Read the full stored bill text
Illinois General Assembly - Full Text of SB0340
Select Language
×
The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.
Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.
The English language version is always the official and authoritative version of this website.
NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.
Choose Language
English
Afrikaans
Albanian
Arabic
Armenian
Azerbaijani
Basque
Bengali
Bosnian
Catalan
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hungarian
Icelandic
Indonesian
Interlingua
Interlingue
Inuktitut
Irish
Italian
Japanese
Javanese
Kannada
Khmer
Korean
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malayalam
Maltese
Maori
Marathi
Myanmar
Nepali
Norwegian
Odia
Pashto
Punjabi
Romanian
Russian
Samoan
Sango
Sanskrit
Sardinian
Sindhi
Sinhala
Slovak
Slovenian
Somali
Southern Sotho
Spanish
Sundanese
Swahili
Swedish
Tamil
Telugu
Thai
Tigrinya
Tonga
Turkish
Ukrainian
Urdu
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
Powered by
Translate
Close
Illinois General Assembly
Top Navigation Bar
Translate
Learn
Select General Assembly
Search the 104th General Assembly
Enter search terms for legislation, members, committees, or schedules.
ILGA.GOV
LEGISLATION & LAWS
Bills & Resolutions
Public Acts
Illinois Compiled Statutes
Illinois Constitution
Search Legislation
Glossary
Guide
Reports & Inquiry
Legislative Reports
Special Reports
FTP Site
Legislator Lookup
Capitol Complex Phone Numbers
Rules & Regulations
Illinois Register
Administrative Rules
Senate
Members
Schedules
Committees
Request for Remote Testimony
Journals
Transcripts
Rules
Audio/Video
FOIA Information
Senate Employment Opportunities
Media Guidelines
House
Members
Schedules
Committees
Submit testimony for House Committees
Journals
Transcripts
Rules
Audio/Video
FOIA Information
House Employment Opportunities
Log In
Mobile Top Bar
Search the 104th General Assembly
Enter keywords to search the Illinois General Assembly website.
Full Text of SB0340
Home
Legislation
Full Text
SB0340 - 104th General Assembly
Bill Status
Full Text
Votes
Witness Slips
Select Menu
Bill Status
Full Text
Votes
Witness Slips
Printer Friendly Version
Introduced
Engrossed
Senate Amendment 001
Senate Amendment 002
Senate Amendment 003
Senate Amendment 004
Printer Friendly Version
Introduced
Engrossed
Senate Amendment 001
Senate Amendment 002
Senate Amendment 003
Senate Amendment 004
Open PDF
SB0340 Engrossed
LRB104 06459 JRC 16495 b
1
AN ACT concerning civil law.
2
Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:
4
Section 10.
Short title.
This Act may be cited as the
5
Illinois Consumer Data Privacy Act.
6
Section 11.
Definitions.
As used in this Act:
7
"Affiliate" means a legal entity that controls, is
8
controlled by, or is under common control with another legal
9
entity. As used in this definition, "control" or "controlled"
10
means: ownership of or the power to vote more than 50% of the
11
outstanding shares of any class of voting security of a
12
company; control in any manner over the election of a majority
13
of the directors or of individuals exercising similar
14
functions; or the power to exercise a controlling influence
15
over the management of a company.
16
"Authenticate" means to use reasonable means to determine
17
that a request to exercise any of the rights under subsection
18
(b) of Section 14 is being made by or rightfully on behalf of
19
the consumer who is entitled to exercise the rights with
20
respect to the personal data at issue.
21
"Biometric identifier" has the same meaning given to that
22
term in the Biometric Information Privacy Act.
23
"Biometric information" has the same meaning given to that
SB0340 Engrossed
- 2 -
LRB104 06459 JRC 16495 b
1
term in the Biometric Information Privacy Act.
2
"Child" has the meaning given in United States Code, Title
3
15, Section 6501.
4
"Collect" means to buy, rent, obtain, lease, access,
5
receive, or otherwise acquire personal data in any manner.
6
"Consent" means any freely given, specific, informed, and
7
unambiguous indication of the consumer's wishes by which the
8
consumer signifies agreement to the processing of personal
9
data relating to the consumer. Acceptance of general or broad
10
terms of use or similar document that contains descriptions of
11
personal data processing along with other, unrelated
12
information does not constitute consent. Hovering over,
13
muting, pausing, or closing a given piece of content does not
14
constitute consent. A consent is not valid when the consumer's
15
indication has been obtained by a dark pattern. A consumer may
16
revoke consent previously given consistent with this Act.
17
"Consumer" means a natural person who is an Illinois
18
resident acting only in an individual or household context.
19
Consumer does not include a natural person acting in a
20
commercial or employment context.
21
"Controller" means the natural or legal person who, alone
22
or jointly with others, determines the purposes and means of
23
the processing of personal data.
24
"Decisions that produce legal or similarly significant
25
effects concerning the consumer" means decisions made by the
26
controller that result in the provision or denial by the
SB0340 Engrossed
- 3 -
LRB104 06459 JRC 16495 b
1
controller of financial or lending services, housing,
2
insurance, education enrollment or opportunity, criminal
3
justice, employment opportunities, health care services, or
4
access to essential goods or services.
5
"Dark pattern" means a user interface designed or
6
manipulated with the substantial effect of subverting or
7
impairing user autonomy, decision-making, or choice.
8
"Deidentified data" means data that cannot reasonably be
9
used to infer information about or otherwise be linked to an
10
identified or identifiable natural person or a device linked
11
to an identified or identifiable natural person, provided that
12
the controller that possesses the data:
13
(1) takes reasonable measures to ensure that the data
14
cannot be associated with a natural person;
15
(2) publicly commits to process the data only in a
16
deidentified fashion and not attempt to reidentify the
17
data; and
18
(3) contractually obligates any recipients of the
19
information to comply with all provisions of this
20
definition.
21
"Delete" means to remove or destroy information so that it
22
is not maintained in human- or machine-readable form and
23
cannot be retrieved or used in the ordinary course of
24
business.
25
"Genetic information" has the meaning ascribed to the term
26
under the Health Insurance Portability and Accountability Act
SB0340 Engrossed
- 4 -
LRB104 06459 JRC 16495 b
1
of 1996 as specified in 45 CFR 160.103.
2
"Identified or identifiable natural person" means a person
3
who can be readily identified, directly or indirectly.
4
"Known child" means a person under circumstances in which
5
a controller has actual knowledge of, or willfully disregards,
6
that the person is under 13 years of age.
7
"Personal data" means any information that is linked or
8
reasonably linkable to an identified or identifiable natural
9
person. "Personal data" does not include deidentified data,
10
pseudonymous data, or publicly available information. As used
11
in this definition, "publicly available information" means
12
information that (1) is lawfully made available from federal,
13
state, or local government records or (2) a controller has a
14
reasonable basis to believe has lawfully been made available
15
to the general public.
16
"Process" or "processing" means any operation or set of
17
operations that are performed on personal data or on sets of
18
personal data, whether or not by automated means, including,
19
but not limited to, the collection, use, storage, disclosure,
20
analysis, deletion, sharing, retention, organizing,
21
structuring, or modification of personal data.
22
"Processor" means a natural or legal person who processes
23
personal data on behalf of a controller.
24
"Profiling" means any form of automated processing of
25
personal data to evaluate, analyze, or predict personal
26
aspects related to an identified or identifiable natural
SB0340 Engrossed
- 5 -
LRB104 06459 JRC 16495 b
1
person's economic situation, health, personal preferences,
2
interests, reliability, behavior, location, or movements.
3
Profiling does not include automated processing used solely
4
for independent measurement.
5
"Pseudonymous data" means personal data that cannot be
6
attributed to a specific natural person without the use of
7
additional information, provided that the additional
8
information is kept separately and is subject to appropriate
9
technical and organizational measures to ensure that the
10
personal data are not attributed to an identified or
11
identifiable natural person.
12
"Sale", "sell", or "sold" means the exchange of personal
13
data for monetary or other valuable consideration by the
14
controller, processor, or an affiliate of the controller or
15
processor to a third party. "Sale" does not include the
16
following:
17
(1) the disclosure of personal data to a processor who
18
processes the personal data on behalf of the controller if
19
limited to the purposes of processing;
20
(2) the disclosure of personal data to a third party
21
for purposes of providing a product or service requested
22
by the consumer;
23
(3) the disclosure or transfer of personal data to an
24
affiliate of the controller;
25
(4) the disclosure of information that the consumer
26
intentionally made available to the general public via a
SB0340 Engrossed
- 6 -
LRB104 06459 JRC 16495 b
1
channel of mass media and did not restrict to a specific
2
audience; or
3
(5) the disclosure or transfer of personal data to a
4
third party as an asset that is part of a completed or
5
proposed merger, acquisition, bankruptcy, or other
6
transaction in which the third party assumes control of
7
all or part of the controller's assets.
8
"Sensitive data" is a form of personal data. "Sensitive
9
data" means:
10
(1) personal data revealing racial or ethnic origin,
11
religious beliefs, mental or physical health condition or
12
diagnosis, sexual orientation, or citizenship or
13
immigration status;
14
(2) the processing of biometric identifiers or
15
information or genetic information for the purpose of
16
uniquely identifying an individual;
17
(3) the personal data of a known child;
18
(4) specific geolocation data;
19
(5) information that reveals the status of
20
identifiable natural person as a victim of a crime; or
21
(6) a government-issued identifier, including a social
22
security number, passport number, or a driver's license
23
number, that is not required by law to be displayed in
24
public.
25
"Specific geolocation data" means information derived from
26
technology, including, but not limited to, global positioning
SB0340 Engrossed
- 7 -
LRB104 06459 JRC 16495 b
1
system level latitude and longitude coordinates or other
2
mechanisms that can precisely and accurately identify the
3
specific location of a consumer or a device linked with a
4
consumer within a radius of 1,750 feet. Specific geolocation
5
data does not include the content of communications, the
6
contents of databases containing street address information
7
that are accessible to the public as authorized by law, or any
8
data generated by or connected to advanced utility metering
9
infrastructure systems or other equipment for use by a public
10
utility.
11
"Targeted advertising" means displaying advertisements to
12
a consumer or to a device linked to a consumer in which the
13
advertisement is selected based on personal data obtained or
14
inferred from the consumer's activities over time and across
15
nonaffiliated websites or online applications to predict the
16
consumer's preferences or interests. Targeted advertising does
17
not include:
18
(1) advertising based on activities within a
19
controller's own websites or online applications;
20
(2) advertising based on the context of a consumer's
21
current search query or visit to a website or online
22
application;
23
(3) advertising to a consumer in response to the
24
consumer's request for information or feedback; or
25
(4) processing personal data solely for measuring or
26
reporting content and advertising performance, reach, or
SB0340 Engrossed
- 8 -
LRB104 06459 JRC 16495 b
1
frequency, including independent measurement.
2
(z) "Third party" means a natural or legal person, public
3
authority, agency, or body other than the consumer,
4
controller, processor, or an affiliate of the processor or the
5
controller.
6
(aa) "Trade secret" has the same meaning given to the term
7
in the Illinois Trade Secrets Act.
8
Section 12.
Scope; exclusions.
9
(a)(1) Scope. This Act applies to legal entities that
10
conduct business in Illinois or produce products or services
11
that are targeted to Illinois residents, and that satisfy one
12
or more of the following thresholds:
13
(A) during a calendar year, collects or processes
14
personal data of 100,000 consumers or more, excluding
15
personal data controlled or processed solely for the
16
purpose of completing a payment transaction; or
17
(B) derives over 25% of gross revenue from the sale of
18
personal data and processes or collects personal data of
19
25,000 consumers or more.
20
(2) A controller or processor shall comply with the
21
Student Online Personal Protection Act, except that if the
22
provisions of that Act conflict with this Act, the Student
23
Online Personal Protection Act prevails.
24
(3) All legal entities shall comply with the Biometric
25
Information Privacy Act and the Genetic Information Privacy
SB0340 Engrossed
- 9 -
LRB104 06459 JRC 16495 b
1
Act.
