Back to Illinois

HB5221 • 2026

CONSUMER DATA PRIVACY ACT

CONSUMER DATA PRIVACY ACT

Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Edgar González, Jr.
Last action
2026-03-27
Official status
Rule 19(a) / Re-referred to Rules Committee
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

CONSUMER DATA PRIVACY ACT

CONSUMER DATA PRIVACY ACT

What This Bill Does

  • CONSUMER DATA PRIVACY ACT

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-03-27 Illinois General Assembly

    Rule 19(a) / Re-referred to Rules Committee

  2. 2026-03-04 Illinois General Assembly

    Assigned to Cybersecurity, Data Analytics, & IT Committee

  3. 2026-02-10 Illinois General Assembly

    First Reading

  4. 2026-02-10 Illinois General Assembly

    Referred to Rules Committee

  5. 2026-02-05 Illinois General Assembly

    Filed with the Clerk by Rep. Edgar González, Jr.

Official Summary Text

CONSUMER DATA PRIVACY ACT

Current Bill Text

Read the full stored bill text
Illinois General Assembly - Full Text of HB5221

Select Language

×

The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.

Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.

The English language version is always the official and authoritative version of this website.

NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.

Choose Language

English

Afrikaans

Albanian

Arabic

Armenian

Azerbaijani

Basque

Bengali

Bosnian

Catalan

Croatian

Czech

Danish

Dutch

Esperanto

Estonian

Filipino

Finnish

French

Galician

Georgian

German

Greek

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hungarian

Icelandic

Indonesian

Interlingua

Interlingue

Inuktitut

Irish

Italian

Japanese

Javanese

Kannada

Khmer

Korean

Latin

Latvian

Lithuanian

Luxembourgish

Macedonian

Malagasy

Malayalam

Maltese

Maori

Marathi

Myanmar

Nepali

Norwegian

Odia

Pashto

Punjabi

Romanian

Russian

Samoan

Sango

Sanskrit

Sardinian

Sindhi

Sinhala

Slovak

Slovenian

Somali

Southern Sotho

Spanish

Sundanese

Swahili

Swedish

Tamil

Telugu

Thai

Tigrinya

Tonga

Turkish

Ukrainian

Urdu

Vietnamese

Welsh

Xhosa

Yiddish

Yoruba

Zulu

Powered by
Translate

Close

Illinois General Assembly

Top Navigation Bar

Translate

Learn

Select General Assembly

Search the 104th General Assembly

Enter search terms for legislation, members, committees, or schedules.

ILGA.GOV

LEGISLATION & LAWS

Bills & Resolutions

Public Acts

Illinois Compiled Statutes

Illinois Constitution

Search Legislation

Glossary

Guide

Reports & Inquiry

Legislative Reports

Special Reports

FTP Site

Legislator Lookup

Capitol Complex Phone Numbers

Rules & Regulations

Illinois Register

Administrative Rules

Senate

Members

Schedules

Committees

Request for Remote Testimony

Journals

Transcripts

Rules

Audio/Video

FOIA Information

Senate Employment Opportunities

Media Guidelines

House

Members

Schedules

Committees

Submit testimony for House Committees

Journals

Transcripts

Rules

Audio/Video

FOIA Information

House Employment Opportunities

Log In

Mobile Top Bar

Search the 104th General Assembly

Enter keywords to search the Illinois General Assembly website.

Full Text of HB5221

Home

Legislation

Full Text

HB5221 - 104th General Assembly

Bill Status

Full Text

Votes

Witness Slips

Select Menu

Bill Status

Full Text

Votes

Witness Slips

Printer Friendly Version

Introduced

Printer Friendly Version

Introduced

Open PDF

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB5221

Introduced 2/10/2026, by Rep. Edgar González, Jr.

SYNOPSIS AS INTRODUCED:

New Act
5 ILCS 140/7.5

Creates the Consumer Data Privacy Act. Sets forth provisions
concerning agreements between personal data processors and controllers.
Provides for consumer personal data rights, including the right to opt out
of the processing of personal data concerning the consumer for purposes of
targeted advertising, the sale of personal data, or profiling in
furtherance of automated decisions that produce legal effects. Sets forth
provisions concerning the responsibilities of controllers; requirements
for small businesses; and data privacy and protection assessments.
Provides for civil penalties. Preempts home rule. Amends the Freedom of
Information Act to make a conforming change. Effective January 1, 2027.
LRB104 18403 SPS 31845 b

A BILL FOR

HB5221
LRB104 18403 SPS 31845 b
1

AN ACT concerning business.

2

Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:

4

Section 1.
Short title.
This Act may be cited as the
5
Consumer Data Privacy Act.

6

Section 5.
Definitions.
As used in this Act:
7

"Affiliate" means a legal entity that controls, is
8
controlled by, or is under common control with another legal
9
entity. For purposes of this definition, "control" means: (i)
10
ownership of or the power to vote more than 50% of the
11
outstanding shares of any class of voting security of a
12
company; (ii) control in any manner over the election of a
13
majority of the directors or of individuals exercising similar
14
functions; or (iii) the power to exercise a controlling
15
influence over the management of a company.
16

"Authenticate" means to use reasonable means to determine
17
that a request to exercise any of the rights set forth in
18
paragraphs (2) through (8) of subsection (a) of Section 20 is
19
being made by or rightfully on behalf of the consumer who is
20
entitled to exercise the rights with respect to the personal
21
data at issue.
22

"Biometric data" means data generated by automatic
23
measurements of an individual's biological characteristics,

HB5221
- 2 -
LRB104 18403 SPS 31845 b
1
including a fingerprint, a voiceprint, eye retinas, irises, or
2
other unique biological patterns or characteristics that are
3
used to identify a specific individual. "Biometric data" does
4
not include:
5

(1) a digital or physical photograph;
6

(2) an audio or video recording; or
7

(3) any data generated from a digital or physical
8

photograph, or an audio or video recording, unless the
9

data is generated to identify a specific individual.
10

"Child" has the meaning set forth in 15 U.S.C. 6501.
11

"Consent" means any freely given, specific, informed, and
12
unambiguous indication of the consumer's wishes by which the
13
consumer signifies agreement to the processing of personal
14
data relating to the consumer. Acceptance of a general or
15
broad terms of use or similar document that contains
16
descriptions of personal data processing along with other,
17
unrelated information does not constitute consent. Hovering
18
over, muting, pausing, or closing a given piece of content
19
does not constitute consent. Consent is not valid when the
20
consumer's indication has been obtained by a dark pattern. A
21
consumer may revoke consent previously given, consistent with
22
this Act.
23

"Consumer" means a natural person who is a resident of
24
this State acting only in an individual or household context.
25
"Consumer" does not include a natural person acting in a
26
commercial or employment context.

HB5221
- 3 -
LRB104 18403 SPS 31845 b
1

"Controller" means the natural or legal person who, alone
2
or jointly with others, determines the purposes and means of
3
the processing of personal data.
4

"Decisions that produce legal effects concerning the
5
consumer" means decisions made by the controller that result
6
in the provision or denial by the controller of financial or
7
lending services, housing, insurance, education enrollment or
8
opportunity, criminal justice, employment opportunities,
9
health care services, or access to essential goods or
10
services.
11

"Dark pattern" means a user interface designed or
12
manipulated with the substantial effect of subverting or
13
impairing user autonomy, decision making, or choice.
14

"Deidentified data" means data that cannot reasonably be
15
used to infer information about or otherwise be linked to an
16
identified or identifiable natural person or a device linked
17
to an identified or identifiable natural person, provided that
18
the controller that possesses the data:
19

(1) takes reasonable measures to ensure that the data
20

cannot be associated with a natural person;
21

(2) publicly commits to process the data only in a
22

deidentified fashion and not attempt to reidentify the
23

data; and
24

(3) contractually obligates any recipients of the
25

information to comply with all provisions of this
26

definition.

HB5221
- 4 -
LRB104 18403 SPS 31845 b
1

"Delete" means to remove or destroy information so that it
2
is not maintained in human-or machine-readable form and cannot
3
be retrieved or used in the ordinary course of business.
4

"Genetic information" has the meaning set forth in the
5
Health Insurance Portability and Accountability Act of 1996,
6
as specified in 45 CFR 160.103.
7

"Governmental entity" means each office, board,
8
commission, agency, department, authority, institution,
9
university, body politic and corporate, administrative unit,
10
and corporate outgrowth of the executive, legislative, and
11
judicial branches of State government, whether created by the
12
Illinois Constitution, by or in accordance with statute, or by
13
executive order of the Governor.
14

"Identified or identifiable natural person" means a person
15
who can be readily identified, directly or indirectly.
16

"Known child" means a person under circumstances where a
17
controller has actual knowledge of, or willfully disregards,
18
that the person is under 13 years of age.
19

"Personal data" means any information that is linked or
20
reasonably linkable to an identified or identifiable natural
21
person. "Personal data" does not include deidentified data or
22
publicly available information. For purposes of this
23
definition, "publicly available information" means information
24
that: (i) is lawfully made available from federal, State, or
25
local government records or widely distributed media; or (ii)
26
a controller has a reasonable basis to believe has lawfully

HB5221
- 5 -
LRB104 18403 SPS 31845 b
1
been made available to the general public.
2

"Process" means any operation or set of operations that
3
are performed on personal data or on sets of personal data,
4
whether or not by automated means, including, but not limited
5
to, the collection, use, storage, disclosure, analysis,
6
deletion, or modification of personal data.
7

"Processor" means a natural or legal person who processes
8
personal data on behalf of a controller.
9

"Profiling" means any form of automated processing of
10
personal data to evaluate, analyze, or predict personal
11
aspects related to an identified or identifiable natural
12
person's economic situation, health, personal preferences,
13
interests, reliability, behavior, location, or movements.
14

"Pseudonymous data" means personal data that cannot be
15
attributed to a specific natural person without the use of
16
additional information, provided that the additional
17
information is kept separately and is subject to appropriate
18
technical and organizational measures to ensure that the
19
personal data are not attributed to an identified or
20
identifiable natural person.
21

"Sale" means the exchange of personal data for monetary or
22
other valuable consideration by the controller to a third
23
party. "Sale" does not include:
24

(1) the disclosure of personal data to a processor who
25

processes the personal data on behalf of the controller;
26

(2) the disclosure of personal data to a third party

HB5221
- 6 -
LRB104 18403 SPS 31845 b
1

for purposes of providing a product or service requested
2

by the consumer;
3

(3) the disclosure or transfer of personal data to an
4

affiliate of the controller;
5

(4) the disclosure of information that the consumer
6

intentionally made available to the general public by a
7

channel of mass media and did not restrict to a specific
8

audience;
9

(5) the disclosure or transfer of personal data to a
10

third party as an asset that is part of a completed or
11

proposed merger, acquisition, bankruptcy, or other
12

transaction in which the third party assumes control of
13

all or part of the controller's assets; or
14

(6) the exchange of personal data between the producer
15

of a good or service and authorized agents of the producer
16

who sell and service the goods and services, to enable the
17

cooperative provisioning of goods and services by both the
18

producer and the producer's agents.
19

"Sensitive data" means:
20

(1) personal data revealing racial or ethnic origin,
21

religious beliefs, mental or physical health condition or
22

diagnosis, sexual orientation, or citizenship or
23

immigration status;
24

(2) the processing of biometric data or genetic
25

information for the purpose of uniquely identifying an
26

individual;

HB5221
- 7 -
LRB104 18403 SPS 31845 b
1

(3) the personal data of a known child; or
2

(4) specific geolocation data.
3

"Specific geolocation data" means information derived from
4
technology, including, but not limited to, global positioning
5
system level latitude and longitude coordinates or other
6
mechanisms, that directly identifies the geographic
7
coordinates of a consumer or a device linked to a consumer with
8
an accuracy of more than 3 decimal degrees of latitude and
9
longitude or the equivalent in an alternative geographic
10
coordinate system, or a street address derived from the
11
coordinates. "Specific geolocation data" does not include the
12
content of communications, the contents of databases
13
containing street address information which are accessible to
14
the public as authorized by law, or any data generated by or
15
connected to advanced utility metering infrastructure systems
16
or other equipment for use by a public utility.
17

"Targeted advertising" means displaying advertisements to
18
a consumer where the advertisement is selected based on
19
personal data obtained or inferred from the consumer's
20
activities over time and across nonaffiliated websites or
21
online applications to predict the consumer's preferences or
22
interests. "Targeted advertising" does not include:
23

(1) advertising based on activities within a
24

controller's own websites or online applications;
25

(2) advertising based on the context of a consumer's
26

current search query or visit to a website or online

HB5221
- 8 -
LRB104 18403 SPS 31845 b
1

application;
2

(3) advertising to a consumer in response to the
3

consumer's request for information or feedback; or
4

(4) processing personal data solely for measuring or
5

reporting advertising performance, reach, or frequency.
6

"Third party" means a natural or legal person, public
7
authority, agency, or body other than the consumer,
8
controller, processor, or an affiliate of the processor or the
9
controller.
10

"Trade secret" has the meaning set forth in subsection (d)
11
of Section 2 of the Illinois Trade Secrets Act.

12

Section 10.
Scope; exclusions.
13

(a) This Act applies to legal entities that conduct
14
business in this State or produce products or services that
15
are targeted to residents of this State, and that satisfy one
16
or more of the following thresholds:
17

(1) during a calendar year, controls or processes
18

personal data of 100,000 consumers or more, excluding
19

personal data controlled or processed solely for the
20

purpose of completing a payment transaction; or
21

(2) derives over 25% of gross revenue from the sale of
22

personal data and processes or controls personal data of
23

25,000 consumers or more.
24

(b) This Act does not apply to the following entities,
25
activities, or types of information:

HB5221
- 9 -
LRB104 18403 SPS 31845 b
1

(1) a government entity;
2

(2) a federally recognized Indian tribe;
3

(3) information that meets the definition of:
4

(A) protected health information, as defined by
5

and for purposes of the Health Insurance Portability
6

and Accountability Act of 1996, as specified in 45 CFR
7

160.103;
8

(B) health information, as defined in 42 U.S.C.
9

1320d(4);
10

(C) patient identifying information for purposes
11

of 42 CFR Part 2, established pursuant to 42 U.S.C.
12

290dd-2;
13

(D) identifiable private information for purposes
14

of the federal policy for the protection of human
15

subjects, 45 CFR Part 46; identifiable private
16

information that is otherwise information collected as
17

part of human subjects research pursuant to the good
18

clinical practice guidelines issued by the
19

International Council for Harmonization; the
20

protection of human subjects under 21 CFR Parts 50 and
21

56; or personal data used or shared in research
22

conducted in accordance with one or more of the
23

requirements set forth in this paragraph;
24

(E) information and documents created for purposes
25

of the federal Health Care Quality Improvement Act of
26

1986, Public Law 99-660, and related regulations; or

HB5221
- 10 -
LRB104 18403 SPS 31845 b
1

(F) patient safety work product for purposes of 42
2

CFR Part 3, established pursuant to 42 U.S.C. 299b-21
3

to 299b-26;
4

(4) information that is derived from any of the health
5

care-related information listed in paragraph (3), but that
6

has been deidentified in accordance with the requirements
7

for deidentification set forth in 45 CFR Part 164;
8

(5) information originating from, and intermingled to
9

be indistinguishable with, any of the health care-related
10

information listed in paragraph (3) that is maintained by:
11

(A) a covered entity or business associate, as
12

defined by the Health Insurance Portability and
13

Accountability Act of 1996, Public Law 104-191, and
14

related regulations;
15

(B) a health care provider, as defined in 42
16

U.S.C. 1320d(3); or
17

(C) a program or a qualified service organization,
18

as defined by 42 CFR Part 2, established pursuant to 42
19

U.S.C. 290dd-2;
20

(6) information that is:
21

(A) maintained by an entity that meets the
22

definition of health care provider under 45 CFR
23

160.103, to the extent that the entity maintains the
24

information in the manner required of covered entities
25

with respect to protected health information for
26

purposes of the Health Insurance Portability and

HB5221
- 11 -
LRB104 18403 SPS 31845 b
1

Accountability Act of 1996, Public Law 104-191, and
2

related regulations;
3

(B) included in a limited data set, as described
4

under 45 CFR Part 164.514(e), to the extent that the
5

information is used, disclosed, and maintained in the
6

manner specified by that part;
7

(C) maintained by, or maintained to comply with
8

the rules or orders of, a self-regulatory organization
9

as defined by 15 U.S.C. 78c(a)(26);
10

(D) originated from, or intermingled with,
11

information described in paragraph (9) and that a
12

mortgage loan originator or lender, as those terms are
13

defined in the Residential Mortgage License Act of
14

1987, collects, processes, uses, or maintains in the
15

same manner as required under the laws and regulations
16

specified in paragraph (9); or
17

(E) originated from, or intermingled with,
18

information described in paragraph (9) and that a
19

nonbank financial institution, as defined in the
20

Illinois Banking Act, collects, processes, uses, or
21

maintains in the same manner as required under the
22

laws and regulations specified in paragraph (9);
23

(7) information used only for public health activities
24

and purposes, as described under 45 CFR Part 164.512;
25

(8) an activity involving the collection, maintenance,
26

disclosure, sale, communication, or use of any personal

HB5221
- 12 -
LRB104 18403 SPS 31845 b
1

data bearing on a consumer's credit worthiness, credit
2

standing, credit capacity, character, general reputation,
3

personal characteristics, or mode of living by a consumer
4

reporting agency, as defined in 15 U.S.C. 1681a(f), by a
5

furnisher of information, as set forth in 15 U.S.C.
6

1681s-2, who provides information for use in a consumer
7

report, as defined in 15 U.S.C. 1681a(d), and by a user of
8

a consumer report, as set forth in 15 U.S.C. 1681b, except
9

that information is only excluded under this paragraph to
10

the extent that the activity involving the collection,
11

maintenance, disclosure, sale, communication, or use of
12

the information by the agency, furnisher, or user is
13

subject to regulation under the federal Fair Credit
14

Reporting Act, 15 U.S.C. 1681 to 1681x, and the
15

information is not collected, maintained, used,
16

communicated, disclosed, or sold except as authorized by
17

the Fair Credit Reporting Act;
18

(9) personal data collected, processed, sold, or
19

disclosed pursuant to the federal Gramm-Leach-Bliley Act,
20

Public Law 106-102, and implementing regulations, if the
21

collection, processing, sale, or disclosure is in
22

compliance with that law;
23

(10) personal data collected, processed, sold, or
24

disclosed pursuant to the federal Driver's Privacy
25

Protection Act of 1994, 18 U.S.C. 2721 to 2725, if the
26

collection, processing, sale, or disclosure is in

HB5221
- 13 -
LRB104 18403 SPS 31845 b
1

compliance with that law;
2

(11) personal data regulated by the federal Family
3

Educational Rights and Privacy Act, 20 U.S.C. 1232g, and
4

implementing regulations;
5

(12) personal data collected, processed, sold, or
6

disclosed pursuant to the federal Farm Credit Act of 1971,
7

12 U.S.C. 2001 to 2279cc, and implementing regulations, 12
8

CFR Part 600, if the collection, processing, sale, or
9

disclosure is in compliance with that law;
10

(13) data collected or maintained:
11

(A) in the course of an individual acting as a job
12

applicant to or an employee, owner, director, officer,
13

medical staff member, or contractor of a business if
14

the data is collected and used solely within the
15

context of the role;
16

(B) as the emergency contact information of an
17

individual under subparagraph (A) if used solely for
18

emergency contact purposes; or
19

(C) that is necessary for the business to retain
20

to administer benefits for another individual relating
21

to the individual under subparagraph (A) if used
22

solely for the purposes of administering those
23

benefits;
24

(14) personal data collected, processed, sold, or
25

disclosed pursuant to the Use of Credit Information in
26

Personal Insurance Act;

HB5221
- 14 -
LRB104 18403 SPS 31845 b
1

(15) data collected, processed, sold, or disclosed as
2

part of a payment-only credit, check, or cash transaction
3

where no data about consumers is retained;
4

(16) a State or federally chartered bank or credit
5

union, or an affiliate or subsidiary that is principally
6

engaged in financial activities, as described in 12 U.S.C.
7

1843(k);
8

(17) information that originates from, or is
9

intermingled so as to be indistinguishable from,
10

information described in paragraph (8) and that a person
11

licensed under the Consumer Installment Loan Act,
12

processes, uses, or maintains in the same manner as is
13

required under the laws and regulations specified in
14

paragraph (8);
15

(18) an insurance company, an insurance producer, an
16

administrator, as those terms are defined in the Illinois
17

Insurance Code, or an affiliate or subsidiary of any
18

entity identified in this paragraph that is principally
19

engaged in financial activities, as described in 12 U.S.C.
20

1843(k), except that this paragraph does not apply to a
21

person that, alone or in combination with another person,
22

establishes and maintains a self-insurance program that
23

does not otherwise engage in the business of entering into
24

policies of insurance;
25

(19) a small business, as defined by the United States
26

Small Business Administration under 13 CFR Part 121,

HB5221
- 15 -
LRB104 18403 SPS 31845 b
1

except that a small business identified in this paragraph
2

is subject to Section 35;
3

(20) a nonprofit organization that is established to
4

detect and prevent fraudulent acts in connection with
5

insurance; and
6

(21) an air carrier subject to the federal Airline
7

Deregulation Act, Public Law 95-504, only to the extent
8

that an air carrier collects personal data related to
9

prices, routes, or services and only to the extent that
10

the provisions of the Airline Deregulation Act preempt the
11

requirements of this Act.
12

(c) Controllers that are in compliance with the Children's
13
Online Privacy Protection Act, 15 U.S.C. 6501 to 6506, and
14
implementing regulations, shall be deemed compliant with any
15
obligation to obtain parental consent under this Act.

16

Section 15.
Responsibility according to role.
17

(a) Controllers and processors are responsible for meeting
18
the respective obligations established under this Act.
19

(b) Processors are responsible under this Act for adhering
20
to the instructions of the controller and assisting the
21
controller to meet the controller's obligations under this
22
Act. Assistance under this paragraph shall include:
23

(1) taking into account the nature of the processing,
24

the processor shall assist the controller by appropriate
25

technical and organizational measures, insofar as this is

HB5221
- 16 -
LRB104 18403 SPS 31845 b
1

possible, for the fulfillment of the controller's
2

obligation to respond to consumer requests to exercise
3

their rights pursuant to Section 20; and
4

(2) taking into account the nature of processing and
5

the information available to the processor, the processor
6

shall assist the controller in meeting the controller's
7

obligations in relation to the security of processing the
8

personal data and in relation to the notification of a
9

breach of the security of the system pursuant to the
10

Personal Information Protection Act, and shall provide
11

information to the controller necessary to enable the
12

controller to conduct and document any data privacy and
13

protection assessments required by Section 40.
14

(c) A contract between a controller and a processor shall
15
control the processor's data processing procedures with
16
respect to processing performed on behalf of the controller.
17
The contract shall be binding and clearly set forth
18
instructions for processing data, the nature and purpose of
19
processing, the type of data subject to processing, the
20
duration of processing, and the rights and obligations of both
21
parties. The contract shall also require that the processor:
22

(1) ensure that each person processing the personal
23

data is subject to a duty of confidentiality with respect
24

to the data; and
25

(2) engage a subcontractor only: (i) after providing
26

the controller with an opportunity to object, and (ii)

HB5221
- 17 -
LRB104 18403 SPS 31845 b
1

pursuant to a written contract in accordance with
2

subsection (e) that requires the subcontractor to meet the
3

obligations of the processor with respect to the personal
4

data.
5

(d) Taking into account the context of processing, the
6
controller and the processor shall implement appropriate
7
technical and organizational measures to ensure a level of
8
security appropriate to the risk and establish a clear
9
allocation of the responsibilities between the controller and
10
the processor to implement the technical and organizational
11
measures.
12

(e) Processing by a processor shall be controlled by a
13
contract between the controller and the processor that is
14
binding on both parties and that sets out the processing
15
instructions to which the processor is bound, including the
16
nature and purpose of the processing, the type of personal
17
data subject to the processing, the duration of the
18
processing, and the obligations and rights of both parties.
19
The contract shall include the requirements imposed by this
20
subsection, subsections (c) and (d), and the following
21
requirements:
22

(1) At the discretion of the controller, the processor
23

shall delete or return all personal data to the controller
24

as requested at the end of the provision of services,
25

unless retention of the personal data is required by law.
26

(2) Upon a reasonable request from the controller, the

HB5221
- 18 -
LRB104 18403 SPS 31845 b
1

processor shall make available to the controller all
2

information necessary to demonstrate compliance with the
3

obligations in this Act.
4

(3) The processor shall allow for, and contribute to,
5

reasonable assessments and inspections by the controller
6

or the controller's designated assessor. Alternatively,
7

the processor may arrange for a qualified and independent
8

assessor to conduct, at least annually and at the
9

processor's expense, an assessment of the processor's
10

policies and technical and organizational measures in
11

support of the obligations under this Act. The assessor
12

must use an appropriate and accepted control standard or
13

framework and assessment procedure for assessments as
14

applicable, and shall provide a report of an assessment to
15

the controller upon request.
16

(f) No contract shall relieve a controller or a processor
17
from the liabilities imposed on a controller or processor by
18
virtue of the controller's or processor's roles in the
19
processing relationship under this Act.
20

(g) Determining whether a person is acting as a controller
21
or processor with respect to a specific processing of data is a
22
fact-based determination that depends upon the context in
23
which personal data are to be processed. A person that is not
24
limited in the person's processing of personal data pursuant
25
to a controller's instructions, or that fails to adhere to a
26
controller's instructions, is a controller and not a processor

HB5221
- 19 -
LRB104 18403 SPS 31845 b
1
with respect to a specific processing of data. A processor
2
that continues to adhere to a controller's instructions with
3
respect to a specific processing of personal data remains a
4
processor. If a processor begins, alone or jointly with
5
others, determining the purposes and means of the processing
6
of personal data, the processor is a controller with respect
7
to the processing.

8

Section 20.
Consumer personal data rights.
9

(a) Consumer rights provided.
10

(1) Except as provided in this Act, a controller must
11

comply with a request to exercise the consumer rights
12

provided in this subsection.
13

(2) A consumer has the right to confirm whether or not
14

a controller is processing personal data concerning the
15

consumer and access the categories of personal data the
16

controller is processing.
17

(3) A consumer has the right to correct inaccurate
18

personal data concerning the consumer, taking into account
19

the nature of the personal data and the purposes of the
20

processing of the personal data.
21

(4) A consumer has the right to delete personal data
22

concerning the consumer.
23

(5) A consumer has the right to obtain personal data
24

concerning the consumer, which the consumer previously
25

provided to the controller, in a portable and, to the

HB5221
- 20 -
LRB104 18403 SPS 31845 b
1

extent technically feasible, readily usable format that
2

allows the consumer to transmit the data to another
3

controller without hindrance, where the processing is
4

carried out by automated means.
5

(6) A consumer has the right to opt out of the
6

processing of personal data concerning the consumer for
7

purposes of targeted advertising, the sale of personal
8

data, or profiling in furtherance of automated decisions
9

that produce legal effects concerning a consumer or
10

similarly significant effects concerning a consumer.
11

(7) If a consumer's personal data is profiled in
12

furtherance of decisions that produce legal effects
13

concerning a consumer or similarly significant effects
14

concerning a consumer, the consumer has the right to
15

question the result of the profiling, to be informed of
16

the reason that the profiling resulted in the decision,
17

and, if feasible, to be informed of what actions the
18

consumer might have taken to secure a different decision
19

and the actions that the consumer might take to secure a
20

different decision in the future. The consumer has the
21

right to review the consumer's personal data used in the
22

profiling. If the decision is determined to have been
23

based upon inaccurate personal data, taking into account
24

the nature of the personal data and the purposes of the
25

processing of the personal data, the consumer has the
26

right to have the data corrected and the profiling

HB5221
- 21 -
LRB104 18403 SPS 31845 b
1

decision reevaluated based upon the corrected data.
2

(8) A consumer has a right to obtain a list of the
3

specific third parties to which the controller has
4

disclosed the consumer's personal data. If the controller
5

does not maintain the information in a format specific to
6

the consumer, a list of specific third parties to whom the
7

controller has disclosed any consumers' personal data may
8

be provided instead.
9

(b) Exercising consumer rights.
10

(1) A consumer may exercise the rights set forth in
11

this Section by submitting a request, at any time, to a
12

controller specifying which rights the consumer wishes to
13

exercise.
14

(2) In the case of processing personal data concerning
15

a known child, the parent or legal guardian of the known
16

child may exercise the rights of this Act on the child's
17

behalf.
18

(3) In the case of processing personal data concerning
19

a consumer legally subject to guardianship or
20

conservatorship under the Uniform Adult Guardianship and
21

Protective Proceedings Jurisdiction Act, the guardian or
22

the conservator of the consumer may exercise the rights of
23

this Act on the consumer's behalf.
24

(4) A consumer may designate another person as the
25

consumer's authorized agent to exercise the consumer's
26

right to opt out of the processing of the consumer's

HB5221
- 22 -
LRB104 18403 SPS 31845 b
1

personal data for purposes of targeted advertising and
2

sale under paragraph (6) of subsection (a) on the
3

consumer's behalf. A consumer may designate an authorized
4

agent by way of, among other things, a technology,
5

including, but not limited to, an Internet link or a
6

browser setting, browser extension, or global device
7

setting, indicating the consumer's intent to opt out of
8

the processing. A controller shall comply with an opt-out
9

request received from an authorized agent if the
10

controller is able to verify, with commercially reasonable
11

effort, the identity of the consumer and the authorized
12

agent's authority to act on the consumer's behalf.
13

(c) Universal opt-out mechanisms.
14

(1) A controller must allow a consumer to opt out of
15

any processing of the consumer's personal data for the
16

purposes of targeted advertising, or any sale of the
17

consumer's personal data through an opt-out preference
18

signal sent, with the consumer's consent, by a platform,
19

technology, or mechanism to the controller indicating the
20

consumer's intent to opt out of the processing or sale.
21

The platform, technology, or mechanism must:
22

(A) not unfairly disadvantage another controller;
23

(B) not make use of a default setting, but require
24

the consumer to make an affirmative, freely given, and
25

unambiguous choice to opt out of the processing of the
26

consumer's personal data;

HB5221
- 23 -
LRB104 18403 SPS 31845 b
1

(C) be consumer-friendly and easy to use by the
2

average consumer;
3

(D) be as consistent as possible with any other
4

similar platform, technology, or mechanism required by
5

any federal or State law or regulation; and
6

(E) enable the controller to accurately determine
7

whether the consumer is a resident of this State and
8

whether the consumer has made a legitimate request to
9

opt out of any sale of the consumer's personal data or
10

targeted advertising. For purposes of this
11

subparagraph, the use of an Internet protocol address
12

to estimate the consumer's location is sufficient to
13

determine the consumer's residence.
14

(2) If a consumer's opt-out request is exercised
15

through the platform, technology, or mechanism required
16

under paragraph (1), and the request conflicts with the
17

consumer's existing controller-specific privacy setting or
18

voluntary participation in a controller's bona fide
19

loyalty, rewards, premium features, discounts, or club
20

card program, the controller must comply with the
21

consumer's opt-out preference signal but may also notify
22

the consumer of the conflict and provide the consumer a
23

choice to confirm the controller-specific privacy setting
24

or participation in the controller's program.
25

(3) The platform, technology, or mechanism required
26

under paragraph (1) is subject to the requirements of

HB5221
- 24 -
LRB104 18403 SPS 31845 b
1

subsection (d).
2

(4) A controller that recognizes opt-out preference
3

signals that have been approved by other State laws or
4

regulations is in compliance with this subsection.
5

(d) Controller response to consumer requests.
6

(1) Except as provided in this Act, a controller must
7

comply with a request to exercise the rights pursuant to
8

subsection (a).
9

(2) A controller must provide one or more secure and
10

reliable means for consumers to submit a request to
11

exercise the consumer's rights under this section. The
12

means made available must take into account the ways in
13

which consumers interact with the controller and the need
14

for secure and reliable communication of the requests.
15

(3) A controller may not require a consumer to create
16

a new account in order to exercise a right, but a
17

controller may require a consumer to use an existing
18

account to exercise the consumer's rights under this
19

section.
20

(4) A controller must comply with a request to
21

exercise the right in paragraph (6) of subsection (a) of
22

Section 20, as soon as feasibly possible, but no later
23

than 45 days of receipt of the request.
24

(5) A controller must inform a consumer of any action
25

taken on a request under subsection (a) without undue
26

delay and in any event within 45 days of receipt of the

HB5221
- 25 -
LRB104 18403 SPS 31845 b
1

request. That period may be extended once by 45 additional
2

days where reasonably necessary, taking into account the
3

complexity and number of the requests. The controller must
4

inform the consumer of any extension within 45 days of
5

receipt of the request, together with the reasons for the
6

delay.
7

(6) If a controller does not take action on a
8

consumer's request, the controller must inform the
9

consumer without undue delay and at the latest within 45
10

days of receipt of the request of the reasons for not
11

taking action and instructions for how to appeal the
12

decision with the controller as described in subsection
13

(e).
14

(7) Information provided under this Section must be
15

provided by the controller free of charge up to twice
16

annually to the consumer. Where requests from a consumer
17

are manifestly unfounded or excessive, in particular
18

because of the repetitive character of the requests, the
19

controller may either charge a reasonable fee to cover the
20

administrative costs of complying with the request, or
21

refuse to act on the request. The controller bears the
22

burden of demonstrating the manifestly unfounded or
23

excessive character of the request.
24

(8) A controller is not required to comply with a
25

request to exercise any of the rights under paragraphs (2)
26

through (5) and (8) of subsection (a), if the controller

HB5221
- 26 -
LRB104 18403 SPS 31845 b
1

is unable to authenticate the request using commercially
2

reasonable efforts. In such cases, the controller may
3

request the provision of additional information reasonably
4

necessary to authenticate the request. A controller is not
5

required to authenticate an opt-out request, but a
6

controller may deny an opt-out request if the controller
7

has a good faith, reasonable, and documented belief that
8

the request is fraudulent. If a controller denies an
9

opt-out request because the controller believes a request
10

is fraudulent, the controller must notify the person who
11

made the request that the request was denied due to the
12

controller's belief that the request was fraudulent and
13

state the controller's basis for that belief.
14

(9) In response to a consumer request under subsection
15

(a), a controller must not disclose the following
16

information about a consumer, but must instead inform the
17

consumer with sufficient particularity that the controller
18

has collected that type of information:
19

(A) Social Security number;
20

(B) driver's license number or other
21

government-issued identification number;
22

(C) financial account number;
23

(D) health insurance account number or medical
24

identification number;
25

(E) account password, security questions, or
26

answers; or

HB5221
- 27 -
LRB104 18403 SPS 31845 b
1

(F) biometric data.
2

(10) In response to a consumer request under
3

subsection (a), a controller is not required to reveal any
4

trade secret.
5

(11) A controller that has obtained personal data
6

about a consumer from a source other than the consumer may
7

comply with a consumer's request to delete the consumer's
8

personal data pursuant to paragraph (4) of subsection (a),
9

by either:
10

(A) retaining a record of the deletion request,
11

retaining the minimum data necessary for the purpose
12

of ensuring the consumer's personal data remains
13

deleted from the business's records, and not using the
14

retained data for any other purpose pursuant to the
15

provisions of this Act; or
16

(B) opting the consumer out of the processing of
17

personal data for any purpose except for the purposes
18

exempted pursuant to the provisions of this Act.
19

(e) Appeal process required.
20

(1) A controller must establish an internal process
21

whereby a consumer may appeal a refusal to take action on a
22

request to exercise any of the rights under subsection (a)
23

within a reasonable period of time after the consumer's
24

receipt of the notice sent by the controller under
25

paragraph (6) of subsection (d).
26

(2) The appeal process must be conspicuously

HB5221
- 28 -
LRB104 18403 SPS 31845 b
1

available. The process must include the ease of use
2

provisions in subsection (c) applicable to submitting
3

requests.
4

(3) Within 45 days of receipt of an appeal, a
5

controller must inform the consumer of any action taken or
6

not taken in response to the appeal, along with a written
7

explanation of the reasons in support thereof. That period
8

may be extended by 60 additional days where reasonably
9

necessary, taking into account the complexity and number
10

of the requests serving as the basis for the appeal. The
11

controller must inform the consumer of any extension
12

within 45 days of receipt of the appeal, together with the
13

reasons for the delay.
14

(4) When informing a consumer of any action taken or
15

not taken in response to an appeal under subsection (c),
16

the controller must provide a written explanation of the
17

reasons for the controller's decision and clearly and
18

prominently provide the consumer with information about
19

how to file a complaint with the Office of the Attorney
20

General. The controller must maintain records of all
21

appeals and the controller's responses for at least 24
22

months and shall, upon written request by the Attorney
23

General as part of an investigation, compile and provide a
24

copy of the records to the Attorney General.

25

Section 25.
Processing deidentified data or pseudonymous

HB5221
- 29 -
LRB104 18403 SPS 31845 b
1
data.
2

(a) This Act does not require a controller or processor to
3
do any of the following solely for purposes of complying with
4
this Act:
5

(1) reidentify deidentified data;
6

(2) maintain data in identifiable form, or collect,
7

obtain, retain, or access any data or technology, in order
8

to be capable of associating an authenticated consumer
9

request with personal data; or
10

(3) comply with an authenticated consumer request to
11

access, correct, delete, or port personal data pursuant to
12

subsection (a) of Section 20, if all of the following are
13

true:
14

(A) the controller is not reasonably capable of
15

associating the request with the personal data, or it
16

would be unreasonably burdensome for the controller to
17

associate the request with the personal data;
18

(B) the controller does not use the personal data
19

to recognize or respond to the specific consumer who
20

is the subject of the personal data, or associate the
21

personal data with other personal data about the same
22

specific consumer; and
23

(C) the controller does not sell the personal data
24

to any third party or otherwise voluntarily disclose
25

the personal data to any third party other than a
26

processor, except as otherwise permitted in this

HB5221
- 30 -
LRB104 18403 SPS 31845 b
1

Section.
2

(b) The rights contained in paragraphs (2) through (5) and
3
(8) of subsection (a) of Section 20 do not apply to
4
pseudonymous data in cases where the controller is able to
5
demonstrate any information necessary to identify the consumer
6
is kept separately and is subject to effective technical and
7
organizational controls that prevent the controller from
8
accessing the information.
9

(c) A controller that uses pseudonymous data or
10
deidentified data must exercise reasonable oversight to
11
monitor compliance with any contractual commitments to which
12
the pseudonymous data or deidentified data are subject, and
13
must take appropriate steps to address any breaches of
14
contractual commitments.
15

(d) A processor or third party must not attempt to
16
identify the subjects of deidentified or pseudonymous data
17
without the express authority of the controller that caused
18
the data to be deidentified or pseudonymized.
19

(e) A controller, processor, or third party must not
20
attempt to identify the subjects of data that has been
21
collected with only pseudonymous identifiers.

22

Section 30.
Responsibilities of controllers.
23

(a) Transparency obligations.
24

(1) Controllers must provide consumers with a
25

reasonably accessible, clear, and meaningful privacy

HB5221
- 31 -
LRB104 18403 SPS 31845 b
1

notice that includes:
2

(A) the categories of personal data processed by
3

the controller;
4

(B) the purposes for which the categories of
5

personal data are processed;
6

(C) an explanation of the rights contained in
7

Section 20 and how and where consumers may exercise
8

those rights, including how a consumer may appeal a
9

controller's action with regard to the consumer's
10

request;
11

(D) the categories of personal data that the
12

controller sells to or shares with third parties, if
13

any;
14

(E) the categories of third parties, if any, with
15

whom the controller sells or shares personal data;
16

(F) the controller's contact information,
17

including an active email address or other online
18

mechanism that the consumer may use to contact the
19

controller;
20

(G) a description of the controller's retention
21

policies for personal data; and
22

(H) the date the privacy notice was last updated.
23

(2) If a controller sells personal data to third
24

parties, processes personal data for targeted advertising,
25

or engages in profiling in furtherance of decisions that
26

produce legal effects concerning a consumer or similarly

HB5221
- 32 -
LRB104 18403 SPS 31845 b
1

significant effects concerning a consumer, the controller
2

must disclose the processing in the privacy notice and
3

provide access to a clear and conspicuous method outside
4

the privacy notice for a consumer to opt out of the sale,
5

processing, or profiling in furtherance of decisions that
6

produce legal effects concerning a consumer or similarly
7

significant effects concerning a consumer. This method may
8

include, but is not limited to, an Internet hyperlink
9

clearly labeled "Your Opt-Out Rights" or "Your Privacy
10

Rights" that directly effectuates the opt-out request or
11

takes consumers to a web page where the consumer can make
12

the opt-out request.
13

(3) The privacy notice must be made available to the
14

public in each language in which the controller provides a
15

product or service that is subject to the privacy notice
16

or carries out activities related to the product or
17

service.
18

(4) The controller must provide the privacy notice in
19

a manner that is reasonably accessible to and usable by
20

individuals with disabilities.
21

(5) Whenever a controller makes a material change to
22

the controller's privacy notice or practices, the
23

controller must notify consumers affected by the material
24

change with respect to any prospectively collected
25

personal data and provide a reasonable opportunity for
26

consumers to withdraw consent to any further materially

HB5221
- 33 -
LRB104 18403 SPS 31845 b
1

different collection, processing, or transfer of
2

previously collected personal data under the changed
3

policy. The controller shall take all reasonable
4

electronic measures to provide notification regarding
5

material changes to affected consumers, taking into
6

account available technology and the nature of the
7

relationship.
8

(6) A controller is not required to provide a separate
9

Illinois-specific privacy notice or Section of a privacy
10

notice if the controller's general privacy notice contains
11

all the information required by this section.
12

(7) The privacy notice must be posted online through a
13

conspicuous hyperlink using the word "privacy" on the
14

controller's website home page or on a mobile
15

application's app store page or download page. A
16

controller that maintains an application on a mobile or
17

other device shall also include a hyperlink to the privacy
18

notice in the application's settings menu or in a
19

similarly conspicuous and accessible location. A
20

controller that does not operate a website shall make the
21

privacy notice conspicuously available to consumers
22

through a medium regularly used by the controller to
23

interact with consumers, including, but not limited to,
24

mail.
25

(b) Use of data.
26

(1) A controller must limit the collection of personal

HB5221
- 34 -
LRB104 18403 SPS 31845 b
1

data to what is adequate, relevant, and reasonably
2

necessary in relation to the purposes for which the data
3

are processed, which must be disclosed to the consumer.
4

(2) Except as provided in this Act, a controller may
5

not process personal data for purposes that are not
6

reasonably necessary to, or compatible with, the purposes
7

for which the personal data are processed, as disclosed to
8

the consumer, unless the controller obtains the consumer's
9

consent.
10

(3) A controller shall establish, implement, and
11

maintain reasonable administrative, technical, and
12

physical data security practices to protect the
13

confidentiality, integrity, and accessibility of personal
14

data, including the maintenance of an inventory of the
15

data that must be managed to exercise these
16

responsibilities. The data security practices shall be
17

appropriate to the volume and nature of the personal data
18

at issue.
19

(4) Except as otherwise provided in this Act, a
20

controller may not process sensitive data concerning a
21

consumer without obtaining the consumer's consent, or, in
22

the case of the processing of personal data concerning a
23

known child, without obtaining consent from the child's
24

parent or lawful guardian, in accordance with the
25

requirement of the Children's Online Privacy Protection
26

Act, 15 U.S.C. 6501 to 6506, and its implementing

HB5221
- 35 -
LRB104 18403 SPS 31845 b
1

regulations, rules, and exemptions.
2

(5) A controller shall provide an effective mechanism
3

for a consumer, or, in the case of the processing of
4

personal data concerning a known child, the child's parent
5

or lawful guardian, to revoke previously given consent
6

under this subsection. The mechanism provided shall be at
7

least as easy as the mechanism by which the consent was
8

previously given. Upon revocation of consent, a controller
9

shall cease to process the applicable data as soon as
10

practicable, but not later than 15 days after the receipt
11

of the request.
12

(6) A controller may not process the personal data of
13

a consumer for purposes of targeted advertising, or sell
14

the consumer's personal data, without the consumer's
15

consent, under circumstances where the controller knows
16

that the consumer is between the ages of 13 and 16.
17

(7) A controller may not retain personal data that is
18

no longer relevant and reasonably necessary in relation to
19

the purposes for which the data were collected and
20

processed, unless retention of the data is otherwise
21

required by law or permitted under Section 45.
22

(c) Nondiscrimination.
23

(1) A controller shall not process personal data on
24

the basis of a consumer's or a class of consumers' actual
25

or perceived race, color, ethnicity, religion, national
26

origin, sex, gender, gender identity, sexual orientation,

HB5221
- 36 -
LRB104 18403 SPS 31845 b
1

familial status, lawful source of income, or disability in
2

a manner that unlawfully discriminates against the
3

consumer or class of consumers with respect to the
4

offering or provision of: housing, employment, credit, or
5

education; or the goods, services, facilities, privileges,
6

advantages, or accommodations of any place of public
7

accommodation.
8

(2) A controller may not discriminate against a
9

consumer for exercising any of the rights contained in
10

this Act, including denying goods or services to the
11

consumer, charging different prices or rates for goods or
12

services, and providing a different level of quality of
13

goods and services to the consumer. This subsection does
14

not:
15

(A) require a controller to provide a good or
16

service that requires the consumer's personal data
17

that the controller does not collect or maintain; or
18

(B) prohibit a controller from offering a
19

different price, rate, level, quality, or selection of
20

goods or services to a consumer, including offering
21

goods or services for no fee, if the offering is in
22

connection with a consumer's voluntary participation
23

in a bona fide loyalty, rewards, premium features,
24

discounts, or club card program.
25

(d) Any provision of a contract or agreement of any kind
26
that purports to waive or limit in any way a consumer's rights

HB5221
- 37 -
LRB104 18403 SPS 31845 b
1
under this Act is contrary to public policy and is void and
2
unenforceable.

3

Section 35.
Requirements for small businesses.
4

(a) A small business, as defined by the United States
5
Small Business Administration under 13 CFR Part 121, that
6
conducts business in this State or produces products or
7
services that are targeted to residents of this State, must
8
not sell a consumer's sensitive data without the consumer's
9
prior consent.
10

(b) Penalties and Attorney General enforcement procedures
11
under Section 50 apply to a small business that violates this
12
Section.

13

Section 40.
Data privacy policies; data privacy and
14
protection assessments.
15

(a) A controller must document and maintain a description
16
of the policies and procedures the controller has adopted to
17
comply with this Act. The description must include, where
18
applicable:
19

(1) the name and contact information for the
20

controller's chief privacy officer or other individual
21

with primary responsibility for directing the policies and
22

procedures implemented to comply with the provisions of
23

this Act; and
24

(2) a description of the controller's data privacy

HB5221
- 38 -
LRB104 18403 SPS 31845 b
1

policies and procedures which reflect the requirements in
2

Section 35, and any policies and procedures designed to:
3

(A) reflect the requirements of this Act in the
4

design of the controller's systems;
5

(B) identify and provide personal data to a
6

consumer as required by this Act;
7

(C) establish, implement, and maintain reasonable
8

administrative, technical, and physical data security
9

practices to protect the confidentiality, integrity,
10

and accessibility of personal data, including the
11

maintenance of an inventory of the data that must be
12

managed to exercise the responsibilities under this
13

subparagraph;
14

(D) limit the collection of personal data to what
15

is adequate, relevant, and reasonably necessary in
16

relation to the purposes for which the data are
17

processed;
18

(E) prevent the retention of personal data that is
19

no longer relevant and reasonably necessary in
20

relation to the purposes for which the data were
21

collected and processed, unless retention of the data
22

is otherwise required by law or permitted under
23

Section 45; and
24

(F) identify and remediate violations of this Act.
25

(b) A controller must conduct and document a data privacy
26
and protection assessment for each of the following processing

HB5221
- 39 -
LRB104 18403 SPS 31845 b
1
activities involving personal data:
2

(1) the processing of personal data for purposes of
3

targeted advertising;
4

(2) the sale of personal data;
5

(3) the processing of sensitive data;
6

(4) any processing activities involving personal data
7

that present a heightened risk of harm to consumers; and
8

(5) the processing of personal data for purposes of
9

profiling, where the profiling presents a reasonably
10

foreseeable risk of:
11

(A) unfair or deceptive treatment of, or disparate
12

impact on, consumers;
13

(B) financial, physical, or reputational injury to
14

consumers;
15

(C) a physical or other intrusion upon the
16

solitude or seclusion, or the private affairs or
17

concerns, of consumers, where the intrusion would be
18

offensive to a reasonable person; or
19

(D) other substantial injury to consumers.
20

(c) A data privacy and protection assessment must take
21
into account the type of personal data to be processed by the
22
controller, including the extent to which the personal data
23
are sensitive data, and the context in which the personal data
24
are to be processed.
25

(d) A data privacy and protection assessment must identify
26
and weigh the benefits that may flow directly and indirectly

HB5221
- 40 -
LRB104 18403 SPS 31845 b
1
from the processing to the controller, consumer, other
2
stakeholders, and the public against the potential risks to
3
the rights of the consumer associated with the processing, as
4
mitigated by safeguards that can be employed by the controller
5
to reduce the potential risks. The use of deidentified data
6
and the reasonable expectations of consumers, as well as the
7
context of the processing and the relationship between the
8
controller and the consumer whose personal data will be
9
processed, must be factored into this assessment by the
10
controller.
11

(e) A data privacy and protection assessment must include
12
the description of policies and procedures required by
13
subsection (a).
14

(f) As part of a civil investigative demand, the Attorney
15
General may request, in writing, that a controller disclose
16
any data privacy and protection assessment that is relevant to
17
an investigation conducted by the Attorney General. The
18
controller must make a data privacy and protection assessment
19
available to the Attorney General upon a request made under
20
this subsection. The Attorney General may evaluate the data
21
privacy and protection assessments for compliance with this
22
Act. Data privacy and protection assessments are classified as
23
nonpublic data, exempt from disclosure under the Illinois
24
Freedom of Information Act. The disclosure of a data privacy
25
and protection assessment pursuant to a request from the
26
Attorney General under this paragraph does not constitute a

HB5221
- 41 -
LRB104 18403 SPS 31845 b
1
waiver of the attorney-client privilege or work product
2
protection with respect to the assessment and any information
3
contained in the assessment.
4

(g) Data privacy and protection assessments or risk
5
assessments conducted by a controller for the purpose of
6
compliance with other laws or regulations may qualify under
7
this Section if the assessments have a similar scope and
8
effect.
9

(h) A single data protection assessment may address
10
multiple sets of comparable processing operations that include
11
similar activities.

12

Section 45.
Limitations and applicability.
13

(a) The obligations imposed on controllers or processors
14
under this Act do not restrict a controller's or a processor's
15
ability to:
16

(1) comply with federal, State, or local laws, rules,
17

or regulations, including, but not limited to, data
18

retention requirements in State or federal law
19

notwithstanding a consumer's request to delete personal
20

data;
21

(2) comply with a civil, criminal, or regulatory
22

inquiry, investigation, subpoena, or summons by federal,
23

State, local, or other governmental authorities;
24

(3) cooperate with law enforcement agencies concerning
25

conduct or activity that the controller or processor

HB5221
- 42 -
LRB104 18403 SPS 31845 b
1

reasonably and in good faith believes may violate federal,
2

State, or local laws, rules, or regulations;
3

(4) investigate, establish, exercise, prepare for, or
4

defend legal claims;
5

(5) provide a product or service specifically
6

requested by a consumer; perform a contract to which the
7

consumer is a party, including fulfilling the terms of a
8

written warranty; or take steps at the request of the
9

consumer prior to entering into a contract;
10

(6) take immediate steps to protect an interest that
11

is essential for the life or physical safety of the
12

consumer or of another natural person, and where the
13

processing cannot be manifestly based on another legal
14

basis;
15

(7) prevent, detect, protect against, or respond to
16

security incidents, identity theft, fraud, harassment,
17

malicious or deceptive activities, or any illegal
18

activity; preserve the integrity or security of systems;
19

or investigate, report, or prosecute those responsible for
20

the action;
21

(8) assist another controller, processor, or third
22

party with any of the obligations under this subsection;
23

(9) engage in public or peer-reviewed scientific,
24

historical, or statistical research in the public interest
25

that adheres to all other applicable ethics and privacy
26

laws and is approved, monitored, and controlled by an

HB5221
- 43 -
LRB104 18403 SPS 31845 b
1

institutional review board, human subjects research ethics
2

review board, or a similar independent oversight entity
3

that has determined:
4

(A) the research is likely to provide substantial
5

benefits that do not exclusively accrue to the
6

controller;
7

(B) the expected benefits of the research outweigh
8

the privacy risks; and
9

(C) the controller has implemented reasonable
10

safeguards to mitigate privacy risks associated with
11

research, including any risks associated with
12

reidentification; or
13

(10) process personal data for the benefit of the
14

public in the areas of public health, community health, or
15

population health, but only to the extent that the
16

processing is:
17

(A) subject to suitable and specific measures to
18

safeguard the rights of the consumer whose personal
19

data is being processed; and
20

(B) under the responsibility of a professional
21

individual who is subject to confidentiality
22

obligations under federal, State, or local law.
23

(b) The obligations imposed on controllers or processors
24
under this Act do not restrict a controller's or processor's
25
ability to collect, use, or retain data to:
26

(1) effectuate a product recall or identify and repair

HB5221
- 44 -
LRB104 18403 SPS 31845 b
1

technical errors that impair existing or intended
2

functionality;
3

(2) perform internal operations that are reasonably
4

aligned with the expectations of the consumer based on the
5

consumer's existing relationship with the controller, or
6

are otherwise compatible with processing in furtherance of
7

the provision of a product or service specifically
8

requested by a consumer or the performance of a contract
9

to which the consumer is a party; or
10

(3) conduct internal research to develop, improve, or
11

repair products, services, or technology.
12

(c) The obligations imposed on controllers or processors
13
under this Act do not apply where compliance by the controller
14
or processor with this Act would violate an evidentiary
15
privilege under State law and do not prevent a controller or
16
processor from providing personal data concerning a consumer
17
to a person covered by an evidentiary privilege under State
18
law as part of a privileged communication.
19

(d) A controller or processor that discloses personal data
20
to a third-party controller or processor in compliance with
21
the requirements of this Act is not in violation of this Act if
22
the recipient processes the personal data in violation of this
23
Act, provided that at the time of disclosing the personal
24
data, the disclosing controller or processor did not have
25
actual knowledge that the recipient intended to commit a
26
violation. A third-party controller or processor receiving

HB5221
- 45 -
LRB104 18403 SPS 31845 b
1
personal data from a controller or processor in compliance
2
with the requirements of this Act is not in violation of this
3
Act for the obligations of the controller or processor from
4
which the third-party controller or processor receives the
5
personal data.
6

(e) Obligations imposed on controllers and processors
7
under this Act shall not:
8

(1) adversely affect the rights or freedoms of any
9

persons, including exercising the right of free speech
10

under the First Amendment of the United States
11

Constitution; or
12

(2) apply to the processing of personal data by a
13

natural person in the course of a purely personal or
14

household activity.
15

(f) Personal data that are processed by a controller
16
pursuant to this Section may be processed solely to the extent
17
that the processing is:
18

(1) necessary, reasonable, and proportionate to the
19

purposes listed in this Section;
20

(2) adequate, relevant, and limited to what is
21

necessary in relation to the specific purpose or purposes
22

listed in this section; and
23

(3) insofar as possible, taking into account the
24

nature and purpose of processing the personal data,
25

subjected to reasonable administrative, technical, and
26

physical measures to protect the confidentiality,

HB5221
- 46 -
LRB104 18403 SPS 31845 b
1

integrity, and accessibility of the personal data, and to
2

reduce reasonably foreseeable risks of harm to consumers.
3

(g) If a controller processes personal data under an
4
exemption in this Section, the controller bears the burden of
5
demonstrating that the processing qualifies for the exemption
6
and complies with the requirements in subsection (f).
7

(h) Processing personal data solely for the purposes
8
expressly identified in paragraphs (1) through (7) of
9
subsection (a), does not, by itself, make an entity a
10
controller with respect to the processing.

11

Section 50.
Attorney General enforcement.
12

(a) If a controller or processor violates this Act, the
13
Attorney General, prior to filing an enforcement action under
14
subsection (b), must provide the controller or processor with
15
a warning letter identifying the specific provisions of this
16
Act the Attorney General alleges have been or are being
17
violated. If, after 30 days of issuance of the warning letter,
18
the Attorney General believes the controller or processor has
19
failed to cure any alleged violation, the Attorney General may
20
bring an enforcement action under subsection (b).
21

(b) The Attorney General may bring a civil action against
22
a controller or processor to enforce a provision of this Act.
23
If the State prevails in an action to enforce this Act, the
24
State may, in addition to penalties provided by subsection (c)
25
or other remedies provided by law, be allowed an amount

HB5221
- 47 -
LRB104 18403 SPS 31845 b
1
determined by the court to be the reasonable value of all or
2
part of the State's litigation expenses incurred.
3

(c) Any controller or processor that violates this Act is
4
subject to an injunction and liable for a civil penalty of not
5
more than $7,500 for each violation.
6

(d) Nothing in this Act establishes a private right of
7
action for a violation of this Act or any other law.

8

Section 55.
Home rule.
The regulation of the processing of
9
personal data by controllers or processors is an exclusive
10
power and function of the State. A home rule unit may not
11
regulate the processing of personal data by controllers or
12
processors. This Section is a denial and limitation of home
13
rule powers and functions under subsection (h) of Section 6 of
14
Article VII of the Illinois Constitution.

15

Section 90.
The Freedom of Information Act is amended by
16
changing Section 7.5 as follows:

17

(5 ILCS 140/7.5)
18

(Text of Section before amendment by P.A. 104-441 and
19
104-457
)
20

Sec. 7.5.
Statutory exemptions.
To the extent provided for
21
by the statutes referenced below, the following shall be
22
exempt from inspection and copying:
23

(a) All information determined to be confidential

HB5221
- 48 -
LRB104 18403 SPS 31845 b
1

under Section 4002 of the Technology Advancement and
2

Development Act.
3

(b) Library circulation and order records identifying
4

library users with specific materials under the Library
5

Records Confidentiality Act.
6

(c) Applications, related documents, and medical
7

records received by the Experimental Organ Transplantation
8

Procedures Board and any and all documents or other
9

records prepared by the Experimental Organ Transplantation
10

Procedures Board or its staff relating to applications it
11

has received.
12

(d) Information and records held by the Department of
13

Public Health and its authorized representatives relating
14

to known or suspected cases of sexually transmitted
15

infection or any information the disclosure of which is
16

restricted under the Illinois Sexually Transmitted
17

Infection Control Act.
18

(e) Information the disclosure of which is exempted
19

under Section 30 of the Radon Industry Licensing Act.
20

(f) Firm performance evaluations under Section 55 of
21

the Architectural, Engineering, and Land Surveying
22

Qualifications Based Selection Act.
23

(g) Information the disclosure of which is restricted
24

and exempted under Section 50 of the Illinois Prepaid
25

Tuition Act.
26

(h) Information the disclosure of which is exempted

HB5221
- 49 -
LRB104 18403 SPS 31845 b
1

under the State Officials and Employees Ethics Act, and
2

records of any lawfully created State or local inspector
3

general's office that would be exempt if created or
4

obtained by an Executive Inspector General's office under
5

that Act.
6

(i) Information contained in a local emergency energy
7

plan submitted to a municipality in accordance with a
8

local emergency energy plan ordinance that is adopted
9

under Section 11-21.5-5 of the Illinois Municipal Code.
10

(j) Information and data concerning the distribution
11

of surcharge moneys collected and remitted by carriers
12

under the Emergency Telephone System Act.
13

(k) Law enforcement officer identification information
14

or driver identification information compiled by a law
15

enforcement agency or the Department of Transportation
16

under Section 11-212 of the Illinois Vehicle Code.
17

(l) Records and information provided to a residential
18

health care facility resident sexual assault and death
19

review team or the Executive Council under the Abuse
20

Prevention Review Team Act.
21

(m) Information provided to the predatory lending
22

database created pursuant to Article 3 of the Residential
23

Real Property Disclosure Act, except to the extent
24

authorized under that Article.
25

(n) Defense budgets and petitions for certification of
26

compensation and expenses for court appointed trial

HB5221
- 50 -
LRB104 18403 SPS 31845 b
1

counsel as provided under Sections 10 and 15 of the
2

Capital Crimes Litigation Act (repealed). This subsection
3

(n) shall apply until the conclusion of the trial of the
4

case, even if the prosecution chooses not to pursue the
5

death penalty prior to trial or sentencing.
6

(o) Information that is prohibited from being
7

disclosed under Section 4 of the Illinois Health and
8

Hazardous Substances Registry Act.
9

(p) Security portions of system safety program plans,
10

investigation reports, surveys, schedules, lists, data, or
11

information compiled, collected, or prepared by or for the
12

Department of Transportation under Sections 2705-300 and
13

2705-616 of the Department of Transportation Law of the
14

Civil Administrative Code of Illinois, the Regional
15

Transportation Authority under Section 2.11 of the
16

Regional Transportation Authority Act, or the St. Clair
17

County Transit District under the Bi-State Transit Safety
18

Act (repealed).
19

(q) Information prohibited from being disclosed by the
20

Personnel Record Review Act.
21

(r) Information prohibited from being disclosed by the
22

Illinois School Student Records Act.
23

(s) Information the disclosure of which is restricted
24

under Section 5-108 of the Public Utilities Act.
25

(t) (Blank).
26

(u) Records and information provided to an independent

HB5221
- 51 -
LRB104 18403 SPS 31845 b
1

team of experts under the Developmental Disability and
2

Mental Health Safety Act (also known as Brian's Law).
3

(v) Names and information of people who have applied
4

for or received Firearm Owner's Identification Cards under
5

the Firearm Owners Identification Card Act or applied for
6

or received a concealed carry license under the Firearm
7

Concealed Carry Act, unless otherwise authorized by the
8

Firearm Concealed Carry Act; and databases under the
9

Firearm Concealed Carry Act, records of the Concealed
10

Carry Licensing Review Board under the Firearm Concealed
11

Carry Act, and law enforcement agency objections under the
12

Firearm Concealed Carry Act.
13

(v-5) Records of the Firearm Owner's Identification
14

Card Review Board that are exempted from disclosure under
15

Section 10 of the Firearm Owners Identification Card Act.
16

(w) Personally identifiable information which is
17

exempted from disclosure under subsection (g) of Section
18

19.1 of the Toll Highway Act.
19

(x) Information which is exempted from disclosure
20

under Section 5-1014.3 of the Counties Code or Section
21

8-11-21 of the Illinois Municipal Code.
22

(y) Confidential information under the Adult
23

Protective Services Act and its predecessor enabling
24

statute, the Elder Abuse and Neglect Act, including
25

information about the identity and administrative finding
26

against any caregiver of a verified and substantiated

HB5221
- 52 -
LRB104 18403 SPS 31845 b
1

decision of abuse, neglect, or financial exploitation of
2

an eligible adult maintained in the Registry established
3

under Section 7.5 of the Adult Protective Services Act.
4

(z) Records and information provided to a fatality
5

review team or the Illinois Fatality Review Team Advisory
6

Council under Section 15 of the Adult Protective Services
7

Act.
8

(aa) Information which is exempted from disclosure
9

under Section 2.37 of the Wildlife Code.
10

(bb) Information which is or was prohibited from
11

disclosure by the Juvenile Court Act of 1987.
12

(cc) Recordings made under the Law Enforcement
13

Officer-Worn Body Camera Act, except to the extent
14

authorized under that Act.
15

(dd) Information that is prohibited from being
16

disclosed under Section 45 of the Condominium and Common
17

Interest Community Ombudsperson Act.
18

(ee) Information that is exempted from disclosure
19

under Section 30.1 of the Pharmacy Practice Act.
20

(ff) Information that is exempted from disclosure
21

under the Revised Uniform Unclaimed Property Act.
22

(gg) Information that is prohibited from being
23

disclosed under Section 7-603.5 of the Illinois Vehicle
24

Code.
25

(hh) Records that are exempt from disclosure under
26

Section 1A-16.7 of the Election Code.

HB5221
- 53 -
LRB104 18403 SPS 31845 b
1

(ii) Information which is exempted from disclosure
2

under Section 2505-800 of the Department of Revenue Law of
3

the Civil Administrative Code of Illinois.
4

(jj) Information and reports that are required to be
5

submitted to the Department of Labor by registering day
6

and temporary labor service agencies but are exempt from
7

disclosure under subsection (a-1) of Section 45 of the Day
8

and Temporary Labor Services Act.
9

(kk) Information prohibited from disclosure under the
10

Seizure and Forfeiture Reporting Act.
11

(ll) Information the disclosure of which is restricted
12

and exempted under Section 5-30.8 of the Illinois Public
13

Aid Code.
14

(mm) Records that are exempt from disclosure under
15

Section 4.2 of the Crime Victims Compensation Act.
16

(nn) Information that is exempt from disclosure under
17

Section 70 of the Higher Education Student Assistance Act.
18

(oo) Communications, notes, records, and reports
19

arising out of a peer support counseling session
20

prohibited from disclosure under the First Responders
21

Suicide Prevention Act.
22

(pp) Names and all identifying information relating to
23

an employee of an emergency services provider or law
24

enforcement agency under the First Responders Suicide
25

Prevention Act.
26

(qq) Information and records held by the Department of

HB5221
- 54 -
LRB104 18403 SPS 31845 b
1

Public Health and its authorized representatives collected
2

under the Reproductive Health Act.
3

(rr) Information that is exempt from disclosure under
4

the Cannabis Regulation and Tax Act.
5

(ss) Data reported by an employer to the Department of
6

Human Rights pursuant to Section 2-108 of the Illinois
7

Human Rights Act.
8

(tt) Recordings made under the Children's Advocacy
9

Center Act, except to the extent authorized under that
10

Act.
11

(uu) Information that is exempt from disclosure under
12

Section 50 of the Sexual Assault Evidence Submission Act.
13

(vv) Information that is exempt from disclosure under
14

subsections (f) and (j) of Section 5-36 of the Illinois
15

Public Aid Code.
16

(ww) Information that is exempt from disclosure under
17

Section 16.8 of the State Treasurer Act.
18

(xx) Information that is exempt from disclosure or
19

information that shall not be made public under the
20

Illinois Insurance Code.
21

(yy) Information prohibited from being disclosed under
22

the Illinois Educational Labor Relations Act.
23

(zz) Information prohibited from being disclosed under
24

the Illinois Public Labor Relations Act.
25

(aaa) Information prohibited from being disclosed
26

under Section 1-167 of the Illinois Pension Code.

HB5221
- 55 -
LRB104 18403 SPS 31845 b
1

(bbb) Information that is prohibited from disclosure
2

by the Illinois Police Training Act and the Illinois State
3

Police Act.
4

(ccc) Records exempt from disclosure under Section
5

2605-304 of the Illinois State Police Law of the Civil
6

Administrative Code of Illinois.
7

(ddd) Information prohibited from being disclosed
8

under Section 35 of the Address Confidentiality for
9

Victims of Domestic Violence, Sexual Assault, Human
10

Trafficking, or Stalking Act.
11

(eee) Information prohibited from being disclosed
12

under subsection (b) of Section 75 of the Domestic
13

Violence Fatality Review Act.
14

(fff) Images from cameras under the Expressway Camera
15

Act and all automated license plate reader (ALPR)
16

information used and collected by the Illinois State
17

Police. "ALPR information" means information gathered by
18

an ALPR or created from the analysis of data generated by
19

an ALPR. This subsection (fff) is inoperative on and after
20

July 1, 2028.
21

(ggg) Information prohibited from disclosure under
22

paragraph (3) of subsection (a) of Section 14 of the Nurse
23

Agency Licensing Act.
24

(hhh) Information submitted to the Illinois State
25

Police in an affidavit or application for an assault
26

weapon endorsement, assault weapon attachment endorsement,

HB5221
- 56 -
LRB104 18403 SPS 31845 b
1

.50 caliber rifle endorsement, or .50 caliber cartridge
2

endorsement under the Firearm Owners Identification Card
3

Act.
4

(iii) Data exempt from disclosure under Section 50 of
5

the School Safety Drill Act.
6

(jjj) Information exempt from disclosure under Section
7

30 of the Insurance Data Security Law.
8

(kkk) Confidential business information prohibited
9

from disclosure under Section 45 of the Paint Stewardship
10

Act.
11

(lll) Data exempt from disclosure under Section
12

2-3.196 of the School Code.
13

(mmm) Information prohibited from being disclosed
14

under subsection (e) of Section 1-129 of the Illinois
15

Power Agency Act.
16

(nnn) Materials received by the Department of Commerce
17

and Economic Opportunity that are confidential under the
18

Music and Musicians Tax Credit and Jobs Act.
19

(ooo) Data or information provided pursuant to Section
20

20 of the Statewide Recycling Needs and Assessment Act.
21

(ppp) Information that is exempt from disclosure under
22

Section 28-11 of the Lawful Health Care Activity Act.
23

(qqq) Information that is exempt from disclosure under
24

Section 7-101 of the Illinois Human Rights Act.
25

(rrr) Information prohibited from being disclosed
26

under Section 4-2 of the Uniform Money Transmission

HB5221
- 57 -
LRB104 18403 SPS 31845 b
1

Modernization Act.
2

(sss) Information exempt from disclosure under Section
3

40 of the Student-Athlete Endorsement Rights Act.
4

(ttt) Audio recordings made under Section 30 of the
5

Illinois State Police Act, except to the extent authorized
6

under that Section.
7

(uuu) Information prohibited from being disclosed
8

under Section 30-5 of the Digital Assets Regulation Act.
9

(vvv) Information prohibited or exempt from being
10

disclosed under the Consumer Data Privacy Act.

11
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
19
9-10-25.)

20

(Text of Section after amendment by P.A. 104-457 but
21
before 104-441
)
22

Sec. 7.5.
Statutory exemptions.
To the extent provided for
23
by the statutes referenced below, the following shall be
24
exempt from inspection and copying:
25

(a) All information determined to be confidential

HB5221
- 58 -
LRB104 18403 SPS 31845 b
1

under Section 4002 of the Technology Advancement and
2

Development Act.
3

(b) Library circulation and order records identifying
4

library users with specific materials under the Library
5

Records Confidentiality Act.
6

(c) Applications, related documents, and medical
7

records received by the Experimental Organ Transplantation
8

Procedures Board and any and all documents or other
9

records prepared by the Experimental Organ Transplantation
10

Procedures Board or its staff relating to applications it
11

has received.
12

(d) Information and records held by the Department of
13

Public Health and its authorized representatives relating
14

to known or suspected cases of sexually transmitted
15

infection or any information the disclosure of which is
16

restricted under the Illinois Sexually Transmitted
17

Infection Control Act.
18

(e) Information the disclosure of which is exempted
19

under Section 30 of the Radon Industry Licensing Act.
20

(f) Firm performance evaluations under Section 55 of
21

the Architectural, Engineering, and Land Surveying
22

Qualifications Based Selection Act.
23

(g) Information the disclosure of which is restricted
24

and exempted under Section 50 of the Illinois Prepaid
25

Tuition Act.
26

(h) Information the disclosure of which is exempted

HB5221
- 59 -
LRB104 18403 SPS 31845 b
1

under the State Officials and Employees Ethics Act, and
2

records of any lawfully created State or local inspector
3

general's office that would be exempt if created or
4

obtained by an Executive Inspector General's office under
5

that Act.
6

(i) Information contained in a local emergency energy
7

plan submitted to a municipality in accordance with a
8

local emergency energy plan ordinance that is adopted
9

under Section 11-21.5-5 of the Illinois Municipal Code.
10

(j) Information and data concerning the distribution
11

of surcharge moneys collected and remitted by carriers
12

under the Emergency Telephone System Act.
13

(k) Law enforcement officer identification information
14

or driver identification information compiled by a law
15

enforcement agency or the Department of Transportation
16

under Section 11-212 of the Illinois Vehicle Code.
17

(l) Records and information provided to a residential
18

health care facility resident sexual assault and death
19

review team or the Executive Council under the Abuse
20

Prevention Review Team Act.
21

(m) Information provided to the predatory lending
22

database created pursuant to Article 3 of the Residential
23

Real Property Disclosure Act, except to the extent
24

authorized under that Article.
25

(n) Defense budgets and petitions for certification of
26

compensation and expenses for court appointed trial

HB5221
- 60 -
LRB104 18403 SPS 31845 b
1

counsel as provided under Sections 10 and 15 of the
2

Capital Crimes Litigation Act (repealed). This subsection
3

(n) shall apply until the conclusion of the trial of the
4

case, even if the prosecution chooses not to pursue the
5

death penalty prior to trial or sentencing.
6

(o) Information that is prohibited from being
7

disclosed under Section 4 of the Illinois Health and
8

Hazardous Substances Registry Act.
9

(p) Security portions of system safety program plans,
10

investigation reports, surveys, schedules, lists, data, or
11

information compiled, collected, or prepared by or for the
12

Department of Transportation under Sections 2705-300 and
13

2705-616 of the Department of Transportation Law of the
14

Civil Administrative Code of Illinois, the Northern
15

Illinois Transit Authority under Section 2.11 of the
16

Northern Illinois Transit Authority Act, or the St. Clair
17

County Transit District under the Bi-State Transit Safety
18

Act (repealed).
19

(q) Information prohibited from being disclosed by the
20

Personnel Record Review Act.
21

(r) Information prohibited from being disclosed by the
22

Illinois School Student Records Act.
23

(s) Information the disclosure of which is restricted
24

under Section 5-108 of the Public Utilities Act.
25

(t) (Blank).
26

(u) Records and information provided to an independent

HB5221
- 61 -
LRB104 18403 SPS 31845 b
1

team of experts under the Developmental Disability and
2

Mental Health Safety Act (also known as Brian's Law).
3

(v) Names and information of people who have applied
4

for or received Firearm Owner's Identification Cards under
5

the Firearm Owners Identification Card Act or applied for
6

or received a concealed carry license under the Firearm
7

Concealed Carry Act, unless otherwise authorized by the
8

Firearm Concealed Carry Act; and databases under the
9

Firearm Concealed Carry Act, records of the Concealed
10

Carry Licensing Review Board under the Firearm Concealed
11

Carry Act, and law enforcement agency objections under the
12

Firearm Concealed Carry Act.
13

(v-5) Records of the Firearm Owner's Identification
14

Card Review Board that are exempted from disclosure under
15

Section 10 of the Firearm Owners Identification Card Act.
16

(w) Personally identifiable information which is
17

exempted from disclosure under subsection (g) of Section
18

19.1 of the Toll Highway Act.
19

(x) Information which is exempted from disclosure
20

under Section 5-1014.3 of the Counties Code or Section
21

8-11-21 of the Illinois Municipal Code.
22

(y) Confidential information under the Adult
23

Protective Services Act and its predecessor enabling
24

statute, the Elder Abuse and Neglect Act, including
25

information about the identity and administrative finding
26

against any caregiver of a verified and substantiated

HB5221
- 62 -
LRB104 18403 SPS 31845 b
1

decision of abuse, neglect, or financial exploitation of
2

an eligible adult maintained in the Registry established
3

under Section 7.5 of the Adult Protective Services Act.
4

(z) Records and information provided to a fatality
5

review team or the Illinois Fatality Review Team Advisory
6

Council under Section 15 of the Adult Protective Services
7

Act.
8

(aa) Information which is exempted from disclosure
9

under Section 2.37 of the Wildlife Code.
10

(bb) Information which is or was prohibited from
11

disclosure by the Juvenile Court Act of 1987.
12

(cc) Recordings made under the Law Enforcement
13

Officer-Worn Body Camera Act, except to the extent
14

authorized under that Act.
15

(dd) Information that is prohibited from being
16

disclosed under Section 45 of the Condominium and Common
17

Interest Community Ombudsperson Act.
18

(ee) Information that is exempted from disclosure
19

under Section 30.1 of the Pharmacy Practice Act.
20

(ff) Information that is exempted from disclosure
21

under the Revised Uniform Unclaimed Property Act.
22

(gg) Information that is prohibited from being
23

disclosed under Section 7-603.5 of the Illinois Vehicle
24

Code.
25

(hh) Records that are exempt from disclosure under
26

Section 1A-16.7 of the Election Code.

HB5221
- 63 -
LRB104 18403 SPS 31845 b
1

(ii) Information which is exempted from disclosure
2

under Section 2505-800 of the Department of Revenue Law of
3

the Civil Administrative Code of Illinois.
4

(jj) Information and reports that are required to be
5

submitted to the Department of Labor by registering day
6

and temporary labor service agencies but are exempt from
7

disclosure under subsection (a-1) of Section 45 of the Day
8

and Temporary Labor Services Act.
9

(kk) Information prohibited from disclosure under the
10

Seizure and Forfeiture Reporting Act.
11

(ll) Information the disclosure of which is restricted
12

and exempted under Section 5-30.8 of the Illinois Public
13

Aid Code.
14

(mm) Records that are exempt from disclosure under
15

Section 4.2 of the Crime Victims Compensation Act.
16

(nn) Information that is exempt from disclosure under
17

Section 70 of the Higher Education Student Assistance Act.
18

(oo) Communications, notes, records, and reports
19

arising out of a peer support counseling session
20

prohibited from disclosure under the First Responders
21

Suicide Prevention Act.
22

(pp) Names and all identifying information relating to
23

an employee of an emergency services provider or law
24

enforcement agency under the First Responders Suicide
25

Prevention Act.
26

(qq) Information and records held by the Department of

HB5221
- 64 -
LRB104 18403 SPS 31845 b
1

Public Health and its authorized representatives collected
2

under the Reproductive Health Act.
3

(rr) Information that is exempt from disclosure under
4

the Cannabis Regulation and Tax Act.
5

(ss) Data reported by an employer to the Department of
6

Human Rights pursuant to Section 2-108 of the Illinois
7

Human Rights Act.
8

(tt) Recordings made under the Children's Advocacy
9

Center Act, except to the extent authorized under that
10

Act.
11

(uu) Information that is exempt from disclosure under
12

Section 50 of the Sexual Assault Evidence Submission Act.
13

(vv) Information that is exempt from disclosure under
14

subsections (f) and (j) of Section 5-36 of the Illinois
15

Public Aid Code.
16

(ww) Information that is exempt from disclosure under
17

Section 16.8 of the State Treasurer Act.
18

(xx) Information that is exempt from disclosure or
19

information that shall not be made public under the
20

Illinois Insurance Code.
21

(yy) Information prohibited from being disclosed under
22

the Illinois Educational Labor Relations Act.
23

(zz) Information prohibited from being disclosed under
24

the Illinois Public Labor Relations Act.
25

(aaa) Information prohibited from being disclosed
26

under Section 1-167 of the Illinois Pension Code.

HB5221
- 65 -
LRB104 18403 SPS 31845 b
1

(bbb) Information that is prohibited from disclosure
2

by the Illinois Police Training Act and the Illinois State
3

Police Act.
4

(ccc) Records exempt from disclosure under Section
5

2605-304 of the Illinois State Police Law of the Civil
6

Administrative Code of Illinois.
7

(ddd) Information prohibited from being disclosed
8

under Section 35 of the Address Confidentiality for
9

Victims of Domestic Violence, Sexual Assault, Human
10

Trafficking, or Stalking Act.
11

(eee) Information prohibited from being disclosed
12

under subsection (b) of Section 75 of the Domestic
13

Violence Fatality Review Act.
14

(fff) Images from cameras under the Expressway Camera
15

Act and all automated license plate reader (ALPR)
16

information used and collected by the Illinois State
17

Police. "ALPR information" means information gathered by
18

an ALPR or created from the analysis of data generated by
19

an ALPR. This subsection (fff) is inoperative on and after
20

July 1, 2028.
21

(ggg) Information prohibited from disclosure under
22

paragraph (3) of subsection (a) of Section 14 of the Nurse
23

Agency Licensing Act.
24

(hhh) Information submitted to the Illinois State
25

Police in an affidavit or application for an assault
26

weapon endorsement, assault weapon attachment endorsement,

HB5221
- 66 -
LRB104 18403 SPS 31845 b
1

.50 caliber rifle endorsement, or .50 caliber cartridge
2

endorsement under the Firearm Owners Identification Card
3

Act.
4

(iii) Data exempt from disclosure under Section 50 of
5

the School Safety Drill Act.
6

(jjj) Information exempt from disclosure under Section
7

30 of the Insurance Data Security Law.
8

(kkk) Confidential business information prohibited
9

from disclosure under Section 45 of the Paint Stewardship
10

Act.
11

(lll) Data exempt from disclosure under Section
12

2-3.196 of the School Code.
13

(mmm) Information prohibited from being disclosed
14

under subsection (e) of Section 1-129 of the Illinois
15

Power Agency Act.
16

(nnn) Materials received by the Department of Commerce
17

and Economic Opportunity that are confidential under the
18

Music and Musicians Tax Credit and Jobs Act.
19

(ooo) Data or information provided pursuant to Section
20

20 of the Statewide Recycling Needs and Assessment Act.
21

(ppp) Information that is exempt from disclosure under
22

Section 28-11 of the Lawful Health Care Activity Act.
23

(qqq) Information that is exempt from disclosure under
24

Section 7-101 of the Illinois Human Rights Act.
25

(rrr) Information prohibited from being disclosed
26

under Section 4-2 of the Uniform Money Transmission

HB5221
- 67 -
LRB104 18403 SPS 31845 b
1

Modernization Act.
2

(sss) Information exempt from disclosure under Section
3

40 of the Student-Athlete Endorsement Rights Act.
4

(ttt) Audio recordings made under Section 30 of the
5

Illinois State Police Act, except to the extent authorized
6

under that Section.
7

(uuu) Information prohibited from being disclosed
8

under Section 30-5 of the Digital Assets Regulation Act.
9

(vvv) Information prohibited or exempt from being
10

disclosed under the Consumer Data Privacy Act.

11
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
19
6-1-26; revised 1-7-26.)

20

(Text of Section after amendment by P.A. 104-441
)
21

Sec. 7.5.
Statutory exemptions.
To the extent provided for
22
by the statutes referenced below, the following shall be
23
exempt from inspection and copying:
24

(a) All information determined to be confidential
25

under Section 4002 of the Technology Advancement and

HB5221
- 68 -
LRB104 18403 SPS 31845 b
1

Development Act.
2

(b) Library circulation and order records identifying
3

library users with specific materials under the Library
4

Records Confidentiality Act.
5

(c) Applications, related documents, and medical
6

records received by the Experimental Organ Transplantation
7

Procedures Board and any and all documents or other
8

records prepared by the Experimental Organ Transplantation
9

Procedures Board or its staff relating to applications it
10

has received.
11

(d) Information and records held by the Department of
12

Public Health and its authorized representatives relating
13

to known or suspected cases of sexually transmitted
14

infection or any information the disclosure of which is
15

restricted under the Illinois Sexually Transmitted
16

Infection Control Act.
17

(e) Information the disclosure of which is exempted
18

under Section 30 of the Radon Industry Licensing Act.
19

(f) Firm performance evaluations under Section 55 of
20

the Architectural, Engineering, and Land Surveying
21

Qualifications Based Selection Act.
22

(g) Information the disclosure of which is restricted
23

and exempted under Section 50 of the Illinois Prepaid
24

Tuition Act.
25

(h) Information the disclosure of which is exempted
26

under the State Officials and Employees Ethics Act, and

HB5221
- 69 -
LRB104 18403 SPS 31845 b
1

records of any lawfully created State or local inspector
2

general's office that would be exempt if created or
3

obtained by an Executive Inspector General's office under
4

that Act.
5

(i) Information contained in a local emergency energy
6

plan submitted to a municipality in accordance with a
7

local emergency energy plan ordinance that is adopted
8

under Section 11-21.5-5 of the Illinois Municipal Code.
9

(j) Information and data concerning the distribution
10

of surcharge moneys collected and remitted by carriers
11

under the Emergency Telephone System Act.
12

(k) Law enforcement officer identification information
13

or driver identification information compiled by a law
14

enforcement agency or the Department of Transportation
15

under Section 11-212 of the Illinois Vehicle Code.
16

(l) Records and information provided to a residential
17

health care facility resident sexual assault and death
18

review team or the Executive Council under the Abuse
19

Prevention Review Team Act.
20

(m) Information provided to the predatory lending
21

database created pursuant to Article 3 of the Residential
22

Real Property Disclosure Act, except to the extent
23

authorized under that Article.
24

(n) Defense budgets and petitions for certification of
25

compensation and expenses for court appointed trial
26

counsel as provided under Sections 10 and 15 of the

HB5221
- 70 -
LRB104 18403 SPS 31845 b
1

Capital Crimes Litigation Act (repealed). This subsection
2

(n) shall apply until the conclusion of the trial of the
3

case, even if the prosecution chooses not to pursue the
4

death penalty prior to trial or sentencing.
5

(o) Information that is prohibited from being
6

disclosed under Section 4 of the Illinois Health and
7

Hazardous Substances Registry Act.
8

(p) Security portions of system safety program plans,
9

investigation reports, surveys, schedules, lists, data, or
10

information compiled, collected, or prepared by or for the
11

Department of Transportation under Sections 2705-300 and
12

2705-616 of the Department of Transportation Law of the
13

Civil Administrative Code of Illinois, the Northern
14

Illinois Transit Authority under Section 2.11 of the
15

Northern Illinois Transit Authority Act, or the St. Clair
16

County Transit District under the Bi-State Transit Safety
17

Act (repealed).
18

(q) Information prohibited from being disclosed by the
19

Personnel Record Review Act.
20

(r) Information prohibited from being disclosed by the
21

Illinois School Student Records Act.
22

(s) Information the disclosure of which is restricted
23

under Section 5-108 of the Public Utilities Act.
24

(t) (Blank).
25

(u) Records and information provided to an independent
26

team of experts under the Developmental Disability and

HB5221
- 71 -
LRB104 18403 SPS 31845 b
1

Mental Health Safety Act (also known as Brian's Law).
2

(v) Names and information of people who have applied
3

for or received Firearm Owner's Identification Cards under
4

the Firearm Owners Identification Card Act or applied for
5

or received a concealed carry license under the Firearm
6

Concealed Carry Act, unless otherwise authorized by the
7

Firearm Concealed Carry Act; and databases under the
8

Firearm Concealed Carry Act, records of the Concealed
9

Carry Licensing Review Board under the Firearm Concealed
10

Carry Act, and law enforcement agency objections under the
11

Firearm Concealed Carry Act.
12

(v-5) Records of the Firearm Owner's Identification
13

Card Review Board that are exempted from disclosure under
14

Section 10 of the Firearm Owners Identification Card Act.
15

(w) Personally identifiable information which is
16

exempted from disclosure under subsection (g) of Section
17

19.1 of the Toll Highway Act.
18

(x) Information which is exempted from disclosure
19

under Section 5-1014.3 of the Counties Code or Section
20

8-11-21 of the Illinois Municipal Code.
21

(y) Confidential information under the Adult
22

Protective Services Act and its predecessor enabling
23

statute, the Elder Abuse and Neglect Act, including
24

information about the identity and administrative finding
25

against any caregiver of a verified and substantiated
26

decision of abuse, neglect, or financial exploitation of

HB5221
- 72 -
LRB104 18403 SPS 31845 b
1

an eligible adult maintained in the Registry established
2

under Section 7.5 of the Adult Protective Services Act.
3

(z) Records and information provided to a fatality
4

review team or the Illinois Fatality Review Team Advisory
5

Council under Section 15 of the Adult Protective Services
6

Act.
7

(aa) Information which is exempted from disclosure
8

under Section 2.37 of the Wildlife Code.
9

(bb) Information which is or was prohibited from
10

disclosure by the Juvenile Court Act of 1987.
11

(cc) Recordings made under the Law Enforcement
12

Officer-Worn Body Camera Act, except to the extent
13

authorized under that Act.
14

(dd) Information that is prohibited from being
15

disclosed under Section 45 of the Condominium and Common
16

Interest Community Ombudsperson Act.
17

(ee) Information that is exempted from disclosure
18

under Section 30.1 of the Pharmacy Practice Act.
19

(ff) Information that is exempted from disclosure
20

under the Revised Uniform Unclaimed Property Act.
21

(gg) Information that is prohibited from being
22

disclosed under Section 7-603.5 of the Illinois Vehicle
23

Code.
24

(hh) Records that are exempt from disclosure under
25

Section 1A-16.7 of the Election Code.
26

(ii) Information which is exempted from disclosure

HB5221
- 73 -
LRB104 18403 SPS 31845 b
1

under Section 2505-800 of the Department of Revenue Law of
2

the Civil Administrative Code of Illinois.
3

(jj) Information and reports that are required to be
4

submitted to the Department of Labor by registering day
5

and temporary labor service agencies but are exempt from
6

disclosure under subsection (a-1) of Section 45 of the Day
7

and Temporary Labor Services Act.
8

(kk) Information prohibited from disclosure under the
9

Seizure and Forfeiture Reporting Act.
10

(ll) Information the disclosure of which is restricted
11

and exempted under Section 5-30.8 of the Illinois Public
12

Aid Code.
13

(mm) Records that are exempt from disclosure under
14

Section 4.2 of the Crime Victims Compensation Act.
15

(nn) Information that is exempt from disclosure under
16

Section 70 of the Higher Education Student Assistance Act.
17

(oo) Communications, notes, records, and reports
18

arising out of a peer support counseling session
19

prohibited from disclosure under the First Responders
20

Suicide Prevention Act.
21

(pp) Names and all identifying information relating to
22

an employee of an emergency services provider or law
23

enforcement agency under the First Responders Suicide
24

Prevention Act.
25

(qq) Information and records held by the Department of
26

Public Health and its authorized representatives collected

HB5221
- 74 -
LRB104 18403 SPS 31845 b
1

under the Reproductive Health Act.
2

(rr) Information that is exempt from disclosure under
3

the Cannabis Regulation and Tax Act.
4

(ss) Data reported by an employer to the Department of
5

Human Rights pursuant to Section 2-108 of the Illinois
6

Human Rights Act.
7

(tt) Recordings made under the Children's Advocacy
8

Center Act, except to the extent authorized under that
9

Act.
10

(uu) Information that is exempt from disclosure under
11

Section 50 of the Sexual Assault Evidence Submission Act.
12

(vv) Information that is exempt from disclosure under
13

subsections (f) and (j) of Section 5-36 of the Illinois
14

Public Aid Code.
15

(ww) Information that is exempt from disclosure under
16

Section 16.8 of the State Treasurer Act.
17

(xx) Information that is exempt from disclosure or
18

information that shall not be made public under the
19

Illinois Insurance Code.
20

(yy) Information prohibited from being disclosed under
21

the Illinois Educational Labor Relations Act.
22

(zz) Information prohibited from being disclosed under
23

the Illinois Public Labor Relations Act.
24

(aaa) Information prohibited from being disclosed
25

under Section 1-167 of the Illinois Pension Code.
26

(bbb) Information that is prohibited from disclosure

HB5221
- 75 -
LRB104 18403 SPS 31845 b
1

by the Illinois Police Training Act and the Illinois State
2

Police Act.
3

(ccc) Records exempt from disclosure under Section
4

2605-304 of the Illinois State Police Law of the Civil
5

Administrative Code of Illinois.
6

(ddd) Information prohibited from being disclosed
7

under Section 35 of the Address Confidentiality for
8

Victims of Domestic Violence, Sexual Assault, Human
9

Trafficking, or Stalking Act.
10

(eee) Information prohibited from being disclosed
11

under subsection (b) of Section 75 of the Domestic
12

Violence Fatality Review Act.
13

(fff) Images from cameras under the Expressway Camera
14

Act and all automated license plate reader (ALPR)
15

information used and collected by the Illinois State
16

Police. "ALPR information" means information gathered by
17

an ALPR or created from the analysis of data generated by
18

an ALPR. This subsection (fff) is inoperative on and after
19

July 1, 2028.
20

(ggg) Information prohibited from disclosure under
21

paragraph (3) of subsection (a) of Section 14 of the Nurse
22

Agency Licensing Act.
23

(hhh) Information submitted to the Illinois State
24

Police in an affidavit or application for an assault
25

weapon endorsement, assault weapon attachment endorsement,
26

.50 caliber rifle endorsement, or .50 caliber cartridge

HB5221
- 76 -
LRB104 18403 SPS 31845 b
1

endorsement under the Firearm Owners Identification Card
2

Act.
3

(iii) Data exempt from disclosure under Section 50 of
4

the School Safety Drill Act.
5

(jjj) Information exempt from disclosure under Section
6

30 of the Insurance Data Security Law.
7

(kkk) Confidential business information prohibited
8

from disclosure under Section 45 of the Paint Stewardship
9

Act.
10

(lll) Data exempt from disclosure under Section
11

2-3.196 of the School Code.
12

(mmm) Information prohibited from being disclosed
13

under subsection (e) of Section 1-129 of the Illinois
14

Power Agency Act.
15

(nnn) Materials received by the Department of Commerce
16

and Economic Opportunity that are confidential under the
17

Music and Musicians Tax Credit and Jobs Act.
18

(ooo) Data or information provided pursuant to Section
19

20 of the Statewide Recycling Needs and Assessment Act.
20

(ppp) Information that is exempt from disclosure under
21

Section 28-11 of the Lawful Health Care Activity Act.
22

(qqq) Information that is exempt from disclosure under
23

Section 7-101 of the Illinois Human Rights Act.
24

(rrr) Information prohibited from being disclosed
25

under Section 4-2 of the Uniform Money Transmission
26

Modernization Act.

HB5221
- 77 -
LRB104 18403 SPS 31845 b
1

(sss) Information exempt from disclosure under Section
2

40 of the Student-Athlete Endorsement Rights Act.
3

(ttt) Audio recordings made under Section 30 of the
4

Illinois State Police Act, except to the extent authorized
5

under that Section.
6

(uuu) Information prohibited from being disclosed
7

under Section 30-5 of the Digital Assets Regulation Act.
8

(vvv)

(uuu)
Information exempt from disclosure under
9

Section 70 of the End-of-Life Options for Terminally Ill
10

Patients Act.
11

(www) Information prohibited or exempt from being
12

disclosed under the Consumer Data Privacy Act.

13
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
14
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
15
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
16
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
17
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
18
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
19
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
20
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
21
9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)

22

Section 95.
No acceleration or delay.
Where this Act makes
23
changes in a statute that is represented in this Act by text
24
that is not yet or no longer in effect (for example, a Section
25
represented by multiple versions), the use of that text does

HB5221
- 78 -
LRB104 18403 SPS 31845 b
1
not accelerate or delay the taking effect of (i) the changes
2
made by this Act or (ii) provisions derived from any other
3
Public Act.

4

Section 97.
Severability.
The provisions of this Act are
5
severable under Section 1.31 of the Statute on Statutes.

6

Section 99.
Effective date.
This Act takes effect January
7
1, 2027.

Footer

Disclaimer

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.

Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn