517

- 8 -

LRB103 35732 LNS 65813 b

1 compatible with the context in which the personal information

2 was collected. "Business purposes" includes:

3 (1) auditing related to counting ad impressions to

4 unique visitors, verifying positioning and quality of ad

5 impressions, and auditing compliance with this

6 specification and other standards;

7 (2) helping to ensure security and integrity to the

8 extent the use of the personal information is reasonably

9 necessary and proportionate for these purposes;

10 (3) debugging to identify and repair errors that

11 impair existing intended functionality;

12 (4) short-term, transient use, including, but not

13 limited to, nonpersonalized advertising shown as part of a

14 consumer's current interaction with the business, as long

15 as the personal information is not disclosed to another

16 third party and is not used to build a profile about the

17 consumer or otherwise alter the consumer's experience

18 outside the current interaction with the business;

19 (5) performing services on behalf of the business,

20 including maintaining or servicing accounts, providing

21 customer service, processing or fulfilling orders and

22 transactions, verifying customer information, processing

23 payments, providing financing, providing analytic

24 services, providing storage, or providing similar services

25 on behalf of the business;

26 (6) providing advertising and marketing services,

SB3517

- 9 -

LRB103 35732 LNS 65813 b

1 except for cross-context behavioral advertising, to the

2 consumer, as long as a service provider or contractor does

3 not combine the personal information of consumers who

4 opted-out that the service provider or contractor receives

5 from, or on behalf of, the business with personal

6 information that the service provider or contractor

7 receives from, or on behalf of, another person or persons

8 or collects from its own interaction with consumers;

9 (7) undertaking internal research for technological

10 development and demonstration; and

11 (8) undertaking activities to verify or maintain the

12 quality or safety of a service or device that is owned,

13 manufactured, manufactured for, or controlled by the

14 business, and to improve, upgrade, or enhance the service

15 or device that is owned, manufactured, manufactured for,

16 or controlled by the business.

17 "Collects", "collected", or "collection" means buying,

18 renting, gathering, obtaining, receiving, or accessing any

19 personal information pertaining to the consumer by any means.

20 "Collects", "collected", or "collection" includes receiving

21 information from the consumer, either actively or passively,

22 or by observing the consumer's behavior.

23 "Commercial credit reporting agency" means any person who,

24 for monetary fees, dues, or on a cooperative nonprofit basis,

25 provides commercial credit reports to third parties.

26 "Commercial purposes" means to advance a person's

SB3517

- 10 -

LRB103 35732 LNS 65813 b

1 commercial or economic interests, such as by inducing another

2 person to buy, rent, lease, join, subscribe to, provide, or

3 exchange products, goods, property, information, or services,

4 or enabling or effecting, directly or indirectly, a commercial

5 transaction.

6 "Common branding" means a shared name, service mark, or

7 trademark that the average consumer would understand that 2 or

8 more entities are commonly owned.

9 "Consent" means any freely given, specific, informed, and

10 unambiguous indication of the consumer's wishes by which the

11 consumer, the consumer's legal guardian, or a person who has

12 power of attorney signifies agreement to the processing of

13 personal information relating to the consumer for a narrowly

14 defined particular purpose. "Consent" does not include

15 acceptance of a general or broad terms of use, or similar

16 document, that contains descriptions of personal information

17 processing along with other, unrelated information, hovering

18 over, muting, pausing, or closing a given piece of content, or

19 an agreement obtained through use of dark patterns.

20 "Consumer" means a natural person who is a State resident,

21 however identified, including by any unique identifier.

22 "Contractor" means a person to whom the business makes

23 available personal information for a business purpose, under

24 the written contract with the business, if the contract:

25 (1) prohibits the contractor from:

26 (A) selling or sharing the personal information;

SB3517

- 11 -

LRB103 35732 LNS 65813 b

1 (B) retaining, using, or disclosing the personal

2 information for any purpose other than for the

3 business purpose specified in the contract, including

4 retaining, using, or disclosing the personal

5 information for a commercial purpose other than the

6 business purposes specified in the contract, or as

7 otherwise permitted by this Act;

8 (C) retaining, using, or disclosing the personal

9 information outside of the direct business

10 relationship between the contractor and the business;

11 and

12 (D) combining the personal information that the

13 contractor receives under a written contract with the

14 business with personal information that it receives on

15 behalf of another person or persons, or collects from

16 its own interaction with the consumer;

17 (2) includes a certification made by the contractor

18 that the contractor understands the restrictions in

19 paragraph (1) and will comply with them; and

20 (3) permits, subject to agreement with the contractor,

21 the business to monitor the contractor's compliance with

22 the contract through measures, including, but not limited

23 to, ongoing manual reviews and automated scans and regular

24 assessments, audits, or other technical and operational

25 testing at least once every 12 months.

26 "Control" or "controlled" means ownership of, or the power

SB3517

- 12 -

LRB103 35732 LNS 65813 b

1 to vote, more than 50% of the outstanding shares, control in

2 any manner over the election of a majority of directors, or of

3 individuals exercising similar functions, or the power to

4 exercise a controlling influence over the management of the

5 company.

6 "Covered entity" has the meaning given to that term in

7 Section 160.103 of Title 45 of the Code of Federal

8 Regulations.

9 "Cross-context behavioral advertising" means the targeting

10 of advertising to a consumer based on the personal information

11 obtained from the consumer's activity across businesses,

12 distinctly branded websites, applications, or services, other

13 than the business, distinctly branded website, application, or

14 service with which the consumer intentionally interacts.

15 "Dark pattern" means a user interface designed or

16 manipulated with the substantial effect of subverting or

17 impairing user autonomy, decision-making, or choice.

18 "Deidentified" means information that cannot be reasonably

19 used to infer information about, or otherwise be linked to, a

20 particular consumer if the business that possesses the

21 information:

22 (1) takes reasonable measures to ensure that the

23 information cannot be associated with a consumer or

24 household;

25 (2) publicly commits to maintain and use the

26 information in deidentified form and not to attempt to

SB3517

- 13 -

LRB103 35732 LNS 65813 b

1 reidentify the information; and

2 (3) contractually obligates any recipients of the

3 information to comply with all provisions of this

4 definition.

5 "Designated methods for submitting requests" means a

6 mailing address, email address, Internet webpage, Internet web

7 portal, toll-free telephone number, or other applicable

8 contact information, whereby consumers may submit a request or

9 direction under this Act, and any new, consumer-friendly means

10 of contacting a business.

11 "Device" means any physical object that is capable of

12 connecting to the Internet, directly or indirectly, or to

13 another device.

14 "Director" means a natural person designated in the

15 articles of incorporation as director, or elected by the

16 incorporators and natural persons designated, elected, or

17 appointed by any other name or title to act as directors, and

18 their successors.

19 "Educational standardized assessment or educational

20 assessment" means a standardized or nonstandardized quiz,

21 test, or other assessment used to evaluate students in or for

22 entry to kindergarten and grades 1 through 12, schools,

23 postsecondary institutions, vocational programs, and

24 postgraduate programs that are accredited by an accrediting

25 agency or organization recognized by the State or the United

26 States Department of Education, as well as certification and

SB3517

- 14 -

LRB103 35732 LNS 65813 b

1 licensure examinations used to determine competency and

2 eligibility to receive certification or licensure from a

3 government agency or government certification body.

4 "Family" means a custodial parent or guardian and any

5 children under 18 years of age over which the parent or

6 guardian has custody.

7 "Fraudulent concealment" means the person knows of

8 material facts related to the person's duties under this Act

9 and knowingly conceals the facts in performing or omitting to

10 perform those duties for the purpose of defrauding the public

11 of information to which it is entitled under this Act.

12 "Homepage" means the introductory page of an Internet

13 website and any Internet webpage where personal information is

14 collected. "Homepage", in the case of an online service such

15 as a mobile application, means the application's platform page

16 or download page, a link within the application, such as from

17 the application configuration, "About", "Information", or

18 settings page, and any other location that allows consumers to

19 review the notices required by this Act, including, but not

20 limited to, before downloading the application.

21 "Household" means a group, however identified, of

22 consumers who cohabitate with one another at the same

23 residential address and share use of common devices or

24 services.

25 "Independent contractor" means a natural person who

26 provides any service to a business under a written contract.

SB3517

- 15 -

LRB103 35732 LNS 65813 b

1 "Individually identifiable" means that the medical

2 information includes or contains any element of personal

3 identifying information sufficient to allow identification of

4 the individual, such as the patient's name, address, email

5 address, telephone number, or social security number, or other

6 information that, alone or in combination with other publicly

7 available information, reveals the identity of the individual.

8 "Infer" or "inference" means the derivation of

9 information, data, assumptions, or conclusions from facts,

10 evidence, or other sources of information or data.

11 "Insurance institution" means any corporation,

12 association, partnership, reciprocal exchange, interinsurer,

13 fraternal benefit society, or other person engaged in the

14 business of insurance. "Insurance institution" does not

15 include agents, insurance-support organizations, or health

16 care service plans.

17 "Intentionally interacts" means when the consumer intends

18 to interact with a person, or disclose personal information to

19 a person, via one or more deliberate interactions, including

20 visiting the person's website or purchasing a good or service

21 from the person. "Intentionally interacts" does not include

22 hovering over, muting, pausing, or closing a given piece of

23 content.

24 "Jeopardize the validity and reliability of that

25 educational standardized assessment or educational assessment"

26 means releasing information that would provide an advantage to

SB3517

- 16 -

LRB103 35732 LNS 65813 b

1 the consumer who has submitted a verifiable consumer request

2 or to another natural person.

3 "Local educational agency" includes school districts,

4 county offices of education, and charter schools.

5 "Management employee" means a natural person whose name

6 and contact information is reported to or collected by a

7 commercial credit reporting agency as the primary manager of a

8 business and used solely within the context of the natural

9 person's role as the primary manager of the business.

10 "Medical information" means any individually identifiable

11 information, in electronic or physical form, in possession of

12 or derived from a provider of health care, health care service

13 plan, pharmaceutical company, or contractor regarding a

14 patient's medical history, mental health application

15 information, mental or physical condition, or treatment.

16 "Medical staff member" means a licensed physician and

17 surgeon, dentist, or podiatric physician, licensed under the

18 Medical Practice Act of 1987, the Illinois Dental Practice

19 Act, or the Podiatric Medical Practice Act of 1987 and a

20 clinical psychologist as defined in the Clinical Psychologist

21 Licensing Act.

22 "New motor vehicle dealer" is a dealer who either acquires

23 for resale new and unregistered motor vehicles from

24 manufacturers or distributors of those motor vehicles or

25 acquires for resale new off-highway motorcycles or all-terrain

26 vehicles from manufacturers or distributors of the vehicles.

SB3517

- 17 -

LRB103 35732 LNS 65813 b

1 "Nonpersonalized advertising" means advertising and

2 marketing that is based solely on personal information derived

3 from the consumer's current interaction with the business with

4 the exception of the consumer's precise geolocation.

5 "Officer" means a natural person elected or appointed by

6 the board of directors to manage the daily operations of a

7 corporation, including a chief executive officer, president,

8 secretary, or treasurer.

9 "Owner" means a natural person who:

10 (1) has ownership of, or the power to vote, more than

11 50% of the outstanding shares of any class of voting

12 security of a business;

13 (2) has control in any manner over the election of a

14 majority of the directors or of individuals exercising

15 similar functions; or

16 (3) has the power to exercise a controlling influence

17 over the management of a company.

18 "Ownership information" means the name or names of and

19 contact information for the registered owner or owners.

20 "Person" means an individual, proprietorship, firm,

21 partnership, joint venture, syndicate, business, trust,

22 company, corporation, limited liability company, association,

23 committee, and any other organization or group of persons

24 acting in concert.

25 "Personal information" means information that identifies,

26 relates to, describes, is reasonably capable of being

SB3517

- 18 -

LRB103 35732 LNS 65813 b

1 associated with, or could reasonably be linked, directly or

2 indirectly, with a particular consumer or household. "Personal

3 information" includes, but is not limited to, the following if

4 it identifies, relates to, describes, is reasonably capable of

5 being associated with, or could be reasonably linked, directly

6 or indirectly, with a particular consumer or household:

7 (1) identifiers such as a real name, alias, postal

8 address, unique personal identifier, online identifier,

9 Internet Protocol address, email address, account name,

10 social security number, driver's license number, passport

11 number, or other similar identifiers;

12 (2) any information, including, but not limited to,

13 signature, physical characteristics or description,

14 address, telephone number, state identification card

15 number, insurance policy number, education, bank account

16 number, credit card number, debit card number, or any

17 other financial information, medical information, or

18 health insurance information, but does not include

19 publicly available information that is lawfully made

20 available to the general public from federal, State, or

21 local government records;

22 (3) characteristics of protected classifications under

23 State or federal law;

24 (4) commercial information, including records of

25 personal property, products or services purchased,

26 obtained, or considered, or other purchasing or consuming

SB3517

- 19 -

LRB103 35732 LNS 65813 b

1 histories or tendencies;

2 (5) biometric information;

3 (6) Internet or other electronic network activity

4 information, including, but not limited to, browsing

5 history, search history, and information regarding a

6 consumer's interaction with an Internet website,

7 application, or advertisement;

8 (7) geolocation data;

9 (8) audio, electronic, visual, thermal, olfactory, or

10 similar information;

11 (9) professional or employment-related information;

12 (10) education information that is not publicly

13 available, personally identifiable information as defined

14 in the federal Family Educational Rights and Privacy Act;

15 (11) inferences drawn from any of the information

16 identified in this definition to create a profile about a

17 consumer to reflect the consumer's preferences,

18 characteristics, psychological trends, predispositions,

19 behavior, attitudes, intelligence, abilities, and

20 aptitudes; or

21 (12) sensitive personal information.

22 "Personal information" does not include publicly available

23 information or lawfully obtained, truthful information that is

24 a matter of public concern, consumer information that is

25 deidentified, or aggregate consumer information.

26 "Precise geolocation" means any data that is derived from

SB3517

- 20 -

LRB103 35732 LNS 65813 b

1 a device and that is used or intended to be used to locate a

2 consumer within a geographic area that is equal to or less than

3 the area of a circle with a radius of 1,850 feet, except as

4 prescribed by rules.

5 "Processing" means any operation or set of operations that

6 are performed on personal information or on sets of personal

7 information, whether by automated means.

8 "Profiling" means any form of automated processing of

9 personal information to evaluate certain personal aspects

10 relating to a natural person and in particular to analyze or

11 predict aspects concerning that natural person's performance

12 at work, economic situation, health, personal preferences,

13 interests, reliability, behavior, location, or movements.

14 "Protected health information" has the meaning given to

15 that term in Section 160.103 of Title 45 of the Code of Federal

16 Regulations.

17 "Provider of health care" means a person licensed or

18 certified under the Medical Practice Act of 1987, the Nurse

19 Practice Act, the Illinois Dental Practice Act, the Podiatric

20 Medical Practice Act of 1987, the Illinois Speech-Language

21 Pathology and Audiology Practice Act, the Illinois

22 Occupational Therapy Practice Act, the Dietitian Nutritionist

23 Practice Act, the Perfusionist Practice Act, the Illinois

24 Physical Therapy Act, the Licensed Certified Professional

25 Midwife Practice Act, the Clinical Psychologist Licensing Act,

26 the Illinois Optometric Practice Act of 1987, the Physician

SB3517

- 21 -

LRB103 35732 LNS 65813 b

1 Assistant Practice Act of 1987, the Respiratory Care Practice

2 Act, the Pharmacy Practice Act, the Massage Licensing Act, the

3 Music Therapy Licensing and Practice Act, the Veterinary

4 Medicine and Surgery Practice Act of 2004, the Acupuncture

5 Practice Act, the Marriage and Family Therapy Licensing Act,

6 the Behavior Analyst Licensing Act, the Clinical Social Work

7 and Social Work Practice Act, and the Professional Counselor

8 and Clinical Professional Counselor Licensing and Practice Act

9 or a clinic, health dispensary, or health facility licensed

10 under the Community Living Facilities Licensing Act, the Home

11 Health, Home Services, and Home Nursing Agency Licensing Act,

12 the Hospice Program Licensing Act, and the Hospital Licensing

13 Act. "Provider of health care" does not include insurance

14 institutions.

15 "Pseudonymize" or "pseudonymization" means the processing

16 of personal information in a manner that renders the personal

17 information no longer attributable to a specific consumer

18 without the use of additional information, as long as the

19 additional information is kept separately and is subject to

20 technical and organizational measures to ensure that the

21 personal information is not attributed to an identified or

22 identifiable consumer.

23 "Publicly available" means information that is lawfully

24 made available from federal, State, or local government

25 records, information that a business has a reasonable basis to

26 believe is lawfully made available to the general public by

SB3517

- 22 -

LRB103 35732 LNS 65813 b

1 the consumer or from widely distributed media or information

2 made available by a person to whom the consumer has disclosed

3 the information if the consumer has not restricted the

4 information to a specific audience. "Publicly available" does

5 not include biometric information collected by a business

6 about a consumer without the consumer's knowledge.

7 "Research" means scientific analysis, systematic study,

8 and observation, including basic research or applied research

9 that is designed to develop or contribute to public or

10 scientific knowledge and that adheres or otherwise conforms to

11 all other applicable ethics and privacy laws, including, but

12 not limited to, studies conducted in the public interest in

13 the area of public health.

14 "Security and integrity" means the ability of:

15 (1) networks or information systems to detect security

16 incidents that compromise the availability, authenticity,

17 integrity, and confidentiality of stored or transmitted

18 personal information;

19 (2) businesses to detect security incidents, resist

20 malicious, deceptive, fraudulent, or illegal actions and

21 to help prosecute those responsible for those actions; and

22 (3) businesses to ensure the physical safety of

23 natural persons.

24 "Sell", "selling", "sale", or "sold" means selling,

25 renting, releasing, disclosing, disseminating, making

26 available, transferring, or otherwise communicating orally, in

SB3517

- 23 -

LRB103 35732 LNS 65813 b

1 writing, or by electronic or other means personal information

2 by the business to a third party for monetary or other valuable

3 consideration.

4 "Sensitive personal information" means:

5 (1) personal information that reveals:

6 (A) a consumer's social security, driver's

7 license, state identification card, or passport

8 number;

9 (B) a consumer's account log-in, financial

10 account, debit card, or credit card number in

11 combination with any required security or access code,

12 password, or credentials allowing access to an

13 account;

14 (C) a consumer's precise geolocation;

15 (D) a consumer's racial or ethnic origin,

16 religious or philosophical beliefs, or union

17 membership;

18 (E) the contents of a consumer's mail, email, or

19 text messages unless the business is the intended

20 recipient of the communication; or

21 (F) a consumer's genetic data;

22 (2) the processing of biometric information for the

23 purpose of uniquely identifying a consumer;

24 (3) personal information collected and analyzed

25 concerning a consumer's health; or

26 (4) personal information collected and analyzed

SB3517

- 24 -

LRB103 35732 LNS 65813 b

1 concerning a consumer's sex life or sexual orientation.

2 "Sensitive personal information" does not include sensitive

3 personal information that is publicly available.

4 "Service" or "services" means work, labor, and services,

5 including services furnished in connection with the sale or

6 repair of goods.

7 "Service provider" means a person that processes personal

8 information on behalf of a business and that receives from or

9 on behalf of the business personal information for a business

10 purpose under a written contract, as long as the contract

11 prohibits the person from:

12 (1) selling or sharing the personal information;

13 (2) retaining, using, or disclosing the personal

14 information for any purpose other than for the specific

15 business purposes specified in the contract for the

16 business, including retaining, using, or disclosing the

17 personal information for a commercial purpose other than

18 the business purposes specified in the contract with the

19 business, or as otherwise permitted by this Act;

20 (3) retaining, using, or disclosing the personal

21 information outside of the direct business relationship

22 between the service provider and the business; or

23 (4) combining the personal information that the

24 service provider receives from, or on behalf of, the

25 business with personal information that it receives from,

26 or on behalf of, another person or persons, or collects

SB3517

- 25 -

LRB103 35732 LNS 65813 b

1 from its own interaction with the consumer.

2 "Share", "shared", or "sharing" means sharing, renting,

3 releasing, disclosing, disseminating, making available,

4 transferring, or otherwise communicating orally, in writing,

5 or by electronic or other means personal information by the

6 business to a third party for cross-context behavioral

7 advertising, whether for monetary or other valuable

8 consideration, including transactions between a business and a

9 third party for cross-context behavioral advertising for the

10 benefit of a business in which no money is exchanged.

11 "Third party" means a person who is not:

12 (1) the business with whom the consumer intentionally

13 interacts and that collects personal information from the

14 consumer as part of the consumer's current interaction

15 with the business under this Act;

16 (2) a service provider to the business; or

17 (3) a contractor.

18 "Unique identifier" or "unique personal identifier" means

19 a persistent identifier that can be used to recognize a

20 consumer, family, or device that is linked to a consumer or

21 family, over time and across different services, including,

22 but not limited to, a device identifier, Internet Protocol

23 address, cookies, beacons, pixel tags, mobile ad identifiers,

24 or similar technology, customer number, unique pseudonym, or

25 user alias, telephone numbers, or other forms of persistent or

26 probabilistic identifiers that can be used to identify a

SB3517

- 26 -

LRB103 35732 LNS 65813 b

1 particular consumer or device that is linked to a consumer or

2 family.

3 "Vehicle information" means the vehicle information

4 number, make, model, year, and odometer reading.

5 "Vehicle manufacturer" means any person who produces from

6 raw materials or new basic components a vehicle of a type

7 subject to registration, off-highway motorcycles or

8 all-terrain vehicles subject to identification, or trailers

9 subject to identification, or who permanently alters, for

10 purposes of retail sales, new commercial vehicles by

11 converting the vehicles into house cars.

12 "Verifiable consumer request" means a request that is made

13 by a consumer, by a consumer on behalf of the consumer's minor

14 child, by a natural person or a person registered with the

15 Secretary of State authorized by the consumer to act on the

16 consumer's behalf, or by a person who has power of attorney,

17 and that the business can reasonably verify, using

18 commercially reasonable methods to be the consumer about whom

19 the business has collected personal information.

20 Section 5-15. Miscellaneous provisions.

21 (a) The joint venture or partnership and each business

22 that composes the joint venture or partnership shall

23 separately be considered a single business, except that

24 personal information in the possession of each business and

25 disclosed to the joint venture or partnership shall not be

SB3517

- 27 -

LRB103 35732 LNS 65813 b

1 shared with the other business.

2 (b) A contractor may combine personal information to

3 perform any business purpose, except as provided for in

4 paragraph (6) of the definition of business purposes and in

5 rules adopted by the Agency.

6 (c) If a contractor engages any other person to assist it

7 in processing personal information for a business purpose on

8 behalf of that business, or if any other person engaged by the

9 contractor engages another person to assist in processing

10 personal information for that business purposes, it shall

11 notify the business of that engagement, and the engagement

12 shall be under a written contract binding the other person to

13 observe all of the requirements set forth in the definition of

14 contractor.

15 (d) A business may attempt to reidentify the deindentified

16 personal information solely for the purpose of determining

17 whether its deidentification processes satisfies the

18 requirements of the definition of deidentified.

19 (e) Research with personal information that may have been

20 collected from a consumer in the course of consumer's

21 interactions with a business's service or device for other

22 purposes shall be:

23 (1) compatible with the business purpose for which the

24 personal information was collected;

25 (2) subsequently pseudonymized and deidentified, or

26 deidentified and in the aggregate, such that the

SB3517

- 28 -

LRB103 35732 LNS 65813 b

1 information cannot reasonably identify, relate to,

2 describe, be capable of being associated with, or be

3 linked, directly or indirectly, to a particular consumer,

4 by a business;

5 (3) made subject to technical safeguards that prohibit

6 reidentification of the consumer to whom the information

7 may pertain, other than as needed to support the research;

8 (4) subject to business processes that specifically

9 prohibit reidentification of the information, other than

10 as needed to support the research;

11 (5) made subject to business processes to prevent

12 inadvertent release of deidentified information;

13 (6) protected from any reidentification attempts;

14 (7) used solely for research purposes that are

15 compatible with the context in which the personal

16 information was collected; and

17 (8) subjected by the business conducting the research

18 to additional security controls that limit access to the

19 research data to only those individuals as are necessary

20 to carry out the research purpose.

21 (f) A business that does not sell or share personal

22 information when:

23 (1) a consumer uses or directs the business to

24 intentionally:

25 (A) disclose personal information; or

26 (B) interact with one or more third parties;

SB3517

- 29 -

LRB103 35732 LNS 65813 b

1 (2) the business uses or shares an identifier for a

2 consumer who has opted-out of the sale of personal

3 information or limited the use of sensitive personal

4 information for the purposes of altering persons that the

5 consumer has opted-out of the sale of personal information

6 or limited the use of sensitive personal information; or

7 (3) the business transfers to a third party the

8 personal information as an asset that is part of a merger,

9 acquisition, bankruptcy, or other transaction in which the

10 third party assumes control of all or part of the

11 business, as long as that personal information is used or

12 shared consistently with this Act. If a third party

13 materially alters how it uses or shares the personal

14 information in a manner that is materially inconsistent

15 with the promises made at the time of collection, it shall

16 provide prior notice of the new or changed practice to the

17 consumer. The notice shall be sufficiently prominent and

18 robust to ensure that existing consumers can easily

19 exercise their choices consistently with this Act. This

20 paragraph does not authorize a business to make material,

21 retroactive privacy policy changes or make other changes

22 in their privacy policy in a manner that would violate the

23 Consumer Fraud and Deceptive Business Practices Act.

24 (g) A service provider may combine personal information to

25 perform any business purpose, except as provided for in

26 paragraph (6) of the definition of business purpose in Section

SB3517

- 30 -

LRB103 35732 LNS 65813 b

1 5-10 and in rules adopted by the Agency. The contract may,

2 subject to agreement with the service provider, permit the

3 business to monitor the service provider's compliance with the

4 contract through measures, including, but not limited to,

5 ongoing manual reviews and automated scans and regular

6 assessments, audits, or other technical and operational

7 testing at least once every 12 months.

8 (h) If a service provider engages any other person to

9 assist it in processing personal information for a business

10 purpose on behalf of the business, or if any other person

11 engaged by the service provider engages another person to

12 assist in processing personal information for that business

13 purpose, it shall notify the business of that engagement, and

14 the engagement shall be under a written contract binding the

15 other person to observe all the requirements set forth in the

16 definition of service provider.

17 (i) A business is not obligated to provide information to

18 the consumer under Sections 10-20 and 10-25 to delete personal

19 information or to correct inaccurate personal information, if

20 the business cannot verify that the consumer making the

21 request is the consumer about whom the business has collected

22 information or is a person authorized by the consumer to act on

23 such consumer's behalf.

24 Article 10. Personal Information

SB3517

- 31 -

LRB103 35732 LNS 65813 b

1 Section 10-5. General duties of businesses that collect

2 personal information.

3 (a) A business that controls the collection of personal

4 information shall, at or before the point of collection,

5 inform consumers of:

6 (1) the categories of personal information to be

7 collected and the purposes for which the categories of

8 personal information are collected or used and whether

9 that information is sold or shared. A business shall not

10 collect additional categories of personal information or

11 use personal information collected for additional purposes

12 that are incompatible with the disclosed purpose for which

13 the personal information was collected without providing

14 the consumer with notice consistent with this Section

15 (2) if the business collects sensitive personal

16 information, the categories of sensitive personal

17 information to be collected and the purposes for which the

18 categories of sensitive personal information to be

19 collected. A business shall not collect additional

20 categories of sensitive personal information or use

21 sensitive personal information collected for additional

22 purposes that are incompatible with the disclosed purpose

23 for which the sensitive personal information was collected

24 without providing the consumer with notice consistent with

25 this Section; and

26 (3) the length of time the business intends to retain

SB3517

- 32 -

LRB103 35732 LNS 65813 b

1 each category of personal information, including sensitive

2 personal information, or, if that is not possible, the

3 criteria used to determine that period provided that a

4 business shall not retain personal information or

5 sensitive personal information for each disclosed purpose

6 for which the personal information was collected for

7 longer than is reasonably necessary for that disclosed

8 purpose.

9 (b) A business that, acting as a third party, controls the

10 collection of personal information may satisfy its obligation

11 under subsection (a) by providing the required information

12 prominently and conspicuously on the homepage of its Internet

13 website. If a business acting as a third party controls the

14 collection of personal information on its premises, including

15 in a vehicle, then the business shall, at or before the point

16 of collection, inform consumers as to the categories of

17 personal information to be collected and the purposes for

18 which the categories of personal information are used, and

19 whether that personal information is sold, in a clear and

20 conspicuous manner at the location.

21 (c) Collection, use, retention, and sharing of personal

22 information by a business shall be reasonably necessary and

23 proportionate to achieve the purposes for which the personal

24 information was collected or processed, or for another

25 disclosed purpose that is compatible with the context in which

26 the personal information was collected, and not further

SB3517

- 33 -

LRB103 35732 LNS 65813 b

1 processed in a manner that is incompatible with those

2 purposes.

3 (d) A business that collects personal information and that

4 sells that personal information to, or shares it with, a third

5 party or that discloses it to a service provider or contractor

6 for a business purpose shall enter into an agreement with the

7 third party, service provider, or contractor that:

8 (1) specifies that the personal information is sold or

9 disclosed by the business only for limited and specified

10 purposes;

11 (2) obligates the third party, service provider, or

12 contractor to comply with applicable obligations under

13 this Act and obligate those persons to provide the same

14 level of privacy protection as is required under this Act;

15 (3) grants the business rights to take reasonable and

16 appropriate steps to help ensure that the third party,

17 service provider, or contractor uses the personal

18 information transferred in a manner consistent with the

19 obligations of the business under this Act;

20 (4) requires the third party, service provider, or

21 contractor to notify the business if it makes a

22 determination that it can no longer meet its obligations

23 under this Act; and

24 (5) grants the business the right, upon notice, to

25 take reasonable and appropriate steps to stop and

26 remediate unauthorized use of personal information.

SB3517

- 34 -

LRB103 35732 LNS 65813 b

1 (e) A business that collects personal information shall

2 implement reasonable security procedures and practices

3 appropriate to the nature of the personal information to

4 protect the personal information from unauthorized or illegal

5 access, destruction, use, modification, or disclosure.

6 (f) Nothing in this Section shall require a business to

7 disclose trade secrets.

8 Section 10-10. Right to delete personal information.

9 (a) A consumer shall have the right to request that a

10 business delete any personal information about the consumer

11 which the business has collected from the consumer.

12 (b) A business that collects personal information shall

13 disclose the consumer's rights to request the deletion of the

14 personal information.

15 (c) A business that receives a verifiable consumer request

16 from a consumer to delete the personal information under

17 subsection (a) shall delete the personal information from its

18 records, notify any service providers or contractors to delete

19 the personal information from their records, and notify all

20 third parties to whom the business has sold or shared the

21 personal information to delete the personal information unless

22 this proves impossible or involves disproportionate effort.

23 The business may maintain a confidential record of

24 deletion requests solely for the purpose of preventing the

25 personal information of a consumer who has submitted a

SB3517

- 35 -

LRB103 35732 LNS 65813 b

1 deletion request from being sold, for compliance with laws or

2 for other purposes, solely to the extent permissible under

3 this Act.

4 A service provider or contractor shall cooperate with the

5 business in responding to a verifiable consumer request, and,

6 at the direction of the business, shall delete, or enable the

7 business to delete, and notify any of its own service

8 providers or contractors to delete the personal information

9 collected, used, processed, or retained by the service

10 provider or contractor. The service provider or contractor

11 shall notify any service providers, contractors, or third

12 parties who may have accessed personal information from or

13 through the service provider or contractor, unless the

14 information was accessed at the direction of the business, to

15 delete the personal information unless this proves impossible

16 or involves disproportionate effort. A service provider or

17 contractor shall not be required to comply with a deletion

18 request submitted by the consumer directly to the service

19 provider or contractor to the extent that the service provider

20 or contractor has collected, used, processed, or retained the

21 personal information in its role as a service provider or

22 contractor to the business.

23 (d) A business, or a service provider or contractor acting

24 under its contract with the business, shall not be required to

25 comply with a consumer's request to delete personal

26 information if it is reasonably necessary for the business,

SB3517

- 36 -

LRB103 35732 LNS 65813 b

1 service provider, or contractor to maintain the personal

2 information in order to:

3 (1) complete the transaction for which the personal

4 information was collected, fulfill the terms of a written

5 warranty or product recall conducted in accordance with

6 federal law, provide a good or service requested by the

7 consumer, or reasonably anticipate an ongoing business

8 relationship with the consumer, or otherwise perform a

9 contract between the business and the consumer;

10 (2) help to ensure security and integrity to the

11 extent the use of the personal information is reasonably

12 necessary and proportionate for those purposes;

13 (3) debug to identify and repair errors that impair

14 existing intended functionality;

15 (4) exercise free speech, ensure the right of another

16 consumer to exercise that consumer's right of free speech,

17 or exercise another right provided for by law;

18 (5) comply with the Protecting Household Privacy Act;

19 (6) engage in public or peer-reviewed scientific,

20 historical, or statistical research that conforms or

21 adheres to all other applicable ethics and privacy laws,

22 when the deletion of the information is likely to render

23 impossible or seriously impair the ability to complete

24 such research, if the consumer has provided informed

25 consent;

26 (7) to enable solely internal uses that are reasonably

SB3517

- 37 -

LRB103 35732 LNS 65813 b

1 aligned with the expectations of the consumer based on the

2 consumer's relationship with the business and compatible

3 with the context in which the consumer provided the

4 information; or

5 (8) comply with a legal obligation.

6 Section 10-15. Right to correct inaccurate personal

7 information.

8 (a) A consumer shall have the right to request a business

9 that maintains inaccurate personal information about the

10 consumer to correct that inaccurate personal information,

11 taking into account the nature of the personal information and

12 the purposes of the processing of the personal information.

13 (b) A business that collects personal information shall

14 disclose the consumer's right to request correction of

15 inaccurate personal information.

16 (c) A business that receives a verifiable consumer request

17 to correct inaccurate personal information shall use

18 commercially reasonable efforts to correct the inaccurate

19 personal information as directed by the consumer.

20 Section 10-20. Right to know what personal information is

21 being collected; right to access personal information.

22 (a) A consumer shall have the right to request that a

23 business that collects personal information about the consumer

24 disclose to the consumer:

SB3517

- 38 -

LRB103 35732 LNS 65813 b

1 (1) the categories of personal information it has

2 collected about the consumer;

3 (2) the categories of sources from which the personal

4 information is collected;

5 (3) the business or commercial purpose for collecting,

6 selling, or sharing personal information;

7 (4) the categories of third parties to whom the

8 business discloses personal information; and

9 (5) the specific pieces of personal information it has

10 collected about that consumer.

11 (b) A business that collects personal information shall

12 disclose to the consumer the information specified in

13 subsection (a) upon receipt of a verifiable consumer request

14 from the consumer.

15 (c) A business that collects personal information shall

16 disclose that a consumer has the right to request the specific

17 pieces of information the business has collected about that

18 consumer.

19 Section 10-25. Right to know what personal information is

20 sold or shared and to whom.

21 (a) A consumer shall have the right to request that a

22 business that sells or shares personal information, or that

23 discloses personal information for a business purpose,

24 disclose to that consumer:

25 (1) the categories of personal information that the

SB3517

- 39 -

LRB103 35732 LNS 65813 b

1 business collected about the consumer;

2 (2) the categories of personal information that the

3 business sold or shared about the consumer and the

4 categories of third parties to whom the personal

5 information was sold or shared, by category or categories

6 of personal information for each category of third parties

7 to whom the personal information was sold or shared; and

8 (3) the categories of personal information that the

9 business disclosed about the consumer for a business

10 purpose and the categories of persons to whom it was

11 disclosed for a business purpose.

12 (b) A business that sells or shares personal information,

13 or that discloses personal information for a business purpose,

14 shall disclose the personal information specified in

15 subsection (a) to the consumer upon receipt of a verifiable

16 consumer request from the consumer.

17 (c) A business that sells or shares personal information,

18 or that discloses personal information for a business purpose,

19 shall disclose:

20 (1) the category or categories of personal information

21 it has sold or shared, or if the business has not sold or

22 shared personal information, it shall disclose that fact;

23 and

24 (2) the category or categories of personal information

25 it has disclosed for a business purpose, or if the

26 business has not disclosed personal information for a

SB3517

- 40 -

LRB103 35732 LNS 65813 b

1 business purpose, it shall disclose that fact.

2 (d) A third party shall not sell or share personal

3 information that has been sold to, or shared with, the third

4 party by a business unless the consumer has received explicit

5 notice and is provided an opportunity to exercise the right to

6 opt out.

7 Section 10-30. Right to opt out of sale or sharing of

8 personal information.

9 (a) A consumer shall have the right, at any time, to direct

10 a business that sells or shares personal information to third

11 parties not to sell or share the personal information. This

12 right may be referred to as the right to opt out of sale or

13 sharing.

14 (b) A business that sells personal information to, or

15 shares it with, third parties shall provide notice to

16 consumers that this information may be sold or shared and that

17 consumers have the right to opt out of the sale or sharing of

18 their personal information.

19 (c) Notwithstanding subsection (a), a business shall not

20 sell or share the personal information of consumers if the

21 business has actual knowledge that the consumer is less than

22 16 years of age, unless the consumer, in the case of consumers

23 at least 13 years of age and less than 16 years of age, or the

24 consumer's parent or guardian in the case of consumers who are

25 less than 13 years of age, has affirmatively authorized the

SB3517

- 41 -

LRB103 35732 LNS 65813 b

1 sale or sharing of the personal information. A business that

2 willfully disregards the consumer's age shall be deemed to

3 have had actual knowledge of the consumer's age.

4 (d) A business that has received direction from a consumer

5 not to sell or share personal information or, in the case of a

6 minor consumer's personal information has not received consent

7 to sell or share the minor consumer's personal information,

8 shall be prohibited from selling or sharing the personal

9 information after its receipt of the consumer's direction,

10 unless the consumer subsequently provides consent, for the

11 sale or sharing of the personal information.

12 Section 10-35. Right to limit use and disclosure of

13 sensitive personal information.

14 (a) A consumer shall have the right, at any time, to direct

15 a business that collects sensitive personal information to

16 limit its use of the sensitive personal information to that

17 use which is necessary to perform the services or provide the

18 goods reasonably expected by an average consumer who requests

19 those goods or services, to perform the services set forth in

20 paragraphs (2), (4), (5), and (8) in the definition of

21 business purpose in Section 5-10, and as authorized by rule. A

22 business that uses or discloses sensitive personal information

23 for purposes other than those specified in this subsection

24 shall provide notice to consumers that this information may be

25 used, or disclosed to a service provider or contractor, for

SB3517

- 42 -

LRB103 35732 LNS 65813 b

1 additional, specified purposes and that consumers have the

2 right to limit the use or disclosure of their sensitive

3 personal information.

4 (b) A business that has received direction from a consumer

5 not to use or disclose the sensitive personal information,

6 except as authorized under subsection (a), shall be prohibited

7 from using or disclosing the sensitive personal information

8 for any other purpose after its receipt of the consumer's

9 direction unless the consumer subsequently provides consent

10 for the use or disclosure of the sensitive personal

11 information for additional purposes.

12 (c) A service provider or contractor that assists a

13 business in performing the purposes authorized by subsection

14 (a) may not use the sensitive personal information after it

15 has received instructions from the business and to the extent

16 it has actual knowledge that the sensitive personal

17 information is sensitive personal information for any other

18 purpose. A service provider or contractor is only required to

19 limit its use of sensitive personal information received under

20 a written contract with the business in response to

21 instructions from the business and only with respect to its

22 relationship with that business.

23 (d) Sensitive personal information that is collected or

24 processed without the purpose of inferring characteristics

25 about a consumer is not subject to this Section, as further

26 defined by rule, and shall be treated as personal information.

SB3517

- 43 -

LRB103 35732 LNS 65813 b

1 Section 10-40. Right of no retaliation following opt-out

2 or exercise of other rights.

3 (a) A business shall not discriminate against a consumer

4 because the consumer exercised any of the consumer's rights

5 under this Act, including, but not limited to:

6 (1) denying goods or services to the consumer;

7 (2) charging different prices or rates for goods or

8 services, including through the use of discounts or other

9 benefits or imposing penalties;

10 (3) providing a different level or quality of goods or

11 services to the consumer; or

12 (4) suggesting that the consumer will receive a

13 different price or rate for goods or services or a

14 different level or quality of goods or services.

15 A business shall not retaliate against an employee

16 applicant for employment, or independent contractor for

17 exercising their rights under this Act.

18 Nothing in this subsection prohibits a business from

19 charging a consumer a different price or rate, or from

20 providing a different level or quality of goods or services,

21 to the consumer if that difference is reasonably related to

22 the value provided to the business by the consumer's data.

23 This subsection does not prohibit a business from offering

24 loyalty, rewards, premium features, discounts, or club card

25 programs consistent with this Act.

SB3517

- 44 -

LRB103 35732 LNS 65813 b

1 (b) A business may offer financial incentives, including

2 payments to consumers as compensation, for the collection of

3 personal information, or the retention of personal

4 information. A business may also offer a different price,

5 rate, level, or quality of goods or services to the consumer if

6 that price or difference is reasonably related to the value

7 provided to the business by the consumer's data.

8 A business that offers any financial incentives under this

9 subsection shall notify consumers of the financial incentives

10 under Section 10-45.

11 A business may enter a consumer into a financial incentive

12 program only if the consumer gives the business prior opt-in

13 consent based on clearly described material terms of the

14 financial incentive program, which may be revoked by the

15 consumer at any time. If a consumer refuses to provide opt-in

16 consent, then the business shall wait for at least 12 months

17 before next requesting that the consumer provide opt-in

18 consent, or as prescribed by rules.

19 A business shall not use financial incentive practices

20 that are unjust, unreasonable, coercive, or usurious in

21 nature.

22 Section 10-45. Notice, disclosure, correction, and

23 deletion requirements.

24 (a) In order to comply with Sections 10-5, 10-10, 10-15,

25 10-20, 10-25, and 10-45, a business shall, in a form that is

SB3517

- 45 -

LRB103 35732 LNS 65813 b

1 reasonably accessible to consumers:

2 (1) (A) make available to consumers 2 or more

3 designated methods for submitting requests for information

4 required to be disclosed under Sections 10-20 and 10-25 or

5 requests for deletion or correction under Sections 10-10

6 and 10-15, including, at a minimum, a toll-free telephone

7 number. A business that operates exclusively online and

8 has a direct relationship with a consumer from whom it

9 collects personal information shall only be required to

10 provide an email address for submitting requests for

11 information required to be disclosed under Sections 10-20

12 and 10-25;

13 (B) if the business maintains an Internet website,

14 make the internet website available to consumers to submit

15 requests for information required to be disclosed under

16 Sections 10-20 and 10-25 or requests for deletion or

17 correction under Sections 10-10 and 10-15;

18 (2) disclose and deliver the required information to a

19 consumer free of charge, correct inaccurate personal

20 information, or delete personal information, based on the

21 consumer's request, within 45 days of receiving a

22 verifiable consumer request from the consumer. The

23 business shall promptly take steps to determine whether

24 the request is a verifiable consumer request, but this

25 shall not extend the business's duty to disclose and

26 deliver the information, correct inaccurate personal

SB3517

- 46 -

LRB103 35732 LNS 65813 b

1 information, or delete personal information within 45 days

2 of receipt of the consumer's request. The period to

3 provide the required information, correct inaccurate

4 personal information, or delete personal information may

5 be extended once by an additional 45 days when reasonably

6 necessary, as long as the consumer is provided notice of

7 the extension within the first 45-day period. The

8 disclosure of the required information shall be made in

9 writing and delivered through the consumer's account with

10 the business, if the consumer maintains an account with

11 the business, or by mail or electronically at the

12 consumer's option if the consumer does not maintain an

13 account with the business, in a readily usable format that

14 allows the consumer to transmit this information from one

15 entity to another entity without hindrance. The business

16 may require authentication of the consumer that is

17 reasonable in light of the nature of the personal

18 information requested, but shall not require the consumer

19 to create an account with the business in order to make a

20 verifiable consumer request. If the consumer has an

21 account with the business, the business may require the

22 consumer to use that account to submit a verifiable

23 consumer request.

24 The disclosure of the required information shall cover

25 the 12-month period preceding the business' receipt of the

26 verifiable consumer request. Upon the adoption of a rule

SB3517

- 47 -

LRB103 35732 LNS 65813 b

1 under Section 10-75, a consumer may request that the

2 business disclose the required information beyond the

3 12-month period, and the business shall be required to

4 provide that information unless doing so proves impossible

5 or would involve a disproportionate effort. A consumer's

6 right to request required information beyond the 12-month

7 period, and a business's obligation to provide that

8 information, shall only apply to personal information

9 collected on or after January 1, 2025. Nothing in this

10 subparagraph shall require a business to keep personal

11 information for any length of time;

12 (3) a business that receives a verifiable consumer

13 request under Section 10-20 or 10-25, disclose any

14 personal information it has collected about a consumer,

15 directly or indirectly, including through or by a service

16 provider or contractor, to the consumer. A service

17 provider or contractor shall not be required to comply

18 with a verifiable consumer request received directly from

19 a consumer or consumer's authorized agent under Section

20 10-20 or 10-25 to the extent that the service provider or

21 contractor has collected personal information about the

22 consumer in its role as a service provider or contractor.

23 A service provider or contractor shall provide assistance

24 to a business with which it has a contractual relationship

25 with respect to the business's response to a verifiable

26 consumer request, including, but not limited to, by

SB3517

- 48 -

LRB103 35732 LNS 65813 b

1 providing to the business the personal information in the

2 service provider's or contractor's possession that the

3 service provider or contractor obtained as a result of

4 providing services to the business and by correcting

5 inaccurate information or by enabling the business to do

6 the same. A service provider or contractor that collects

7 personal information under a written contract with a

8 business shall be required to assist the business through

9 appropriate technical and organizational measures in

10 complying with the requirements of subsections (d) through

11 (f) of Section 10-5, taking into account the nature of the

12 processing.

13 (4) for purposes of subsection (b) of Section 10-20:

14 (A) to identify the consumer, associate the

15 information provided to the consumer in the verifiable

16 consumer request to any personal information

17 previously collected by the business about the

18 consumer;

19 (B) identify by category or categories the

20 personal information collected about the consumer for

21 the applicable period by reference to the enumerated

22 category or categories in subsection (c) that most

23 closely describes the personal information collected,

24 the categories of sources from which the personal

25 information was collected, the business or commercial

26 purpose for collecting, selling, or sharing the

SB3517

- 49 -

LRB103 35732 LNS 65813 b

1 personal information, and the categories of third

2 parties to whom the business discloses the personal

3 information; and

4 (C) provide the specific pieces of personal

5 information obtained from the consumer in a format

6 that is easily understandable to the average consumer,

7 and to the extent technically feasible, in a

8 structured, commonly used, machine-readable format

9 that may also be transmitted to another entity at the

10 consumer's request without hindrance. Specific pieces

11 of personal information do not include data generated

12 to help ensure security and integrity or as prescribed

13 by rule. Personal information is not considered to

14 have been disclosed by a business when a consumer

15 instructs a business to transfer the personal

16 information from one business to another in the

17 context of switching services;

18 (5) for purposes of subsection (b) of Section 10-25:

19 (A) identify the consumer and associate the

20 information provided by the consumer in the verifiable

21 consumer request to any personal information

22 previously collected by the business about the

23 consumer;

24 (B) identify by category or categories the

25 personal information of the consumer that the business

26 sold or shared during the applicable period by

SB3517

- 50 -

LRB103 35732 LNS 65813 b

1 reference to the enumerated category in subsection (c)

2 that most closely describes the personal information,

3 and provide the categories of third parties to whom

4 the personal information was sold or shared during the

5 applicable period by reference to the enumerated

6 category or categories in subsection (c) that most

7 closely describes the personal information sold or

8 shared. The business shall disclose the information in

9 a list that is separate from a list generated under

10 subparagraph (C); and

11 (C) identify by category or categories the

12 personal information of the consumer that the business

13 disclosed for a business purpose during the applicable

14 period by reference to the enumerated category or

15 categories in subsection (c) that most closely

16 describes the personal information, and provide the

17 categories of persons to whom the personal information

18 was disclosed for a business purpose during the

19 applicable period by reference to the enumerated

20 category or categories in subsection (c) that most

21 closely describes the personal information disclosed.

22 The business shall disclose the information in a list

23 that is separate from a list generated under

24 subparagraph (B);

25 (6) disclose the following information in its online

26 privacy policy or policies if the business has an online

SB3517

- 51 -

LRB103 35732 LNS 65813 b

1 privacy police or policies and in any State-specific

2 description of consumer privacy rights, or if the business

3 does not maintain those policies, on its Internet website

4 and update that information at least once every 12 months:

5 (A) a description of a consumer's rights under

6 Sections 10-5, 10-10, 10-15, 10-20, 10-25, and 10-45

7 and 2 more designated methods for submitting requests,

8 except as provided in subparagraph (A) of paragraph

9 (1) of subsection (a);

10 (B) for purposes of subsection (c) of Section

11 10-20:

12 (i) a list of categories of personal

13 information it has collected about consumers in

14 the preceding 12 months by reference to the

15 enumerated category or categories in subsection

16 (c) that most closely describe the personal

17 information collected;

18 (ii) the categories of sources from which

19 personal information is collected;

20 (iii) the business or commercial purpose for

21 collecting, selling, or sharing personal

22 information; and

23 (iv) the categories of third parties to whom

24 the business discloses personal information; and

25 (C) for purposes of paragraphs (1) and (2) of

26 subsection (c) of Section 10-25, 2 separate lists:

SB3517

- 52 -

LRB103 35732 LNS 65813 b

1 (i) a list of categories of personal

2 information it has sold or shared about consumers

3 in the preceding 12 months by reference to the

4 enumerated category or categories in subsection

5 (c) that most closely describe the personal

6 information sold or shared, or if the business has

7 not sold or shared personal information in the

8 preceding 12 months, the business shall

9 prominently disclose that fact in its privacy

10 policy; and

11 (ii) a list of the categories of personal

12 information it has disclosed about consumers for a

13 business purpose in the preceding 12 months by

14 reference to the enumerated category or categories

15 in subsection (c) that most closely describes the

16 personal information disclosed, or if the business

17 has not disclosed personal information in the

18 preceding 12 months, the business shall disclose

19 that fact;

20 (7) ensure that all individuals responsible for

21 handling consumer inquiries about the business' privacy

22 practices or the business' compliance with this Act are

23 informed of all requirements in Sections 10-5, 10-10,

24 10-15, 10-20, 10-25, and 10-45 and this Section, and how

25 to direct consumers to exercise their rights under those

26 Sections; and

SB3517

- 53 -

LRB103 35732 LNS 65813 b

1 (8) use any personal information collected from the

2 consumer in connection with the business' verification of

3 the consumer's request solely for the purposes of

4 verification and shall not further disclose the personal

5 information, retain it longer than necessary for purposes

6 of verification, or use it for unrelated purposes.

7 (b) A business is not obligated to provide the information

8 required by Sections 10-20 and 10-25 to the same consumer more

9 than twice in a 12-month period.

10 (c) The categories of personal information required to be

11 disclosed under Sections 10-5, 10-20, and 10-25 shall follow

12 the definitions of personal information and sensitive personal

13 information by describing the categories of personal

14 information using the specific terms set forth in the

15 definition of personal information and by describing the

16 categories of sensitive personal information using the

17 specific terms set forth in the definition of sensitive

18 personal information.

19 Section 10-50. Methods of limiting sale, sharing, and use

20 of personal information and use of sensitive personal

21 information.

22 (a) A business that is sells or shares personal

23 information or discloses sensitive personal information for

24 purposes other than those authorized by subsection (a) of

25 Section 10-35 shall, in a form that is reasonably accessible

SB3517

- 54 -

LRB103 35732 LNS 65813 b

1 to consumers:

2 (1) provide a clear and conspicuous link on the

3 business's Internet homepage titled "Do Not Sell or Share

4 My Personal Information" to an Internet webpage that

5 enables a consumer, or a person authorized by the

6 consumer, to opt out of the sale or sharing of the personal

7 information;

8 (2) provide a clear and conspicuous link on the

9 business's Internet homepage titled "Limit the Use of My

10 Sensitive Personal Information" that enables a consumer,

11 or a person authorized by the consumer, to limit the use or

12 disclosure of the sensitive personal information;

13 (3) at the business's discretion, use a single,

14 clearly labeled link on the business's Internet homepage,

15 in lieu of complying with paragraphs (1) and (2), if that

16 link easily allows a consumer to opt out of the sale or

17 sharing of the personal information and to limit the use

18 or disclosure of the sensitive personal information; and

19 (4) if the business responds to opt-out requests

20 received under paragraph (1), (2), or (3) by informing the

21 consumer of a charge for the use of any product or service,

22 present the terms of any financial incentive offered under

23 subsection (b) of Section 10-40, for the retention, use,

24 sale, or sharing of the personal information or sensitive

25 personal information.

26 (b) A business shall not be required to comply with

SB3517

- 55 -

LRB103 35732 LNS 65813 b

1 subsection (a) if the business allows consumers to opt out of

2 the sale or sharing of personal information or limit the use of

3 sensitive personal information through an opt-out preference

4 signal sent with the consumer's consent by a platform,

5 technology, or mechanism, based on technical specifications

6 set forth by rules, to the business indicating the consumer's

7 intent to opt out of the business's sale or sharing of the

8 personal information or to limit the use or disclosure of the

9 sensitive personal information, or both.

10 A business that allows consumers to opt out of the sale or

11 sharing of their personal information and to limit the use of

12 sensitive personal information under this subsection may

13 provide a link to a webpage that enables the consumer to

14 consent to the business ignoring the opt-out preference signal

15 with respect to that business's sale or sharing of the

16 personal information or the use of the sensitive personal

17 information for additional purposes if:

18 (1) the consent webpage also allows the consumer

19 or a person authorized by the consumer to revoke the

20 consent as easily as it affirmatively provided;

21 (2) the link to the webpage does not degrade the

22 consumer's experience on the webpage the consumer

23 intends to visit and has a similar look, feel, and size

24 relative to other links on the same webpage; and

25 (3) the consent webpage complies with technical

26 specifications set forth by rules.

SB3517

- 56 -

LRB103 35732 LNS 65813 b

1 A business that complies with subsection (a) is not

2 required to comply with subsection (b). A business may elect

3 whether to comply with subsection (a) or (b).

4 (c) A business that is subject to this Section shall:

5 (1) not require a consumer to create an account or

6 provide additional information beyond what is necessary in

7 order to direct the business not to sell or share the

8 personal information or to limit use or disclosure of the

9 sensitive personal information;

10 (2) include a description of a consumer's rights under

11 Sections 10-30 and 10-35, along with a separate link to

12 the "Do Not Sell or Share My Personal Information"

13 Internet webpage and a separate link to the "Limit the Use

14 of My Sensitive Personal Information" Internet webpage, if

15 applicable, or a single link to both choices, or a

16 statement that the business responds to and abides by

17 opt-out preference signals sent by a platform, technology,

18 or mechanism in accordance with subsection (b), in:

19 (A) its online privacy policy or policies if the

20 business has an online privacy policy or policies; and

21 (B) any State-specific description of consumers'

22 privacy rights;

23 (3) ensure that all individuals responsible for

24 handling consumer inquiries about the business's privacy

25 practices or the business's compliance with this Act are

26 informed of all requirements in Sections 10-30 and 10-35

SB3517

- 57 -

LRB103 35732 LNS 65813 b

1 and this Section and how to direct consumers to exercise

2 their rights under those Sections;

3 (4) for consumers who exercise their right to opt out

4 of the sale or sharing of their personal information or

5 limit the use or disclosure of their sensitive personal

6 information, refrain from selling or sharing the personal

7 information or using or disclosing the sensitive personal

8 information and wait for at least 12 months before

9 requesting that the consumer authorize the sale or sharing

10 of the personal information or the use and disclosure of

11 the sensitive personal information for additional

12 purposes, or as authorized by rules;

13 (5) for consumers under 16 years of age who do not

14 consent to the sale or sharing of their personal

15 information, refrain from selling or sharing the personal

16 information of the consumer under 16 years of age and wait

17 for at least 12 months before requesting the consumer's

18 consent again, or as authorized by rules or until the

19 consumer attains 16 years of age; and

20 (6) use any personal information collected from the

21 consumer in connection with the submission of the

22 consumer's opt-out request solely for the purposes of

23 complying with the opt-out request.

24 (d) Nothing in this Act shall be construed to require a

25 business to comply with the Act by including the required

26 links and text on the homepage that the business makes

SB3517

- 58 -

LRB103 35732 LNS 65813 b

1 available to the public generally, if the business maintains a

2 separate and additional homepage that is dedicated to State

3 consumers and that includes the required links and text, and

4 the business takes reasonable steps to ensure that State

5 consumers are directed to the homepage for State consumers and

6 not the homepage made available to the public generally.

7 (e) A consumer may authorize another person to opt out of

8 the sale or sharing of the personal information and to limit

9 the use of the sensitive personal information on the

10 consumer's behalf, including through an opt-out preference

11 signal, indicating the consumer's intent to opt out, and a

12 business shall comply with an opt-out request received from a

13 person authorized by the consumer to act on the consumer's

14 behalf, under the rules adopted by the Attorney General,

15 regardless of whether the business has elected to comply with

16 subsection (a) or (b). A business that elects to comply with

17 subsection (a) may respond to the consumer's opt-out request

18 consistent with Section 10-40.

19 (f) If a business communicates a consumer's opt-out

20 request to any persona authorized by the business to collect

21 personal information, the person shall thereafter only use

22 that personal information for a business purpose specified by

23 the business, or as otherwise permitted by this Act, and shall

24 be prohibited from:

25 (1) selling or sharing that personal information; or

26 (2) retaining, using, or disclosing that personal

SB3517

- 59 -

LRB103 35732 LNS 65813 b

1 information:

2 (A) for any purpose other than for the specific

3 purpose of performing the services offered to the

4 business;

5 (B) outside of the direct business relationship

6 between the person and the business; or

7 (C) for a commercial purpose other than providing

8 the services to the business.

9 (g) A business that communicates a consumer's opt-out

10 request to a person under subsection (f) shall not be liable

11 under this Act if the person receiving the opt-out request

12 violates the restrictions set forth in the Act, if, at the time

13 of communicating the opt-out request, the business does not

14 have actual knowledge, or reason to believe, that the person

15 intends to commit such a violation. Any provision of a

16 contract or agreement of any kind that purports to waive or

17 limit this subsection in any way shall be void and

18 unenforceable.

19 Section 10-55. Exemptions.

20 (a) The obligations imposed on a business by this Act

21 shall not restrict a business's ability to:

22 (1) comply with federal, State, or local laws or

23 comply with a court order or subpoena to provide

24 information;

25 (2) comply with a civil, criminal, or regulatory

SB3517

- 60 -

LRB103 35732 LNS 65813 b

1 inquiry, investigation, subpoena, or summons by federal,

2 State, or local authorities. Law enforcement agencies,

3 including police and sheriff's departments, may direct a

4 business under a law enforcement agency-approved

5 investigation with an active case number not to delete

6 personal information, and upon receipt of that direction,

7 a business shall not delete the personal information for

8 90 days in order to allow the law enforcement agency to

9 obtain a court-issued subpoena, order, or warrant to

10 obtain that personal information. For good cause and only

11 to the extent necessary for investigatory purposes, a law

12 enforcement agency may direct a business not to delete the

13 personal information for additional 90-day periods. A

14 business that has received direction from a law

15 enforcement agency not to delete the personal information

16 of a consumer who has requested deletion of the personal

17 information shall not use the personal information for any

18 purpose other than retaining it to produce to law

19 enforcement in response to a court-issued subpoena, order,

20 or warrant unless the deletion request is subject to an

21 exemption from deletion under this Act;

22 (3) cooperate with law enforcement agencies concerning

23 conduct or activity that the business, service provider,

24 or third party reasonably and in good faith believes may

25 violate federal, State, or local law;

26 (4) cooperate with a government agency request for

SB3517

- 61 -

LRB103 35732 LNS 65813 b

1 emergency access to personal information if a natural

2 person is at risk or danger of death or serious physical

3 injury if:

4 (A) the request is approved by a high-ranking

5 government agency officer for emergency access to

6 personal information;

7 (B) the request is based on the government

8 agency's good faith determination that it has a lawful

9 basis to access the personal information on a

10 nonemergency basis; and

11 (C) the government agency agrees to petition a

12 court for an appropriate order within 3 days and to

13 destroy the personal information if that order is not

14 granted;

15 (5) exercise or defend legal claims;

16 (6) collect, use, retain, sell, share, or disclose

17 personal information that is deidentified or aggregate

18 consumer information; or

19 (7) collect, sell, or share personal information if

20 every aspect of that commercial conduct takes place wholly

21 outside of the State. Commercial conduct takes place

22 wholly outside of the State if the business collected that

23 information while the consumer was outside of the State,

24 no part of the sale of the personal information occurred

25 in the State, and no personal information collected while

26 the consumer was in the State is sold. This paragraph

SB3517

- 62 -

LRB103 35732 LNS 65813 b

1 shall not prohibit a business from storing, including on a

2 device, personal information about a consumer when the

3 consumer is in the State and then collecting that personal

4 information when the consumer and stored personal

5 information is outside of the State.

6 (b) The obligations imposed on businesses by Sections

7 10-20, 10-25, 10-30, 10-35, 10-45, and 10-50 shall not apply

8 where compliance by the business with the Act would violate an

9 evidentiary privilege under State law and shall not prevent a

10 business from providing the personal information of a consumer

11 to a person covered by an evidentiary privilege under State

12 law as part of a privileged communication.

13 (c) This Act shall not apply to:

14 (1) medical information governed by the Medical

15 Patient Rights Act or protected health information that is

16 collected by a covered entity or business associate

17 governed by the privacy, security, and breach notification

18 rules issued by the United States Department of Health and

19 Human Services, Parts 160 and 164 of Title 45 of the Code

20 of Federal Regulations;

21 (2) a provider of health care governed by the Medical

22 Patient Rights Act or a covered entity governed by the

23 privacy, security, and breach notification rules issued by

24 the United States Department of Health and Human Services,

25 Parts 160 and 164 of Title 45 of the Code of Federal

26 Regulations to the extent the provider or covered entity

SB3517

- 63 -

LRB103 35732 LNS 65813 b

1 maintains patient information in the same manner as

2 medical information or protected health information as

3 described in paragraph (1); or

4 (3) personal information collected as part of a

5 clinical trial or other biomedical research study subject

6 to or conducted in accordance with the Federal Policy for

7 the Protection of Human Subjects under good clinical

8 practice guidelines issued by the International Council

9 for Harmonisation or under human subject protection

10 requirements of the United States Food and Drug

11 Administration, as long as the information is not sold or

12 shared in a manner not permitted by this paragraph, and if

13 it is inconsistent, that participants be informed of that

14 use and provide consent.

15 (d) This Act applies to an activity involving the

16 collection, maintenance, disclosure, sale, communication, or

17 use of any personal information bearing on a consumer's credit

18 worthiness, credit standing, credit capacity, character,

19 general reputation, personal characteristics, or mode of

20 living by a consumer reporting agency, as defined in

21 subsection (f) of Section 1681a of Title 15 of the United

22 States Code, by a furnisher of information, as set forth in

23 Section 1681s-2 of Title 15 of the United States Code, who

24 provides information for use in a consumer report, as defined

25 in subsection (d) of Section 1681a of Title 15 of the United

26 States Code, and by a user of a consumer report, as set forth

SB3517

- 64 -

LRB103 35732 LNS 65813 b

1 in Section 1681b of Title 15 of the United States Code.

2 This subsection applies only to the extent that such

3 activity involving the collection, maintenance, disclosure,

4 sale, communication, or use of such information by the

5 consumer reporting agency, furnisher, or user is subject to

6 regulation under the federal Fair Credit Reporting Act and the

7 information is not collected, maintained, used, communicated,

8 disclosed, or sold except as authorized by the federal Fair

9 Credit Reporting Act.

10 This subsection shall not apply to Section 10-60.

11 (e) This Act shall not apply to personal information

12 collected, processed, sold, or disclosed under the federal

13 Gramm-Leach-Bliley Act or the federal Farm Credit Act of 1971.

14 This subsection shall not apply to Section 10-60.

15 (f) This Act shall not apply to personal information

16 collected, processed, sold, or disclosed under the federal

17 Driver's Privacy Protection Act of 1994. This subsection shall

18 not apply to Section 10-60.

19 (g) Section 10-30 shall not apply to vehicle information

20 or ownership information retained or shared between a new

21 motor vehicle dealer and the vehicle's manufacturer, if the

22 vehicle or ownership information is shared for the purpose of

23 effectuating, or in anticipation of effectuating, a vehicle

24 repair covered by a vehicle warranty or a recall conducted

25 under Sections 30118 through 30120 of Title 49 of the United

26 States Code, as long as the new motor vehicle dealer or vehicle

SB3517

- 65 -

LRB103 35732 LNS 65813 b

1 manufacturer with which that vehicle information or ownership

2 information is shared does not sell, share, or use that

3 information for any other purpose.

4 (h) Notwithstanding a business's obligations to respond to

5 and honor consumer rights requests under this Act:

6 (1) a period for a business to respond to a consumer

7 for any verifiable consumer request may be extended by up

8 to a total of 90 additional days where necessary, taking

9 into account the complexity and number of the requests.

10 The business shall inform the consumer of any such

11 extension within 45 days of receipt of the request,

12 together with the reasons for the delay;

13 (2) if the business does not take action on the

14 request of the consumer, the business shall inform the

15 consumer, without delay and, at the latest, within the

16 time permitted of response by this subsection, of the

17 reasons for not taking action and any rights the consumer

18 may have to appeal the decision to the business; and

19 (3) if requests from a consumer are manifestly

20 unfounded or excessive, in particular because of their

21 repetitive character, a business may either charge a

22 reasonable fee, taking into account the administrative

23 costs of providing the information or communication or

24 taking the action requested, or refuse to act on the

25 request and notify the consumer of the reason for refusing

26 the request. The business shall bear the burden of

SB3517

- 66 -

LRB103 35732 LNS 65813 b

1 demonstrating that any verifiable consumer request is

2 manifestly unfounded or excessive.

3 (i)(1) A business that discloses personal information to a

4 service provider or contractor in compliance with this Act

5 shall not be liable under this Act if the service provider or

6 contractor receiving the personal information uses it in

7 violation of the restrictions set forth in this Act, and if, at

8 the time of disclosing the personal information, the business

9 does not have actual knowledge, or reason to believe, that the

10 service provider or contractor intends to commit such a

11 violation. A service provider or contractor shall not be

12 liable under this Act for the obligations of a business for

13 which it provides services as set forth in this Act. The

14 service provider or contractor shall be liable for its own

15 violations of this Act.

16 (2) A business that discloses personal information of a

17 consumer, with the exception of consumers who have exercised

18 their right to opt out of the sale or sharing of their personal

19 information, consumers who have limited the use or disclosure

20 of their sensitive personal information, and minor consumers

21 who have not opted-in to the collection or sale of their

22 personal information, to a third party under a written

23 contract that requires the third party to provide the same

24 level of protection of the consumer's rights under this Act as

25 provided by the business shall not be liable under this Act if

26 the third party receiving the personal information uses it in

SB3517

- 67 -

LRB103 35732 LNS 65813 b

1 violation of the restrictions set forth in this Act, and if, at

2 the time of disclosing the personal information, the business

3 does not have actual knowledge, or reason to believe, that the

4 third party intends to commit such a violation.

5 (j) This Act shall not be construed to require a business,

6 service provider, or contractor to:

7 (1) reidentify or otherwise link information that, in

8 the ordinary course of business, is not maintained in a

9 manner that would be considered personal information;

10 (2) retain any personal information about a consumer

11 if, in the ordinary course of business, that information

12 about the consumer would not be retained; or

13 (3) maintain information in identifiable, linkable, or

14 associable form, or collect, obtain, retain, or access any

15 data or technology, in order to be capable of linking or

16 associating a verifiable consumer request with personal

17 information.

18 (k) The rights afforded to consumers and the obligations

19 imposed on the business in this Act shall not adversely affect

20 the rights and freedoms of other natural persons. A verifiable

21 consumer request for specific pieces of personal information,

22 to delete personal information, or to correct inaccurate

23 personal information shall not extend to personal information

24 about the consumer that belongs to, or the business maintains

25 on behalf of, another natural person. A business may rely on

26 representations made in a verifiable consumer request as to

SB3517

- 68 -

LRB103 35732 LNS 65813 b

1 rights with respect to personal information and is under no

2 legal requirement to seek out other persons that may have or

3 claim to have rights to personal information, and a business

4 is under no legal obligation under this Act or any other

5 provision of law to take any action under this Act if there is

6 a dispute between or among persons claiming rights to personal

7 information in the business' possession.

8 (l) The rights afforded to consumers and the obligations

9 imposed on businesses under this Act shall not apply to the

10 extent that they infringe on the noncommercial activities of a

11 person or entity described in Section 4 of Article I of the

12 Illinois Constitution.

13 (m) This Act shall not apply to:

14 (1) personal information that is collected by a

15 business about a natural person in the course of the

16 natural person acting as a job applicant to, employee of,

17 owner of, director of, officer of, medical staff member

18 of, or independent contractor of that business to the

19 extent that the natural person's personal information is

20 collected and used by the business solely within the

21 context of the natural person's role or former role as a

22 job applicant to, an employee of, owner of, director of,

23 officer of, medical staff member of, or an independent

24 contractor of, that business;

25 (2) personal information that is collected by a

26 business that is emergency contact information of the

SB3517

- 69 -

LRB103 35732 LNS 65813 b

1 natural person acting as a job applicant to, employee of,

2 owner of, director of, officer of, medical staff member

3 of, or independent contractor of that business to the

4 extent that the personal information is collected and used

5 solely within the context of having an emergency contact

6 on file; or

7 (3) personal information that is necessary for the

8 business to retain to administer benefits for another

9 natural person relating to the natural person acting as a

10 job applicant to, employee of, owner of, director of,

11 officer of, medical staff member of, or independent

12 contractor of that business to the extent that the

13 personal information is collected and used solely within

14 the context of administering those benefits.

15 This subsection shall not apply to subsection (a) of

16 Section 10-5 or 10-60.

17 This subsection shall become inoperative on January 1,

18 2026.

19 (n) The obligations imposed on businesses by Sections

20 10-5, 10-10, 10-15, 10-20, 10-25, 10-35, 10-45, and 10-50

21 shall not apply to personal information reflecting a written

22 or verbal communication or a transaction between the business

23 and the consumer, where the consumer is a natural person who

24 acted or is acting as an employee, owner, director, officer,

25 or independent contractor of a company, partnership, sole

26 proprietorship, nonprofit, or government agency and whose

SB3517

- 70 -

LRB103 35732 LNS 65813 b

1 communications or transaction with the business occur solely

2 within the context of the business conducting due diligence

3 regarding, or providing or receiving a product or service to

4 or from such company, partnership, sole proprietorship,

5 nonprofit, or government agency.

6 This subsection shall become inoperative on January 1,

7 2026.

8 (o) Sections 10-10 and 10-30 shall not apply to a

9 commercial credit reporting agency's collection, processing,

10 sale, or disclosure of business controller information to the

11 extent the commercial credit reporting agency uses the

12 business controller information solely to identify the

13 relationship of a consumer to a business that the consumer

14 owns or contact the consumer only in the consumer's role as the

15 owner, director, officer, or management employee of the

16 business.

17 (p) The obligations imposed on businesses in Sections

18 10-10, 10-15, 10-20, and 10-25 shall not apply to household

19 data.

20 (q) This Act does not require a business to comply with a

21 verifiable consumer request to delete personal information to

22 the extent the verifiable consumer request applies to a

23 student's grades, educational scores, or educational test

24 results that the business holds on behalf of a local

25 educational agency at which the student is currently enrolled.

26 If a business does not comply with a request under this

SB3517

- 71 -

LRB103 35732 LNS 65813 b

1 Section, it shall notify the consumer that it is acting under

2 this exception.

3 This Act does not require, in response to a request under

4 Section 10-20, that a business disclose an educational

5 standardized assessment or educational assessment or a

6 consumer's specific responses to the educational standardized

7 assessment or educational assessment if consumer access,

8 possession, or control would jeopardize the validity and

9 reliability of that educational standardized assessment or

10 educational assessment. If a business does not comply with a

11 request under this Section, it shall notify the consumer that

12 it is acting under this exception.

13 (r) Sections 10-10 and 10-30 shall not apply to a

14 business's use, disclosure, or sale of particular pieces of

15 personal information if the consumer has consented to the

16 business's use, disclosure, or sale of that personal

17 information to produce a physical item, including a school

18 yearbook containing the consumer's photograph, if:

19 (1) the business has incurred significant expense in

20 reliance on the consumer's consent;

21 (2) compliance with the consumer's request to opt out

22 of the sale of the personal information or to delete the

23 personal information would not be commercially reasonable;

24 and

25 (3) the business complies with the consumer's request

26 as soon as it is commercially reasonable to do so.

SB3517

- 72 -

LRB103 35732 LNS 65813 b

1 Section 10-60. Personal information security breaches.

2 (a) Any consumer whose nonencrypted and nonredacted

3 personal information or whose email address in combination

4 with a password or security question and answer that would

5 permit access to the account is subject to an unauthorized

6 access and exfiltration, theft, or disclosure as a result of

7 the business's violation of the duty to implement and maintain

8 reasonable security procedures and practices appropriate to

9 the nature of the information to protect the personal

10 information may institute a civil action for:

11 (1) the recovery of damages in an amount not less than

12 $100 and not greater than $750 per consumer per incident

13 or actual damages, whichever is greater;

14 (2) injunctive or declaratory relief; or

15 (3) any other relief the court deems proper.

16 In assessing the amount of statutory damages, the court

17 shall consider any one or more of the relevant circumstances

18 presented by any of the parties to the case, including, but not

19 limited to, the nature and seriousness of the misconduct, the

20 number of violations, the persistence of the misconduct, the

21 length of time over which the misconduct occurred, the

22 willfulness of the defendant's misconduct, and the defendant's

23 assets, liabilities, and net worth.

24 (b) Actions under this Section may be brought by a

25 consumer if, prior to initiating any action against a business

SB3517

- 73 -

LRB103 35732 LNS 65813 b

1 for statutory damages on an individual or classwide basis, a

2 consumer provides a business 30 days' written notice

3 identifying the specific provisions of this Act the consumer

4 alleges have been or are being violated. If a cure is possible

5 and if, within the 30 days, the business actually cures the

6 noticed violation and provides the consumer an express written

7 statement that the violations have been cured and that no

8 further violations shall occur, no action for individual

9 statutory damages or classwide statutory damages may be

10 initiated against the business. The implementation and

11 maintenance of reasonable security procedures and practices

12 following a breach does not constitute a cure with respect to

13 that breach. No notice shall be required prior to an

14 individual consumer initiating an action solely for actual

15 pecuniary damages suffered as a result of the alleged

16 violations of this Act. If a business continues to violate

17 this Act in breach of the express written statement provided

18 to the consumer under this Section, the consumer may initiate

19 an action against the business to enforce the written

20 statement and may pursue statutory damages for each breach of

21 the express written statement, as well as any other violation

22 of this Act that postdates the written statement.

23 (c) The cause of action established by this Section shall

24 apply only to violations as defined in subsection (a) and

25 shall not be based on violations of any other Section of this

26 Act. Nothing in this Act shall be interpreted to serve as the

SB3517

- 74 -

LRB103 35732 LNS 65813 b

1 basis for a private right of action under any other law. This

2 shall not be construed to relieve any party from any duties or

3 obligations imposed under other law or the United States or

4 Illinois Constitution.

5 Section 10-65. Administrative enforcement.

6 (a) Any business, service provider, contractor, or other

7 person that violates this Act shall be subject to an

8 injunction and liable for an administrative fine of not more

9 than $2,500 for each violation or $7,500 for each intentional

10 violation or violations involving the personal information of

11 consumers whom the business, service provider, contractor, or

12 other person has actual knowledge are under 16 years of age in

13 an administrative enforcement action brought by the Agency.

14 (b) Any administrative fine assessed for a violation of

15 this Act, and the proceeds of any settlement of an action

16 brought under subsection (a), shall be deposited into the

17 Consumer Privacy Fund, with the intent to fully offset any

18 costs incurred by the State courts, the Attorney General, and

19 the Agency in connection with this Act.

20 Section 10-70. Consumer Privacy Fund.

21 (a) A special fund to be known as the Consumer Privacy Fund

22 is hereby created within the State treasury, and is available

23 upon appropriation by the General Assembly first to offset any

24 costs incurred by the State courts in connection with actions

SB3517

- 75 -

LRB103 35732 LNS 65813 b

1 brought to enforce this Act, the costs incurred by the

2 Attorney General in carrying out the Attorney General's duties

3 under this Act, and then for the purposes of establishing an

4 investment fund in the State treasury, with any earnings or

5 interest from the Fund to be deposited into the General

6 Revenue Fund, and making grants to promote and protect

7 consumer privacy, educate children in the area of online

8 privacy, and fund cooperative programs with international law

9 enforcement organizations to combat fraudulent activities with

10 respect to consumer data breaches.

11 (b) Funds transferred to the Consumer Privacy Fund shall

12 be used exclusively as follows:

13 (1) to offset any costs incurred by the State courts

14 and the Attorney General in connection with this Act; and

15 (2) after satisfying the obligations under paragraph

16 (1), the remaining funds shall be allocated each fiscal

17 year as follows:

18 (A) 91% shall be invested by the Treasurer in

19 financial assets with the goal of maximizing long term

20 yields consistent with a prudent level of risk. The

21 principal shall not be subject to transfer or

22 appropriation, as long as any interest and earnings

23 shall be transferred on an annual basis to the General

24 Revenue Fund for appropriation by the General Assembly

25 for General Revenue Fund purposes; and

26 (B) 9% shall be made available to the Agency for

SB3517

- 76 -

LRB103 35732 LNS 65813 b

1 the purposes of making grants in this State, with 3%

2 allocated to the following grant recipients:

3 (i) nonprofit organizations to promote and

4 protect consumer privacy;

5 (ii) nonprofit organizations and public

6 agencies, including school districts, to educate

7 children in the area of online privacy; and

8 (iii) State and local law enforcement agencies

9 to fund cooperative programs with international

10 law enforcement organizations to combat fraudulent

11 activities with respect to consumer data breaches.

12 (c) Funds in the Consumer Privacy Fund shall not be

13 subject to appropriation or transfer by the General Assembly

14 for any other purpose.

15 Section 10-75. Rules.

16 (a) By July 1, 2025, the Attorney General shall solicit

17 broad public participation and adopt rules to further the

18 purposes of this Act, including, but not limited to:

19 (1) updating or adding categories of personal

20 information to the definition of personal information and

21 updating or adding categories of sensitive personal

22 information to the definition of sensitive personal

23 information in order to address changes in technology,

24 data collection practices, obstacles to implementation,

25 and privacy concerns;

SB3517

- 77 -

LRB103 35732 LNS 65813 b

1 (2) updating as needed the definitions of deidentified

2 and unique identifier to address changes in technology,

3 data collection, obstacles to implementation, and privacy

4 concerns and adding, modifying, or deleting categories to

5 the definition of designated methods for submitting

6 requests to facilitate a consumer's ability to obtain

7 information from a business under Section 10-45. The

8 authority to update the definition of deidentified shall

9 not apply to deidentification standards set forth in

10 Section 164.514 of Title 45 of the Code of Federal

11 Regulations;

12 (3) establishing any exceptions necessary to comply

13 with State or federal law, including, but not limited to,

14 those relating to trade secrets and intellectual property

15 rights, within one year of the effective date of this Act

16 and as needed thereafter, with the intention that trade

17 secrets should not be disclosed in response to a

18 verifiable consumer request;

19 (4) establishing rules and procedures:

20 (A) to facilitate and govern the submission of a

21 request by a consumer to opt out of the sale or sharing

22 of personal information and to limit the use of

23 sensitive personal information to ensure that

24 consumers have the ability to exercise their choices

25 without undue burden and to prevent business from

26 engaging in deceptive or harassing conduct, including

SB3517

- 78 -

LRB103 35732 LNS 65813 b

1 in retaliation against consumers for exercising their

2 rights, while allowing businesses to inform consumers

3 of the consequences of their decision to opt out of the

4 sale or sharing of their personal information or to

5 limit the use of their sensitive personal information;

6 (B) to govern business compliance with a

7 consumer's opt-out request; and

8 (C) for the development and use of a recognizable

9 and uniform opt-out logo or button by all businesses

10 to promote consumer awareness of the opportunity to

11 opt out of the sale of personal information;

12 (5) adjusting the monetary threshold in January of

13 every odd-numbered year to reflect any increase in the

14 Consumer Price Index, in the definition of business,

15 subparagraph (A) of paragraph (1) of subsection (a) of

16 Section 10-60, subsection (a) of Section 10-65, Section

17 15-20, and subsection (a) of Section 15-85;

18 (6) establishing rules, procedures, and any exceptions

19 necessary to ensure that the notices and information that

20 businesses are required to provide under this Act are

21 provided in a manner that may be easily understood by the

22 average consumer, are accessible to consumers with

23 disabilities, and are available in the language primarily

24 used to interact with the consumer, including establishing

25 rules and guidelines regarding financial incentives,

26 within one year of the effective date of this Act and as

SB3517

- 79 -

LRB103 35732 LNS 65813 b

1 needed thereafter;

2 (7) establishing rules and procedures to further the

3 purposes of Sections 10-10, 10-15, 10-20, and 10-25 and to

4 facilitate a consumer's or the consumer's authorized

5 agent's ability to delete personal information, correct

6 inaccurate personal information, or obtain information,

7 with the goal of minimizing the administrative burden on a

8 consumer, taking into account available technology,

9 security concerns, and the burden on the business, to

10 govern a business's determination that a request for

11 information received from a consumer is a verifiable

12 consumer request, including treating a request submitted

13 through a password-protected account maintained by the

14 consumer with the business while the consumer is logged

15 into the account as a verifiable consumer request and

16 providing a mechanism for a consumer who does not maintain

17 an account with the business to request information

18 through the business's authentication of the consumer's

19 identity, within one year of the effective date of this

20 Act and as needed thereafter;

21 (8) establishing how often, and under what

22 circumstances, a consumer may request a correction under

23 Section 10-15, including standards governing:

24 (A) how a business responds to a request for

25 correction, including exceptions for requests to which

26 a response is impossible or would involve

SB3517

- 80 -

LRB103 35732 LNS 65813 b

1 disproportionate effort, and requests for correction

2 of accurate information;

3 (B) how concerns regarding the accuracy of the

4 information may be resolved;

5 (C) the steps a business may take to prevent

6 fraud; and

7 (D) if a business rejects a request to correct

8 personal information collected and analyzed concerning

9 a consumer's health, the right of a consumer to

10 provide a written addendum to the business with

11 respect to any item or statement regarding any such

12 personal information that the consumer believes to be

13 incomplete or incorrect. The addendum shall be limited

14 to 250 words per alleged incomplete or incorrect item

15 and shall clearly indicate in writing that the

16 consumer requests the addendum to be made a part of the

17 consumer's record;

18 (9) establishing the standard to govern a business's

19 determination that providing information beyond the

20 12-month period in a response to a verifiable consumer

21 request is impossible or would involve a disproportionate

22 effort;

23 (10) issuing rules further defining and adding to the

24 business purposes, including other notified purposes, for

25 which businesses, service providers, and contractors may

26 use personal information consistent with consumers'

SB3517

- 81 -

LRB103 35732 LNS 65813 b

1 expectations, and further defining the business purposes

2 for which service providers and contractors may combine

3 personal information obtained from different sources,

4 except as provided for in the definition of business

5 purposes;

6 (11) issuing rules identifying those business

7 purposes, including other notified purposes, for which

8 service providers and contractors may use consumers'

9 personal information received under a written contract

10 with a business, for the service provider or contractor's

11 own business purposes, with the goal of maximizing

12 consumer privacy;

13 (12) issuing rules to further define intentionally

14 interacts with the goal of maximizing consumer privacy;

15 (13) issuing rules to further define precise

16 geolocation, including if the size defined is not

17 sufficient to protect consumer privacy in sparsely

18 populated areas or when the personal information is used

19 for normal operational purposes, including billing;

20 (14) issuing rules to define specific pieces of

21 information obtained from the consumer with the goal of

22 maximizing a consumer's right to access relevant personal

23 information while minimizing the delivery of information

24 to a consumer that would not be useful to the consumer,

25 including system log information and other technical data.

26 For delivery of the most sensitive personal information,

SB3517

- 82 -

LRB103 35732 LNS 65813 b

1 the rules may require a higher standard of authentication

2 as long as the Agency shall monitor the impact of the

3 higher standard on the right of consumers to obtain their

4 personal information to ensure that the requirements of

5 verification do not result in the unreasonable denial of

6 verifiable consumer requests;

7 (15) issuing rules requiring businesses whose

8 processing of personal information presents significant

9 risk to consumers' privacy or security, to:

10 (A) perform a cybersecurity audit on an annual

11 basis, including defining the scope of the audit and

12 establishing a process to ensure that audits are

13 thorough and independent. The factors to be considered

14 in determining when processing may result in

15 significant risk to the security of personal

16 information shall include the size and complexity of

17 the business and the nature and scope of processing

18 activities; and

19 (B) submit to the Agency on a regular basis a risk

20 assessment with respect to their processing of

21 personal information, including whether the processing

22 involves sensitive personal information, and

23 identifying and weighing the benefits resulting from

24 the processing to the business, the consumer, other

25 stakeholders, and the public, against the potential

26 risks to the rights of the consumer associated with

SB3517

- 83 -

LRB103 35732 LNS 65813 b

1 that processing, with the goal of restricting or

2 prohibiting the processing if the risks to privacy of

3 the consumer outweigh the benefits resulting from

4 processing to the consumer, the business, other

5 stakeholders, and the public. Nothing in this Section

6 shall require a business to divulge trade secrets;

7 (16) issuing rules governing access and opt-out rights

8 with respect to a business's use of automated

9 decision-making technology, including profiling and

10 requiring business's response to access requests to

11 include meaningful information about the logic involved in

12 those decision-making processes, as well as a description

13 of the likely outcome of the process with respect to the

14 consumer;

15 (17) issuing rules to further define a law enforcement

16 agency-approved investigation for purposes of the

17 exception in paragraph (2) of subsection (a) of Section

18 10-55;

19 (18) issuing rules to define the scope and process for

20 the exercise of the Agency's audit authority, to establish

21 criteria for selection of persons to audit, and to protect

22 consumers' personal information from disclosure to an

23 auditor in the absence of a court order, warrant, or

24 subpoena;

25 (19) (A) issuing rules to define the requirements and

26 technical specifications for an opt-out preference signal

SB3517

- 84 -

LRB103 35732 LNS 65813 b

1 sent by a platform, technology, or mechanism, to indicate

2 a consumer's intent to opt out of the sale or sharing of

3 the personal information and to limit the use or

4 disclosure of the sensitive personal information. The

5 requirements and specifications for the opt-out preference

6 signal should be updated from time to time to reflect the

7 means by which consumers interact with businesses, and

8 should:

9 (i) ensure that the manufacturer of a platform or

10 browser or device that sends the opt-out preference

11 signal cannot unfairly disadvantage another business;

12 (ii) ensure that the opt-out preference signal is

13 consumer-friendly, clearly described, and easy to use

14 by an average consumer and does not require that the

15 consumer provide additional information beyond what is

16 necessary;

17 (iii) clearly represent a consumer's intent and be

18 free of defaults constraining or presupposing that

19 intent;

20 (iv) ensure that the opt-out preference signal

21 does not conflict with other commonly used privacy

22 settings or tools that consumers may employ;

23 (v) provide a mechanism for the consumer to

24 selectively consent to a business's sale of the

25 personal information or the use or disclosure of the

26 sensitive personal information without affecting the

SB3517

- 85 -

LRB103 35732 LNS 65813 b

1 consumer's preferences with respect to other

2 businesses or disabling the opt-out preference signal

3 globally; and

4 (vi) state that in the case of a page or setting

5 view that the consumer accesses to set the opt-out

6 preference signal, the consumer should see up to 3

7 choices, including:

8 (I) a global opt-out from sale and sharing of

9 personal information, including a direction to

10 limit the use of sensitive personal information;

11 (II) a choice to "Limit the Use of My

12 Sensitive Personal Information"; and

13 (III) a choice to "Do Not Sell or Do Not Share

14 My Personal Information for Cross-Context

15 Behavioral Advertising";

16 (B) issuing rules to establish technical

17 specifications for an opt-out preference signal that

18 allows the consumer, or the consumer's parent or guardian,

19 to specify that the consumer is less than 13 years of age

20 or at least 13 years of age and less than 16 years of age;

21 and

22 (C) issuing rules, with the goal of strengthening

23 consumer privacy while considering the legitimate

24 operational interests of businesses, to govern the use or

25 disclosure of sensitive personal information,

26 notwithstanding the consumer's direction to limit the use

SB3517

- 86 -

LRB103 35732 LNS 65813 b

1 or disclosure of the sensitive personal information,

2 including:

3 (i) determining any additional purposes for which

4 a business may use or disclose sensitive personal

5 information;

6 (ii) determining the scope of activities permitted

7 under the definition of business purposes, as

8 authorized by subsection (a) of Section 10-35, to

9 ensure that the activities do not involve

10 health-related research;

11 (iii) ensuring the functionality of the business'

12 operations; and

13 (iv) ensuring that the exemption in subsection (d)

14 of Section 10-35 for sensitive personal information

15 applies to sensitive personal information that is

16 collected or processed incidentally, or without the

17 purpose of inferring characteristics about a consumer,

18 while ensuring that businesses do not use the

19 exemption for the purpose of evading consumers' rights

20 to limit the use and disclosure of sensitive personal

21 information under Section 10-35;

22 (20) issuing rules to govern how a business that has

23 elected to comply with subsection (b) of Section 10-50

24 responds to the opt-out preference signal and provides

25 consumers with the opportunity subsequently to consent to

26 the sale or sharing of their personal information or the

SB3517

- 87 -

LRB103 35732 LNS 65813 b

1 use and disclosure of their sensitive personal information

2 for purposes in addition to those authorized by subsection

3 (a) of Section 10-50. The rules should:

4 (A) strive to promote competition and consumer

5 choice and be technology neutral;

6 (B) ensure that the business does not respond to

7 an opt-out preference signal by:

8 (i) intentionally degrading the functionality

9 of the consumer experience;

10 (ii) charging the consumer a fee in response

11 to the consumer's opt-out preferences;

12 (iii) making any products or services not

13 function properly or fully for the consumer, as

14 compared to consumers who do not use the opt-out

15 preference signal;

16 (iv) attempting to coerce the consumer to opt

17 in to the sale or sharing of the personal

18 information, or the use or disclosure of the

19 sensitive personal information, by stating or

20 implying that the use of the opt-out preference

21 signal will adversely affect the consumer as

22 compared to consumers who do not use the opt-out

23 preference signal, including stating or implying

24 that the consumer will not be able to use the

25 business' products or services or that those

26 products or services may not function properly or

SB3517

- 88 -

LRB103 35732 LNS 65813 b

1 fully; and

2 (v) displaying any notification or pop-up in

3 response to the consumer's opt-out preference

4 signal;

5 (C) ensure that any link to a webpage or its

6 supporting content that allows the consumer to consent

7 to opt in:

8 (i) is not part of a pop-up, notice, banner,

9 or other intrusive design that obscures any part

10 of the webpage the consumer intended to visit from

11 full view or that interferes with or impedes in

12 any way the consumer's experience visiting or

13 browsing the webpage or website the consumer

14 intended to visit;

15 (ii) does not require or imply that the

16 consumer must click the link to receive full

17 functionality of any products or services,

18 including the website;

19 (iii) does not make use of any dark patterns;

20 and

21 (iv) applies only to the business with which

22 the consumer intends to interact; and

23 (D) strive to curb coercive or deceptive practices

24 in response to an opt-out preference signal but should

25 not unduly restrict businesses that are trying in good

26 faith to comply with Section 10-50;

SB3517

- 89 -

LRB103 35732 LNS 65813 b

1 (21) reviewing existing Illinois Insurance Code

2 provisions and rules relating to consumer privacy, except

3 those relating to insurance rates or pricing, to determine

4 whether any provisions of the Illinois Insurance Code

5 provide greater protection to consumers than the

6 provisions of this Act. Upon completing its review, the

7 Agency shall adopt a rule that applies only the more

8 protective provisions of this Act to insurance companies.

9 The Director of Insurance shall have jurisdiction over

10 insurance rates and pricing; and

11 (22) harmonizing the rules governing opt-out

12 mechanisms, notices to consumers, and other operational

13 mechanisms in this Act to promote clarity and the

14 functionality of this Act for consumers.

15 (b) The Attorney General may adopt additional rules as

16 necessary to further the purposes of this Act.

17 (c) The Attorney General shall not bring an enforcement

18 action under this Act until 6 months after the publication of

19 the final rules adopted under this Section or July 1, 2025,

20 whichever is sooner.

21 (d) Notwithstanding subsection (a), the timeline for

22 adopting final rules required by the Act shall be July 1, 2025.

23 Beginning the later of July 1, 2025, or 6 months after the

24 Agency provides notice to the Attorney General that it is

25 prepared to begin rulemaking under this Act, the authority

26 assigned to the Attorney General to adopt rules under this

SB3517

- 90 -

LRB103 35732 LNS 65813 b

1 Section shall be exercised by the Agency. Notwithstanding any

2 other law, civil and administrative enforcement of the

3 provisions of law added or amended by this Act shall not

4 commence until July 1, 2025, and shall only apply to

5 violations occurring on or after that date.

6 Section 10-80. Anti-avoidance. A court or the Agency shall

7 disregard the intermediate steps or transactions for purposes

8 of effectuating the purposes of this Act:

9 (1) if a series of steps or transactions were

10 component parts of a single transaction intended from the

11 beginning to be taken with the intention of avoiding the

12 reach of this Act, including the disclosure of personal

13 information by a business to a third party in order to

14 avoid the definition of sell or share; or

15 (2) if steps or transactions were taken to purposely

16 avoid the definition of sell or share by eliminating any

17 monetary or other valuable consideration, including by

18 entering into contracts that do not include an exchange

19 for monetary or other valuable consideration, but where a

20 party is obtaining something of value or use.

21 Section 10-85. Waiver. Any provision of a contract or

22 agreement of any kind, including a representative action

23 waiver, that purports to waive or limit in any way a consumer's

24 rights under this Act, including, but not limited to, any

SB3517

- 91 -

LRB103 35732 LNS 65813 b

1 right to a remedy or means of enforcement, shall be deemed

2 contrary to public policy and shall be void and unenforceable.

3 This Section shall not prevent a consumer from declining to

4 request personal information from a business, declining to opt

5 out of a business's sale of the personal information, or

6 authorizing a business to sell or share the personal

7 information after previously opting-out.

8 Section 10-90. Good faith cooperation. The Agency, and any

9 court, as applicable, shall consider the good faith

10 cooperation of the business, service provider, contractor, or

11 other person in determining the amount of any administrative

12 fine or civil penalty for a violation of this Act. A business

13 shall not be required by the Agency, a court, or otherwise to

14 pay both an administrative fine and a civil penalty for the

15 same violation.

16 Section 10-95. Remedies.

17 (a) Any business, service provider, contractor, or other

18 person that violates this Act shall be subject to an

19 injunction and liable for a civil penalty of not more than

20 $2,500 for each violation or $7,500 for each intentional

21 violation and each violation involving the personal

22 information of minor consumers, as adjusted by rule, which

23 shall be assessed and recovered in a civil action brought by

24 the Attorney General. The court may consider the good faith

SB3517

- 92 -

LRB103 35732 LNS 65813 b

1 cooperation of the business, service provider, contractor, or

2 other person in determining the amount of the civil penalty.

3 (b) Any civil penalty recovered by an action brought by

4 the Attorney General for a violation of this Act, and the

5 proceeds of any settlement of any said action, shall be

6 deposited into the Consumer Privacy Fund.

7 (c) The Agency shall, upon request by the Attorney

8 General, stay an administrative action or investigation under

9 this Act to permit the Attorney General to proceed with an

10 investigation or civil action and shall not pursue an

11 administrative action or investigation, unless the Attorney

12 General subsequently determines not to pursue an investigation

13 or civil action. The Agency may not limit the authority of the

14 Attorney General to enforce this Act.

15 (d) No civil action may be filed by the Attorney General

16 under this Section for any violation of this Act after the

17 Agency has issued a decision under Section 15-80 or an order

18 under Section 15-50 against that person for the same

19 violation.

20 (e) This Section shall not affect the private right of

21 action provided for in Section 10-60.

22 Article 15. Privacy Protection Agency

23 Section 15-5. Establishment of Privacy Protection Agency.

24 (a) There is hereby established the Privacy Protection

SB3517

- 93 -

LRB103 35732 LNS 65813 b

1 Agency, which is vested with full administrative power,

2 authority, and jurisdiction to implement and enforce this Act.

3 The Agency shall be governed by a 5-member board, including

4 the chairperson. The chairperson and one member of the Board

5 shall be appointed by the Governor. The Attorney General,

6 President of the Senate, and Speaker of the House shall each

7 appoint one member to the Board. These appointments should be

8 made from among State residents with expertise in the areas of

9 privacy, technology, and consumer rights.

10 (b) The initial appointments to the Board shall be made

11 within 90 days of the effective date of this Act.

12 Section 15-10. Member requirements. Members of the Board

13 shall:

14 (1) have qualifications, experience, and skills, in

15 particular in the areas of privacy and technology,

16 required to perform the duties of the Agency and exercise

17 its powers;

18 (2) maintain the confidentiality of information which

19 has come to their knowledge in the course of the

20 performance of their tasks or exercise of their powers,

21 except to the extent that disclosure is required by the

22 Freedom of Information Act;

23 (3) remain free from external influence, whether

24 direct or indirect, and shall neither seek nor take

25 instructions from another;

SB3517

- 94 -

LRB103 35732 LNS 65813 b

1 (4) refrain from any action incompatible with their

2 duties and engaging in any incompatible occupation,

3 whether gainful or not, during their term;

4 (5) have the right of access to all information made

5 available by the Agency to the chairperson;

6 (6) be precluded, for a period of one year after

7 leaving office, from accepting employment with a business

8 that was subject to an enforcement action or civil action

9 under this Act during the member's tenure or during the

10 5-year period preceding the member's appointment; and

11 (7) be precluded for a period of 2 years after leaving

12 office from acting, for compensation, as an agent or

13 attorney for, or otherwise representing, any other person

14 in a matter pending before the Agency if the purpose is to

15 influence an action of the Agency.

16 Section 15-15. Terms. Members of the Board, including the

17 chairperson, shall serve at the pleasure of their appointing

18 authority but shall serve for no longer than 8 consecutive

19 years.

20 Section 15-20. Compensation. For each day on which they

21 engage in official duties, members of the Board shall be

22 compensated at the rate of $100, adjusted biennially to

23 reflect changes in the cost of living, and shall be reimbursed

24 for expenses incurred in performance of their official duties.

SB3517

- 95 -

LRB103 35732 LNS 65813 b

1 Section 15-25. Executive director, officers, counsel, and

2 employees. The Board shall appoint an executive director who

3 shall act in accordance with Agency policies and rules and

4 with applicable law. The Agency shall appoint and discharge

5 officers, counsel, and employees, consistent with applicable

6 civil service laws, and shall fix the compensation of

7 employees and prescribe their duties. The Agency may contract

8 for services that cannot be provided by its employees.

9 Section 15-30. Authority. The Board may delegate authority

10 to the chairperson or the executive director to act in the name

11 of the Agency between meetings of the Agency, except with

12 respect to resolution of enforcement actions and rulemaking

13 authority.

14 Section 15-35. Functions. The Agency shall perform the

15 following functions:

16 (1) administer, implement, and enforce through

17 administrative actions this Act;

18 (2) on and after the earlier of July 1, 2025, or within

19 6 months of the Agency providing the Attorney General with

20 notice that it is prepared to assume rulemaking

21 responsibilities under this Act, adopt, amend, and rescind

22 rules under Section 10-75 to carry out the purposes and

23 provisions of this Act, including rules specifying

SB3517

- 96 -

LRB103 35732 LNS 65813 b

1 recordkeeping requirements for businesses to ensure

2 compliance with this Act;

3 (3) through the implementation of this Act, protect

4 the fundamental privacy rights of natural persons with

5 respect to the use of their personal information;

6 (4) promote public awareness and understanding of the

7 risks, rules, responsibilities, safeguards, and rights in

8 relation to the collection, use, sale, and disclosure of

9 personal information, including the rights of minors with

10 respect to their own information, and provide a public

11 report summarizing the risk assessments filed with the

12 Agency while ensuring that data security is not

13 compromised;

14 (5) provide guidance to consumers regarding their

15 rights under this Act;

16 (6) provide guidance to businesses regarding their

17 duties and responsibilities under this Act and appoint a

18 Chief Privacy Auditor to conduct audits of businesses to

19 ensure compliance with this Act;

20 (7) provide technical assistance and advice to the

21 General Assembly, upon request, with respect to

22 privacy-related legislation;

23 (8) monitor relevant developments relating to the

24 protection of personal information and in particular, the

25 development of information and communication technologies

26 and commercial practices;

SB3517

- 97 -

LRB103 35732 LNS 65813 b

1 (9) cooperate with other agencies with jurisdiction

2 over privacy laws and with data processing authorities in

3 this State, other states, territories, and countries to

4 ensure consistent application of privacy protections;

5 (10) establish a mechanism under which persons doing

6 business in this State that do not meet the definition of

7 business may voluntarily certify that they are in

8 compliance with this Act, and make a list of those

9 entities available to the public;

10 (11) solicit, review, and approve applications for

11 grants to the extent funds are available under paragraph

12 (2) of subsection (b) of Section 10-70; and

13 (12) perform all other acts necessary or appropriate

14 in the exercise of its power, authority, and jurisdiction

15 and seek to balance the goals of strengthening consumer

16 privacy while giving attention to the impact on

17 businesses.

18 Section 15-40. Investigation of violations.

19 (a) Upon the sworn complaint of any person or on its own

20 initiative, the Agency may investigate possible violations of

21 this Act relating to any business, service provider,

22 contractor, or person. The Agency may decide not to

23 investigate a complaint or decide to provide a business with a

24 period to cure the alleged violation. In making a decision not

25 to investigate or provide more time to cure, the Agency may

SB3517

- 98 -

LRB103 35732 LNS 65813 b

1 consider:

2 (1) the lack of intent to violate this Act; and

3 (2) the voluntary efforts undertaken by the business,

4 service provider, contractor, or person to cure the

5 alleged violation prior to being notified by the Agency of

6 the complaint.

7 (b) The Agency shall notify in writing the person who made

8 the complaint of the action, if any, the Agency has taken or

9 plans to take on the complaint, together with the reasons for

10 that action or nonaction.

11 Section 15-45. Notice. No finding of probable cause to

12 believe this Act has been violated shall be made by the Agency

13 unless, at least 30 days prior to the Agency's consideration

14 of the alleged violation, the business, service provider,

15 contractor, or person alleged to have violated this Act is

16 notified of the violation by service of process or registered

17 mail with return receipt requested, provided with a summary of

18 the evidence, and informed of their right to be present in

19 person and represented by counsel at any proceeding of the

20 Agency held for the purpose of considering whether probable

21 cause exists for believing the person violated this Act.

22 Notice to the alleged violator shall be deemed made on the date

23 of service, the date the registered mail receipt is signed, or

24 if the registered mail receipt is not signed, the date

25 returned by the post office. A proceeding held for the purpose

SB3517

- 99 -

LRB103 35732 LNS 65813 b

1 of considering probable cause shall be private unless the

2 alleged violator files with the Agency a written request that

3 the proceeding be public.

4 Section 15-50. Procedure.

5 (a) If the Agency determines there is probable cause for

6 believing this Act has been violated, it shall hold a hearing

7 to determine if a violation or violations have occurred.

8 Notice shall be given and the hearing conducted in accordance

9 with the Illinois Administrative Procedure Act. The Agency

10 shall have all the powers granted by that Act. If the Agency

11 determines on the basis of the hearing conducted under this

12 subsection that a violation or violations have occurred, it

13 shall issue an order that may require the violator to do all or

14 any of the following:

15 (1) cease and desist violation of this Act; or

16 (2) subject to Section 10-65, pay an administrative

17 fine of up to $2,500 for each violation, or up to $7,500

18 for each intentional violation and each violation

19 involving the personal information of minor consumers to

20 the Consumer Privacy Fund.

21 If the Agency determines that no violation has occurred,

22 it shall publish a declaration so stating.

23 (b) If 2 or more persons are responsible for any violation

24 or violations, they shall be jointly and severally liable.

SB3517

- 100 -

LRB103 35732 LNS 65813 b

1 Section 15-55. Rejection of administrative law decision.

2 Whenever the Agency rejects the decision of an administrative

3 law judge, the Agency shall state the reasons in writing for

4 rejecting the decision.

5 Section 15-60. Subpoenas and evidence. The Agency may

6 subpoena witnesses, compel their attendance and testimony,

7 administer oaths and affirmations, take evidence and require

8 by subpoena the production of any books, papers, records, or

9 other items material to the performance of the Agency's duties

10 or exercise of its powers, including, but not limited to, its

11 power to audit a business's compliance with this Act.

12 Section 15-65. Limitations. No administrative action

13 brought under this Act alleging a violation of any of the

14 provisions of this Act shall be commenced more than 5 years

15 after the date on which the violation occurred.

16 (1) The service of the probable cause hearing notice

17 upon the person alleged to have violated this Act shall

18 constitute the commencement of the administrative action.

19 (2) If the person alleged to have violated this Act

20 engages in the fraudulent concealment of the person's acts

21 or identity, the 5-year period shall be tolled for the

22 period of the concealment.

23 (3) If, upon being ordered by a court to produce any

24 documents sought by a subpoena in any administrative

SB3517

- 101 -

LRB103 35732 LNS 65813 b

1 proceeding under this Act and the person alleged to have

2 violated this Act fails to produce documents in response

3 to the order by the date ordered to comply therewith, the

4 5-year period shall be tolled for the period of the delay

5 from the date of filing of the motion to compel until the

6 date the documents are produced.

7 Section 15-70. Collection of administrative fines.

8 (a) In addition to any other available remedies, the

9 Agency may bring a civil action and obtain a judgment in court

10 for the purpose of collecting any unpaid administrative fines

11 imposed under this Act after exhaustion of judicial review of

12 the Agency's action. The venue for this action shall be in the

13 county where the administrative fines were imposed by the

14 Agency. In order to obtain a judgment in a proceeding under

15 this Section, the Agency shall show, following the procedures

16 and rules of evidence as applied in ordinary civil actions:

17 (1) that the administrative fines were imposed

18 following the procedures set forth in this Act and

19 implementing rules;

20 (2) that the defendant or defendants in the action

21 were notified, by actual or constructive notice, of the

22 imposition of the administrative fines; and

23 (3) that a demand for payment has been made by the

24 Agency and full payment has not been received.

25 (b) A civil action brought under subsection (a) shall be

SB3517

- 102 -

LRB103 35732 LNS 65813 b

1 commenced within 4 years after the date on which the

2 administrative fines were imposed.

3 Section 15-75. Judgment.

4 (a) If the time for judicial review of a final Agency order

5 or decision has lapsed, or if all means of judicial review of

6 the order or decision have been exhausted, the Agency may

7 apply to the clerk of the court for a judgment to collect the

8 administrative fines imposed by the order or decision, or the

9 order as modified in accordance with a decision on judicial

10 review.

11 (b) The application, which shall include a certified copy

12 of the order or decision, or the order as modified in

13 accordance with a decision on judicial review, and proof of

14 service of the order or decision, constitutes a sufficient

15 showing to warrant issuance of the judgment to collect the

16 administrative fines. The clerk of the court shall enter the

17 judgment immediately in conformity with the application.

18 (c) An application made under this Section shall be made

19 to the clerk of the court in the county where the

20 administrative fines were imposed by the Agency.

21 (d) A judgment entered in accordance with this Section has

22 the same force and effect as, and is subject to all the

23 provisions of law relating to, a judgment in a civil action and

24 may be enforced in the same manner as any other judgment of the

25 court in which it is entered.

SB3517

- 103 -

LRB103 35732 LNS 65813 b

1 (e) The Agency may bring an application under this Section

2 only within 4 years after the date on which all means of

3 judicial review of the order or decision have been exhausted.

4 (f) The remedies available under this Section are in

5 addition to those available under any other law.

6 Section 15-80. Judicial review. Any decision of the Agency

7 with respect to a complaint or administrative fine shall be

8 subject to judicial review in an action brought by an

9 interested party to the complaint or administrative fine and

10 shall be subject to an abuse of discretion standard.

11 Article 20. Miscellaneous

12 Section 20-5. Conflicting provisions. This Act is intended

13 to further the constitutional right of privacy and to

14 supplement existing laws relating to personal information. The

15 provisions of this Act are not limited to information

16 collected electronically or over the Internet, but apply to

17 the collection and sale of all personal information collected

18 by a business from consumers. Wherever possible, law relating

19 to personal information should be construed to harmonize with

20 the provisions of this Act, but if a conflict between other

21 laws and the provisions of this Act, the provisions of the law

22 that afford the greatest protection for the right of privacy

23 for consumers shall control.

SB3517

- 104 -

LRB103 35732 LNS 65813 b

1 Section 20-10. Preemption. This Act is a matter of

2 statewide concern and supersedes and preempts all rules,

3 regulations, codes, ordinances, and other laws adopted by a

4 city, county, municipality, or local agency regarding the

5 collection and sale of consumers' personal information by a

6 business.

7 Section 20-15. Severability. The provisions of this Act

8 are severable under Section 1.31 of the Statute on Statutes.

9 Section 20-20. Standing. Notwithstanding any other

10 provision of law, if the State or any of its officials fail to

11 defend the constitutionality of this Act, any other

12 governmental agency of this State shall have the authority to

13 intervene in any court action challenging the

14 constitutionality of this Act for the purpose of defending its

15 constitutionality, whether that action is in State or federal

16 trial court, on appeal, or on discretionary review by the

17 Illinois Supreme Court or the Supreme Court of the United

18 States. The reasonable fees and costs of defending the action

19 shall be a charge on funds appropriated to the Office of the

20 Attorney General, which shall be satisfied promptly.

21 Section 20-25. Construction. This Act shall be liberally

22 construed to effectuate its purposes.

SB3517

- 105 -

LRB103 35732 LNS 65813 b

1 Section 20-30. Saving clause. This Act is intended to

2 supplement federal and State law, where permissible, but shall

3 not apply if that application is preempted by, or in conflict

4 with, federal law or the Illinois Constitution. The provisions

5 of this Act relating to children under 16 years of age shall

6 only apply to the extent not in conflict with the federal

7 Children's Online Privacy Protection Act.

8 Article 25. Amendatory Provisions

9 Section 25-5. The State Finance Act is amended by adding

10 Section 5.1015 as follows:

11 (30 ILCS 105/5.1015 new)

12 Sec. 5.1015. The Consumer Privacy Fund.