2
(b) Exclusions. The provisions of this Act do not apply to
3
the following entities, activities, or types of information:
4
(1) the State, a political subdivision of the State,
5
units of local government, and school districts;
6
(2) a federally recognized Indian tribe;
7
(3) information that meets the definition of:
8
(A) protected health information, as defined by
9
and for purposes of the Health Insurance Portability
10
and Accountability Act of 1996, Public Law 104-191,
11
and related regulations;
12
(B) health records, that includes, but is not
13
limited to, any information, whether oral or recorded
14
in any form or medium, that relates to the past,
15
present, or future physical or mental health or
16
condition of a patient; the provision of health care
17
to a patient; or the past, present, or future payment
18
for the provision of health care to a patient;
19
(C) patient identifying information for purposes
20
of Code of Federal Regulations, Title 42, Part 2,
21
established pursuant to the United States Code, Title
22
42, Section 290dd-2;
23
(D) identifiable private information for purposes
24
of the federal policy for the protection of human
25
subjects, the Code of Federal Regulations, Title 45,
26
Part 46; identifiable private information that is
SB0340 Engrossed
- 10 -
LRB104 06459 JRC 16495 b
1
otherwise information collected as part of human
2
subjects research under the good clinical practice
3
guidelines issued by the International Council for
4
Harmonisation; the protection of human subjects under
5
the Code of Federal Regulations, Title 21, Parts 50
6
and 56; or personal data used or shared in research
7
conducted in accordance with one or more of the
8
requirements set forth in this paragraph;
9
(E) information and documents created for purposes
10
of the federal Health Care Quality Improvement Act of
11
1986, Public Law 99-660, and related regulations; or
12
(F) patient safety work product for purposes of
13
Code of Federal Regulations, Title 42, Part 3,
14
established under the United States Code, Title 42,
15
Sections 299b-21 to 299b-26;
16
(4) information that is derived from any of the health
17
care-related information listed in clause (3), but that
18
has been deidentified in accordance with the requirements
19
for deidentification set forth in the Code of Federal
20
Regulations, Title 45, Part 164;
21
(5) information originating from, and intermingled to
22
be indistinguishable with, any of the health care-related
23
information listed in clause (3) that is maintained by:
24
(A) a covered entity or business associate, as
25
defined by the Health Insurance Portability and
26
Accountability Act of 1996, Public Law 104-191, and
SB0340 Engrossed
- 11 -
LRB104 06459 JRC 16495 b
1
related regulations to the extent the entity is acting
2
as a covered entity or business associate under the
3
Privacy and Security rules issued by the United States
4
Department of Health and Human Services, Parts 160 and
5
164 of Title 45 of the Code of Federal Regulations;
6
(B) a health care provider, to include, but not be
7
limited to, any public or private facility that
8
provides, on an inpatient or outpatient basis,
9
preventive, diagnostic, therapeutic, convalescent,
10
rehabilitation, mental health, or intellectual
11
disability services, including general or special
12
hospitals, skilled nursing homes, extended care
13
facilities, intermediate care facilities and mental
14
health centers; or
15
(C) a program or a qualified service organization,
16
as defined by Code of Federal Regulations, Title 42,
17
Part 2, established pursuant to United States Code,
18
Title 42, Section 290dd-2;
19
(6) information that is:
20
(A) maintained by an entity that meets the
21
definition of health care provider under the Code of
22
Federal Regulations, Title 45, Section 160.103, to the
23
extent that the entity maintains the information in
24
the manner required of covered entities with respect
25
to protected health information for purposes of the
26
Health Insurance Portability and Accountability Act of
SB0340 Engrossed
- 12 -
LRB104 06459 JRC 16495 b
1
1996, Public Law 104-191, and related regulations;
2
(B) included in a limited data set, as described
3
under the Code of Federal Regulations, Title 45, Part
4
164.514(e), to the extent that the information is
5
used, disclosed, and maintained in the manner
6
specified by that part;
7
(C) maintained by, or maintained to comply with
8
the rules or orders of, a self-regulatory organization
9
as defined by the United States Code, Title 15,
10
Section 78c(a)(26) or of a registered futures
11
association as designated under the United States
12
Code, Title 7, Section 21;
13
(D) originated from, or intermingled with,
14
information described in clause (9) and that a
15
residential mortgage originator or residential
16
mortgage servicer regulated under the Residential
17
Mortgage License Act of 1987 collects, processes,
18
uses, or maintains in the same manner as required
19
under the laws and regulations specified in clause
20
(9); or
21
(E) originated from, or intermingled with,
22
information described in clause (9) and that a nonbank
23
financial institution collects, processes, uses, or
24
maintains in the same manner as required under the
25
laws and regulations specified in clause (9);
26
(7) information used only for public health activities
SB0340 Engrossed
- 13 -
LRB104 06459 JRC 16495 b
1
and purposes, as described under the Code of Federal
2
Regulations, Title 45, Part 164.512;
3
(8) an activity involving the collection, maintenance,
4
disclosure, sale, communication, or use of any personal
5
data bearing on a consumer's credit worthiness, credit
6
standing, credit capacity, character, general reputation,
7
personal characteristics, or mode of living by a consumer
8
reporting agency, as defined in the United States Code,
9
Title 15, Section 1681a(f), by a furnisher of information,
10
as set forth in the United States Code, Title 15, Section
11
1681s-2, who provides information for use in a consumer
12
report, as defined in the United States Code, Title 15,
13
Section 1681a(d), and by a user of a consumer report, as
14
set forth in the United States Code, Title 15, Section
15
1681b, except that information is only excluded under this
16
paragraph to the extent that the activity involving the
17
collection, maintenance, disclosure, sale, communication,
18
or use of the information by the agency, furnisher, or
19
user is subject to regulation under the federal Fair
20
Credit Reporting Act, United States Code, Title 15,
21
Sections 1681 to 1681x, and the information is not
22
collected, maintained, used, communicated, disclosed, or
23
sold except as authorized by the Fair Credit Reporting
24
Act;
25
(9) financial institutions, their affiliates, and
26
personal data subject to the federal Gramm-Leach-Bliley
SB0340 Engrossed
- 14 -
LRB104 06459 JRC 16495 b
1
Act, Public Law 106-102, and implementing regulations;
2
(10) personal data collected, processed, sold, or
3
disclosed pursuant to the federal Driver's Privacy
4
Protection Act of 1994, United States Code, Title 18,
5
Sections 2721 to 2725, if the collection, processing,
6
sale, or disclosure is in compliance with that law;
7
(11) personal data regulated by the federal Family
8
Educational Rights and Privacy Act, United States Code,
9
Title 20, Section 1232g, and implementing regulations;
10
(12) personal data collected, processed, sold, or
11
disclosed pursuant to the federal Farm Credit Act of 1971,
12
as amended, United States Code, Title 12, Sections 2001 to
13
2279cc, and implementing regulations, Code of Federal
14
Regulations, Title 12, Part 600, if the collection,
15
processing, sale, or disclosure is in compliance with that
16
law;
17
(13) data collected or maintained:
18
(A) in the course of an individual acting as a job
19
applicant to or an employee, owner, director, officer,
20
medical staff member, or contractor of a business if
21
the data is collected and used solely within the
22
context of the role;
23
(B) as the emergency contact information of an
24
individual under item (A) if used solely for emergency
25
contact purposes; or
26
(C) that is necessary for the business to retain
SB0340 Engrossed
- 15 -
LRB104 06459 JRC 16495 b
1
to administer benefits for another individual relating
2
to the individual under item (1) if used solely for the
3
purposes of administering those benefits;
4
(14) personal data collected, processed, sold, or
5
disclosed under the Illinois Insurance Code;
6
(15) data collected, processed, sold, or disclosed as
7
part of a payment-only credit, check, or cash transaction
8
where no data about consumers, as defined in Section 11,
9
are retained;
10
(16) a State or federally chartered bank or credit
11
union, or an affiliate or subsidiary that is principally
12
engaged in financial activities, as described in the
13
United States Code, Title 12, Section 1843(k);
14
(17) information that originates from, or is
15
intermingled so as to be indistinguishable from,
16
information described in clause (8) and that a person
17
collects, processes, uses, or maintains in the same manner
18
as is required under the laws and regulations specified in
19
clause (8);
20
(18) an insurance company and an insurance producer
21
that are regulated by the State under the Illinois
22
Insurance Code, a third-party administrator of
23
self-insurance, or an affiliate or subsidiary of any
24
entity identified in this clause that is principally
25
engaged in financial activities, as described in the
26
United States Code, Title 12, Section 1843(k), except that
SB0340 Engrossed
- 16 -
LRB104 06459 JRC 16495 b
1
this clause does not apply to a person that, alone or in
2
combination with another person, establishes and maintains
3
a self-insurance program that does not otherwise engage in
4
the business of entering into policies of insurance;
5
(19) a small business, as defined by the United States
6
Small Business Administration under the Code of Federal
7
Regulations, Title 13, Part 121, except that a small
8
business identified in this clause is subject to Section
9
17;
10
(20) a nonprofit organization that is established to
11
detect and prevent fraudulent acts in connection with
12
insurance; and
13
(21) an air carrier subject to the federal Airline
14
Deregulation Act, Public Law 95-504, only to the extent
15
that an air carrier collects personal data related to
16
prices, routes, or services and only to the extent that
17
the provisions of the Airline Deregulation Act preempt the
18
requirements of this Act.
19
Controllers that are in compliance with the Children's
20
Online Privacy Protection Act, United States Code, Title 15,
21
Sections 6501 to 6506, and implementing regulations, are
22
deemed compliant with any obligation to obtain parental
23
consent under this Act.
24
Section 13.
Responsibility according to role.
25
(a) Controllers and processors are responsible for meeting
SB0340 Engrossed
- 17 -
LRB104 06459 JRC 16495 b
1
the respective obligations established under this Act.
2
(b) Processors are responsible under this Act for adhering
3
to the instructions of the controller and assisting the
4
controller to meet the controller's obligations under this
5
Act. Assistance under this subsection shall include the
6
following:
7
(1) taking into account the nature of the processing,
8
the processor shall assist the controller by appropriate
9
technical and organizational measures, insofar as this is
10
possible, for the fulfillment of the controller's
11
obligation to respond to consumer requests to exercise
12
their rights under Section 14; and
13
(2) taking into account the nature of processing and
14
the information available to the processor, the processor
15
shall assist the controller in meeting the controller's
16
obligations in relation to the security of processing the
17
personal data and in relation to the notification of a
18
breach of the security of the system under the Illinois
19
Personal Information Protection Act and provide
20
information to the controller necessary to enable the
21
controller to conduct and document any data privacy and
22
protection assessments required by Section 18.
23
(c) A contract between a controller and a processor shall
24
govern the processor's data processing procedures with respect
25
to processing performed on behalf of the controller. The
26
contract shall be binding on both parties and clearly set
SB0340 Engrossed
- 18 -
LRB104 06459 JRC 16495 b
1
forth instructions for processing data, the nature and purpose
2
of processing, the type of data subject to processing, the
3
duration of processing, and the rights and obligations of both
4
parties. The contract shall also require that the processor:
5
(1) ensure that each person processing the personal
6
data is subject to a duty of confidentiality with respect
7
to the data;
8
(2) engage a subcontractor only under a written
9
contract in accordance with this subsection (c) that
10
requires the subcontractor to meet the obligations of the
11
processor with respect to the personal data;
12
(3) at the choice of the controller, delete or return
13
all personal data to the controller as requested at the
14
end of the provision of services, unless retention of the
15
personal data is required by law;
16
(4) upon a reasonable request from the controller,
17
make available to the controller all information necessary
18
to demonstrate compliance with the obligations in this
19
Act; and
20
(5) allow for, and contribute to, reasonable
21
assessments and inspections by the controller or the
22
controller's designated assessor. Alternatively, the
23
processor may arrange for a qualified and independent
24
assessor to conduct, at least annually and at the
25
processor's expense, an assessment of the processor's
26
policies and technical and organizational measures in
SB0340 Engrossed
- 19 -
LRB104 06459 JRC 16495 b
1
support of the obligations under this Act. The assessor
2
must use an appropriate and accepted control standard or
3
framework and assessment procedure for assessments as
4
applicable and provide a report of an assessment to the
5
controller upon request.
6
(d) Taking into account the context of processing, the
7
controller and the processor shall implement appropriate
8
technical and organizational measures to ensure a level of
9
security appropriate to the risk and establish a clear
10
allocation of the responsibilities between the controller and
11
the processor to implement the technical and organizational
12
measures.
13
(e) In no event shall any contract relieve a controller or
14
a processor from the liabilities imposed on a controller or
15
processor by virtue of the controller's or processor's roles
16
in the processing relationship under this Act. Notwithstanding
17
any other provision of this Act, if a processor processes data
18
under a binding contract that sets forth the processing
19
instructions and limits the actions the processor may take
20
with respect to the data it processes on behalf of the
21
controller, the processor is not liable for the controller's
22
actions that led to a violation of this Act.
23
(f) Determining whether a person is acting as a controller
24
or processor with respect to a specific processing of data is a
25
fact-based determination that depends upon the context in
26
which personal data are to be processed. A person that is not
SB0340 Engrossed
- 20 -
LRB104 06459 JRC 16495 b
1
limited in the person's processing of personal data pursuant
2
to a controller's instructions, or that fails to adhere to a
3
controller's instructions, is a controller and not a processor
4
with respect to a specific processing of data. A processor
5
that continues to adhere to a controller's instructions with
6
respect to a specific processing of personal data remains a
7
processor. If a processor begins, alone or jointly with
8
others, determining the purposes and means of the processing
9
of personal data, the processor is a controller with respect
10
to the processing.
11
Section 14.
Consumer personal data rights.
12
(a)(1) Consumer rights provided. Except as provided in
13
this Act, a controller must comply with a request to exercise
14
the consumer rights provided in this subsection (a).
15
(2) A consumer has the right to confirm whether or not a
16
controller is processing personal data concerning the consumer
17
and access the personal data the controller is processing.
18
(3) A consumer has the right to correct inaccurate
19
personal data concerning the consumer taking into account the
20
nature of the personal data and the purposes of the processing
21
of the personal data.
22
(4) A consumer has the right to delete personal data
23
concerning the consumer.
24
(5) A consumer has the right to obtain personal data
25
concerning the consumer, which the consumer previously
SB0340 Engrossed
- 21 -
LRB104 06459 JRC 16495 b
1
provided to the controller, in a portable and, to the extent
2
technically feasible, readily usable format that allows the
3
consumer to transmit the data to another controller without
4
hindrance, where the processing is carried out by automated
5
means.
6
(6) A consumer has the right to opt out of the processing
7
of personal data concerning the consumer for purposes of: (i)
8
targeted advertising, (ii) the sale of personal data, or (iii)
9
profiling in furtherance of automated decisions that produce
10
legal effects concerning a consumer or similarly significant
11
effects concerning a consumer.
12
(7) A consumer has a right to obtain general descriptions
13
of categories of third parties to which the controller has
14
disclosed the consumer's personal data, unless such a list of
15
specific third parties is readily available to the controller.
16
(b)(1) Exercising consumer rights. A consumer may exercise
17
the rights set forth in subsection (a) by submitting a
18
request, at any time, to a controller specifying which rights
19
the consumer wishes to exercise.
20
(2) In the case of processing personal data concerning a
21
known child, the parent or legal guardian of the known child
22
may exercise the rights under this Act on the child's behalf.
23
(3) In the case of processing personal data concerning a
24
consumer legally subject to guardianship under the Probate Act
25
of 1975, the guardian of the consumer may exercise the rights
26
under this Act on the consumer's behalf.
SB0340 Engrossed
- 22 -
LRB104 06459 JRC 16495 b
1
(4) A consumer may designate another person as the
2
consumer's authorized agent to exercise the consumer's right
3
to opt out of the processing of the consumer's personal data
4
for purposes of targeted advertising and sale under subsection
5
(c)(1) on the consumer's behalf. A consumer may designate an
6
authorized agent by way of, among other things, a technology,
7
including, but not limited to, an Internet link or a browser
8
setting, browser extension, or global device setting,
9
indicating the consumer's intent to opt out of the processing.
10
A controller shall comply with an opt-out request received
11
from an authorized agent if the controller is able to verify,
12
with commercially reasonable effort, the identity of the
13
consumer and the authorized agent's authority to act on the
14
consumer's behalf.
15
(c)(1) Universal opt-out mechanisms. A controller must
16
allow a consumer to opt out of any processing of the consumer's
17
personal data for the purposes of targeted advertising,
18
profiling in furtherance of automated decisions that produce
19
legal effects concerning the consumer or any sale of the
20
consumer's personal data through an opt-out preference signal
21
sent, with the consumer's consent, by a platform, technology,
22
or mechanism to the controller indicating the consumer's
23
intent to opt out of the processing, profiling, or sale. The
24
platform, technology, or mechanism must:
25
(A) not unfairly disadvantage another controller;
26
(B) not make use of a default setting but require the
SB0340 Engrossed
- 23 -
LRB104 06459 JRC 16495 b
1
consumer to make an affirmative, freely given, and
2
unambiguous choice to opt out of the processing of the
3
consumer's personal data;
4
(C) be consumer-friendly and easy to use by the
5
average consumer;
6
(D) be as consistent as possible with any other
7
similar platform, technology, or mechanism required by any
8
federal or State law or regulation; and
9
(E) enable the controller to accurately determine
10
whether the consumer is an Illinois resident and whether
11
the consumer has made a legitimate request to opt out of
12
any sale of the consumer's personal data profiling in
13
furtherance of automated decisions that produce legal
14
effects concerning the consumer, or targeted advertising.
15
For purposes of this paragraph, the use of an Internet
16
protocol address to estimate the consumer's location is
17
sufficient to determine the consumer's residence.
18
(2) If a consumer's opt-out request is exercised through
19
the platform, technology, or mechanism required under
20
subsection (c)(1), and the request conflicts with the
21
consumer's existing controller-specific privacy setting or
22
voluntary participation in a controller's bona fide loyalty,
23
rewards, premium features, discounts, or club card program,
24
the controller must comply with the consumer's opt-out
25
preference signal but may also notify the consumer of the
26
conflict and provide the consumer a choice to confirm the
SB0340 Engrossed
- 24 -
LRB104 06459 JRC 16495 b
1
controller-specific privacy setting or participation in the
2
controller's program.
3
(3) A controller that recognizes opt-out preference
4
signals that have been approved by other state laws or
5
regulations is in compliance with this subdivision.
6
(d)(1) Controller response to consumer requests. Except as
7
provided in this Act, a controller must comply with a request
8
to exercise the rights pursuant to subsection (a).
9
(2) A controller must provide one or more secure and
10
reliable means for consumers to submit a request to exercise
11
the consumer's rights under this Section. The means made
12
available must take into account the ways in which consumers
13
interact with the controller and the need for secure and
14
reliable communication of the requests.
15
(3) A controller may not require a consumer to create a new
16
account to exercise a right, but a controller may require a
17
consumer to use an existing account to exercise the consumer's
18
rights under this Section.
19
(4) A controller must comply with a request to exercise
20
the rights under this Section as soon as feasibly possible,
21
but no later than 45 days after the receipt of the request,
22
unless the controller extends the time.
23
(5) A controller must inform a consumer of any action
24
taken on a request under subsection (b) without undue delay
25
and in any event within 45 days after the receipt of the
26
request. That period may be extended once by 45 additional
SB0340 Engrossed
- 25 -
LRB104 06459 JRC 16495 b
1
days where reasonably necessary taking into account the
2
complexity and number of the requests. The controller must
3
inform the consumer of any extension within the original
4
45-day window, together with the reasons for the delay.
5
(6) If a controller does not take action on a consumer's
6
request, the controller must inform the consumer without undue
7
delay and at the latest within 45 days after the receipt of the
8
request of the reasons for not taking action and instructions
9
for how to appeal the decision with the controller as
10
described in subsection (e).
11
(7) Information provided under this Section must be
12
provided by the controller free of charge up to twice annually
13
to the consumer. If requests from a consumer are manifestly
14
unfounded or excessive, in particular because of the
15
repetitive character of the requests, the controller may
16
either charge a reasonable fee to cover the administrative
17
costs of complying with the request or refuse to act on the
18
request. The controller bears the burden of demonstrating the
19
manifestly unfounded or excessive character of the request.
20
(8) A controller is not required to comply with a request
21
to exercise any of the rights under subsection (a), paragraphs
22
(2) to (5) and (8), if the controller is unable to authenticate
23
the request using commercially reasonable efforts. In such
24
cases, the controller may request the provision of additional
25
information reasonably necessary to authenticate the request.
26
A controller is not required to authenticate an opt-out
SB0340 Engrossed
- 26 -
LRB104 06459 JRC 16495 b
1
request, but a controller may deny an opt-out request if the
2
controller has a good faith, reasonable, and documented belief
3
that the request is fraudulent. If a controller denies an
4
opt-out request because the controller believes a request is
5
fraudulent, the controller must notify the person who made the
6
request that the request was denied because of the
7
controller's belief that the request was fraudulent and state
8
the controller's basis for that belief.
9
(9) In response to a consumer request under subsection
10
(b), a controller must not disclose the following information
11
about a consumer but must instead inform the consumer with
12
sufficient particularity that the controller has collected
13
that type of information:
14
(A) Social Security number;
15
(B) driver's license number or other government-issued
16
identification number;
17
(C) financial account number;
18
(D) health insurance account number or medical
19
identification number;
20
(E) account password, security questions, or answers;
21
or
22
(F) biometric identifiers or information.
23
(10) In response to a consumer request under subsection
24
(b), a controller is not required to reveal any trade secret.
25
(11) A controller that has obtained personal data about a
26
consumer from a source other than the consumer may comply with
SB0340 Engrossed
- 27 -
LRB104 06459 JRC 16495 b
1
a consumer's request to delete the consumer's personal data
2
pursuant to subsection (a), paragraph (4), by either:
3
(A) retaining a record of the deletion request,
4
retaining the minimum data necessary for the purpose of
5
ensuring the consumer's personal data remains deleted from
6
the business's records and not using the retained data for
7
any other purpose under the provisions of this Act; or
8
(B) opting the consumer out of the processing of
9
personal data for any purpose except for the purposes
10
exempted pursuant to the provisions of this Act.
11
(e)(1) Appeal process required. A controller must
12
establish an internal process in which a consumer may appeal a
13
refusal to take action on a request to exercise any of the
14
rights under subsection (a) within a reasonable period of time
15
after the consumer's receipt of the notice sent by the
16
controller under subsection (d), paragraph (6).
17
(2) The appeal process must be conspicuously available.
18
The process must include the ease of use provisions in
19
subsection (c)(1) applicable to submitting requests.
20
(3) Within 45 days after the receipt of an appeal, a
21
controller must inform the consumer of any action taken or not
22
taken in response to the appeal along with a written
23
explanation of the reasons in support thereof. That period may
24
be extended by 60 additional days if reasonably necessary,
25
taking into account the complexity and number of the requests
26
serving as the basis for the appeal. The controller must
SB0340 Engrossed
- 28 -
LRB104 06459 JRC 16495 b
1
inform the consumer of any extension within 45 days after the
2
receipt of the appeal together with the reasons for the delay.
3
(4) When informing a consumer of any action taken or not
4
taken in response to an appeal pursuant to paragraph (3), the
5
controller must provide a written explanation of the reasons
6
for the controller's decision and clearly and prominently
7
provide the consumer with information about how to file a
8
complaint with the Attorney General. The controller must
9
maintain records of all appeals and the controller's responses
10
for at least 24 months and shall, upon written request by the
11
Attorney General as part of an investigation, compile and
12
provide a copy of the records to the Attorney General.
13
Section 15.
Processing deidentified data or pseudonymous
14
data.
15
(a) This Act does not require a controller or processor to
16
do any of the following solely for purposes of complying with
17
this Act:
18
(1) reidentify deidentified data;
19
(2) maintain data in identifiable form, or collect,
20
obtain, retain, or access any data or technology, to be
21
capable of associating an authenticated consumer request
22
with personal data; or
23
(3) comply with an authenticated consumer request to
24
access, correct, delete, or port personal data under
25
Section 14, subsection (a), if all of the following are
SB0340 Engrossed
- 29 -
LRB104 06459 JRC 16495 b
1
true:
2
(A) the controller is not reasonably capable of
3
associating the request with the personal data, or it
4
would be unreasonably burdensome for the controller to
5
associate the request with the personal data;
6
(B) the controller does not use the personal data
7
to recognize or respond to the specific consumer who
8
is the subject of the personal data or associate the
9
personal data with other personal data about the same
10
specific consumer; and
11
(C) the controller does not sell the personal data
12
to any third party or otherwise voluntarily disclose
13
the personal data to any third party other than a
14
processor, except as otherwise permitted in this
15
Section.
16
(b) The rights contained in paragraphs (2) to (5) and (8)
17
of subsection (a) of Section 14 do not apply to pseudonymous
18
data in cases in which the controller is able to demonstrate
19
any information necessary to identify the consumer is kept
20
separately and is subject to effective technical and
21
organizational controls that prevent the controller from
22
accessing the information.
23
(c) A controller that transfers, sells, or otherwise
24
discloses pseudonymous data or deidentified data must exercise
25
reasonable oversight to monitor compliance with any
26
contractual commitments to which the pseudonymous data or
SB0340 Engrossed
- 30 -
LRB104 06459 JRC 16495 b
1
deidentified data are subject, and must take appropriate steps
2
to address any breaches of contractual commitments.
3
(d) A processor or third party must not attempt to
4
identify the subjects of deidentified or pseudonymous data
5
without the express authority of the controller that caused
6
the data to be deidentified or pseudonymized.
7
(e) A controller, processor, or third party must not
8
attempt to identify the subjects of data that has been
9
collected with only pseudonymous identifiers.
10
Section 16.
Responsibilities of controllers.
11
(a)(1) Transparency obligations. Controllers must provide
12
consumers with a reasonably accessible, clear, and meaningful
13
privacy notice that includes:
14
(A) the categories of personal data processed by the
15
controller;
16
(B) the purposes for which the categories of personal
17
data are processed;
18
(C) an explanation of the rights contained in Section
19
14 and how and where consumers may exercise those rights,
20
including how a consumer may appeal a controller's action
21
with regard to the consumer's request;
22
(D) the categories of personal data that the
23
controller sells to or shares with third parties, if any;
24
(E) the categories of third parties, if any, with whom
25
the controller sells or shares personal data;
SB0340 Engrossed
- 31 -
LRB104 06459 JRC 16495 b
1
(F) the controller's contact information, including an
2
active email address or other online mechanism that the
3
consumer may use to contact the controller;
4
(G) a description of the controller's retention
5
policies for personal data; and
6
(H) the date the privacy notice was last updated.
7
(2) If a controller sells personal data to third parties,
8
processes personal data for targeted advertising, or engages
9
in profiling in furtherance of decisions that produce legal
10
effects concerning a consumer or similarly significant effects
11
concerning a consumer, the controller must disclose the
12
processing in the privacy notice and provide access to a clear
13
and conspicuous method outside the privacy notice for a
14
consumer to opt out of the sale, processing, or profiling in
15
furtherance of decisions that produce legal effects concerning
16
a consumer or similarly significant effects concerning a
17
consumer. This method may include but is not limited to an
18
Internet hyperlink clearly labeled "Your Opt-Out Rights" or
19
"Your Privacy Rights" that directly effectuates the opt-out
20
request or takes consumers to a web page where the consumer can
21
make the opt-out request.
22
(3) The privacy notice must be made available to the
23
public in each language in which the controller provides a
24
product or service that is subject to the privacy notice or
25
carries out activities related to the product or service.
26
(4) The controller must provide the privacy notice in a
SB0340 Engrossed
- 32 -
LRB104 06459 JRC 16495 b
1
manner that is reasonably accessible to and usable by
2
individuals with disabilities.
3
(5) Whenever a controller makes a material change to the
4
controller's privacy notice or practices, the controller must
5
notify consumers affected by the material change with respect
6
to any prospectively collected personal data and provide a
7
reasonable opportunity for consumers to withdraw consent to
8
any further materially different collection, processing, or
9
transfer of previously collected personal data under the
10
changed policy. The controller shall take all reasonable
11
electronic measures to provide notification regarding material
12
changes to affected consumers, taking into account available
13
technology and the nature of the relationship.
14
(6) A controller is not required to provide a separate
15
Illinois-specific privacy notice or section of a privacy
16
notice if the controller's general privacy notice contains all
17
the information required by this Section.
18
(7) The privacy notice must be posted online through a
19
conspicuous hyperlink using the word "privacy" on the
20
controller's website home page or on a mobile application's
21
app store page or download page. A controller that maintains
22
an application on a mobile or other device shall also include a
23
hyperlink to the privacy notice in the application's settings
24
menu or in a similarly conspicuous and accessible location. A
25
controller that does not operate a website shall make the
26
privacy notice conspicuously available to consumers through a
SB0340 Engrossed
- 33 -
LRB104 06459 JRC 16495 b
1
medium regularly used by the controller to interact with
2
consumers, including, but not limited to, mail.
3
(b)(1) Use of data. A controller shall:
4
(A) limit the collection of personal data to what is
5
adequate, relevant, and reasonably necessary in relation
6
to the purposes for which the data are processed, which
7
must be disclosed to the consumer;
8
(B) not collect, process, or share sensitive data
9
concerning a consumer except when such collection,
10
processing, or transfer is strictly necessary to provide
11
or maintain a specific product or service requested by the
12
consumer to whom the sensitive data pertains. For purposes
13
of this Act, the collection and processing of specific
14
geolocation data or personal data to provide
15
transportation services by private entities regulated
16
under the Transportation Network Providers Act, is
17
strictly necessary to the extent that the private entity
18
uses the geolocation data or personal data for the sole
19
purpose of providing a service requested by the individual
20
or the use is otherwise consistent with that individual's
21
reasonable expectations considering the context in which
22
the individual provided the geolocation information to the
23
private entity. For purposes of this Act, the collection,
24
processing, and sharing of biometric identifiers and
25
information must be done in accordance with the
26
requirements of the Biometric Information Privacy Act. For
SB0340 Engrossed
- 34 -
LRB104 06459 JRC 16495 b
1
purposes of this Act, the collection, processing, and
2
sharing of genetic information must be done in accordance
3
with the Genetic Information Privacy Act. For purposes of
4
this Act, the collection, processing, and sharing of
5
students' covered information must be done in accordance
6
with the Student Online Personal Protection Act; and
7
(C) not sell sensitive data.
8
(2) Except as provided in this Act, a controller may not
9
process personal data for purposes that are not reasonably
10
necessary to, or compatible with, the purposes for which the
11
personal data are processed, as disclosed to the consumer,
12
unless the controller obtains the consumer's consent.
13
(3) A controller shall establish, implement, and maintain
14
reasonable administrative, technical, and physical data
15
security practices to protect the confidentiality, integrity,
16
and accessibility of personal data, including the maintenance
17
of an inventory of the data that must be managed to exercise
18
these responsibilities. The data security practices shall be
19
appropriate to the volume and nature of the personal data at
20
issue.
21
(4) Except as otherwise provided in this Act, a controller
22
may not process sensitive data concerning a consumer without
23
obtaining the consumer's consent, or, in the case of the
24
processing of personal data concerning a known child, without
25
obtaining consent from the child's parent or lawful guardian,
26
in accordance with the requirement of the Children's Online
SB0340 Engrossed
- 35 -
LRB104 06459 JRC 16495 b
1
Privacy Protection Act, United States Code, Title 15, Sections
2
6501 to 6506, and its implementing regulations. A controller
3
must follow the requirements of the Biometric Information
4
Privacy Act and the Genetic Information Privacy Act for
5
information covered by those Acts.
6
(5) A controller shall provide an effective mechanism for
7
a consumer, or, in the case of the processing of personal data
8
concerning a known child, the child's parent or lawful
9
guardian, to withdraw previously given consent under this
10
subsection. The mechanism provided shall be at least as easy
11
as the mechanism by which the consent was previously given.
12
Upon revocation of consent, a controller shall cease to
13
process the applicable data as soon as practicable, but no
14
later than 15 days after the receipt of the request.
15
(6) A controller may not process the personal data of a
16
consumer for purposes of targeted advertising, or sell the
17
consumer's personal data, without the consumer's consent,
18
under circumstances in which the controller knows that the
19
consumer is between the ages of 13 and 16.
20
(7) A controller may not retain personal data that is no
21
longer relevant and reasonably necessary in relation to the
22
purposes for which the data were collected and processed,
23
unless retention of the data is otherwise required by law or
24
permitted under Section 19 and in accordance with the
25
Biometric Information Privacy Act.
26
(c)(1) Nondiscrimination. A controller shall not process
SB0340 Engrossed
- 36 -
LRB104 06459 JRC 16495 b
1
personal data on the basis of a consumer's or a class of
2
consumers' actual or perceived race, color, ethnicity,
3
religion, national origin, sex, gender, gender identity,
4
sexual orientation, familial status, lawful source of income,
5
or disability in a manner that unlawfully discriminates
6
against the consumer or class of consumers.
7
(2) A controller may not discriminate against a consumer
8
for exercising any of the rights contained in this Act,
9
including denying goods or services to the consumer, charging
10
different prices or rates for goods or services, and providing
11
a different level of quality of goods and services to the
12
consumer. This subsection does not: (i) require a controller
13
to provide a good or service that requires the consumer's
14
personal data that the controller does not collect or
15
maintain; or (ii) prohibit a controller from offering a
16
different price, rate, level, quality, or selection of goods
17
or services to a consumer, including offering goods or
18
services for no fee, if the offering is in connection with a
19
consumer's voluntary participation in a bona fide loyalty,
20
rewards, premium features, discounts, or club card program if
21
that difference is reasonably related to the value provided to
22
the business by the consumer's data.
23
(d) Waiver of rights unenforceable. Any provision of a
24
contract or agreement of any kind that purports to waive or
25
limit in any way a consumer's rights under this Act is contrary
26
to public policy and is void and unenforceable.
SB0340 Engrossed
- 37 -
LRB104 06459 JRC 16495 b
1
Section 17.
Requirements for small businesses.
2
(a) A small business, as defined by the United States
3
Small Business Administration under the Code of Federal
4
Regulations, Title 13, Part 121, that conducts business in
5
Illinois or produces products or services that are targeted to
6
Illinois residents must not sell a consumer's sensitive data.
7
(b) Penalties and enforcement procedures under Section 20
8
apply to a small business that violates this Section.
9
Section 18.
Data privacy policies; data privacy and
10
protection assessments.
11
(a) A controller must document and maintain a description
12
of the policies and procedures the controller has adopted to
13
comply with this Act. The description must include, where
14
applicable:
15
(1) the name and contact information for the
16
controller's chief privacy officer or other individual
17
with primary responsibility for directing the policies and
18
procedures implemented to comply with the provisions of
19
this Act; and
20
(2) a description of the controller's data privacy
21
policies and procedures that reflect the requirements in
22
Section 16, and any policies and procedures designed to:
23
(i) reflect the requirements of this Act in the
24
design of the controller's systems;
SB0340 Engrossed
- 38 -
LRB104 06459 JRC 16495 b
1
(ii) identify and provide personal data to a
2
consumer as required by this Act;
3
(iii) establish, implement, and maintain
4
reasonable administrative, technical, and physical
5
data security practices to protect the
6
confidentiality, integrity, and accessibility of
7
personal data, including the maintenance of an
8
inventory of the data that must be managed to exercise
9
the responsibilities under this item;
10
(iv) limit the collection of personal data to what
11
is adequate, relevant, and reasonably necessary in
12
relation to the purposes for which the data are
13
processed;
14
(v) prevent the retention of personal data that is
15
no longer relevant and reasonably necessary in
16
relation to the purposes for which the data were
17
collected and processed, unless retention of the data
18
is otherwise required by law or permitted under
19
Section 19 and in accordance with the Biometric
20
Information Privacy Act; and
21
(vi) identify and remediate violations of this
22
Act.
23
(b) A controller must conduct and document a data privacy
24
and protection assessment for each of the following processing
25
activities involving personal data:
26
(1) the processing of personal data for purposes of
SB0340 Engrossed
- 39 -
LRB104 06459 JRC 16495 b
1
targeted advertising;
2
(2) the sale of personal data;
3
(3) the processing of sensitive data;
4
(4) any processing activities involving personal data
5
that present a heightened risk of harm to consumers; and
6
(5) the processing of personal data for purposes of
7
profiling, where the profiling presents a reasonably
8
foreseeable risk of:
9
(i) unfair or deceptive treatment of, or disparate
10
impact on, consumers;
11
(ii) financial, physical, or reputational injury
12
to consumers;
13
(iii) a physical or other intrusion upon the
14
solitude or seclusion, or the private affairs or
15
concerns, of consumers, where the intrusion would be
16
offensive to a reasonable person; or
17
(iv) other substantial injury to consumers.
18
(c) A data privacy and protection assessment must take
19
into account the type of personal data to be processed by the
20
controller, including the extent to which the personal data
21
are sensitive data, and the context in which the personal data
22
are to be processed.
23
(d) A data privacy and protection assessment must identify
24
and weigh the benefits that may flow directly and indirectly
25
from the processing to the controller, consumer, other
26
stakeholders, and the public against the potential risks to
SB0340 Engrossed
- 40 -
LRB104 06459 JRC 16495 b
1
the rights of the consumer associated with the processing, as
2
mitigated by safeguards that can be employed by the controller
3
to reduce the potential risks. The use of deidentified data
4
and the reasonable expectations of consumers, as well as the
5
context of the processing and the relationship between the
6
controller and the consumer whose personal data will be
7
processed, must be factored into this assessment by the
8
controller.
9
(e) A data privacy and protection assessment must include
10
the description of policies and procedures required by
11
subsection (a).
12
(f) As part of a subpoena, the Attorney General or State's
13
Attorneys may request, in writing, that a controller disclose
14
any data privacy and protection assessment that is relevant to
15
an investigation conducted by the Attorney General or State's
16
Attorneys. The controller must make a data privacy and
17
protection assessment available to the Attorney General or
18
State's Attorneys upon a request made under this subsection.
19
The Attorney General or State's Attorneys may evaluate the
20
data privacy and protection assessments for compliance with
21
this Act. Data privacy and protection assessments are
22
nonpublic data that is required by State or federal law that
23
is: (1) not about an individual; (2) not accessible by the
24
general public; and (3) accessible by the subject of the data.
25
The disclosure of a data privacy and protection assessment
26
under a request from the Attorney General or State's Attorneys
SB0340 Engrossed
- 41 -
LRB104 06459 JRC 16495 b
1
under this subsection does not constitute a waiver of the
2
attorney-client privilege or work product protection with
3
respect to the assessment and any information contained in the
4
assessment.
5
(g) Data privacy and protection assessments or risk
6
assessments conducted by a controller for the purpose of
7
compliance with other laws or regulations may qualify under
8
this Section if the assessments have a similar scope and
9
effect.
10
(h) A single data protection assessment may address
11
multiple sets of comparable processing operations that include
12
similar activities.
13
Section 19.
Limitations and applicability.
14
(a) The obligations imposed on controllers or processors
15
under this Act do not restrict a controller's or a processor's
16
ability to:
17
(1) comply with federal, State, or local laws, rules,
18
or regulations, including, but not limited to, data
19
retention requirements in State or federal law
20
notwithstanding a consumer's request to delete personal
21
data;
22
(2) comply with a civil, criminal, or regulatory
23
inquiry, investigation, subpoena, or summons by federal,
24
State, local, or other governmental authorities;
25
(3) cooperate with law enforcement agencies concerning
SB0340 Engrossed
- 42 -
LRB104 06459 JRC 16495 b
1
conduct or activity that the controller or processor
2
reasonably and in good faith believes may violate federal,
3
State, or local laws, rules, or regulations;
4
(4) investigate, establish, exercise, prepare for, or
5
defend legal claims;
6
(5) provide a product or service specifically
7
requested by a consumer; perform a contract to which the
8
consumer is a party, including fulfilling the terms of a
9
written warranty; or take steps at the request of the
10
consumer prior to entering into a contract;
11
(6) take immediate steps to protect an interest that
12
is essential for the life or physical safety of the
13
consumer or of another natural person, and if the
14
processing cannot be manifestly based on another legal
15
basis;
16
(7) prevent, detect, protect against, or respond to
17
security incidents, identity theft, fraud, harassment,
18
malicious or deceptive activities, or any illegal
19
activity; preserve the integrity or security of systems;
20
or investigate, report, or prosecute those responsible for
21
any such action;
22
(8) assist another controller, processor, or third
23
party with any of the obligations under this subsection;
24
(9) engage in public or peer-reviewed scientific,
25
historical, or statistical research in the public interest
26
that adheres to all other applicable ethics and privacy
SB0340 Engrossed
- 43 -
LRB104 06459 JRC 16495 b
1
laws and is approved, monitored, and governed by an
2
institutional review board, human subjects research ethics
3
review board, or a similar independent oversight entity
4
that has determined:
5
(A) the research is likely to provide substantial
6
benefits that do not exclusively accrue to the
7
controller;
8
(B) the expected benefits of the research outweigh
9
the privacy risks; and
10
(C) the controller has implemented reasonable
11
safeguards to mitigate privacy risks associated with
12
research, including any risks associated with
13
reidentification; or
14
(10) process personal data for the benefit of the
15
public in the areas of public health, community health, or
16
population health, but only to the extent that the
17
processing is:
18
(A) subject to suitable and specific measures to
19
safeguard the rights of the consumer whose personal
20
data is being processed; and
21
(B) under the responsibility of a professional
22
individual who is subject to confidentiality
23
obligations under federal, State, or local law.
24
(b) The obligations imposed on controllers or processors
25
under this Act do not restrict a controller's or processor's
26
ability to collect, use, or retain data to:
SB0340 Engrossed
- 44 -
LRB104 06459 JRC 16495 b
1
(1) effectuate a product recall or identify and repair
2
technical errors that impair existing or intended
3
functionality;
4
(2) perform internal operations that are reasonably
5
aligned with the expectations of the consumer based on the
6
consumer's existing relationship with the controller, or
7
are otherwise compatible with processing in furtherance of
8
the provision of a product or service specifically
9
requested by a consumer or the performance of a contract
10
to which the consumer is a party; or
11
(3) conduct internal research to develop, improve, or
12
repair products, services, or technology.
13
(c) The obligations imposed on controllers or processors
14
under this Act do not apply if compliance by the controller or
15
processor with this Act would violate an evidentiary privilege
16
under Illinois law and do not prevent a controller or
17
processor from providing personal data concerning a consumer
18
to a person covered by an evidentiary privilege under Illinois
19
law as part of a privileged communication.
20
(d) A controller or processor that discloses personal data
21
to a third-party controller or processor in compliance with
22
the requirements of this Act is not in violation of this Act if
23
the recipient processes the personal data in violation of this
24
Act, provided that at the time of disclosing the personal
25
data, the disclosing controller or processor did not have
26
actual knowledge that the recipient intended to commit a
SB0340 Engrossed
- 45 -
LRB104 06459 JRC 16495 b
1
violation. A third-party controller or processor receiving
2
personal data from a controller or processor in compliance
3
with the requirements of this Act is not in violation of this
4
Act for the obligations of the controller or processor from
5
which the third-party controller or processor receives the
6
personal data.
7
(e) Obligations imposed on controllers and processors
8
under this Act shall not:
9
(1) adversely affect the rights or freedoms of any
10
persons, including exercising the right of free speech
11
pursuant to the First Amendment of the United States
12
Constitution; or
13
(2) apply to the processing of personal data by a
14
natural person in the course of a purely personal or
15
household activity.
16
(f) Personal data that are processed by a controller
17
pursuant to this Section may be processed solely to the extent
18
that the processing is:
19
(1) necessary, reasonable, and proportionate to the
20
purposes listed in this Section;
21
(2) adequate, relevant, and limited to what is
22
necessary in relation to the specific purpose or purposes
23
listed in this Section; and
24
(3) insofar as possible, taking into account the
25
nature and purpose of processing the personal data,
26
subjected to reasonable administrative, technical, and
SB0340 Engrossed
- 46 -
LRB104 06459 JRC 16495 b
1
physical measures to protect the confidentiality,
2
integrity, and accessibility of the personal data, and to
3
reduce reasonably foreseeable risks of harm to consumers.
4
(g) If a controller processes personal data pursuant to an
5
exemption in this Section, the controller bears the burden of
6
demonstrating that the processing qualifies for the exemption
7
and complies with the requirements in subsection (f).
8
(h) Processing personal data solely for the purposes
9
expressly identified in subsection (a), clauses (1) to (7),
10
does not, by itself, make an entity a controller with respect
11
to the processing.
12
Section 20.
Enforcement.
13
(a) If a controller or processor violates this Act, the
14
Attorney General or the State's Attorney of any county in this
15
State, before filing an enforcement action under subsection
16
(b), must provide the controller or processor with a warning
17
letter identifying the specific provisions of this Act the
18
Attorney General or State's Attorney alleges have been or are
19
being violated. If, after 30 days of issuance of the warning
20
letter, the Attorney General or State's Attorney believes the
21
controller or processor has failed to cure any alleged
22
violation, the Attorney General or State's Attorney may bring
23
an enforcement action under subsection (b). This subsection
24
becomes inoperative January 1, 2029.
25
(b) The Attorney General or the State's Attorney of any
SB0340 Engrossed
- 47 -
LRB104 06459 JRC 16495 b
1
county in this State may bring an action in the name of the
2
People of this State against any person to restrain and
3
prevent any pattern or practice in violation of this Act.
4
(c) A violation of this Act constitutes an unlawful
5
practice under the Consumer Fraud and Deceptive Business
6
Practices Act. All remedies, penalties, and authority granted
7
to the Attorney General or the State's Attorney by the
8
Consumer Fraud and Deceptive Business Practices Act are
9
available to the Attorney General or the State's Attorney for
10
the enforcement of this Act.
11
(d) Any civil penalties collected from the enforcement of
12
this Act shall be deposited into the Attorney General Court
13
Ordered and Voluntary Compliance Payment Projects Fund if the
14
Attorney General commenced the action or distributed to the
15
county in which the State's Attorney commenced the action and
16
deposited into a special fund in the county treasury and
17
appropriated to the State's Attorney for use in accordance
18
with law.
19
(e) Nothing in this Act shall be construed to establish a
20
private right of action associated with violations of this
21
Act.
22
(f) Nothing in this Act shall be construed to preempt the
23
enforcement provisions in the Biometric Information Privacy
24
Act or the Genetic Information Privacy Act.
25
Section 95.
Home rule.
A unit of local government,
SB0340 Engrossed
- 48 -
LRB104 06459 JRC 16495 b
1
including a home rule unit, may not regulate consumer data
2
privacy. This Section is a denial and limitation of home rule
3
powers and functions under subsection (g) of Section 6 of
4
Article VII of the Illinois Constitution.
5
Section 97.
Severability.
If any provision of this Act or
6
its application to any person or circumstance is held invalid,
7
the invalidity of that provision or application does not
8
affect other provisions or applications of this Act that can
9
be given effect without the invalid provision or application.
10
Section 900.
The Freedom of Information Act is amended by
11
changing Section 7.5 as follows:
12
(5 ILCS 140/7.5)
13
(Text of Section before amendment by P.A. 104-441 and
14
104-457
)
15
Sec. 7.5.
Statutory exemptions.
To the extent provided for
16
by the statutes referenced below, the following shall be
17
exempt from inspection and copying:
18
(a) All information determined to be confidential
19
under Section 4002 of the Technology Advancement and
20
Development Act.
21
(b) Library circulation and order records identifying
22
library users with specific materials under the Library
23
Records Confidentiality Act.
SB0340 Engrossed
- 49 -
LRB104 06459 JRC 16495 b
1
(c) Applications, related documents, and medical
2
records received by the Experimental Organ Transplantation
3
Procedures Board and any and all documents or other
4
records prepared by the Experimental Organ Transplantation
5
Procedures Board or its staff relating to applications it
6
has received.
7
(d) Information and records held by the Department of
8
Public Health and its authorized representatives relating
9
to known or suspected cases of sexually transmitted
10
infection or any information the disclosure of which is
11
restricted under the Illinois Sexually Transmitted
12
Infection Control Act.
13
(e) Information the disclosure of which is exempted
14
under Section 30 of the Radon Industry Licensing Act.
15
(f) Firm performance evaluations under Section 55 of
16
the Architectural, Engineering, and Land Surveying
17
Qualifications Based Selection Act.
18
(g) Information the disclosure of which is restricted
19
and exempted under Section 50 of the Illinois Prepaid
20
Tuition Act.
21
(h) Information the disclosure of which is exempted
22
under the State Officials and Employees Ethics Act, and
23
records of any lawfully created State or local inspector
24
general's office that would be exempt if created or
25
obtained by an Executive Inspector General's office under
26
that Act.
SB0340 Engrossed
- 50 -
LRB104 06459 JRC 16495 b
1
(i) Information contained in a local emergency energy
2
plan submitted to a municipality in accordance with a
3
local emergency energy plan ordinance that is adopted
4
under Section 11-21.5-5 of the Illinois Municipal Code.
5
(j) Information and data concerning the distribution
6
of surcharge moneys collected and remitted by carriers
7
under the Emergency Telephone System Act.
8
(k) Law enforcement officer identification information
9
or driver identification information compiled by a law
10
enforcement agency or the Department of Transportation
11
under Section 11-212 of the Illinois Vehicle Code.
12
(l) Records and information provided to a residential
13
health care facility resident sexual assault and death
14
review team or the Executive Council under the Abuse
15
Prevention Review Team Act.
16
(m) Information provided to the predatory lending
17
database created pursuant to Article 3 of the Residential
18
Real Property Disclosure Act, except to the extent
19
authorized under that Article.
20
(n) Defense budgets and petitions for certification of
21
compensation and expenses for court appointed trial
22
counsel as provided under Sections 10 and 15 of the
23
Capital Crimes Litigation Act (repealed). This subsection
24
(n) shall apply until the conclusion of the trial of the
25
case, even if the prosecution chooses not to pursue the
26
death penalty prior to trial or sentencing.
SB0340 Engrossed
- 51 -
LRB104 06459 JRC 16495 b
1
(o) Information that is prohibited from being
2
disclosed under Section 4 of the Illinois Health and
3
Hazardous Substances Registry Act.
4
(p) Security portions of system safety program plans,
5
investigation reports, surveys, schedules, lists, data, or
6
information compiled, collected, or prepared by or for the
7
Department of Transportation under Sections 2705-300 and
8
2705-616 of the Department of Transportation Law of the
9
Civil Administrative Code of Illinois, the Regional
10
Transportation Authority under Section 2.11 of the
11
Regional Transportation Authority Act, or the St. Clair
12
County Transit District under the Bi-State Transit Safety
13
Act (repealed).
14
(q) Information prohibited from being disclosed by the
15
Personnel Record Review Act.
16
(r) Information prohibited from being disclosed by the
17
Illinois School Student Records Act.
18
(s) Information the disclosure of which is restricted
19
under Section 5-108 of the Public Utilities Act.
20
(t) (Blank).
21
(u) Records and information provided to an independent
22
team of experts under the Developmental Disability and
23
Mental Health Safety Act (also known as Brian's Law).
24
(v) Names and information of people who have applied
25
for or received Firearm Owner's Identification Cards under
26
the Firearm Owners Identification Card Act or applied for
SB0340 Engrossed
- 52 -
LRB104 06459 JRC 16495 b
1
or received a concealed carry license under the Firearm
2
Concealed Carry Act, unless otherwise authorized by the
3
Firearm Concealed Carry Act; and databases under the
4
Firearm Concealed Carry Act, records of the Concealed
5
Carry Licensing Review Board under the Firearm Concealed
6
Carry Act, and law enforcement agency objections under the
7
Firearm Concealed Carry Act.
8
(v-5) Records of the Firearm Owner's Identification
9
Card Review Board that are exempted from disclosure under
10
Section 10 of the Firearm Owners Identification Card Act.
11
(w) Personally identifiable information which is
12
exempted from disclosure under subsection (g) of Section
13
19.1 of the Toll Highway Act.
14
(x) Information which is exempted from disclosure
15
under Section 5-1014.3 of the Counties Code or Section
16
8-11-21 of the Illinois Municipal Code.
17
(y) Confidential information under the Adult
18
Protective Services Act and its predecessor enabling
19
statute, the Elder Abuse and Neglect Act, including
20
information about the identity and administrative finding
21
against any caregiver of a verified and substantiated
22
decision of abuse, neglect, or financial exploitation of
23
an eligible adult maintained in the Registry established
24
under Section 7.5 of the Adult Protective Services Act.
25
(z) Records and information provided to a fatality
26
review team or the Illinois Fatality Review Team Advisory
SB0340 Engrossed
- 53 -
LRB104 06459 JRC 16495 b
1
Council under Section 15 of the Adult Protective Services
2
Act.
3
(aa) Information which is exempted from disclosure
4
under Section 2.37 of the Wildlife Code.
5
(bb) Information which is or was prohibited from
6
disclosure by the Juvenile Court Act of 1987.
7
(cc) Recordings made under the Law Enforcement
8
Officer-Worn Body Camera Act, except to the extent
9
authorized under that Act.
10
(dd) Information that is prohibited from being
11
disclosed under Section 45 of the Condominium and Common
12
Interest Community Ombudsperson Act.
13
(ee) Information that is exempted from disclosure
14
under Section 30.1 of the Pharmacy Practice Act.
15
(ff) Information that is exempted from disclosure
16
under the Revised Uniform Unclaimed Property Act.
17
(gg) Information that is prohibited from being
18
disclosed under Section 7-603.5 of the Illinois Vehicle
19
Code.
20
(hh) Records that are exempt from disclosure under
21
Section 1A-16.7 of the Election Code.
22
(ii) Information which is exempted from disclosure
23
under Section 2505-800 of the Department of Revenue Law of
24
the Civil Administrative Code of Illinois.
25
(jj) Information and reports that are required to be
26
submitted to the Department of Labor by registering day
SB0340 Engrossed
- 54 -
LRB104 06459 JRC 16495 b
1
and temporary labor service agencies but are exempt from
2
disclosure under subsection (a-1) of Section 45 of the Day
3
and Temporary Labor Services Act.
4
(kk) Information prohibited from disclosure under the
5
Seizure and Forfeiture Reporting Act.
6
(ll) Information the disclosure of which is restricted
7
and exempted under Section 5-30.8 of the Illinois Public
8
Aid Code.
9
(mm) Records that are exempt from disclosure under
10
Section 4.2 of the Crime Victims Compensation Act.
11
(nn) Information that is exempt from disclosure under
12
Section 70 of the Higher Education Student Assistance Act.
13
(oo) Communications, notes, records, and reports
14
arising out of a peer support counseling session
15
prohibited from disclosure under the First Responders
16
Suicide Prevention Act.
17
(pp) Names and all identifying information relating to
18
an employee of an emergency services provider or law
19
enforcement agency under the First Responders Suicide
20
Prevention Act.
21
(qq) Information and records held by the Department of
22
Public Health and its authorized representatives collected
23
under the Reproductive Health Act.
24
(rr) Information that is exempt from disclosure under
25
the Cannabis Regulation and Tax Act.
26
(ss) Data reported by an employer to the Department of
SB0340 Engrossed
- 55 -
LRB104 06459 JRC 16495 b
1
Human Rights pursuant to Section 2-108 of the Illinois
2
Human Rights Act.
3
(tt) Recordings made under the Children's Advocacy
4
Center Act, except to the extent authorized under that
5
Act.
6
(uu) Information that is exempt from disclosure under
7
Section 50 of the Sexual Assault Evidence Submission Act.
8
(vv) Information that is exempt from disclosure under
9
subsections (f) and (j) of Section 5-36 of the Illinois
10
Public Aid Code.
11
(ww) Information that is exempt from disclosure under
12
Section 16.8 of the State Treasurer Act.
13
(xx) Information that is exempt from disclosure or
14
information that shall not be made public under the
15
Illinois Insurance Code.
16
(yy) Information prohibited from being disclosed under
17
the Illinois Educational Labor Relations Act.
18
(zz) Information prohibited from being disclosed under
19
the Illinois Public Labor Relations Act.
20
(aaa) Information prohibited from being disclosed
21
under Section 1-167 of the Illinois Pension Code.
22
(bbb) Information that is prohibited from disclosure
23
by the Illinois Police Training Act and the Illinois State
24
Police Act.
25
(ccc) Records exempt from disclosure under Section
26
2605-304 of the Illinois State Police Law of the Civil
SB0340 Engrossed
- 56 -
LRB104 06459 JRC 16495 b
1
Administrative Code of Illinois.
2
(ddd) Information prohibited from being disclosed
3
under Section 35 of the Address Confidentiality for
4
Victims of Domestic Violence, Sexual Assault, Human
5
Trafficking, or Stalking Act.
6
(eee) Information prohibited from being disclosed
7
under subsection (b) of Section 75 of the Domestic
8
Violence Fatality Review Act.
9
(fff) Images from cameras under the Expressway Camera
10
Act and all automated license plate reader (ALPR)
11
information used and collected by the Illinois State
12
Police. "ALPR information" means information gathered by
13
an ALPR or created from the analysis of data generated by
14
an ALPR. This subsection (fff) is inoperative on and after
15
July 1, 2028.
16
(ggg) Information prohibited from disclosure under
17
paragraph (3) of subsection (a) of Section 14 of the Nurse
18
Agency Licensing Act.
19
(hhh) Information submitted to the Illinois State
20
Police in an affidavit or application for an assault
21
weapon endorsement, assault weapon attachment endorsement,
22
.50 caliber rifle endorsement, or .50 caliber cartridge
23
endorsement under the Firearm Owners Identification Card
24
Act.
25
(iii) Data exempt from disclosure under Section 50 of
26
the School Safety Drill Act.
SB0340 Engrossed
- 57 -
LRB104 06459 JRC 16495 b
1
(jjj) Information exempt from disclosure under Section
2
30 of the Insurance Data Security Law.
3
(kkk) Confidential business information prohibited
4
from disclosure under Section 45 of the Paint Stewardship
5
Act.
6
(lll) Data exempt from disclosure under Section
7
2-3.196 of the School Code.
8
(mmm) Information prohibited from being disclosed
9
under subsection (e) of Section 1-129 of the Illinois
10
Power Agency Act.
11
(nnn) Materials received by the Department of Commerce
12
and Economic Opportunity that are confidential under the
13
Music and Musicians Tax Credit and Jobs Act.
14
(ooo) Data or information provided pursuant to Section
15
20 of the Statewide Recycling Needs and Assessment Act.
16
(ppp) Information that is exempt from disclosure under
17
Section 28-11 of the Lawful Health Care Activity Act.
18
(qqq) Information that is exempt from disclosure under
19
Section 7-101 of the Illinois Human Rights Act.
20
(rrr) Information prohibited from being disclosed
21
under Section 4-2 of the Uniform Money Transmission
22
Modernization Act.
23
(sss) Information exempt from disclosure under Section
24
40 of the Student-Athlete Endorsement Rights Act.
25
(ttt) Audio recordings made under Section 30 of the
26
Illinois State Police Act, except to the extent authorized
SB0340 Engrossed
- 58 -
LRB104 06459 JRC 16495 b
1
under that Section.
2
(uuu) Information prohibited from being disclosed
3
under Section 30-5 of the Digital Assets Regulation Act.
4
(www) Data privacy and protection assessments made
5
available to the Attorney General under Section 18 of the
6
Illinois Consumer Data Privacy Act.
7
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
8
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
9
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
10
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
11
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
12
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
13
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
14
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
15
9-10-25.)
16
(Text of Section after amendment by P.A. 104-457 but
17
before 104-441
)
18
Sec. 7.5.
Statutory exemptions.
To the extent provided for
19
by the statutes referenced below, the following shall be
20
exempt from inspection and copying:
21
(a) All information determined to be confidential
22
under Section 4002 of the Technology Advancement and
23
Development Act.
24
(b) Library circulation and order records identifying
25
library users with specific materials under the Library
SB0340 Engrossed
- 59 -
LRB104 06459 JRC 16495 b
1
Records Confidentiality Act.
2
(c) Applications, related documents, and medical
3
records received by the Experimental Organ Transplantation
4
Procedures Board and any and all documents or other
5
records prepared by the Experimental Organ Transplantation
6
Procedures Board or its staff relating to applications it
7
has received.
8
(d) Information and records held by the Department of
9
Public Health and its authorized representatives relating
10
to known or suspected cases of sexually transmitted
11
infection or any information the disclosure of which is
12
restricted under the Illinois Sexually Transmitted
13
Infection Control Act.
14
(e) Information the disclosure of which is exempted
15
under Section 30 of the Radon Industry Licensing Act.
16
(f) Firm performance evaluations under Section 55 of
17
the Architectural, Engineering, and Land Surveying
18
Qualifications Based Selection Act.
19
(g) Information the disclosure of which is restricted
20
and exempted under Section 50 of the Illinois Prepaid
21
Tuition Act.
22
(h) Information the disclosure of which is exempted
23
under the State Officials and Employees Ethics Act, and
24
records of any lawfully created State or local inspector
25
general's office that would be exempt if created or
26
obtained by an Executive Inspector General's office under
SB0340 Engrossed
- 60 -
LRB104 06459 JRC 16495 b
1
that Act.
2
(i) Information contained in a local emergency energy
3
plan submitted to a municipality in accordance with a
4
local emergency energy plan ordinance that is adopted
5
under Section 11-21.5-5 of the Illinois Municipal Code.
6
(j) Information and data concerning the distribution
7
of surcharge moneys collected and remitted by carriers
8
under the Emergency Telephone System Act.
9
(k) Law enforcement officer identification information
10
or driver identification information compiled by a law
11
enforcement agency or the Department of Transportation
12
under Section 11-212 of the Illinois Vehicle Code.
13
(l) Records and information provided to a residential
14
health care facility resident sexual assault and death
15
review team or the Executive Council under the Abuse
16
Prevention Review Team Act.
17
(m) Information provided to the predatory lending
18
database created pursuant to Article 3 of the Residential
19
Real Property Disclosure Act, except to the extent
20
authorized under that Article.
21
(n) Defense budgets and petitions for certification of
22
compensation and expenses for court appointed trial
23
counsel as provided under Sections 10 and 15 of the
24
Capital Crimes Litigation Act (repealed). This subsection
25
(n) shall apply until the conclusion of the trial of the
26
case, even if the prosecution chooses not to pursue the
SB0340 Engrossed
- 61 -
LRB104 06459 JRC 16495 b
1
death penalty prior to trial or sentencing.
2
(o) Information that is prohibited from being
3
disclosed under Section 4 of the Illinois Health and
4
Hazardous Substances Registry Act.
5
(p) Security portions of system safety program plans,
6
investigation reports, surveys, schedules, lists, data, or
7
information compiled, collected, or prepared by or for the
8
Department of Transportation under Sections 2705-300 and
9
2705-616 of the Department of Transportation Law of the
10
Civil Administrative Code of Illinois, the Northern
11
Illinois Transit Authority under Section 2.11 of the
12
Northern Illinois Transit Authority Act, or the St. Clair
13
County Transit District under the Bi-State Transit Safety
14
Act (repealed).
15
(q) Information prohibited from being disclosed by the
16
Personnel Record Review Act.
17
(r) Information prohibited from being disclosed by the
18
Illinois School Student Records Act.
19
(s) Information the disclosure of which is restricted
20
under Section 5-108 of the Public Utilities Act.
21
(t) (Blank).
22
(u) Records and information provided to an independent
23
team of experts under the Developmental Disability and
24
Mental Health Safety Act (also known as Brian's Law).
25
(v) Names and information of people who have applied
26
for or received Firearm Owner's Identification Cards under
SB0340 Engrossed
- 62 -
LRB104 06459 JRC 16495 b
1
the Firearm Owners Identification Card Act or applied for
2
or received a concealed carry license under the Firearm
3
Concealed Carry Act, unless otherwise authorized by the
4
Firearm Concealed Carry Act; and databases under the
5
Firearm Concealed Carry Act, records of the Concealed
6
Carry Licensing Review Board under the Firearm Concealed
7
Carry Act, and law enforcement agency objections under the
8
Firearm Concealed Carry Act.
9
(v-5) Records of the Firearm Owner's Identification
10
Card Review Board that are exempted from disclosure under
11
Section 10 of the Firearm Owners Identification Card Act.
12
(w) Personally identifiable information which is
13
exempted from disclosure under subsection (g) of Section
14
19.1 of the Toll Highway Act.
15
(x) Information which is exempted from disclosure
16
under Section 5-1014.3 of the Counties Code or Section
17
8-11-21 of the Illinois Municipal Code.
18
(y) Confidential information under the Adult
19
Protective Services Act and its predecessor enabling
20
statute, the Elder Abuse and Neglect Act, including
21
information about the identity and administrative finding
22
against any caregiver of a verified and substantiated
23
decision of abuse, neglect, or financial exploitation of
24
an eligible adult maintained in the Registry established
25
under Section 7.5 of the Adult Protective Services Act.
26
(z) Records and information provided to a fatality
SB0340 Engrossed
- 63 -
LRB104 06459 JRC 16495 b
1
review team or the Illinois Fatality Review Team Advisory
2
Council under Section 15 of the Adult Protective Services
3
Act.
4
(aa) Information which is exempted from disclosure
5
under Section 2.37 of the Wildlife Code.
6
(bb) Information which is or was prohibited from
7
disclosure by the Juvenile Court Act of 1987.
8
(cc) Recordings made under the Law Enforcement
9
Officer-Worn Body Camera Act, except to the extent
10
authorized under that Act.
11
(dd) Information that is prohibited from being
12
disclosed under Section 45 of the Condominium and Common
13
Interest Community Ombudsperson Act.
14
(ee) Information that is exempted from disclosure
15
under Section 30.1 of the Pharmacy Practice Act.
16
(ff) Information that is exempted from disclosure
17
under the Revised Uniform Unclaimed Property Act.
18
(gg) Information that is prohibited from being
19
disclosed under Section 7-603.5 of the Illinois Vehicle
20
Code.
21
(hh) Records that are exempt from disclosure under
22
Section 1A-16.7 of the Election Code.
23
(ii) Information which is exempted from disclosure
24
under Section 2505-800 of the Department of Revenue Law of
25
the Civil Administrative Code of Illinois.
26
(jj) Information and reports that are required to be
SB0340 Engrossed
- 64 -
LRB104 06459 JRC 16495 b
1
submitted to the Department of Labor by registering day
2
and temporary labor service agencies but are exempt from
3
disclosure under subsection (a-1) of Section 45 of the Day
4
and Temporary Labor Services Act.
5
(kk) Information prohibited from disclosure under the
6
Seizure and Forfeiture Reporting Act.
7
(ll) Information the disclosure of which is restricted
8
and exempted under Section 5-30.8 of the Illinois Public
9
Aid Code.
10
(mm) Records that are exempt from disclosure under
11
Section 4.2 of the Crime Victims Compensation Act.
12
(nn) Information that is exempt from disclosure under
13
Section 70 of the Higher Education Student Assistance Act.
14
(oo) Communications, notes, records, and reports
15
arising out of a peer support counseling session
16
prohibited from disclosure under the First Responders
17
Suicide Prevention Act.
18
(pp) Names and all identifying information relating to
19
an employee of an emergency services provider or law
20
enforcement agency under the First Responders Suicide
21
Prevention Act.
22
(qq) Information and records held by the Department of
23
Public Health and its authorized representatives collected
24
under the Reproductive Health Act.
25
(rr) Information that is exempt from disclosure under
26
the Cannabis Regulation and Tax Act.
SB0340 Engrossed
- 65 -
LRB104 06459 JRC 16495 b
1
(ss) Data reported by an employer to the Department of
2
Human Rights pursuant to Section 2-108 of the Illinois
3
Human Rights Act.
4
(tt) Recordings made under the Children's Advocacy
5
Center Act, except to the extent authorized under that
6
Act.
7
(uu) Information that is exempt from disclosure under
8
Section 50 of the Sexual Assault Evidence Submission Act.
9
(vv) Information that is exempt from disclosure under
10
subsections (f) and (j) of Section 5-36 of the Illinois
11
Public Aid Code.
12
(ww) Information that is exempt from disclosure under
13
Section 16.8 of the State Treasurer Act.
14
(xx) Information that is exempt from disclosure or
15
information that shall not be made public under the
16
Illinois Insurance Code.
17
(yy) Information prohibited from being disclosed under
18
the Illinois Educational Labor Relations Act.
19
(zz) Information prohibited from being disclosed under
20
the Illinois Public Labor Relations Act.
21
(aaa) Information prohibited from being disclosed
22
under Section 1-167 of the Illinois Pension Code.
23
(bbb) Information that is prohibited from disclosure
24
by the Illinois Police Training Act and the Illinois State
25
Police Act.
26
(ccc) Records exempt from disclosure under Section
SB0340 Engrossed
- 66 -
LRB104 06459 JRC 16495 b
1
2605-304 of the Illinois State Police Law of the Civil
2
Administrative Code of Illinois.
3
(ddd) Information prohibited from being disclosed
4
under Section 35 of the Address Confidentiality for
5
Victims of Domestic Violence, Sexual Assault, Human
6
Trafficking, or Stalking Act.
7
(eee) Information prohibited from being disclosed
8
under subsection (b) of Section 75 of the Domestic
9
Violence Fatality Review Act.
10
(fff) Images from cameras under the Expressway Camera
11
Act and all automated license plate reader (ALPR)
12
information used and collected by the Illinois State
13
Police. "ALPR information" means information gathered by
14
an ALPR or created from the analysis of data generated by
15
an ALPR. This subsection (fff) is inoperative on and after
16
July 1, 2028.
17
(ggg) Information prohibited from disclosure under
18
paragraph (3) of subsection (a) of Section 14 of the Nurse
19
Agency Licensing Act.
20
(hhh) Information submitted to the Illinois State
21
Police in an affidavit or application for an assault
22
weapon endorsement, assault weapon attachment endorsement,
23
.50 caliber rifle endorsement, or .50 caliber cartridge
24
endorsement under the Firearm Owners Identification Card
25
Act.
26
(iii) Data exempt from disclosure under Section 50 of
SB0340 Engrossed
- 67 -
LRB104 06459 JRC 16495 b
1
the School Safety Drill Act.
2
(jjj) Information exempt from disclosure under Section
3
30 of the Insurance Data Security Law.
4
(kkk) Confidential business information prohibited
5
from disclosure under Section 45 of the Paint Stewardship
6
Act.
7
(lll) Data exempt from disclosure under Section
8
2-3.196 of the School Code.
9
(mmm) Information prohibited from being disclosed
10
under subsection (e) of Section 1-129 of the Illinois
11
Power Agency Act.
12
(nnn) Materials received by the Department of Commerce
13
and Economic Opportunity that are confidential under the
14
Music and Musicians Tax Credit and Jobs Act.
15
(ooo) Data or information provided pursuant to Section
16
20 of the Statewide Recycling Needs and Assessment Act.
17
(ppp) Information that is exempt from disclosure under
18
Section 28-11 of the Lawful Health Care Activity Act.
19
(qqq) Information that is exempt from disclosure under
20
Section 7-101 of the Illinois Human Rights Act.
21
(rrr) Information prohibited from being disclosed
22
under Section 4-2 of the Uniform Money Transmission
23
Modernization Act.
24
(sss) Information exempt from disclosure under Section
25
40 of the Student-Athlete Endorsement Rights Act.
26
(ttt) Audio recordings made under Section 30 of the
SB0340 Engrossed
- 68 -
LRB104 06459 JRC 16495 b
1
Illinois State Police Act, except to the extent authorized
2
under that Section.
3
(uuu) Information prohibited from being disclosed
4
under Section 30-5 of the Digital Assets Regulation Act.
5
(www) Data privacy and protection assessments made
6
available to the Attorney General under Section 18 of the
7
Illinois Consumer Data Privacy Act.
8
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
9
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
10
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
11
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
12
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
13
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
14
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
15
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
16
6-1-26; revised 1-7-26.)
17
(Text of Section after amendment by P.A. 104-441
)
18
Sec. 7.5.
Statutory exemptions.
To the extent provided for
19
by the statutes referenced below, the following shall be
20
exempt from inspection and copying:
21
(a) All information determined to be confidential
22
under Section 4002 of the Technology Advancement and
23
Development Act.
24
(b) Library circulation and order records identifying
25
library users with specific materials under the Library
SB0340 Engrossed
- 69 -
LRB104 06459 JRC 16495 b
1
Records Confidentiality Act.
2
(c) Applications, related documents, and medical
3
records received by the Experimental Organ Transplantation
4
Procedures Board and any and all documents or other
5
records prepared by the Experimental Organ Transplantation
6
Procedures Board or its staff relating to applications it
7
has received.
8
(d) Information and records held by the Department of
9
Public Health and its authorized representatives relating
10
to known or suspected cases of sexually transmitted
11
infection or any information the disclosure of which is
12
restricted under the Illinois Sexually Transmitted
13
Infection Control Act.
14
(e) Information the disclosure of which is exempted
15
under Section 30 of the Radon Industry Licensing Act.
16
(f) Firm performance evaluations under Section 55 of
17
the Architectural, Engineering, and Land Surveying
18
Qualifications Based Selection Act.
19
(g) Information the disclosure of which is restricted
20
and exempted under Section 50 of the Illinois Prepaid
21
Tuition Act.
22
(h) Information the disclosure of which is exempted
23
under the State Officials and Employees Ethics Act, and
24
records of any lawfully created State or local inspector
25
general's office that would be exempt if created or
26
obtained by an Executive Inspector General's office under
SB0340 Engrossed
- 70 -
LRB104 06459 JRC 16495 b
1
that Act.
2
(i) Information contained in a local emergency energy
3
plan submitted to a municipality in accordance with a
4
local emergency energy plan ordinance that is adopted
5
under Section 11-21.5-5 of the Illinois Municipal Code.
6
(j) Information and data concerning the distribution
7
of surcharge moneys collected and remitted by carriers
8
under the Emergency Telephone System Act.
9
(k) Law enforcement officer identification information
10
or driver identification information compiled by a law
11
enforcement agency or the Department of Transportation
12
under Section 11-212 of the Illinois Vehicle Code.
13
(l) Records and information provided to a residential
14
health care facility resident sexual assault and death
15
review team or the Executive Council under the Abuse
16
Prevention Review Team Act.
17
(m) Information provided to the predatory lending
18
database created pursuant to Article 3 of the Residential
19
Real Property Disclosure Act, except to the extent
20
authorized under that Article.
21
(n) Defense budgets and petitions for certification of
22
compensation and expenses for court appointed trial
23
counsel as provided under Sections 10 and 15 of the
24
Capital Crimes Litigation Act (repealed). This subsection
25
(n) shall apply until the conclusion of the trial of the
26
case, even if the prosecution chooses not to pursue the
SB0340 Engrossed
- 71 -
LRB104 06459 JRC 16495 b
1
death penalty prior to trial or sentencing.
2
(o) Information that is prohibited from being
3
disclosed under Section 4 of the Illinois Health and
4
Hazardous Substances Registry Act.
5
(p) Security portions of system safety program plans,
6
investigation reports, surveys, schedules, lists, data, or
7
information compiled, collected, or prepared by or for the
8
Department of Transportation under Sections 2705-300 and
9
2705-616 of the Department of Transportation Law of the
10
Civil Administrative Code of Illinois, the Northern
11
Illinois Transit Authority under Section 2.11 of the
12
Northern Illinois Transit Authority Act, or the St. Clair
13
County Transit District under the Bi-State Transit Safety
14
Act (repealed).
15
(q) Information prohibited from being disclosed by the
16
Personnel Record Review Act.
17
(r) Information prohibited from being disclosed by the
18
Illinois School Student Records Act.
19
(s) Information the disclosure of which is restricted
20
under Section 5-108 of the Public Utilities Act.
21
(t) (Blank).
22
(u) Records and information provided to an independent
23
team of experts under the Developmental Disability and
24
Mental Health Safety Act (also known as Brian's Law).
25
(v) Names and information of people who have applied
26
for or received Firearm Owner's Identification Cards under
SB0340 Engrossed
- 72 -
LRB104 06459 JRC 16495 b
1
the Firearm Owners Identification Card Act or applied for
2
or received a concealed carry license under the Firearm
3
Concealed Carry Act, unless otherwise authorized by the
4
Firearm Concealed Carry Act; and databases under the
5
Firearm Concealed Carry Act, records of the Concealed
6
Carry Licensing Review Board under the Firearm Concealed
7
Carry Act, and law enforcement agency objections under the
8
Firearm Concealed Carry Act.
9
(v-5) Records of the Firearm Owner's Identification
10
Card Review Board that are exempted from disclosure under
11
Section 10 of the Firearm Owners Identification Card Act.
12
(w) Personally identifiable information which is
13
exempted from disclosure under subsection (g) of Section
14
19.1 of the Toll Highway Act.
15
(x) Information which is exempted from disclosure
16
under Section 5-1014.3 of the Counties Code or Section
17
8-11-21 of the Illinois Municipal Code.
18
(y) Confidential information under the Adult
19
Protective Services Act and its predecessor enabling
20
statute, the Elder Abuse and Neglect Act, including
21
information about the identity and administrative finding
22
against any caregiver of a verified and substantiated
23
decision of abuse, neglect, or financial exploitation of
24
an eligible adult maintained in the Registry established
25
under Section 7.5 of the Adult Protective Services Act.
26
(z) Records and information provided to a fatality
SB0340 Engrossed
- 73 -
LRB104 06459 JRC 16495 b
1
review team or the Illinois Fatality Review Team Advisory
2
Council under Section 15 of the Adult Protective Services
3
Act.
4
(aa) Information which is exempted from disclosure
5
under Section 2.37 of the Wildlife Code.
6
(bb) Information which is or was prohibited from
7
disclosure by the Juvenile Court Act of 1987.
8
(cc) Recordings made under the Law Enforcement
9
Officer-Worn Body Camera Act, except to the extent
10
authorized under that Act.
11
(dd) Information that is prohibited from being
12
disclosed under Section 45 of the Condominium and Common
13
Interest Community Ombudsperson Act.
14
(ee) Information that is exempted from disclosure
15
under Section 30.1 of the Pharmacy Practice Act.
16
(ff) Information that is exempted from disclosure
17
under the Revised Uniform Unclaimed Property Act.
18
(gg) Information that is prohibited from being
19
disclosed under Section 7-603.5 of the Illinois Vehicle
20
Code.
21
(hh) Records that are exempt from disclosure under
22
Section 1A-16.7 of the Election Code.
23
(ii) Information which is exempted from disclosure
24
under Section 2505-800 of the Department of Revenue Law of
25
the Civil Administrative Code of Illinois.
26
(jj) Information and reports that are required to be
SB0340 Engrossed
- 74 -
LRB104 06459 JRC 16495 b
1
submitted to the Department of Labor by registering day
2
and temporary labor service agencies but are exempt from
3
disclosure under subsection (a-1) of Section 45 of the Day
4
and Temporary Labor Services Act.
5
(kk) Information prohibited from disclosure under the
6
Seizure and Forfeiture Reporting Act.
7
(ll) Information the disclosure of which is restricted
8
and exempted under Section 5-30.8 of the Illinois Public
9
Aid Code.
10
(mm) Records that are exempt from disclosure under
11
Section 4.2 of the Crime Victims Compensation Act.
12
(nn) Information that is exempt from disclosure under
13
Section 70 of the Higher Education Student Assistance Act.
14
(oo) Communications, notes, records, and reports
15
arising out of a peer support counseling session
16
prohibited from disclosure under the First Responders
17
Suicide Prevention Act.
18
(pp) Names and all identifying information relating to
19
an employee of an emergency services provider or law
20
enforcement agency under the First Responders Suicide
21
Prevention Act.
22
(qq) Information and records held by the Department of
23
Public Health and its authorized representatives collected
24
under the Reproductive Health Act.
25
(rr) Information that is exempt from disclosure under
26
the Cannabis Regulation and Tax Act.
SB0340 Engrossed
- 75 -
LRB104 06459 JRC 16495 b
1
(ss) Data reported by an employer to the Department of
2
Human Rights pursuant to Section 2-108 of the Illinois
3
Human Rights Act.
4
(tt) Recordings made under the Children's Advocacy
5
Center Act, except to the extent authorized under that
6
Act.
7
(uu) Information that is exempt from disclosure under
8
Section 50 of the Sexual Assault Evidence Submission Act.
9
(vv) Information that is exempt from disclosure under
10
subsections (f) and (j) of Section 5-36 of the Illinois
11
Public Aid Code.
12
(ww) Information that is exempt from disclosure under
13
Section 16.8 of the State Treasurer Act.
14
(xx) Information that is exempt from disclosure or
15
information that shall not be made public under the
16
Illinois Insurance Code.
17
(yy) Information prohibited from being disclosed under
18
the Illinois Educational Labor Relations Act.
19
(zz) Information prohibited from being disclosed under
20
the Illinois Public Labor Relations Act.
21
(aaa) Information prohibited from being disclosed
22
under Section 1-167 of the Illinois Pension Code.
23
(bbb) Information that is prohibited from disclosure
24
by the Illinois Police Training Act and the Illinois State
25
Police Act.
26
(ccc) Records exempt from disclosure under Section
SB0340 Engrossed
- 76 -
LRB104 06459 JRC 16495 b
1
2605-304 of the Illinois State Police Law of the Civil
2
Administrative Code of Illinois.
3
(ddd) Information prohibited from being disclosed
4
under Section 35 of the Address Confidentiality for
5
Victims of Domestic Violence, Sexual Assault, Human
6
Trafficking, or Stalking Act.
7
(eee) Information prohibited from being disclosed
8
under subsection (b) of Section 75 of the Domestic
9
Violence Fatality Review Act.
10
(fff) Images from cameras under the Expressway Camera
11
Act and all automated license plate reader (ALPR)
12
information used and collected by the Illinois State
13
Police. "ALPR information" means information gathered by
14
an ALPR or created from the analysis of data generated by
15
an ALPR. This subsection (fff) is inoperative on and after
16
July 1, 2028.
17
(ggg) Information prohibited from disclosure under
18
paragraph (3) of subsection (a) of Section 14 of the Nurse
19
Agency Licensing Act.
20
(hhh) Information submitted to the Illinois State
21
Police in an affidavit or application for an assault
22
weapon endorsement, assault weapon attachment endorsement,
23
.50 caliber rifle endorsement, or .50 caliber cartridge
24
endorsement under the Firearm Owners Identification Card
25
Act.
26
(iii) Data exempt from disclosure under Section 50 of
SB0340 Engrossed
- 77 -
LRB104 06459 JRC 16495 b
1
the School Safety Drill Act.
2
(jjj) Information exempt from disclosure under Section
3
30 of the Insurance Data Security Law.
4
(kkk) Confidential business information prohibited
5
from disclosure under Section 45 of the Paint Stewardship
6
Act.
7
(lll) Data exempt from disclosure under Section
8
2-3.196 of the School Code.
9
(mmm) Information prohibited from being disclosed
10
under subsection (e) of Section 1-129 of the Illinois
11
Power Agency Act.
12
(nnn) Materials received by the Department of Commerce
13
and Economic Opportunity that are confidential under the
14
Music and Musicians Tax Credit and Jobs Act.
15
(ooo) Data or information provided pursuant to Section
16
20 of the Statewide Recycling Needs and Assessment Act.
17
(ppp) Information that is exempt from disclosure under
18
Section 28-11 of the Lawful Health Care Activity Act.
19
(qqq) Information that is exempt from disclosure under
20
Section 7-101 of the Illinois Human Rights Act.
21
(rrr) Information prohibited from being disclosed
22
under Section 4-2 of the Uniform Money Transmission
23
Modernization Act.
24
(sss) Information exempt from disclosure under Section
25
40 of the Student-Athlete Endorsement Rights Act.
26
(ttt) Audio recordings made under Section 30 of the
SB0340 Engrossed
- 78 -
LRB104 06459 JRC 16495 b
1
Illinois State Police Act, except to the extent authorized
2
under that Section.
3
(uuu) Information prohibited from being disclosed
4
under Section 30-5 of the Digital Assets Regulation Act.
5
(vvv)
(uuu)
Information exempt from disclosure under
6
Section 70 of the End-of-Life Options for Terminally Ill
7
Patients Act.
8
(www) Data privacy and protection assessments made
9
available to the Attorney General under Section 18 of the
10
Illinois Consumer Data Privacy Act.
11
(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
12
103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
13
8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
14
eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
15
103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
16
8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
17
eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
18
104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
19
9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)
20
Section 905.
The Consumer Fraud and Deceptive Business
21
Practices Act is amended by adding Section 2MMMM as follows:
22
(815 ILCS 505/2MMMM new)
23
Sec. 2MMMM.
Violations of the Illinois Consumer Data
24
Privacy Act.
SB0340 Engrossed
- 79 -
LRB104 06459 JRC 16495 b
1
(a) Any person who violates the Illinois Consumer Data
2
Privacy Act commits an unlawful practice within the meaning of
3
this Act.
4
(b) The provisions of Section 10a do not apply to a
5
violation of this Section.
6
Section 995.
No acceleration or delay.
Where this Act
7
makes changes in a statute that is represented in this Act by
8
text that is not yet or no longer in effect (for example, a
9
Section represented by multiple versions), the use of that
10
text does not accelerate or delay the taking effect of (i) the
11
changes made by this Act or (ii) provisions derived from any
12
other Public Act.
13
Section 999.
Effective date.
This Act takes effect January
14
1, 2027.
Footer
Disclaimer
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn