Read the full stored bill text
Illinois General Assembly - Full Text of HB5221
Select Language
×
The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.
Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.
The English language version is always the official and authoritative version of this website.
NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.
Choose Language
English
Afrikaans
Albanian
Arabic
Armenian
Azerbaijani
Basque
Bengali
Bosnian
Catalan
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hungarian
Icelandic
Indonesian
Interlingua
Interlingue
Inuktitut
Irish
Italian
Japanese
Javanese
Kannada
Khmer
Korean
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malayalam
Maltese
Maori
Marathi
Myanmar
Nepali
Norwegian
Odia
Pashto
Punjabi
Romanian
Russian
Samoan
Sango
Sanskrit
Sardinian
Sindhi
Sinhala
Slovak
Slovenian
Somali
Southern Sotho
Spanish
Sundanese
Swahili
Swedish
Tamil
Telugu
Thai
Tigrinya
Tonga
Turkish
Ukrainian
Urdu
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
Powered by
Translate
Close
Illinois General Assembly
Top Navigation Bar
Translate
Learn
Select General Assembly
Search the 104th General Assembly
Enter search terms for legislation, members, committees, or schedules.
ILGA.GOV
LEGISLATION & LAWS
Bills & Resolutions
Public Acts
Illinois Compiled Statutes
Illinois Constitution
Search Legislation
Glossary
Guide
Reports & Inquiry
Legislative Reports
Special Reports
FTP Site
Legislator Lookup
Capitol Complex Phone Numbers
Rules & Regulations
Illinois Register
Administrative Rules
Senate
Members
Schedules
Committees
Request for Remote Testimony
Journals
Transcripts
Rules
Audio/Video
FOIA Information
Senate Employment Opportunities
Media Guidelines
House
Members
Schedules
Committees
Submit testimony for House Committees
Journals
Transcripts
Rules
Audio/Video
FOIA Information
House Employment Opportunities
Log In
Mobile Top Bar
Search the 104th General Assembly
Enter keywords to search the Illinois General Assembly website.
Full Text of HB5221
Home
Legislation
Full Text
HB5221 - 104th General Assembly
Bill Status
Full Text
Votes
Witness Slips
Select Menu
Bill Status
Full Text
Votes
Witness Slips
Printer Friendly Version
Introduced
Printer Friendly Version
Introduced
Open PDF
104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB5221
Introduced 2/10/2026, by Rep. Edgar González, Jr.
SYNOPSIS AS INTRODUCED:
New Act
5 ILCS 140/7.5
Creates the Consumer Data Privacy Act. Sets forth provisions
concerning agreements between personal data processors and controllers.
Provides for consumer personal data rights, including the right to opt out
of the processing of personal data concerning the consumer for purposes of
targeted advertising, the sale of personal data, or profiling in
furtherance of automated decisions that produce legal effects. Sets forth
provisions concerning the responsibilities of controllers; requirements
for small businesses; and data privacy and protection assessments.
Provides for civil penalties. Preempts home rule. Amends the Freedom of
Information Act to make a conforming change. Effective January 1, 2027.
LRB104 18403 SPS 31845 b
A BILL FOR
HB5221
LRB104 18403 SPS 31845 b
1
AN ACT concerning business.
2
Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:
4
Section 1.
Short title.
This Act may be cited as the
5
Consumer Data Privacy Act.
6
Section 5.
Definitions.
As used in this Act:
7
"Affiliate" means a legal entity that controls, is
8
controlled by, or is under common control with another legal
9
entity. For purposes of this definition, "control" means: (i)
10
ownership of or the power to vote more than 50% of the
11
outstanding shares of any class of voting security of a
12
company; (ii) control in any manner over the election of a
13
majority of the directors or of individuals exercising similar
14
functions; or (iii) the power to exercise a controlling
15
influence over the management of a company.
16
"Authenticate" means to use reasonable means to determine
17
that a request to exercise any of the rights set forth in
18
paragraphs (2) through (8) of subsection (a) of Section 20 is
19
being made by or rightfully on behalf of the consumer who is
20
entitled to exercise the rights with respect to the personal
21
data at issue.
22
"Biometric data" means data generated by automatic
23
measurements of an individual's biological characteristics,
HB5221
- 2 -
LRB104 18403 SPS 31845 b
1
including a fingerprint, a voiceprint, eye retinas, irises, or
2
other unique biological patterns or characteristics that are
3
used to identify a specific individual. "Biometric data" does
4
not include:
5
(1) a digital or physical photograph;
6
(2) an audio or video recording; or
7
(3) any data generated from a digital or physical
8
photograph, or an audio or video recording, unless the
9
data is generated to identify a specific individual.
10
"Child" has the meaning set forth in 15 U.S.C. 6501.
11
"Consent" means any freely given, specific, informed, and
12
unambiguous indication of the consumer's wishes by which the
13
consumer signifies agreement to the processing of personal
14
data relating to the consumer. Acceptance of a general or
15
broad terms of use or similar document that contains
16
descriptions of personal data processing along with other,
17
unrelated information does not constitute consent. Hovering
18
over, muting, pausing, or closing a given piece of content
19
does not constitute consent. Consent is not valid when the
20
consumer's indication has been obtained by a dark pattern. A
21
consumer may revoke consent previously given, consistent with
22
this Act.
23
"Consumer" means a natural person who is a resident of
24
this State acting only in an individual or household context.
25
"Consumer" does not include a natural person acting in a
26
commercial or employment context.
HB5221
- 3 -
LRB104 18403 SPS 31845 b
1
"Controller" means the natural or legal person who, alone
2
or jointly with others, determines the purposes and means of
3
the processing of personal data.
4
"Decisions that produce legal effects concerning the
5
consumer" means decisions made by the controller that result
6
in the provision or denial by the controller of financial or
7
lending services, housing, insurance, education enrollment or
8
opportunity, criminal justice, employment opportunities,
9
health care services, or access to essential goods or
10
services.
11
"Dark pattern" means a user interface designed or
12
manipulated with the substantial effect of subverting or
13
impairing user autonomy, decision making, or choice.
14
"Deidentified data" means data that cannot reasonably be
15
used to infer information about or otherwise be linked to an
16
identified or identifiable natural person or a device linked
17
to an identified or identifiable natural person, provided that
18
the controller that possesses the data:
19
(1) takes reasonable measures to ensure that the data
20
cannot be associated with a natural person;
21
(2) publicly commits to process the data only in a
22
deidentified fashion and not attempt to reidentify the
23
data; and
24
(3) contractually obligates any recipients of the
25
information to comply with all provisions of this
26
definition.
HB5221
- 4 -
LRB104 18403 SPS 31845 b
1
"Delete" means to remove or destroy information so that it
2
is not maintained in human-or machine-readable form and cannot
3
be retrieved or used in the ordinary course of business.
4
"Genetic information" has the meaning set forth in the
5
Health Insurance Portability and Accountability Act of 1996,
6
as specified in 45 CFR 160.103.
7
"Governmental entity" means each office, board,
8
commission, agency, department, authority, institution,
9
university, body politic and corporate, administrative unit,
10
and corporate outgrowth of the executive, legislative, and
11
judicial branches of State government, whether created by the
12
Illinois Constitution, by or in accordance with statute, or by
13
executive order of the Governor.
14
"Identified or identifiable natural person" means a person
15
who can be readily identified, directly or indirectly.
16
"Known child" means a person under circumstances where a
17
controller has actual knowledge of, or willfully disregards,
18
that the person is under 13 years of age.
19
"Personal data" means any information that is linked or
20
reasonably linkable to an identified or identifiable natural
21
person. "Personal data" does not include deidentified data or
22
publicly available information. For purposes of this
23
definition, "publicly available information" means information
24
that: (i) is lawfully made available from federal, State, or
25
local government records or widely distributed media; or (ii)
26
a controller has a reasonable basis to believe has lawfully
HB5221
- 5 -
LRB104 18403 SPS 31845 b
1
been made available to the general public.
2
"Process" means any operation or set of operations that
3
are performed on personal data or on sets of personal data,
4
whether or not by automated means, including, but not limited
5
to, the collection, use, storage, disclosure, analysis,
6
deletion, or modification of personal data.
7
"Processor" means a natural or legal person who processes
8
personal data on behalf of a controller.
9
"Profiling" means any form of automated processing of
10
personal data to evaluate, analyze, or predict personal
11
aspects related to an identified or identifiable natural
12
person's economic situation, health, personal preferences,
13
interests, reliability, behavior, location, or movements.
14
"Pseudonymous data" means personal data that cannot be
15
attributed to a specific natural person without the use of
16
additional information, provided that the additional
17
information is kept separately and is subject to appropriate
18
technical and organizational measures to ensure that the
19
personal data are not attributed to an identified or
20
identifiable natural person.
21
"Sale" means the exchange of personal data for monetary or
22
other valuable consideration by the controller to a third
23
party. "Sale" does not include:
24
(1) the disclosure of personal data to a processor who
25
processes the personal data on behalf of the controller;
26
(2) the disclosure of personal data to a third party
HB5221
- 6 -
LRB104 18403 SPS 31845 b
1
for purposes of providing a product or service requested
2
by the consumer;
3
(3) the disclosure or transfer of personal data to an
4
affiliate of the controller;
5
(4) the disclosure of information that the consumer
6
intentionally made available to the general public by a
7
channel of mass media and did not restrict to a specific
8
audience;
9
(5) the disclosure or transfer of personal data to a
10
third party as an asset that is part of a completed or
11
proposed merger, acquisition, bankruptcy, or other
12
transaction in which the third party assumes control of
13
all or part of the controller's assets; or
14
(6) the exchange of personal data between the producer
15
of a good or service and authorized agents of the producer
16
who sell and service the goods and services, to enable the
17
cooperative provisioning of goods and services by both the
18
producer and the producer's agents.
19
"Sensitive data" means:
20
(1) personal data revealing racial or ethnic origin,
21
religious beliefs, mental or physical health condition or
22
diagnosis, sexual orientation, or citizenship or
23
immigration status;
24
(2) the processing of biometric data or genetic
25
information for the purpose of uniquely identifying an
26
individual;
HB5221
- 7 -
LRB104 18403 SPS 31845 b
1
(3) the personal data of a known child; or
2
(4) specific geolocation data.
3
"Specific geolocation data" means information derived from
4
technology, including, but not limited to, global positioning
5
system level latitude and longitude coordinates or other
6
mechanisms, that directly identifies the geographic
7
coordinates of a consumer or a device linked to a consumer with
8
an accuracy of more than 3 decimal degrees of latitude and
9
longitude or the equivalent in an alternative geographic
10
coordinate system, or a street address derived from the
11
coordinates. "Specific geolocation data" does not include the
12
content of communications, the contents of databases
13
containing street address information which are accessible to
14
the public as authorized by law, or any data generated by or
15
connected to advanced utility metering infrastructure systems
16
or other equipment for use by a public utility.
17
"Targeted advertising" means displaying advertisements to
18
a consumer where the advertisement is selected based on
19
personal data obtained or inferred from the consumer's
20
activities over time and across nonaffiliated websites or
21
online applications to predict the consumer's preferences or
22
interests. "Targeted advertising" does not include:
23
(1) advertising based on activities within a
24
controller's own websites or online applications;
25
(2) advertising based on the context of a consumer's
26
current search query or visit to a website or online
HB5221
- 8 -
LRB104 18403 SPS 31845 b
1
application;
2
(3) advertising to a consumer in response to the
3
consumer's request for information or feedback; or
4
(4) processing personal data solely for measuring or
5
reporting advertising performance, reach, or frequency.
6
"Third party" means a natural or legal person, public
7
authority, agency, or body other than the consumer,
8
controller, processor, or an affiliate of the processor or the
9
controller.
10
"Trade secret" has the meaning set forth in subsection (d)
11
of Section 2 of the Illinois Trade Secrets Act.
12
Section 10.
Scope; exclusions.
13
(a) This Act applies to legal entities that conduct
14
business in this State or produce products or services that
15
are targeted to residents of this State, and that satisfy one
16
or more of the following thresholds:
17
(1) during a calendar year, controls or processes
18
personal data of 100,000 consumers or more, excluding
19
personal data controlled or processed solely for the
20
purpose of completing a payment transaction; or
21
(2) derives over 25% of gross revenue from the sale of
22
personal data and processes or controls personal data of
23
25,000 consumers or more.
24
(b) This Act does not apply to the following entities,
25
activities, or types of information:
HB5221
- 9 -
LRB104 18403 SPS 31845 b
1
(1) a government entity;
2
(2) a federally recognized Indian tribe;
3
(3) information that meets the definition of:
4
(A) protected health information, as defined by
5
and for purposes of the Health Insurance Portability
6
and Accountability Act of 1996, as specified in 45 CFR
7
160.103;
8
(B) health information, as defined in 42 U.S.C.
9
1320d(4);
10
(C) patient identifying information for purposes
11
of 42 CFR Part 2, established pursuant to 42 U.S.C.
12
290dd-2;
13
(D) identifiable private information for purposes
14
of the federal policy for the protection of human
15
subjects, 45 CFR Part 46; identifiable private
16
information that is otherwise information collected as
17
part of human subjects research pursuant to the good
18
clinical practice guidelines issued by the
19
International Council for Harmonization; the
20
protection of human subjects under 21 CFR Parts 50 and
21
56; or personal data used or shared in research
22
conducted in accordance with one or more of the
23
requirements set forth in this paragraph;
24
(E) information and documents created for purposes
25
of the federal Health Care Quality Improvement Act of
26
1986, Public Law 99-660, and related regulations; or
HB5221
- 10 -
LRB104 18403 SPS 31845 b
1
(F) patient safety work product for purposes of 42
2
CFR Part 3, established pursuant to 42 U.S.C. 299b-21
3
to 299b-26;
4
(4) information that is derived from any of the health
5
care-related information listed in paragraph (3), but that
6
has been deidentified in accordance with the requirements
7
for deidentification set forth in 45 CFR Part 164;
8
(5) information originating from, and intermingled to
9
be indistinguishable with, any of the health care-related
10
information listed in paragraph (3) that is maintained by:
11
(A) a covered entity or business associate, as
12
defined by the Health Insurance Portability and
13
Accountability Act of 1996, Public Law 104-191, and
14
related regulations;
15
(B) a health care provider, as defined in 42
16
U.S.C. 1320d(3); or
17
(C) a program or a qualified service organization,
18
as defined by 42 CFR Part 2, established pursuant to 42
19
U.S.C. 290dd-2;
20
(6) information that is:
21
(A) maintained by an entity that meets the
22
definition of health care provider under 45 CFR
23
160.103, to the extent that the entity maintains the
24
information in the manner required of covered entities
25
with respect to protected health information for
26
purposes of the Health Insurance Portability and
HB5221
- 11 -
LRB104 18403 SPS 31845 b
1
Accountability Act of 1996, Public Law 104-191, and
2
related regulations;
3
(B) included in a limited data set, as described
4
under 45 CFR Part 164.514(e), to the extent that the
5
information is used, disclosed, and maintained in the
6
manner specified by that part;
7
(C) maintained by, or maintained to comply with
8
the rules or orders of, a self-regulatory organization
9
as defined by 15 U.S.C. 78c(a)(26);
10
(D) originated from, or intermingled with,
11
information described in paragraph (9) and that a
12
mortgage loan originator or lender, as those terms are
13
defined in the Residential Mortgage License Act of
14
1987, collects, processes, uses, or maintains in the
15
same manner as required under the laws and regulations
16
specified in paragraph (9); or
17
(E) originated from, or intermingled with,
18
information described in paragraph (9) and that a
19
nonbank financial institution, as defined in the
20
Illinois Banking Act, collects, processes, uses, or
21
maintains in the same manner as required under the
22
laws and regulations specified in paragraph (9);
23
(7) information used only for public health activities
24
and purposes, as described under 45 CFR Part 164.512;
25
(8) an activity involving the collection, maintenance,
26
disclosure, sale, communication, or use of any personal
HB5221
- 12 -
LRB104 18403 SPS 31845 b
1
data bearing on a consumer's credit worthiness, credit
2
standing, credit capacity, character, general reputation,
3
personal characteristics, or mode of living by a consumer
4
reporting agency, as defined in 15 U.S.C. 1681a(f), by a
5
furnisher of information, as set forth in 15 U.S.C.
6
1681s-2, who provides information for use in a consumer
7
report, as defined in 15 U.S.C. 1681a(d), and by a user of
8
a consumer report, as set forth in 15 U.S.C. 1681b, except
9
that information is only excluded under this paragraph to
10
the extent that the activity involving the collection,
11
maintenance, disclosure, sale, communication, or use of
12
the information by the agency, furnisher, or user is
13
subject to regulation under the federal Fair Credit
14
Reporting Act, 15 U.S.C. 1681 to 1681x, and the
15
information is not collected, maintained, used,
16
communicated, disclosed, or sold except as authorized by
17
the Fair Credit Reporting Act;
18
(9) personal data collected, processed, sold, or
19
disclosed pursuant to the federal Gramm-Leach-Bliley Act,
20
Public Law 106-102, and implementing regulations, if the
21
collection, processing, sale, or disclosure is in
22
compliance with that law;
23
(10) personal data collected, processed, sold, or
24
disclosed pursuant to the federal Driver's Privacy
25
Protection Act of 1994, 18 U.S.C. 2721 to 2725, if the
26
collection, processing, sale, or disclosure is in
HB5221
- 13 -
LRB104 18403 SPS 31845 b
1
compliance with that law;
2
(11) personal data regulated by the federal Family
3
Educational Rights and Privacy Act, 20 U.S.C. 1232g, and
4
implementing regulations;
5
(12) personal data collected, processed, sold, or
6
disclosed pursuant to the federal Farm Credit Act of 1971,
7
12 U.S.C. 2001 to 2279cc, and implementing regulations, 12
8
CFR Part 600, if the collection, processing, sale, or
9
disclosure is in compliance with that law;
10
(13) data collected or maintained:
11
(A) in the course of an individual acting as a job
12
applicant to or an employee, owner, director, officer,
13
medical staff member, or contractor of a business if
14
the data is collected and used solely within the
15
context of the role;
16
(B) as the emergency contact information of an
17
individual under subparagraph (A) if used solely for
18
emergency contact purposes; or
19
(C) that is necessary for the business to retain
20
to administer benefits for another individual relating
21
to the individual under subparagraph (A) if used
22
solely for the purposes of administering those
23
benefits;
24
(14) personal data collected, processed, sold, or
25
disclosed pursuant to the Use of Credit Information in
26
Personal Insurance Act;
HB5221
- 14 -
LRB104 18403 SPS 31845 b
1
(15) data collected, processed, sold, or disclosed as
2
part of a payment-only credit, check, or cash transaction
3
where no data about consumers is retained;
4
(16) a State or federally chartered bank or credit
5
union, or an affiliate or subsidiary that is principally
6
engaged in financial activities, as described in 12 U.S.C.
7
1843(k);
8
(17) information that originates from, or is
9
intermingled so as to be indistinguishable from,
10
information described in paragraph (8) and that a person
11
licensed under the Consumer Installment Loan Act,
12
processes, uses, or maintains in the same manner as is
13
required under the laws and regulations specified in
14
paragraph (8);
15
(18) an insurance company, an insurance producer, an
16
administrator, as those terms are defined in the Illinois
17
Insurance Code, or an affiliate or subsidiary of any
18
entity identified in this paragraph that is principally
19
engaged in financial activities, as described in 12 U.S.C.
20
1843(k), except that this paragraph does not apply to a
21
person that, alone or in combination with another person,
22
establishes and maintains a self-insurance program that
23
does not otherwise engage in the business of entering into
24
policies of insurance;
25
(19) a small business, as defined by the United States
26
Small Business Administration under 13 CFR Part 121,
HB5221
- 15 -
LRB104 18403 SPS 31845 b
1
except that a small business identified in this paragraph
2
is subject to Section 35;
3
(20) a nonprofit organization that is established to
4
detect and prevent fraudulent acts in connection with
5
insurance; and
6
(21) an air carrier subject to the federal Airline
7
Deregulation Act, Public Law 95-504, only to the extent
8
that an air carrier collects personal data related to
9
prices, routes, or services and only to the extent that
10
the provisions of the Airline Deregulation Act preempt the
11
requirements of this Act.
12
(c) Controllers that are in compliance with the Children's
13
Online Privacy Protection Act, 15 U.S.C. 6501 to 6506, and
14
implementing regulations, shall be deemed compliant with any
15
obligation to obtain parental consent under this Act.
16
Section 15.
Responsibility according to role.
17
(a) Controllers and processors are responsible for meeting
18
the respective obligations established under this Act.
19
(b) Processors are responsible under this Act for adhering
20
to the instructions of the controller and assisting the
21
controller to meet the controller's obligations under this
22
Act. Assistance under this paragraph shall include:
23
(1) taking into account the nature of the processing,
24
the processor shall assist the controller by appropriate
25
technical and organizational measures, insofar as this is
HB5221
- 16 -
LRB104 18403 SPS 31845 b
1
possible, for the fulfillment of the controller's
2
obligation to respond to consumer requests to exercise
3
their rights pursuant to Section 20; and
4
(2) taking into account the nature of processing and
5
the information available to the processor, the processor
6
shall assist the controller in meeting the controller's
7
obligations in relation to the security of processing the
8
personal data and in relation to the notification of a
9
breach of the security of the system pursuant to the
10
Personal Information Protection Act, and shall provide
11
information to the controller necessary to enable the
12
controller to conduct and document any data privacy and
13
protection assessments required by Section 40.
14
(c) A contract between a controller and a processor shall
15
control the processor's data processing procedures with
16
respect to processing performed on behalf of the controller.
17
The contract shall be binding and clearly set forth
18
instructions for processing data, the nature and purpose of
19
processing, the type of data subject to processing, the
20
duration of processing, and the rights and obligations of both
21
parties. The contract shall also require that the processor:
22
(1) ensure that each person processing the personal
23
data is subject to a duty of confidentiality with respect
24
to the data; and
25
(2) engage a subcontractor only: (i) after providing
26
the controller with an opportunity to object, and (ii)
HB5221
- 17 -
LRB104 18403 SPS 31845 b
1
pursuant to a written contract in accordance with
2
subsection (e) that requires the subcontractor to meet the
3
obligations of the processor with respect to the personal
4
data.
5
(d) Taking into account the context of processing, the
6
controller and the processor shall implement appropriate
7
technical and organizational measures to ensure a level of
8
security appropriate to the risk and establish a clear
9
allocation of the responsibilities between the controller and
10
the processor to implement the technical and organizational
11
measures.
12
(e) Processing by a processor shall be controlled by a
13
contract between the controller and the processor that is
14
binding on both parties and that sets out the processing
15
instructions to which the processor is bound, including the
16
nature and purpose of the processing, the type of personal
17
data subject to the processing, the duration of the
18
processing, and the obligations and rights of both parties.
19
The contract shall include the requirements imposed by this
20
subsection, subsections (c) and (d), and the following
21
requirements:
22
(1) At the discretion of the controller, the processor
23
shall delete or return all personal data to the controller
24
as requested at the end of the provision of services,
25
unless retention of the personal data is required by law.
26
(2) Upon a reasonable request from the controller, the
HB5221
- 18 -
LRB104 18403 SPS 31845 b
1
processor shall make available to the controller all
2
information necessary to demonstrate compliance with the
3
obligations in this Act.
4
(3) The processor shall allow for, and contribute to,
5
reasonable assessments and inspections by the controller
6
or the controller's designated assessor. Alternatively,
7
the processor may arrange for a qualified and independent
8
assessor to conduct, at least annually and at the
9
processor's expense, an assessment of the processor's
10
policies and technical and organizational measures in
11
support of the obligations under this Act. The assessor
12
must use an appropriate and accepted control standard or
13
framework and assessment procedure for assessments as
14
applicable, and shall provide a report of an assessment to
15
the controller upon request.
16
(f) No contract shall relieve a controller or a processor
17
from the liabilities imposed on a controller or processor by
18
virtue of the controller's or processor's roles in the
19
processing relationship under this Act.
20
(g) Determining whether a person is acting as a controller
21
or processor with respect to a specific processing of data is a
22
fact-based determination that depends upon the context in
23
which personal data are to be processed. A person that is not
24
limited in the person's processing of personal data pursuant
25
to a controller's instructions, or that fails to adhere to a
26
controller's instructions, is a controller and not a processor
HB5221
- 19 -
LRB104 18403 SPS 31845 b
1
with respect to a specific processing of data. A processor
2
that continues to adhere to a controller's instructions with
3
respect to a specific processing of personal data remains a
4
processor. If a processor begins, alone or jointly with
5
others, determining the purposes and means of the processing
6
of personal data, the processor is a controller with respect
7
to the processing.
8
Section 20.
Consumer personal data rights.
9
(a) Consumer rights provided.
10
(1) Except as provided in this Act, a controller must
11
comply with a request to exercise the consumer rights
12
provided in this subsection.
13
(2) A consumer has the right to confirm whether or not
14
a controller is processing personal data concerning the
15
consumer and access the categories of personal data the
16
controller is processing.
17
(3) A consumer has the right to correct inaccurate
18
personal data concerning the consumer, taking into account
19
the nature of the personal data and the purposes of the
20
processing of the personal data.
21
(4) A consumer has the right to delete personal data
22
concerning the consumer.
23
(5) A consumer has the right to obtain personal data
24
concerning the consumer, which the consumer previously
25
provided to the controller, in a portable and, to the
HB5221
- 20 -
LRB104 18403 SPS 31845 b
1
extent technically feasible, readily usable format that
2
allows the consumer to transmit the data to another
3
controller without hindrance, where the processing is
4
carried out by automated means.
5
(6) A consumer has the right to opt out of the
6
processing of personal data concerning the consumer for
7
purposes of targeted advertising, the sale of personal
8
data, or profiling in furtherance of automated decisions
9
that produce legal effects concerning a consumer or
10
similarly significant effects concerning a consumer.
11
(7) If a consumer's personal data is profiled in
12
furtherance of decisions that produce legal effects
13
concerning a consumer or similarly significant effects
14
concerning a consumer, the consumer has the right to
15
question the result of the profiling, to be informed of
16
the reason that the profiling resulted in the decision,
17
and, if feasible, to be informed of what actions the
18
consumer might have taken to secure a different decision
19
and the actions that the consumer might take to secure a
20
different decision in the future. The consumer has the
21
right to review the consumer's personal data used in the
22
profiling. If the decision is determined to have been
23
based upon inaccurate personal data, taking into account
24
the nature of the personal data and the purposes of the
25
processing of the personal data, the consumer has the
26
right to have the data corrected and the profiling
HB5221
- 21 -
LRB104 18403 SPS 31845 b
1
decision reevaluated based upon the corrected data.
2
(8) A consumer has a right to obtain a list of the
3
specific third parties to which the controller has
4
disclosed the consumer's personal data. If the controller
5
does not maintain the information in a format specific to
6
the consumer, a list of specific third parties to whom the
7
controller has disclosed any consumers' personal data may
8
be provided instead.
9
(b) Exercising consumer rights.
10
(1) A consumer may exercise the rights set forth in
11
this Section by submitting a request, at any time, to a
12
controller specifying which rights the consumer wishes to
13
exercise.
14
(2) In the case of processing personal data concerning
15
a known child, the parent or legal guardian of the known
16
child may exercise the rights of this Act on the child's
17
behalf.
18
(3) In the case of processing personal data concerning
19
a consumer legally subject to guardianship or
20
conservatorship under the Uniform Adult Guardianship and
21
Protective Proceedings Jurisdiction Act, the guardian or
22
the conservator of the consumer may exercise the rights of
23
this Act on the consumer's behalf.
24
(4) A consumer may designate another person as the
25
consumer's authorized agent to exercise the consumer's
26
right to opt out of the processing of the consumer's
HB5221
- 22 -
LRB104 18403 SPS 31845 b
1
personal data for purposes of targeted advertising and
2
sale under paragraph (6) of subsection (a) on the
3
consumer's behalf. A consumer may designate an authorized
4
agent by way of, among other things, a technology,
5
including, but not limited to, an Internet link or a
6
browser setting, browser extension, or global device
7
setting, indicating the consumer's intent to opt out of
8
the processing. A controller shall comply with an opt-out
9
request received from an authorized agent if the
10
controller is able to verify, with commercially reasonable
11
effort, the identity of the consumer and the authorized
12
agent's authority to act on the consumer's behalf.
13
(c) Universal opt-out mechanisms.
14
(1) A controller must allow a consumer to opt out of
15
any processing of the consumer's personal data for the
16
purposes of targeted advertising, or any sale of the
17
consumer's personal data through an opt-out preference
18
signal sent, with the consumer's consent, by a platform,
19
technology, or mechanism to the controller indicating the
20
consumer's intent to opt out of the processing or sale.
21
The platform, technology, or mechanism must:
22
(A) not unfairly disadvantage another controller;
23
(B) not make use of a default setting, but require
24
the consumer to make an affirmative, freely given, and
25
unambiguous choice to opt out of the processing of the
26
consumer's personal data;
HB5221
- 23 -
LRB104 18403 SPS 31845 b
1
(C) be consumer-friendly and easy to use by the
2
average consumer;
3
(D) be as consistent as possible with any other
4
similar platform, technology, or mechanism required by
5
any federal or State law or regulation; and
6
(E) enable the controller to accurately determine
7
whether the consumer is a resident of this State and
8
whether the consumer has made a legitimate request to
9
opt out of any sale of the consumer's personal data or
10
targeted advertising. For purposes of this
11
subparagraph, the use of an Internet protocol address
12
to estimate the consumer's location is sufficient to
13
determine the consumer's residence.
14
(2) If a consumer's opt-out request is exercised
15
through the platform, technology, or mechanism required
16
under paragraph (1), and the request conflicts with the
17
consumer's existing controller-specific privacy setting or
18
voluntary participation in a controller's bona fide
19
loyalty, rewards, premium features, discounts, or club
20
card program, the controller must comply with the
21
consumer's opt-out preference signal but may also notify
22
the consumer of the conflict and provide the consumer a
23
choice to confirm the controller-specific privacy setting
24
or participation in the controller's program.
25
(3) The platform, technology, or mechanism required
26
under paragraph (1) is subject to the requirements of
HB5221
- 24 -
LRB104 18403 SPS 31845 b
1
subsection (d).
2
(4) A controller that recognizes opt-out preference
3
signals that have been approved by other State laws or
4
regulations is in compliance with this subsection.
5
(d) Controller response to consumer requests.
6
(1) Except as provided in this Act, a controller must
7
comply with a request to exercise the rights pursuant to
8
subsection (a).
9
(2) A controller must provide one or more secure and
10
reliable means for consumers to submit a request to
11
exercise the consumer's rights under this section. The
12
means made available must take into account the ways in
13
which consumers interact with the controller and the need
14
for secure and reliable communication of the requests.
15
(3) A controller may not require a consumer to create
16
a new account in order to exercise a right, but a
17
controller may require a consumer to use an existing
18
account to exercise the consumer's rights under this
19
section.
20
(4) A controller must comply with a request to
21
exercise the right in paragraph (6) of subsection (a) of
22
Section 20, as soon as feasibly possible, but no later
23
than 45 days of receipt of the request.
24
(5) A controller must inform a consumer of any action
25
taken on a request under subsection (a) without undue
26
delay and in any event within 45 days of receipt of the
HB5221
- 25 -
LRB104 18403 SPS 31845 b
1
request. That period may be extended once by 45 additional
2
days where reasonably necessary, taking into account the
3
complexity and number of the requests. The controller must
4
inform the consumer of any extension within 45 days of
5
receipt of the request, together with the reasons for the
6
delay.
7
(6) If a controller does not take action on a
8
consumer's request, the controller must inform the
9
consumer without undue delay and at the latest within 45
10
days of receipt of the request of the reasons for not
11
taking action and instructions for how to appeal the
12
decision with the controller as described in subsection
13
(e).
14
(7) Information provided under this Section must be
15
provided by the controller free of charge up to twice
16
annually to the consumer. Where requests from a consumer
17
are manifestly unfounded or excessive, in particular
18
because of the repetitive character of the requests, the
19
controller may either charge a reasonable fee to cover the
20
administrative costs of complying with the request, or
21
refuse to act on the request. The controller bears the
22
burden of demonstrating the manifestly unfounded or
23
excessive character of the request.
24
(8) A controller is not required to comply with a
25
request to exercise any of the rights under paragraphs (2)
26
through (5) and (8) of subsection (a), if the controller
HB5221
- 26 -
LRB104 18403 SPS 31845 b
1
is unable to authenticate the request using commercially
2
reasonable efforts. In such cases, the controller may
3
request the provision of additional information reasonably
4
necessary to authenticate the request. A controller is not
5
required to authenticate an opt-out request, but a
6
controller may deny an opt-out request if the controller
7
has a good faith, reasonable, and documented belief that
8
the request is fraudulent. If a controller denies an
9
opt-out request because the controller believes a request
10
is fraudulent, the controller must notify the person who
11
made the request that the request was denied due to the
12
controller's belief that the request was fraudulent and
13
state the controller's basis for that belief.
14
(9) In response to a consumer request under subsection
15
(a), a controller must not disclose the following
16
information about a consumer, but must instead inform the
17
consumer with sufficient particularity that the controller
18
has collected that type of information:
19
(A) Social Security number;
20
(B) driver's license number or other
21
government-issued identification number;
22
(C) financial account number;
23
(D) health insurance account number or medical
24
identification number;
25
(E) account password, security questions, or
26
answers; or
HB5221
- 27 -
LRB104 18403 SPS 31845 b
1
(F) biometric data.
2
(10) In response to a consumer request under
3
subsection (a), a controller is not required to reveal any
4
trade secret.
5
(11) A controller that has obtained personal data
6
about a consumer from a source other than the consumer may
7
comply with a consumer's request to delete the consumer's
8
personal data pursuant to paragraph (4) of subsection (a),
9
by either:
10
(A) retaining a record of the deletion request,
11
retaining the minimum data necessary for the purpose
12
of ensuring the consumer's personal data remains
13
deleted from the business's records, and not using the
14
retained data for any other purpose pursuant to the
15
provisions of this Act; or
16
(B) opting the consumer out of the processing of
17
personal data for any purpose except for the purposes
18
exempted pursuant to the provisions of this Act.
19
(e) Appeal process required.
20
(1) A controller must establish an internal process
21
whereby a consumer may appeal a refusal to take action on a
22
request to exercise any of the rights under subsection (a)
23
within a reasonable period of time after the consumer's
24
receipt of the notice sent by the controller under
25
paragraph (6) of subsection (d).
26
(2) The appeal process must be conspicuously
HB5221
- 28 -
LRB104 18403 SPS 31845 b
1
available. The process must include the ease of use
2
provisions in subsection (c) applicable to submitting
3
requests.
4
(3) Within 45 days of receipt of an appeal, a
5
controller must inform the consumer of any action taken or
6
not taken in response to the appeal, along with a written
7
explanation of the reasons in support thereof. That period
8
may be extended by 60 additional days where reasonably
9
necessary, taking into account the complexity and number
10
of the requests serving as the basis for the appeal. The
11
controller must inform the consumer of any extension
12
within 45 days of receipt of the appeal, together with the
13
reasons for the delay.
14
(4) When informing a consumer of any action taken or
15
not taken in response to an appeal under subsection (c),
16
the controller must provide a written explanation of the
17
reasons for the controller's decision and clearly and
18
prominently provide the consumer with information about
19
how to file a complaint with the Office of the Attorney
20
General. The controller must maintain records of all
21
appeals and the controller's responses for at least 24
22
months and shall, upon written request by the Attorney
23
General as part of an investigation, compile and provide a
24
copy of the records to the Attorney General.
25
Section 25.
Processing deidentified data or pseudonymous
HB5221
- 29 -
LRB104 18403 SPS 31845 b
1
data.
2
(a) This Act does not require a controller or processor to
3
do any of the following solely for purposes of complying with
4
this Act:
5
(1) reidentify deidentified data;
6
(2) maintain data in identifiable form, or collect,
7
obtain, retain, or access any data or technology, in order
8
to be capable of associating an authenticated consumer
9
request with personal data; or
10
(3) comply with an authenticated consumer request to
11
access, correct, delete, or port personal data pursuant to
12
subsection (a) of Section 20, if all of the following are
13
true:
14
(A) the controller is not reasonably capable of
15
associating the request with the personal data, or it
16
would be unreasonably burdensome for the controller to
17
associate the request with the personal data;
18
(B) the controller does not use the personal data
19
to recognize or respond to the specific consumer who
20
is the subject of the personal data, or associate the
21
personal data with other personal data about the same
22
specific consumer; and
23
(C) the controller does not sell the personal data
24
to any third party or otherwise voluntarily disclose
25
the personal data to any third party other than a
26
processor, except as otherwise permitted in this
HB5221
- 30 -
LRB104 18403 SPS 31845 b
1
Section.
2
(b) The rights contained in paragraphs (2) through (5) and
3
(8) of subsection (a) of Section 20 do not apply to
4
pseudonymous data in cases where the controller is able to
5
demonstrate any information necessary to identify the consumer
6
is kept separately and is subject to effective technical and
7
organizational controls that prevent the controller from
8
accessing the information.
9
(c) A controller that uses pseudonymous data or
10
deidentified data must exercise reasonable oversight to
11
monitor compliance with any contractual commitments to which
12
the pseudonymous data or deidentified data are subject, and
13
must take appropriate steps to address any breaches of
14
contractual commitments.
15
(d) A processor or third party must not attempt to
16
identify the subjects of deidentified or pseudonymous data
17
without the express authority of the controller that caused
18
the data to be deidentified or pseudonymized.
19
(e) A controller, processor, or third party must not
20
attempt to identify the subjects of data that has been
21
collected with only pseudonymous identifiers.
22
Section 30.
Responsibilities of controllers.
23
(a) Transparency obligations.
24
(1) Controllers must provide consumers with a
25
reasonably accessible, clear, and meaningful privacy
HB5221
- 31 -
LRB104 18403 SPS 31845 b
1
notice that includes:
2
(A) the categories of personal data processed by
3
the controller;
4
(B) the purposes for which the categories of
5
personal data are processed;
6
(C) an explanation of the rights contained in
7
Section 20 and how and where consumers may exercise
8
those rights, including how a consumer may appeal a
9
controller's action with regard to the consumer's
10
request;
11
(D) the categories of personal data that the
12
controller sells to or shares with third parties, if
13
any;
14
(E) the categories of third parties, if any, with
15
whom the controller sells or shares personal data;
16
(F) the controller's contact information,
17
including an active email address or other online
18
mechanism that the consumer may use to contact the
19
controller;
20
(G) a description of the controller's retention
21
policies for personal data; and
22
(H) the date the privacy notice was last updated.
23
(2) If a controller sells personal data to third
24
parties, processes personal data for targeted advertising,
25
or engages in profiling in furtherance of decisions that
26
produce legal effects concerning a consumer or similarly
HB5221
- 32 -
LRB104 18403 SPS 31845 b
1
significant effects concerning a consumer, the controller
2
must disclose the processing in the privacy notice and
3
provide access to a clear and conspicuous method outside
4
the privacy notice for a consumer to opt out of the sale,
5
processing, or profiling in furtherance of decisions that
6
produce legal effects concerning a consumer or similarly
7
significant effects concerning a consumer. This method may
8
include, but is not limited to, an Internet hyperlink
9
clearly labeled "Your Opt-Out Rights" or "Your Privacy
10
Rights" that directly effectuates the opt-out request or
11
takes consumers to a web page where the consumer can make
12
the opt-out request.
13
(3) The privacy notice must be made available to the
14
public in each language in which the controller provides a
15
product or service that is subject to the privacy notice
16
or carries out activities related to the product or
17
service.
18
(4) The controller must provide the privacy notice in
19
a manner that is reasonably accessible to and usable by
20
individuals with disabilities.
21
(5) Whenever a controller makes a material change to
22
the controller's privacy notice or practices, the
23
controller must notify consumers affected by the material
24
change with respect to any prospectively collected
25
personal data and provide a reasonable opportunity for
26
consumers to withdraw consent to any further materially
HB5221
- 33 -
LRB104 18403 SPS 31845 b
1
different collection, processing, or transfer of
2
previously collected personal data under the changed
3
policy. The controller shall take all reasonable
4
electronic measures to provide notification regarding
5
material changes to affected consumers, taking into
6
account available technology and the nature of the
7
relationship.
8
(6) A controller is not required to provide a separate
9
Illinois-specific privacy notice or Section of a privacy
10
notice if the controller's general privacy notice contains
11
all the information required by this section.
12
(7) The privacy notice must be posted online through a
13
conspicuous hyperlink using the word "privacy" on the
14
controller's website home page or on a mobile
15
application's app store page or download page. A
16
controller that maintains an application on a mobile or
17
other device shall also include a hyperlink to the privacy
18
notice in the application's settings menu or in a
19
similarly conspicuous and accessible location. A
20
controller that does not operate a website shall make the
21
privacy notice conspicuously available to consumers
22
through a medium regularly used by the controller to
23
interact with consumers, including, but not limited to,
24
mail.
25
(b) Use of data.
26
(1) A controller must limit the collection of personal
HB5221
- 34 -
LRB104 18403 SPS 31845 b
1
data to what is adequate, relevant, and reasonably
2
necessary in relation to the purposes for which the data
3
are processed, which must be disclosed to the consumer.
4
(2) Except as provided in this Act, a controller may
5
not process personal data for purposes that are not
6
reasonably necessary to, or compatible with, the purposes
7
for which the personal data are processed, as disclosed to
8
the consumer, unless the controller obtains the consumer's
9
consent.
10
(3) A controller shall establish, implement, and
11
maintain reasonable administrative, technical, and
12
physical data security practices to protect the
13
confidentiality, integrity, and accessibility of personal
14
data, including the maintenance of an inventory of the
15
data that must be managed to exercise these
16
responsibilities. The data security practices shall be
17
appropriate to the volume and nature of the personal data
18
at issue.
19
(4) Except as otherwise provided in this Act, a
20
controller may not process sensitive data concerning a
21
consumer without obtaining the consumer's consent, or, in
22
the case of the processing of personal data concerning a
23
known child, without obtaining consent from the child's
24
parent or lawful guardian, in accordance with the
25
requirement of the Children's Online Privacy Protection
26
Act, 15 U.S.C. 6501 to 6506, and its implementing
HB5221
- 35 -
LRB104 18403 SPS 31845 b
1
regulations, rules, and exemptions.
2
(5) A controller shall provide an effective mechanism
3
for a consumer, or, in the case of the processing of
4
personal data concerning a known child, the child's parent
5
or lawful guardian, to revoke previously given consent
6
under this subsection. The mechanism provided shall be at
7
least as easy as the mechanism by which the consent was
8
previously given. Upon revocation of consent, a controller
9
shall cease to process the applicable data as soon as
10
practicable, but not later than 15 days after the receipt
11
of the request.
12
(6) A controller may not process the personal data of
13
a consumer for purposes of targeted advertising, or sell
14
the consumer's personal data, without the consumer's
15
consent, under circumstances where the controller knows
16
that the consumer is between the ages of 13 and 16.
17
(7) A controller may not retain personal data that is
18
no longer relevant and reasonably necessary in relation to
19
the purposes for which the data were collected and
20
processed, unless retention of the data is otherwise
21
required by law or permitted under Section 45.
22
(c) Nondiscrimination.
23
(1) A controller shall not process personal data on
24
the basis of a consumer's or a class of consumers' actual
25
or perceived race, color, ethnicity, religion, national
26
origin, sex, gender, gender identity, sexual orientation,
HB5221
- 36 -
LRB104 18403 SPS 31845 b
1
familial status, lawful source of income, or disability in
2
a manner that unlawfully discriminates against the
3
consumer or class of consumers with respect to the
4
offering or provision of: housing, employment, credit, or
5
education; or the goods, services, facilities, privileges,
6
advantages, or accommodations of any place of public
7
accommodation.
8
(2) A controller may not discriminate against a
9
consumer for exercising any of the rights contained in
10
this Act, including denying goods or services to the
11
consumer, charging different prices or rates for goods or
12
services, and providing a different level of quality of
13
goods and services to the consumer. This subsection does
14
not:
15
(A) require a controller to provide a good or
16
service that requires the consumer's personal data
17
that the controller does not collect or maintain; or
18
(B) prohibit a controller from offering a
19
different price, rate, level, quality, or selection of
20
goods or services to a consumer, including offering
21
goods or services for no fee, if the offering is in
22
connection with a consumer's voluntary participation
23
in a bona fide loyalty, rewards, premium features,
24
discounts, or club card program.
25
(d) Any provision of a contract or agreement of any kind
26
that purports to waive or limit in any way a consumer's rights
HB5221
- 37 -
LRB104 18403 SPS 31845 b
1
under this Act is contrary to public policy and is void and
2
unenforceable.
3
Section 35.
Requirements for small businesses.
4
(a) A small business, as defined by the United States
5
Small Business Administration under 13 CFR Part 121, that
6
conducts business in this State or produces products or
7
services that are targeted to residents of this State, must
8
not sell a consumer's sensitive data without the consumer's
9
prior consent.
10
(b) Penalties and Attorney General enforcement procedures
11
under Section 50 apply to a small business that violates this
12
Section.
13
Section 40.
Data privacy policies; data privacy and
14
protection assessments.
15
(a) A controller must document and maintain a description
16
of the policies and procedures the controller has adopted to
17
comply with this Act. The description must include, where
18
applicable:
19
(1) the name and contact information for the
20
controller's chief privacy officer or other individual
21
with primary responsibility for directing the policies and
22
procedures implemented to comply with the provisions of
23
this Act; and
24
(2) a description of the controller's data privacy
HB5221
- 38 -
LRB104 18403 SPS 31845 b
1
policies and procedures which reflect the requirements in
2
Section 35, and any policies and procedures designed to:
3
(A) reflect the requirements of this Act in the
4
design of the controller's systems;
5
(B) identify and provide personal data to a
6
consumer as required by this Act;
7
(C) establish, implement, and maintain reasonable
8
administrative, technical, and physical data security
9
practices to protect the confidentiality, integrity,
10
and accessibility of personal data, including the
11
maintenance of an inventory of the data that must be
12
managed to exercise the responsibilities under this
13
subparagraph;
14
(D) limit the collection of personal data to what
15
is adequate, relevant, and reasonably necessary in
16
relation to the purposes for which the data are
17
processed;
18
(E) prevent the retention of personal data that is
19
no longer relevant and reasonably necessary in
20
relation to the purposes for which the data were
21
collected and processed, unless retention of the data
22
is otherwise required by law or permitted under
23
Section 45; and
24
(F) identify and remediate violations of this Act.
25
(b) A controller must conduct and document a data privacy
26
and protection assessment for each of the following processing
HB5221
- 39 -
LRB104 18403 SPS 31845 b
1
activities involving personal data:
2
(1) the processing of personal data for purposes of
3
targeted advertising;
4
(2) the sale of personal data;
5
(3) the processing of sensitive data;
6
(4) any processing activities involving personal data
7
that present a heightened risk of harm to consumers; and
8
(5) the processing of personal data for purposes of
9
profiling, where the profiling presents a reasonably
10
foreseeable risk of:
11
(A) unfair or deceptive treatment of, or disparate
12
impact on, consumers;
13
(B) financial, physical, or reputational injury to
14
consumers;
15
(C) a physical or other intrusion upon the
16
solitude or seclusion, or the private affairs or
17
concerns, of consumers, where the intrusion would be
18
offensive to a reasonable person; or
19
(D) other substantial injury to consumers.
20
(c) A data privacy and protection assessment must take
21
into account the type of personal data to be processed by the
22
controller, including the extent to which the personal data
23
are sensitive data, and the context in which the personal data
24
are to be processed.
25
(d) A data privacy and protection assessment must identify
26
and weigh the benefits that may flow directly and indirectly
HB5221
- 40 -
LRB104 18403 SPS 31845 b
1
from the processing to the controller, consumer, other
2
stakeholders, and the public against the potential risks to
3
the rights of the consumer associated with the processing, as
4
mitigated by safeguards that can be employed by the controller
5
to reduce the potential risks. The use of deidentified data
6
and the reasonable expectations of consumers, as well as the
7
context of the processing and the relationship between the
8
controller and the consumer whose personal data will be
9
processed, must be factored into this assessment by the
10
controller.
11
(e) A data privacy and protection assessment must include
12
the description of policies and procedures required by
13
subsection (a).
14
(f) As part of a civil investigative demand, the Attorney
15
General may request, in writing, that a controller disclose
16
any data privacy and protection assessment that is relevant to
17
an investigation conducted by the Attorney General. The
18
controller must make a data privacy and protection assessment
19
available to the Attorney General upon a request made under
20
this subsection. The Attorney General may evaluate the data
21
privacy and protection assessments for compliance with this
22
Act. Data privacy and protection assessments are classified as
23
nonpublic data, exempt from disclosure under the Illinois
24
Freedom of Information Act. The disclosure of a data privacy
25
and protection assessment pursuant to a request from the
26
Attorney General under this paragraph does not constitute a
HB5221
- 41 -
LRB104 18403 SPS 31845 b
1
waiver of the attorney-client privilege or work product
2
protection with respect to the assessment and any information
3
contained in the assessment.
4
(g) Data privacy and protection assessments or risk
5
assessments conducted by a controller for the purpose of
6
compliance with other laws or regulations may qualify under
7
this Section if the assessments have a similar scope and
8
effect.
9
(h) A single data protection assessment may address
10
multiple sets of comparable processing operations that include
11
similar activities.
12
Section 45.
Limitations and applicability.
13
(a) The obligations imposed on controllers or processors
14
under this Act do not restrict a controller's or a processor's
15
ability to:
16
(1) comply with federal, State, or local laws, rules,
17
or regulations, including, but not limited to, data
18
retention requirements in State or federal law
19
notwithstanding a consumer's request to delete personal
20
data;
21
(2) comply with a civil, criminal, or regulatory
22
inquiry, investigation, subpoena, or summons by federal,
23
State, local, or other governmental authorities;
24
(3) cooperate with law enforcement agencies concerning
25
conduct or activity that the controller or processor
HB5221
- 42 -
LRB104 18403 SPS 31845 b
1
reasonably and in good faith believes may violate federal,
2
State, or local laws, rules, or regulations;
3
(4) investigate, establish, exercise, prepare for, or
4
defend legal claims;
5
(5) provide a product or service specifically
6
requested by a consumer; perform a contract to which the
7
consumer is a party, including fulfilling the terms of a
8
written warranty; or take steps at the request of the
9
consumer prior to entering into a contract;
10
(6) take immediate steps to protect an interest that
11
is essential for the life or physical safety of the
12
consumer or of another natural person, and where the
13
processing cannot be manifestly based on another legal
14
basis;
15
(7) prevent, detect, protect against, or respond to
16
security incidents, identity theft, fraud, harassment,
17
malicious or deceptive activities, or any illegal
18
activity; preserve the integrity or security of systems;
19
or investigate, report, or prosecute those responsible for
20
the action;
21
(8) assist another controller, processor, or third
22
party with any of the obligations under this subsection;
23
(9) engage in public or peer-reviewed scientific,
24
historical, or statistical research in the public interest
25
that adheres to all other applicable ethics and privacy
26
laws and is approved, monitored, and controlled by an
HB5221
- 43 -
LRB104 18403 SPS 31845 b
1
institutional review board, human subjects research ethics
2
review board, or a similar independent oversight entity
3
that has determined:
4
(A) the research is likely to provide substantial
5
benefits that do not exclusively accrue to the
6
controller;
7
(B) the expected benefits of the research outweigh
8
the privacy risks; and
9
(C) the controller has implemented reasonable
10
safeguards to mitigate privacy risks associated with
11
research, including any risks associated with
12
reidentification; or
13
(10) process personal data for the benefit of the
14
public in the areas of public health, community health, or
15
population health, but only to the extent that the
16
processing is:
17
(A) subject to suitable and specific measures to
18
safeguard the rights of the consumer whose personal
19
data is being processed; and
20
(B) under the responsibility of a professional
21
individual who is subject to confidentiality
22
obligations under federal, State, or local law.
23
(b) The obligations imposed on controllers or processors
24
under this Act do not restrict a controller's or processor's
25
ability to collect, use, or retain data to:
26
(1) effectuate a product recall or identify and repair
HB5221
- 44 -
LRB104 18403 SPS 31845 b
1
technical errors that impair existing or intended
2
functionality;
3
(2) perform internal operations that are reasonably
4
aligned with the expectations of the consumer based on the
5
consumer's existing relationship with the controller, or
6
are otherwise compatible with processing in furtherance of
7
the provision of a product or service specifically
8
requested by a consumer or the performance of a contract
9
to which the consumer is a party; or
10
(3) conduct internal research to develop, improve, or
11
repair products, services, or technology.
12
(c) The obligations imposed on controllers or processors
13
under this Act do not apply where compliance by the controller
14
or processor with this Act would violate an evidentiary
15
privilege under State law and do not prevent a controller or
16
processor from providing personal data concerning a consumer
17
to a person covered by an evidentiary privilege under State
18
law as part of a privileged communication.
19
(d) A controller or processor that discloses personal data
20
to a third-party controller or processor in compliance with
21
the requirements of this Act is not in violation of this Act if
22
the recipient processes the personal data in violation of this
23
Act, provided that at the time of disclosing the personal
24
data, the disclosing controller or processor did not have
25
actual knowledge that the recipient intended to commit a
26
violation. A third-party controller or processor receiving
HB5221
- 45 -
LRB104 18403 SPS 31845 b
1
personal data from a controller or processor in compliance
2
with the requirements of this Act is not in violation of this
3
Act for the obligations of the controller or processor from
4
which the third-party controller or processor receives the
5
personal data.
6
(e) Obligations imposed on controllers and processors
7
under this Act shall not:
8
(1) adversely affect the rights or freedoms of any
9
persons, including exercising the right of free speech
10
under the First Amendment of the United States
11
Constitution; or
12
(2) apply to the processing of personal data by a
13
natural person in the course of a purely personal or
14
household activity.
15
(f) Personal data that are processed by a controller
16
pursuant to this Section may be processed solely to the extent
17
that the processing is:
18
(1) necessary, reasonable, and proportionate to the
19
purposes listed in this Section;
20
(2) adequate, relevant, and limited to what is
21
necessary in relation to the specific purpose or purposes
22
listed in this section; and
23
(3) insofar as possible, taking into account the
24
nature and purpose of processing the personal data,
25
subjected to reasonable administrative, technical, and
26
physical measures to protect the confidentiality,
HB5221
- 46 -
LRB104 18403 SPS 31845 b
1
integrity, and accessibility of the personal data, and to
2
reduce reasonably foreseeable risks of harm to consumers.
3
(g) If a controller processes personal data under an
4
exemption in this Section, the controller bears the burden of
5
demonstrating that the processing qualifies for the exemption
6
and complies with the requirements in subsection (f).
7
(h) Processing personal data solely for the purposes
8
expressly identified in paragraphs (1) through (7) of
9
subsection (a), does not, by itself, make an entity a
10
controller with respect to the processing.
11
Section 50.
Attorney General enforcement.
12
(a) If a controller or processor violates this Act, the
13
Attorney General, prior to filing an enforcement action under
14
subsection (b), must provide the controller or processor with
15
a warning letter identifying the specific provisions of this
16
Act the Attorney General alleges have been or are being
17
violated. If, after 30 days of issuance of the warning letter,
18
the Attorney General believes the controller or processor has
19
failed to cure any alleged violation, the Attorney General may
20
bring an enforcement action under subsection (b).
21
(b) The Attorney General may bring a civil action against
22
a controller or processor to enforce a provision of this Act.
23
If the State prevails in an action to enforce this Act, the
24
State may, in addition to penalties provided by subsection (c)
25
or other remedies provided by law, be allowed an amount
HB5221
- 47 -
LRB104 18403 SPS 31845 b
1
determined by the court to be the reasonable value of all or
2
part of the State's litigation expenses incurred.
3
(c) Any controller or processor that violates this Act is
4
subject to an injunction and liable for a civil penalty of not
5
more than $7,500 for each violation.
6
(d) Nothing in this Act establishes a private right of
7
action for a violation of this Act or any other law.
8
Section 55.
Home rule.
The regulation of the processing of
9
personal data by controllers or processors is an exclusive
10
power and function of the State. A home rule unit may not
11
regulate the processing of personal data by controllers or
12
processors. This Section is a denial and limitation of home
13
rule powers and functions under subsection (h) of Section 6 of
14
Article VII of the Illinois Constitution.
15
Section 90.
The Freedom of Information Act is amended by
16
changing Section 7.5 as follows:
17
(5 ILCS 140/7.5)
18
(Text of Section before amendment by P.A. 104-441 and
19
104-457
)
20
Sec. 7.5.
Statutory exemptions.
To the extent provided for
21
by the statutes referenced below, the following shall be
22
exempt from inspection and copying:
23
(a) All information determined to be confidential
HB5221
- 48 -
LRB104 18403 SPS 31845 b
1
under Section 4002 of the Technology Advancement and
2
Development Act.
3
(b) Library circulation and order records identifying
4
library users with specific materials under the Library
5
Records Confidentiality Act.
6
(c) Applications, related documents, and medical
7
records received by the Experimental Organ Transplantation
8
Procedures Board and any and all documents or other
9
records prepared by the Experimental Organ Transplantation
10
Procedures Board or its staff relating to applications it
11
has received.
12
(d) Information and records held by the Department of
13
Public Health and its authorized representatives relating
14
to known or suspected cases of sexually transmitted
15
infection or any information the disclosure of which is
16
restricted under the Illinois Sexually Transmitted
17
Infection Control Act.
18
(e) Information the disclosure of which is exempted
19
under Section 30 of the Radon Industry Licensing Act.
20
(f) Firm performance evaluations under Section 55 of
21
the Architectural, Engineering, and Land Surveying
22
Qualifications Based Selection Act.
23
(g) Information the disclosure of which is restricted
24
and exempted under Section 50 of the Illinois Prepaid
25
Tuition Act.
26
(h) Information the disclosure of which is exempted
HB5221
- 49 -
LRB104 18403 SPS 31845 b
1
under the State Officials and Employees Ethics Act, and
2
records of any lawfully created State or local inspector
3
general's office that would be exempt if created or
4
obtained by an Executive Inspector General's office under
5
that Act.
6
(i) Information contained in a local emergency energy
7
plan submitted to a municipality in accordance with a
8
local emergency energy plan ordinance that is adopted
9
under Section 11-21.5-5 of the Illinois Municipal Code.
10
(j) Information and data concerning the distribution
11
of surcharge moneys collected and remitted by carriers
12
under the Emergency Telephone System Act.
13
(k) Law enforcement officer identification information
14
or driver identification information compiled by a law
15
enforcement agency or the Department of Transportation
16
under Section 11-212 of the Illinois Vehicle Code.
17
(l) Records and information provided to a residential
18
health care facility resident sexual assault and death
19
review team or the Executive Council under the Abuse
20
Prevention Review Team Act.
21
(m) Information provided to the predatory lending
22
database created pursuant to Article 3 of the Residential
23
Real Property Disclosure Act, except to the extent
24
authorized under that Article.
25
(n) Defense budgets and petitions for certification of
26
compensation and expenses for court appointed trial
HB5221
- 50 -
LRB104 18403 SPS 31845 b
1
counsel as provided under Sections 10 and 15 of the
2
Capital Crimes Litigation Act (repealed). This subsection
3
(n) shall apply until the conclusion of the trial of the
4
case, even if the prosecution chooses not to pursue the
5
death penalty prior to trial or sentencing.
6
(o) Information that is prohibited from being
7
disclosed under Section 4 of the Illinois Health and
8
Hazardous Substances Registry Act.
9
(p) Security portions of system safety program plans,
10
investigation reports, surveys, schedules, lists, data, or
11
information compiled, collected, or prepared by or for the
12
Department of Transportation under Sections 2705-300 and
13
2705-616 of the Department of Transportation Law of the
14
Civil Administrative Code of Illinois, the Regional
15
Transportation Authority under Section 2.11 of the
16
Regional Transportation Authority Act, or the St. Clair
17
County Transit District under the Bi-State Transit Safety
18
Act (repealed).
19
(q) Information prohibited from being disclosed by the
20
Personnel Record Review Act.
21
(r) Information prohibited from being disclosed by the
22
Illinois School Student Records Act.
23
(s) Information the disclosure of which is restricted
24
under Section 5-108 of the Public Utilities Act.
25
(t) (Blank).
26
(u) Records and information provided to an independent
HB5221
- 51 -
LRB104 18403 SPS 31845 b
1
team of experts under the Developmental Disability and
2
Mental Health Safety Act (also known as Brian's Law).
3
(v) Names and information of people who have applied
4
for or received Firearm Owner's Identification Cards under
5
the Firearm Owners Identification Card Act or applied for
6
or received a concealed carry license under the Firearm
7
Concealed Carry Act, unless otherwise authorized by the
8
Firearm Concealed Carry Act; and databases under the
9
Firearm Concealed Carry Act, records of the Concealed
10
Carry Licensing Review Board under the Firearm Concealed
11
Carry Act, and law enforcement agency objections under the
12
Firearm Concealed Carry Act.
13
(v-5) Records of the Firearm Owner's Identification
14
Card Review Board that are exempted from disclosure under
15
Section 10 of the Firearm Owners Identification Card Act.
16
(w) Personally identifiable information which is
17
exempted from disclosure under subsection (g) of Section
18
19.1 of the Toll Highway Act.
19
(x) Information which is exempted from disclosure
20
under Section 5-1014.3 of the Counties Code or Section
21
8-11-21 of the Illinois Municipal Code.
22
(y) Confidential information under the Adult
23
Protective Services Act and its predecessor enabling
24
statute, the Elder Abuse and Neglect Act, including
25
information about the identity and administrative finding
26
against any caregiver of a verified and substantiated
HB5221
- 52 -
LRB104 18403 SPS 31845 b
1
decision of abuse, neglect, or financial exploitation of
2
an eligible adult maintained in the Registry established
3
under Section 7.5 of the Adult Protective Services Act.
4
(z) Records and information provided to a fatality
5
review team or the Illinois Fatality Review Team Advisory
6
Council under Section 15 of the Adult Protective Services
7
Act.
8
(aa) Information which is exempted from disclosure
9
under Section 2.37 of the Wildlife Code.
10
(bb) Information which is or was prohibited from
11
disclosure by the Juvenile Court Act of 1987.
12
(cc) Recordings made under the Law Enforcement
13
Officer-Worn Body Camera Act, except to the extent
14
authorized under that Act.
15
(dd) Information that is prohibited from being
16
disclosed under Section 45 of the Condominium and Common
17
Interest Community Ombudsperson Act.
18
(ee) Information that is exempted from disclosure
19
under Section 30.1 of the Pharmacy Practice Act.
20
(ff) Information that is exempted from disclosure
21
under the Revised Uniform Unclaimed Property Act.
22
(gg) Information that is prohibited from being
23
disclosed under Section 7-603.5 of the Illinois Vehicle
24
Code.
25
(hh) Records that are exempt from disclosure under
26
Section 1A-16.7 of the Election Code.
HB5221
- 53 -
LRB104 18403 SPS 31845 b
1
(ii) Information which is exempted from disclosure
2
under Section 2505-800 of the Department of Revenue Law of
3
the Civil Administrative Code of Illinois.
4
(jj) Information and reports that are required to be
5
submitted to the Department of Labor by registering day
6
and temporary labor service agencies but are exempt from
7
disclosure under subsection (a-1) of Section 45 of the Day
8
and Temporary Labor Services Act.
9
(kk) Information prohibited from disclosure under the
10
Seizure and Forfeiture Reporting Act.
11
(ll) Information the disclosure of which is restricted
12
and exempted under Section 5-30.8 of the Illinois Public
13
Aid Code.
14
(mm) Records that are exempt from disclosure under
15
Section 4.2 of the Crime Victims Compensation Act.
16
(nn) Information that is exempt from disclosure under
17
Section 70 of the Higher Education Student Assistance Act.
18
(oo) Communications, notes, records, and reports
19
arising out of a peer support counseling session
20
prohibited from disclosure under the First Responders
21
Suicide Prevention Act.
22
(pp) Names and all identifying information relating to
23
an employee of an emergency services provider or law
24
enforcement agency under the First Responders Suicide
25
Prevention Act.
26
(qq) Information and records held by the Department of
HB5221
- 54 -
LRB104 18403 SPS 31845 b
1
Public Health and its authorized representatives collected
2
under the Reproductive Health Act.
3
(rr) Information that is exempt from disclosure under
4
the Cannabis Regulation and Tax Act.
5
(ss) Data reported by an employer to the Department of
6
Human Rights pursuant to Section 2-108 of the Illinois
7
Human Rights Act.
8
(tt) Recordings made under the Children's Advocacy
9
Center Act, except to the extent authorized under that
10
Act.
11
(uu) Information that is exempt from disclosure under
12
Section 50 of the Sexual Assault Evidence Submission Act.
13
(vv) Information that is exempt from disclosure under
14
subsections (f) and (j) of Section 5-36 of the Illinois
15
Public Aid Code.
16
(ww) Information that is exempt from disclosure under
17
Section 16.8 of the State Treasurer Act.
18
(xx) Information that is exempt from disclosure or
19
information that shall not be made public under the
20
Illinois Insurance Code.
21
(yy) Information prohibited from being disclosed under
22
the Illinois Educational Labor Relations Act.
23
(zz) Information prohibited from being disclosed under
24
the Illinois Public Labor Relations Act.
25
(aaa) Information prohibited from being disclosed
26
under Section 1-167 of the Illinois Pension Code.
HB5221
- 55 -
LRB104 18403 SPS 31845 b
1
(bbb) Information that is prohibited from disclosure
2
by the Illinois Police Training Act and the Illinois State
3
Police Act.
4
(ccc) Records exempt from disclosure under Section
5
2605-304 of the Illinois State Police Law of the Civil
6
Administrative Code of Illinois.
7
(ddd) Information prohibited from being disclosed
8
under Section 35 of the Address Confidentiality for
9
Victims of Domestic Violence, Sexual Assault, Human
10
Trafficking, or Stalking Act.
11
(eee) Information prohibited from being disclosed
12
under subsection (b) of Section 75 of the Domestic
13
Violence Fatality Review Act.
14
(fff) Images from cameras under the Expressway Camera
15
Act and all automated license plate reader (ALPR)
16
information used and collected by the Illinois State
17
Police. "ALPR information" means information gathered by
18
an ALPR or created from the analysis of data generated by
19
an ALPR. This subsection (fff) is inoperative on and after
20
July 1, 2028.
21
(ggg) Information prohibited from disclosure under
22
paragraph (3) of subsection (a) of Section 14 of the Nurse
23
Agency Licensing Act.
24
(hhh) Information submitted to the Illinois State
25
Police in an affidavit or application for an assault
26
weapon endorsement, assault weapon attachment endorsement,
HB5221
- 56 -
LRB104 18403 SPS 31845 b
1
.50 caliber rifle endorsement, or .50 caliber cartridge
2
endorsement under the Firearm Owners Identification Card
3
Act.
4
(iii) Data exempt from disclosure under Section 50 of
5
the School Safety Drill Act.
6
(jjj) Information exempt from disclosure under Section
7
30 of the Insurance Data Security Law.
8
(kkk) Confidential business information prohibited
9
from disclosure under Section 45 of the Paint Stewardship
10
Act.
11
(lll) Data exempt from disclosure under Section
12
2-3.196 of the School Code.
13
(mmm) Information prohibited from being disclosed
14
under subsection (e) of Section 1-129 of the Illinois
15
Power Agency Act.
16
(nnn) Materials received by the Department of Commerce
17
and Economic Opportunity that are confidential under the
18
Music and Musicians Tax Credit and Jobs Act.
19
(ooo) Data or information provided pursuant to Section
20
20 of the Statewide Recycling Needs and Assessment Act.
21
(ppp) Information that is exempt from disclosure under
22
Section 28-11 of the Lawful Health Care Activity Act.
23
(qqq) Information that is exempt from disclosure under
24
Section 7-101 of the Illinois Human Rights Act.
25
(rrr) Information prohibited from being disclosed
26
under Section 4-2 of the Uniform Money Transmission
HB5221
- 57 -
LRB104 18403 SPS 31845 b
1
Modernization Act.
2
(sss) Information exempt from disclosure under Section
3
40 of the Student-Athlete Endorsement Rights Act.
4
(ttt) Audio recordings made under Section 30 of the
5
Illinois State Police Act, except to the extent authorized
6
under that Section.
7
(uuu) Information prohibited from being disclosed
8
under Section 30-5 of the Digital Assets Regulation Act.
9
(vvv) Information prohibited or exempt from being
10
disclosed under the Consumer Data Privacy Act.
11
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
19
9-10-25.)
20
(Text of Section after amendment by P.A. 104-457 but
21
before 104-441
)
22
Sec. 7.5.
Statutory exemptions.
To the extent provided for
23
by the statutes referenced below, the following shall be
24
exempt from inspection and copying:
25
(a) All information determined to be confidential
HB5221
- 58 -
LRB104 18403 SPS 31845 b
1
under Section 4002 of the Technology Advancement and
2
Development Act.
3
(b) Library circulation and order records identifying
4
library users with specific materials under the Library
5
Records Confidentiality Act.
6
(c) Applications, related documents, and medical
7
records received by the Experimental Organ Transplantation
8
Procedures Board and any and all documents or other
9
records prepared by the Experimental Organ Transplantation
10
Procedures Board or its staff relating to applications it
11
has received.
12
(d) Information and records held by the Department of
13
Public Health and its authorized representatives relating
14
to known or suspected cases of sexually transmitted
15
infection or any information the disclosure of which is
16
restricted under the Illinois Sexually Transmitted
17
Infection Control Act.
18
(e) Information the disclosure of which is exempted
19
under Section 30 of the Radon Industry Licensing Act.
20
(f) Firm performance evaluations under Section 55 of
21
the Architectural, Engineering, and Land Surveying
22
Qualifications Based Selection Act.
23
(g) Information the disclosure of which is restricted
24
and exempted under Section 50 of the Illinois Prepaid
25
Tuition Act.
26
(h) Information the disclosure of which is exempted
HB5221
- 59 -
LRB104 18403 SPS 31845 b
1
under the State Officials and Employees Ethics Act, and
2
records of any lawfully created State or local inspector
3
general's office that would be exempt if created or
4
obtained by an Executive Inspector General's office under
5
that Act.
6
(i) Information contained in a local emergency energy
7
plan submitted to a municipality in accordance with a
8
local emergency energy plan ordinance that is adopted
9
under Section 11-21.5-5 of the Illinois Municipal Code.
10
(j) Information and data concerning the distribution
11
of surcharge moneys collected and remitted by carriers
12
under the Emergency Telephone System Act.
13
(k) Law enforcement officer identification information
14
or driver identification information compiled by a law
15
enforcement agency or the Department of Transportation
16
under Section 11-212 of the Illinois Vehicle Code.
17
(l) Records and information provided to a residential
18
health care facility resident sexual assault and death
19
review team or the Executive Council under the Abuse
20
Prevention Review Team Act.
21
(m) Information provided to the predatory lending
22
database created pursuant to Article 3 of the Residential
23
Real Property Disclosure Act, except to the extent
24
authorized under that Article.
25
(n) Defense budgets and petitions for certification of
26
compensation and expenses for court appointed trial
HB5221
- 60 -
LRB104 18403 SPS 31845 b
1
counsel as provided under Sections 10 and 15 of the
2
Capital Crimes Litigation Act (repealed). This subsection
3
(n) shall apply until the conclusion of the trial of the
4
case, even if the prosecution chooses not to pursue the
5
death penalty prior to trial or sentencing.
6
(o) Information that is prohibited from being
7
disclosed under Section 4 of the Illinois Health and
8
Hazardous Substances Registry Act.
9
(p) Security portions of system safety program plans,
10
investigation reports, surveys, schedules, lists, data, or
11
information compiled, collected, or prepared by or for the
12
Department of Transportation under Sections 2705-300 and
13
2705-616 of the Department of Transportation Law of the
14
Civil Administrative Code of Illinois, the Northern
15
Illinois Transit Authority under Section 2.11 of the
16
Northern Illinois Transit Authority Act, or the St. Clair
17
County Transit District under the Bi-State Transit Safety
18
Act (repealed).
19
(q) Information prohibited from being disclosed by the
20
Personnel Record Review Act.
21
(r) Information prohibited from being disclosed by the
22
Illinois School Student Records Act.
23
(s) Information the disclosure of which is restricted
24
under Section 5-108 of the Public Utilities Act.
25
(t) (Blank).
26
(u) Records and information provided to an independent
HB5221
- 61 -
LRB104 18403 SPS 31845 b
1
team of experts under the Developmental Disability and
2
Mental Health Safety Act (also known as Brian's Law).
3
(v) Names and information of people who have applied
4
for or received Firearm Owner's Identification Cards under
5
the Firearm Owners Identification Card Act or applied for
6
or received a concealed carry license under the Firearm
7
Concealed Carry Act, unless otherwise authorized by the
8
Firearm Concealed Carry Act; and databases under the
9
Firearm Concealed Carry Act, records of the Concealed
10
Carry Licensing Review Board under the Firearm Concealed
11
Carry Act, and law enforcement agency objections under the
12
Firearm Concealed Carry Act.
13
(v-5) Records of the Firearm Owner's Identification
14
Card Review Board that are exempted from disclosure under
15
Section 10 of the Firearm Owners Identification Card Act.
16
(w) Personally identifiable information which is
17
exempted from disclosure under subsection (g) of Section
18
19.1 of the Toll Highway Act.
19
(x) Information which is exempted from disclosure
20
under Section 5-1014.3 of the Counties Code or Section
21
8-11-21 of the Illinois Municipal Code.
22
(y) Confidential information under the Adult
23
Protective Services Act and its predecessor enabling
24
statute, the Elder Abuse and Neglect Act, including
25
information about the identity and administrative finding
26
against any caregiver of a verified and substantiated
HB5221
- 62 -
LRB104 18403 SPS 31845 b
1
decision of abuse, neglect, or financial exploitation of
2
an eligible adult maintained in the Registry established
3
under Section 7.5 of the Adult Protective Services Act.
4
(z) Records and information provided to a fatality
5
review team or the Illinois Fatality Review Team Advisory
6
Council under Section 15 of the Adult Protective Services
7
Act.
8
(aa) Information which is exempted from disclosure
9
under Section 2.37 of the Wildlife Code.
10
(bb) Information which is or was prohibited from
11
disclosure by the Juvenile Court Act of 1987.
12
(cc) Recordings made under the Law Enforcement
13
Officer-Worn Body Camera Act, except to the extent
14
authorized under that Act.
15
(dd) Information that is prohibited from being
16
disclosed under Section 45 of the Condominium and Common
17
Interest Community Ombudsperson Act.
18
(ee) Information that is exempted from disclosure
19
under Section 30.1 of the Pharmacy Practice Act.
20
(ff) Information that is exempted from disclosure
21
under the Revised Uniform Unclaimed Property Act.
22
(gg) Information that is prohibited from being
23
disclosed under Section 7-603.5 of the Illinois Vehicle
24
Code.
25
(hh) Records that are exempt from disclosure under
26
Section 1A-16.7 of the Election Code.
HB5221
- 63 -
LRB104 18403 SPS 31845 b
1
(ii) Information which is exempted from disclosure
2
under Section 2505-800 of the Department of Revenue Law of
3
the Civil Administrative Code of Illinois.
4
(jj) Information and reports that are required to be
5
submitted to the Department of Labor by registering day
6
and temporary labor service agencies but are exempt from
7
disclosure under subsection (a-1) of Section 45 of the Day
8
and Temporary Labor Services Act.
9
(kk) Information prohibited from disclosure under the
10
Seizure and Forfeiture Reporting Act.
11
(ll) Information the disclosure of which is restricted
12
and exempted under Section 5-30.8 of the Illinois Public
13
Aid Code.
14
(mm) Records that are exempt from disclosure under
15
Section 4.2 of the Crime Victims Compensation Act.
16
(nn) Information that is exempt from disclosure under
17
Section 70 of the Higher Education Student Assistance Act.
18
(oo) Communications, notes, records, and reports
19
arising out of a peer support counseling session
20
prohibited from disclosure under the First Responders
21
Suicide Prevention Act.
22
(pp) Names and all identifying information relating to
23
an employee of an emergency services provider or law
24
enforcement agency under the First Responders Suicide
25
Prevention Act.
26
(qq) Information and records held by the Department of
HB5221
- 64 -
LRB104 18403 SPS 31845 b
1
Public Health and its authorized representatives collected
2
under the Reproductive Health Act.
3
(rr) Information that is exempt from disclosure under
4
the Cannabis Regulation and Tax Act.
5
(ss) Data reported by an employer to the Department of
6
Human Rights pursuant to Section 2-108 of the Illinois
7
Human Rights Act.
8
(tt) Recordings made under the Children's Advocacy
9
Center Act, except to the extent authorized under that
10
Act.
11
(uu) Information that is exempt from disclosure under
12
Section 50 of the Sexual Assault Evidence Submission Act.
13
(vv) Information that is exempt from disclosure under
14
subsections (f) and (j) of Section 5-36 of the Illinois
15
Public Aid Code.
16
(ww) Information that is exempt from disclosure under
17
Section 16.8 of the State Treasurer Act.
18
(xx) Information that is exempt from disclosure or
19
information that shall not be made public under the
20
Illinois Insurance Code.
21
(yy) Information prohibited from being disclosed under
22
the Illinois Educational Labor Relations Act.
23
(zz) Information prohibited from being disclosed under
24
the Illinois Public Labor Relations Act.
25
(aaa) Information prohibited from being disclosed
26
under Section 1-167 of the Illinois Pension Code.
HB5221
- 65 -
LRB104 18403 SPS 31845 b
1
(bbb) Information that is prohibited from disclosure
2
by the Illinois Police Training Act and the Illinois State
3
Police Act.
4
(ccc) Records exempt from disclosure under Section
5
2605-304 of the Illinois State Police Law of the Civil
6
Administrative Code of Illinois.
7
(ddd) Information prohibited from being disclosed
8
under Section 35 of the Address Confidentiality for
9
Victims of Domestic Violence, Sexual Assault, Human
10
Trafficking, or Stalking Act.
11
(eee) Information prohibited from being disclosed
12
under subsection (b) of Section 75 of the Domestic
13
Violence Fatality Review Act.
14
(fff) Images from cameras under the Expressway Camera
15
Act and all automated license plate reader (ALPR)
16
information used and collected by the Illinois State
17
Police. "ALPR information" means information gathered by
18
an ALPR or created from the analysis of data generated by
19
an ALPR. This subsection (fff) is inoperative on and after
20
July 1, 2028.
21
(ggg) Information prohibited from disclosure under
22
paragraph (3) of subsection (a) of Section 14 of the Nurse
23
Agency Licensing Act.
24
(hhh) Information submitted to the Illinois State
25
Police in an affidavit or application for an assault
26
weapon endorsement, assault weapon attachment endorsement,
HB5221
- 66 -
LRB104 18403 SPS 31845 b
1
.50 caliber rifle endorsement, or .50 caliber cartridge
2
endorsement under the Firearm Owners Identification Card
3
Act.
4
(iii) Data exempt from disclosure under Section 50 of
5
the School Safety Drill Act.
6
(jjj) Information exempt from disclosure under Section
7
30 of the Insurance Data Security Law.
8
(kkk) Confidential business information prohibited
9
from disclosure under Section 45 of the Paint Stewardship
10
Act.
11
(lll) Data exempt from disclosure under Section
12
2-3.196 of the School Code.
13
(mmm) Information prohibited from being disclosed
14
under subsection (e) of Section 1-129 of the Illinois
15
Power Agency Act.
16
(nnn) Materials received by the Department of Commerce
17
and Economic Opportunity that are confidential under the
18
Music and Musicians Tax Credit and Jobs Act.
19
(ooo) Data or information provided pursuant to Section
20
20 of the Statewide Recycling Needs and Assessment Act.
21
(ppp) Information that is exempt from disclosure under
22
Section 28-11 of the Lawful Health Care Activity Act.
23
(qqq) Information that is exempt from disclosure under
24
Section 7-101 of the Illinois Human Rights Act.
25
(rrr) Information prohibited from being disclosed
26
under Section 4-2 of the Uniform Money Transmission
HB5221
- 67 -
LRB104 18403 SPS 31845 b
1
Modernization Act.
2
(sss) Information exempt from disclosure under Section
3
40 of the Student-Athlete Endorsement Rights Act.
4
(ttt) Audio recordings made under Section 30 of the
5
Illinois State Police Act, except to the extent authorized
6
under that Section.
7
(uuu) Information prohibited from being disclosed
8
under Section 30-5 of the Digital Assets Regulation Act.
9
(vvv) Information prohibited or exempt from being
10
disclosed under the Consumer Data Privacy Act.
11
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
19
6-1-26; revised 1-7-26.)
20
(Text of Section after amendment by P.A. 104-441
)
21
Sec. 7.5.
Statutory exemptions.
To the extent provided for
22
by the statutes referenced below, the following shall be
23
exempt from inspection and copying:
24
(a) All information determined to be confidential
25
under Section 4002 of the Technology Advancement and
HB5221
- 68 -
LRB104 18403 SPS 31845 b
1
Development Act.
2
(b) Library circulation and order records identifying
3
library users with specific materials under the Library
4
Records Confidentiality Act.
5
(c) Applications, related documents, and medical
6
records received by the Experimental Organ Transplantation
7
Procedures Board and any and all documents or other
8
records prepared by the Experimental Organ Transplantation
9
Procedures Board or its staff relating to applications it
10
has received.
11
(d) Information and records held by the Department of
12
Public Health and its authorized representatives relating
13
to known or suspected cases of sexually transmitted
14
infection or any information the disclosure of which is
15
restricted under the Illinois Sexually Transmitted
16
Infection Control Act.
17
(e) Information the disclosure of which is exempted
18
under Section 30 of the Radon Industry Licensing Act.
19
(f) Firm performance evaluations under Section 55 of
20
the Architectural, Engineering, and Land Surveying
21
Qualifications Based Selection Act.
22
(g) Information the disclosure of which is restricted
23
and exempted under Section 50 of the Illinois Prepaid
24
Tuition Act.
25
(h) Information the disclosure of which is exempted
26
under the State Officials and Employees Ethics Act, and
HB5221
- 69 -
LRB104 18403 SPS 31845 b
1
records of any lawfully created State or local inspector
2
general's office that would be exempt if created or
3
obtained by an Executive Inspector General's office under
4
that Act.
5
(i) Information contained in a local emergency energy
6
plan submitted to a municipality in accordance with a
7
local emergency energy plan ordinance that is adopted
8
under Section 11-21.5-5 of the Illinois Municipal Code.
9
(j) Information and data concerning the distribution
10
of surcharge moneys collected and remitted by carriers
11
under the Emergency Telephone System Act.
12
(k) Law enforcement officer identification information
13
or driver identification information compiled by a law
14
enforcement agency or the Department of Transportation
15
under Section 11-212 of the Illinois Vehicle Code.
16
(l) Records and information provided to a residential
17
health care facility resident sexual assault and death
18
review team or the Executive Council under the Abuse
19
Prevention Review Team Act.
20
(m) Information provided to the predatory lending
21
database created pursuant to Article 3 of the Residential
22
Real Property Disclosure Act, except to the extent
23
authorized under that Article.
24
(n) Defense budgets and petitions for certification of
25
compensation and expenses for court appointed trial
26
counsel as provided under Sections 10 and 15 of the
HB5221
- 70 -
LRB104 18403 SPS 31845 b
1
Capital Crimes Litigation Act (repealed). This subsection
2
(n) shall apply until the conclusion of the trial of the
3
case, even if the prosecution chooses not to pursue the
4
death penalty prior to trial or sentencing.
5
(o) Information that is prohibited from being
6
disclosed under Section 4 of the Illinois Health and
7
Hazardous Substances Registry Act.
8
(p) Security portions of system safety program plans,
9
investigation reports, surveys, schedules, lists, data, or
10
information compiled, collected, or prepared by or for the
11
Department of Transportation under Sections 2705-300 and
12
2705-616 of the Department of Transportation Law of the
13
Civil Administrative Code of Illinois, the Northern
14
Illinois Transit Authority under Section 2.11 of the
15
Northern Illinois Transit Authority Act, or the St. Clair
16
County Transit District under the Bi-State Transit Safety
17
Act (repealed).
18
(q) Information prohibited from being disclosed by the
19
Personnel Record Review Act.
20
(r) Information prohibited from being disclosed by the
21
Illinois School Student Records Act.
22
(s) Information the disclosure of which is restricted
23
under Section 5-108 of the Public Utilities Act.
24
(t) (Blank).
25
(u) Records and information provided to an independent
26
team of experts under the Developmental Disability and
HB5221
- 71 -
LRB104 18403 SPS 31845 b
1
Mental Health Safety Act (also known as Brian's Law).
2
(v) Names and information of people who have applied
3
for or received Firearm Owner's Identification Cards under
4
the Firearm Owners Identification Card Act or applied for
5
or received a concealed carry license under the Firearm
6
Concealed Carry Act, unless otherwise authorized by the
7
Firearm Concealed Carry Act; and databases under the
8
Firearm Concealed Carry Act, records of the Concealed
9
Carry Licensing Review Board under the Firearm Concealed
10
Carry Act, and law enforcement agency objections under the
11
Firearm Concealed Carry Act.
12
(v-5) Records of the Firearm Owner's Identification
13
Card Review Board that are exempted from disclosure under
14
Section 10 of the Firearm Owners Identification Card Act.
15
(w) Personally identifiable information which is
16
exempted from disclosure under subsection (g) of Section
17
19.1 of the Toll Highway Act.
18
(x) Information which is exempted from disclosure
19
under Section 5-1014.3 of the Counties Code or Section
20
8-11-21 of the Illinois Municipal Code.
21
(y) Confidential information under the Adult
22
Protective Services Act and its predecessor enabling
23
statute, the Elder Abuse and Neglect Act, including
24
information about the identity and administrative finding
25
against any caregiver of a verified and substantiated
26
decision of abuse, neglect, or financial exploitation of
HB5221
- 72 -
LRB104 18403 SPS 31845 b
1
an eligible adult maintained in the Registry established
2
under Section 7.5 of the Adult Protective Services Act.
3
(z) Records and information provided to a fatality
4
review team or the Illinois Fatality Review Team Advisory
5
Council under Section 15 of the Adult Protective Services
6
Act.
7
(aa) Information which is exempted from disclosure
8
under Section 2.37 of the Wildlife Code.
9
(bb) Information which is or was prohibited from
10
disclosure by the Juvenile Court Act of 1987.
11
(cc) Recordings made under the Law Enforcement
12
Officer-Worn Body Camera Act, except to the extent
13
authorized under that Act.
14
(dd) Information that is prohibited from being
15
disclosed under Section 45 of the Condominium and Common
16
Interest Community Ombudsperson Act.
17
(ee) Information that is exempted from disclosure
18
under Section 30.1 of the Pharmacy Practice Act.
19
(ff) Information that is exempted from disclosure
20
under the Revised Uniform Unclaimed Property Act.
21
(gg) Information that is prohibited from being
22
disclosed under Section 7-603.5 of the Illinois Vehicle
23
Code.
24
(hh) Records that are exempt from disclosure under
25
Section 1A-16.7 of the Election Code.
26
(ii) Information which is exempted from disclosure
HB5221
- 73 -
LRB104 18403 SPS 31845 b
1
under Section 2505-800 of the Department of Revenue Law of
2
the Civil Administrative Code of Illinois.
3
(jj) Information and reports that are required to be
4
submitted to the Department of Labor by registering day
5
and temporary labor service agencies but are exempt from
6
disclosure under subsection (a-1) of Section 45 of the Day
7
and Temporary Labor Services Act.
8
(kk) Information prohibited from disclosure under the
9
Seizure and Forfeiture Reporting Act.
10
(ll) Information the disclosure of which is restricted
11
and exempted under Section 5-30.8 of the Illinois Public
12
Aid Code.
13
(mm) Records that are exempt from disclosure under
14
Section 4.2 of the Crime Victims Compensation Act.
15
(nn) Information that is exempt from disclosure under
16
Section 70 of the Higher Education Student Assistance Act.
17
(oo) Communications, notes, records, and reports
18
arising out of a peer support counseling session
19
prohibited from disclosure under the First Responders
20
Suicide Prevention Act.
21
(pp) Names and all identifying information relating to
22
an employee of an emergency services provider or law
23
enforcement agency under the First Responders Suicide
24
Prevention Act.
25
(qq) Information and records held by the Department of
26
Public Health and its authorized representatives collected
HB5221
- 74 -
LRB104 18403 SPS 31845 b
1
under the Reproductive Health Act.
2
(rr) Information that is exempt from disclosure under
3
the Cannabis Regulation and Tax Act.
4
(ss) Data reported by an employer to the Department of
5
Human Rights pursuant to Section 2-108 of the Illinois
6
Human Rights Act.
7
(tt) Recordings made under the Children's Advocacy
8
Center Act, except to the extent authorized under that
9
Act.
10
(uu) Information that is exempt from disclosure under
11
Section 50 of the Sexual Assault Evidence Submission Act.
12
(vv) Information that is exempt from disclosure under
13
subsections (f) and (j) of Section 5-36 of the Illinois
14
Public Aid Code.
15
(ww) Information that is exempt from disclosure under
16
Section 16.8 of the State Treasurer Act.
17
(xx) Information that is exempt from disclosure or
18
information that shall not be made public under the
19
Illinois Insurance Code.
20
(yy) Information prohibited from being disclosed under
21
the Illinois Educational Labor Relations Act.
22
(zz) Information prohibited from being disclosed under
23
the Illinois Public Labor Relations Act.
24
(aaa) Information prohibited from being disclosed
25
under Section 1-167 of the Illinois Pension Code.
26
(bbb) Information that is prohibited from disclosure
HB5221
- 75 -
LRB104 18403 SPS 31845 b
1
by the Illinois Police Training Act and the Illinois State
2
Police Act.
3
(ccc) Records exempt from disclosure under Section
4
2605-304 of the Illinois State Police Law of the Civil
5
Administrative Code of Illinois.
6
(ddd) Information prohibited from being disclosed
7
under Section 35 of the Address Confidentiality for
8
Victims of Domestic Violence, Sexual Assault, Human
9
Trafficking, or Stalking Act.
10
(eee) Information prohibited from being disclosed
11
under subsection (b) of Section 75 of the Domestic
12
Violence Fatality Review Act.
13
(fff) Images from cameras under the Expressway Camera
14
Act and all automated license plate reader (ALPR)
15
information used and collected by the Illinois State
16
Police. "ALPR information" means information gathered by
17
an ALPR or created from the analysis of data generated by
18
an ALPR. This subsection (fff) is inoperative on and after
19
July 1, 2028.
20
(ggg) Information prohibited from disclosure under
21
paragraph (3) of subsection (a) of Section 14 of the Nurse
22
Agency Licensing Act.
23
(hhh) Information submitted to the Illinois State
24
Police in an affidavit or application for an assault
25
weapon endorsement, assault weapon attachment endorsement,
26
.50 caliber rifle endorsement, or .50 caliber cartridge
HB5221
- 76 -
LRB104 18403 SPS 31845 b
1
endorsement under the Firearm Owners Identification Card
2
Act.
3
(iii) Data exempt from disclosure under Section 50 of
4
the School Safety Drill Act.
5
(jjj) Information exempt from disclosure under Section
6
30 of the Insurance Data Security Law.
7
(kkk) Confidential business information prohibited
8
from disclosure under Section 45 of the Paint Stewardship
9
Act.
10
(lll) Data exempt from disclosure under Section
11
2-3.196 of the School Code.
12
(mmm) Information prohibited from being disclosed
13
under subsection (e) of Section 1-129 of the Illinois
14
Power Agency Act.
15
(nnn) Materials received by the Department of Commerce
16
and Economic Opportunity that are confidential under the
17
Music and Musicians Tax Credit and Jobs Act.
18
(ooo) Data or information provided pursuant to Section
19
20 of the Statewide Recycling Needs and Assessment Act.
20
(ppp) Information that is exempt from disclosure under
21
Section 28-11 of the Lawful Health Care Activity Act.
22
(qqq) Information that is exempt from disclosure under
23
Section 7-101 of the Illinois Human Rights Act.
24
(rrr) Information prohibited from being disclosed
25
under Section 4-2 of the Uniform Money Transmission
26
Modernization Act.
HB5221
- 77 -
LRB104 18403 SPS 31845 b
1
(sss) Information exempt from disclosure under Section
2
40 of the Student-Athlete Endorsement Rights Act.
3
(ttt) Audio recordings made under Section 30 of the
4
Illinois State Police Act, except to the extent authorized
5
under that Section.
6
(uuu) Information prohibited from being disclosed
7
under Section 30-5 of the Digital Assets Regulation Act.
8
(vvv)
(uuu)
Information exempt from disclosure under
9
Section 70 of the End-of-Life Options for Terminally Ill
10
Patients Act.
11
(www) Information prohibited or exempt from being
12
disclosed under the Consumer Data Privacy Act.
13
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
14
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
15
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
16
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
17
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
18
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
19
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
20
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
21
9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)
22
Section 95.
No acceleration or delay.
Where this Act makes
23
changes in a statute that is represented in this Act by text
24
that is not yet or no longer in effect (for example, a Section
25
represented by multiple versions), the use of that text does
HB5221
- 78 -
LRB104 18403 SPS 31845 b
1
not accelerate or delay the taking effect of (i) the changes
2
made by this Act or (ii) provisions derived from any other
3
Public Act.
4
Section 97.
Severability.
The provisions of this Act are
5
severable under Section 1.31 of the Statute on Statutes.
6
Section 99.
Effective date.
This Act takes effect January
7
1, 2027.
Footer
Disclaimer
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn