Back to Illinois

SB3241 • 2026

AGE-APPROPRIATE DESIGN CODE

AGE-APPROPRIATE DESIGN CODE

Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Sue Rezin
Last action
2026-05-22
Official status
Rule 3-9(a) / Re-referred to Assignments
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

AGE-APPROPRIATE DESIGN CODE

AGE-APPROPRIATE DESIGN CODE

What This Bill Does

  • AGE-APPROPRIATE DESIGN CODE

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-05-22 Illinois General Assembly

    Rule 3-9(a) / Re-referred to Assignments

  2. 2026-05-15 Illinois General Assembly

    Rule 2-10 Committee/3rd Reading Deadline Established As May 22, 2026

  3. 2026-05-05 Illinois General Assembly

    Added as Co-Sponsor Sen. Sally J. Turner

  4. 2026-04-24 Illinois General Assembly

    Rule 2-10 Committee/3rd Reading Deadline Established As May 15, 2026

  5. 2026-03-27 Illinois General Assembly

    Rule 2-10 Committee Deadline Established As April 24, 2026

  6. 2026-03-13 Illinois General Assembly

    Rule 2-10 Committee Deadline Established As March 27, 2026

  7. 2026-02-18 Illinois General Assembly

    To AI and Social Media

  8. 2026-02-17 Illinois General Assembly

    Assigned to Executive

  9. 2026-02-02 Illinois General Assembly

    Filed with Secretary by Sen. Sue Rezin

  10. 2026-02-02 Illinois General Assembly

    First Reading

  11. 2026-02-02 Illinois General Assembly

    Referred to Assignments

Official Summary Text

AGE-APPROPRIATE DESIGN CODE

Current Bill Text

Read the full stored bill text
Illinois General Assembly - Full Text of SB3241

Select Language

×

The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.

Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.

The English language version is always the official and authoritative version of this website.

NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.

Choose Language

English

Afrikaans

Albanian

Arabic

Armenian

Azerbaijani

Basque

Bengali

Bosnian

Catalan

Croatian

Czech

Danish

Dutch

Esperanto

Estonian

Filipino

Finnish

French

Galician

Georgian

German

Greek

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hungarian

Icelandic

Indonesian

Interlingua

Interlingue

Inuktitut

Irish

Italian

Japanese

Javanese

Kannada

Khmer

Korean

Latin

Latvian

Lithuanian

Luxembourgish

Macedonian

Malagasy

Malayalam

Maltese

Maori

Marathi

Myanmar

Nepali

Norwegian

Odia

Pashto

Punjabi

Romanian

Russian

Samoan

Sango

Sanskrit

Sardinian

Sindhi

Sinhala

Slovak

Slovenian

Somali

Southern Sotho

Spanish

Sundanese

Swahili

Swedish

Tamil

Telugu

Thai

Tigrinya

Tonga

Turkish

Ukrainian

Urdu

Vietnamese

Welsh

Xhosa

Yiddish

Yoruba

Zulu

Powered by
Translate

Close

Illinois General Assembly

Top Navigation Bar

Translate

Learn

Select General Assembly

Search the 104th General Assembly

Enter search terms for legislation, members, committees, or schedules.

ILGA.GOV

LEGISLATION & LAWS

Bills & Resolutions

Public Acts

Illinois Compiled Statutes

Illinois Constitution

Search Legislation

Glossary

Guide

Reports & Inquiry

Legislative Reports

Special Reports

FTP Site

Legislator Lookup

Capitol Complex Phone Numbers

Rules & Regulations

Illinois Register

Administrative Rules

Senate

Members

Schedules

Committees

Request for Remote Testimony

Journals

Transcripts

Rules

Audio/Video

FOIA Information

Senate Employment Opportunities

Media Guidelines

House

Members

Schedules

Committees

Submit testimony for House Committees

Journals

Transcripts

Rules

Audio/Video

FOIA Information

House Employment Opportunities

Log In

Mobile Top Bar

Search the 104th General Assembly

Enter keywords to search the Illinois General Assembly website.

Full Text of SB3241

Home

Legislation

Full Text

SB3241 - 104th General Assembly

Bill Status

Full Text

Votes

Witness Slips

Select Menu

Bill Status

Full Text

Votes

Witness Slips

Printer Friendly Version

Introduced

Printer Friendly Version

Introduced

Open PDF

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
SB3241

Introduced 2/2/2026, by Sen. Sue Rezin

SYNOPSIS AS INTRODUCED:

New Act
30 ILCS 105/5.1038 new

Creates the Illinois Age-Appropriate Design Code Act. Provides that
all covered entities that operate in the State and process children's data
in any capacity shall do so in a manner consistent with the best interests
of children. Provides that a covered entity subject to the Act shall take
specified actions to protect children's privacy in connection with online
services, products, or features, including completing a data protection
impact assessment for an online service, product, or feature that is
reasonably likely to be accessed by children; and maintain documentation
of the data protection impact assessment. Contains provisions concerning
additional requirements for covered entities; prohibited acts by covered
entities; data practices; enforcement by the Attorney General; limitations
of the Act; data protection impact assessment dates; and severability.
Amends the State Finance Act to create the Age-Appropriate Design Code
Enforcement Fund. Effective immediately.
LRB104 18753 SPS 32196 b

A BILL FOR

SB3241
LRB104 18753 SPS 32196 b
1

AN ACT concerning business.

2

Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:

4

Section 1.
Short title.
This Act may be cited as the
5
Illinois Age-Appropriate Design Code Act.

6

Section 5.
Intent.
It is the intent of the General
7
Assembly that nothing in this Act shall be construed to
8
infringe on the existing rights and freedoms of children.

9

Section 10.
Definitions.
As used in this Act:
10

"Affiliate" means a legal entity that controls, is
11
controlled by, or is under common control with, another legal
12
entity. For the purposes of this definition, "control" or
13
"controlled" means: (i) ownership of, or the power to vote,
14
more than 50% of the outstanding shares of any class of voting
15
security of a covered entity; (ii) control in any manner over
16
the election of a majority of the directors or of individuals
17
exercising similar functions; or (iii) the power to exercise a
18
controlling influence over the management of a covered entity.
19

"Age-appropriate" means a recognition of the distinct
20
needs and diversities of children at different age ranges. In
21
order to help support the design of online services, products,
22
and features, covered entities should take into account the

SB3241
- 2 -
LRB104 18753 SPS 32196 b
1
unique needs and diversities of different age ranges,
2
including the following developmental stages: 0 to 5 years of
3
age or preliterate and early literacy; 6-9 years of age or core
4
primary school years; 10 to 12 years of age or transition
5
years; 13 to 15 years of age or early teens; and 16 to 17 years
6
of age or approaching adulthood.
7

"Best interests of children" means the use, by a covered
8
entity, of the personal data of a child or the design of an
9
online service, product, or feature in a way that:
10

(1) will not benefit the covered entity to the
11

detriment of the child; and
12

(2) will not result in:
13

(A) reasonably foreseeable and material physical
14

or financial harm to the child;
15

(B) reasonably foreseeable and severe
16

psychological or emotional harm to the child;
17

(C) a highly offensive intrusion on the reasonable
18

privacy expectations of the child; or
19

(D) discrimination against the child based upon
20

race, color, religion, national origin, disability,
21

sex, or sexual orientation.
22

"Child" means a consumer who is under 18 years of age.
23

"Collect" means buying, renting, gathering, obtaining,
24
receiving, or accessing any personal data pertaining to a
25
consumer by any means. "Collect" includes receiving data from
26
the consumer, either actively or passively, or by observing

SB3241
- 3 -
LRB104 18753 SPS 32196 b
1
the consumer's behavior.
2

"Covered entity" means:
3

(1) a sole proprietorship, partnership, limited
4

liability company, corporation, association, or other
5

legal entity that is organized or operated for the profit
6

or financial benefit of its shareholders or other owners;
7

and
8

(2) an affiliate of a covered entity that shares
9

common branding with the covered entity. For the purposes
10

of this definition, "common branding" means a shared name,
11

service mark, or trademark that the average consumer would
12

understand that 2 or more entities are commonly owned.
13

For purposes of this Act, for a joint venture or
14
partnership composed of covered entities in which each covered
15
entity has at least a 40% interest, the joint venture or
16
partnership and each covered entity that composes the joint
17
venture or partnership shall separately be considered a single
18
covered entity, except that personal data in the possession of
19
each covered entity and disclosed to the joint venture or
20
partnership shall not be shared with the other covered entity.
21

"Consumer" means a natural person who is an Illinois
22
resident, however identified, including by any unique
23
identifier.
24

"Dark pattern" means a user interface designed or
25
manipulated with the purpose of subverting or impairing user
26
autonomy, decision making, or choice.

SB3241
- 4 -
LRB104 18753 SPS 32196 b
1

"Data protection impact assessment" means a systematic
2
survey to assess compliance with the duty to act in the best
3
interests of children and shall include a plan to ensure that
4
all online products, services, or features provided by the
5
covered entity are designed and offered in a manner consistent
6
with the best interests of children reasonably likely to
7
access the online product, service, or feature and a
8
description of steps the covered entity has taken and will
9
take to comply with the duty to act in the best interests of
10
children.
11

"Default" means a preselected option adopted by the
12
covered entity for the online service, product, or feature.
13

"Deidentified" means data that cannot reasonably be used
14
to infer information about, or otherwise be linked to, an
15
identified or identifiable natural person, or a device linked
16
to such person, provided that the covered entity that
17
possesses the data:
18

(1) takes reasonable measures to ensure that the data
19

cannot be associated with a natural person;
20

(2) publicly commits to maintain and use the data only
21

in a deidentified fashion and not attempt to re-identify
22

the data; and
23

(3) contractually obligates any recipients of the data
24

to comply with all provisions of this Act.
25

"Derived data" means data that is created by the
26
derivation of information, data, assumptions, correlations,

SB3241
- 5 -
LRB104 18753 SPS 32196 b
1
inferences, predictions, or conclusions from facts, evidence,
2
or another source of information or data about a child or a
3
child's device.
4

"Online service, product, or feature" does not mean any of
5
the following:
6

(1) telecommunications service, as defined in 47
7

U.S.C. 153;
8

(2) a broadband service as defined in the Public
9

Utilities Act; or
10

(3) the sale, delivery, or use of a physical product.
11

"Personal data" means any information, including derived
12
data, that is linked or reasonably linkable, alone or in
13
combination with other information, to an identified or
14
identifiable natural person. "Personal data" does not include
15
deidentified data or publicly available information. For the
16
purposes of this definition, "publicly available information"
17
means information (i) that is lawfully made available from
18
federal, State, or local government records or widely
19
distributed media; and (ii) that a controller has a reasonable
20
basis to believe a consumer has lawfully made available to the
21
general public.
22

"Precise geolocation" means any data that is derived from
23
a device and that is used or intended to be used to locate a
24
consumer within a geographic area that is equal to or less than
25
the area of a circle with a radius of 1,850 feet, except as
26
prescribed by regulations.

SB3241
- 6 -
LRB104 18753 SPS 32196 b
1

"Process" or "processing" means to conduct or direct any
2
operation or set of operations performed, whether by manual or
3
automated means, on personal data or on sets of personal data,
4
such as the collection, use, storage, disclosure, analysis,
5
deletion, modification, or otherwise handling of personal
6
data.
7

"Product experimentation results" means the data that
8
companies collect to understand the experimental impact of
9
their products.
10

"Profiling" means any form of automated processing of
11
personal data to evaluate, analyze, or predict personal
12
aspects concerning an identified or identifiable natural
13
person's economic situation, health, personal preferences,
14
interests, reliability, behavior, location, or movements.
15
"Profiling" does not include the processing of information
16
that does not result in an assessment or judgment about a
17
natural person.
18

"Reasonably likely to be accessed" means an online
19
service, product, or feature that is accessed by children
20
based on any of the following indicators:
21

(1) the online service, product, or feature is
22

directed to children, as defined by the Children's Online
23

Privacy Protection Act, 15 U.S.C. 6501 et seq., and the
24

Federal Trade Commission rules implementing that Act;
25

(2) the online service, product, or feature is
26

determined, based on competent and reliable evidence

SB3241
- 7 -
LRB104 18753 SPS 32196 b
1

regarding audience composition, to be routinely accessed
2

by a significant number of children;
3

(3) the online service, product, or feature contains
4

advertisements marketed to children;
5

(4) the online service, product, or feature is
6

substantially similar or the same as an online service,
7

product, or feature subject to paragraph (2) of this
8

definition;
9

(5) a significant amount of the audience of the online
10

service, product, or feature is determined, based on
11

internal company research, to be children; and
12

(6) the covered entity knew or should have known that
13

a significant number of users are children, provided that,
14

in making this assessment, the covered entity shall not
15

collect or process any personal data that is not
16

reasonably necessary to provide an online service,
17

product, or feature with which a child is actively and
18

knowingly engaged.
19

"Sale" or "sell" means the exchange of personal data for
20
monetary or other valuable consideration by a covered entity
21
to a third party. "Sale" or "sell" do not include the
22
following:
23

(1) the disclosure of personal data to a third party
24

who processes the personal data on behalf of the covered
25

entity;
26

(2) the disclosure of personal data to a third party

SB3241
- 8 -
LRB104 18753 SPS 32196 b
1

with whom the consumer has a direct relationship for
2

purposes of providing a product or service requested by
3

the consumer;
4

(3) the disclosure or transfer of personal data to an
5

affiliate of the covered entity;
6

(4) the disclosure of data that the consumer
7

intentionally made available to the general public via a
8

channel of mass media and did not restrict to a specific
9

audience; or
10

(5) the disclosure or transfer of personal data to a
11

third party as an asset that is part of a completed or
12

proposed merger, acquisition, bankruptcy, or other
13

transaction in which the third party assumes control of
14

all or part of the covered entity's assets.
15

"Share" means sharing, renting, releasing, disclosing,
16
disseminating, making available, transferring, or otherwise
17
communicating orally, in writing, or by electronic or other
18
means a consumer's personal data by the covered entity to a
19
third party for cross-context behavioral advertising, whether
20
or not for monetary or other valuable consideration, including
21
transactions between a covered entity and a third party for
22
cross-context behavioral advertising for the benefit of a
23
covered entity in which no money is exchanged.
24

"Third party" means a natural or legal person, public
25
authority, agency, or body other than the consumer or the
26
covered entity.

SB3241
- 9 -
LRB104 18753 SPS 32196 b
1

Section 15.
Information fiduciary.
All covered entities
2
that operate in this State and process children's data in any
3
capacity shall do so in a manner consistent with the best
4
interests of children.

5

Section 20.
Scope; exclusions.
6

(a) A covered entity operating in this State is subject to
7
the requirements of this Act if it:
8

(1) collects consumers' personal data or has
9

consumers' personal data collected on its behalf by a
10

third party;
11

(2) alone or jointly with others, determines the
12

purposes and means of the processing of consumers'
13

personal data; and
14

(3) satisfies one or more of the following thresholds:
15

(i) has annual gross revenues in excess of
16

$25,000,000, as adjusted every odd numbered year to
17

reflect the Consumer Price Index;
18

(ii) alone or in combination, annually buys,
19

receives for the covered entity's commercial purposes,
20

sells, or shares for commercial purposes, alone or in
21

combination, the personal data of 50,000 or more
22

consumers, households, or devices; or
23

(iii) derives 50% or more of its annual revenues
24

from selling consumers' personal data.

SB3241
- 10 -
LRB104 18753 SPS 32196 b
1

(b) This Act does not apply to:
2

(1) protected health information that is collected by
3

a covered entity or covered entity associate governed by
4

the privacy, security, and breach notification rules
5

issued by the United States Department of Health and Human
6

Services, 45 CFR 160 and 164, established pursuant to the
7

Health Insurance Portability and Accountability Act of
8

1996, Public Law 104-191, and the Health Information
9

Technology for Economic and Clinical Health Act, Public
10

Law 111-5;
11

(2) a covered entity governed by the privacy,
12

security, and breach notification rules issued by the
13

United States Department of Health and Human Services, 45
14

CFR 160 and 164, established pursuant to the Health
15

Insurance Portability and Accountability Act of 1996,
16

Public Law 104-191, to the extent the provider or covered
17

entity maintains patient information in the same manner as
18

medical information or protected health information as
19

described in paragraph (1); or
20

(3) information collected as part of a clinical trial
21

subject to the federal policy for the protection of human
22

subjects, also known as the common rule, pursuant to good
23

clinical practice guidelines issued by the International
24

Council for Harmonisation of Technical Requirements for
25

Pharmaceuticals for Human Use or human subject protection
26

requirements issued by the United States Food and Drug

SB3241
- 11 -
LRB104 18753 SPS 32196 b
1

Administration.

2

Section 25.
Requirements for covered entities.
3

(a) A covered entity subject to this Act shall:
4

(1) complete a data protection impact assessment for
5

an online service, product, or feature or any new online
6

service, product, or feature that is reasonably likely to
7

be accessed by children; and maintain documentation of the
8

data protection impact assessment for as long as the
9

online service, product, or feature is reasonably likely
10

to be accessed by children;
11

(2) review and modify all data protection impact
12

assessments as necessary to account for material changes
13

to processing pertaining to the online service, product,
14

or feature within 90 days after such material changes;
15

(3) within 5 business days after a written request by
16

the Attorney General, provide to the Attorney General a
17

list of all data protection impact assessments the covered
18

entity has completed;
19

(4) within 7 business days after a written request by
20

the Attorney General, provide the Attorney General with a
21

copy of any data protection impact assessment, unless the
22

Attorney General, in its discretion, extends the time
23

period for a covered entity to respond;
24

(5) configure all default privacy settings provided to
25

children by the online service, product, or feature to

SB3241
- 12 -
LRB104 18753 SPS 32196 b
1

settings that offer a high level of privacy, unless the
2

covered entity can demonstrate a compelling reason that a
3

different setting is in the best interests of children;
4

(6) provide any privacy information, terms of service,
5

policies, and community standards concisely, prominently,
6

and using clear language suited to the age of children
7

reasonably likely to access that online service, product,
8

or feature; and
9

(7) provide prominent, accessible, and responsive
10

tools to help children, or if applicable their parents or
11

guardians, exercise their privacy rights and report
12

concerns.
13

(b) A data protection impact assessment required by this
14
Section shall identify the purpose of the online service,
15
product, or feature; how it uses children's personal data; and
16
determine whether the online service, product, or feature is
17
designed and offered in an age-appropriate manner consistent
18
with the best interests of children that are reasonably likely
19
to access the online product by examining, at a minimum, the
20
following:
21

(1) whether the design of the online service, product,
22

or feature could lead to children experiencing or being
23

targeted by contacts on the online service, product, or
24

feature that would result in: reasonably foreseeable and
25

material physical or financial harm to the child;
26

reasonably foreseeable and severe psychological or

SB3241
- 13 -
LRB104 18753 SPS 32196 b
1

emotional harm to the child; a highly offensive intrusion
2

on the reasonable privacy expectations of the child; or
3

discrimination against the child based upon race, color,
4

religion, national origin, disability, sex, or sexual
5

orientation;
6

(2) whether the design of the online service, product,
7

or feature could permit children to witness, participate
8

in, or be subject to conduct on the online service,
9

product, or feature that would result in: reasonably
10

foreseeable and material physical or financial harm to the
11

child; reasonably foreseeable and severe psychological or
12

emotional harm to the child; a highly offensive intrusion
13

on the reasonable privacy expectations of the child; or
14

discrimination against the child based upon race, color,
15

religion, national origin, disability, sex, or sexual
16

orientation;
17

(3) whether the design of the online service, product,
18

or feature is reasonably expected to allow children to be
19

party to or exploited by a contract on the online service,
20

product, or feature that would result in: reasonably
21

foreseeable and material physical or financial harm to the
22

child; reasonably foreseeable and severe psychological or
23

emotional harm to the child; a highly offensive intrusion
24

on the reasonable privacy expectations of the child; or
25

discrimination against the child based upon race, color,
26

religion, national origin, disability, sex, or sexual

SB3241
- 14 -
LRB104 18753 SPS 32196 b
1

orientation;
2

(4) whether algorithms used by the product, service,
3

or feature would result in: reasonably foreseeable and
4

material physical or financial harm to the child;
5

reasonably foreseeable and severe psychological or
6

emotional harm to the child; a highly offensive intrusion
7

on the reasonable privacy expectations of the child; or
8

discrimination against the child based upon race, color,
9

religion, national origin, disability, sex, or sexual
10

orientation;
11

(5) whether targeted advertising systems used by the
12

online service, product, or feature would result in:
13

reasonably foreseeable and material physical or financial
14

harm to the child; reasonably foreseeable and severe
15

psychological or emotional harm to the child; a highly
16

offensive intrusion on the reasonable privacy expectations
17

of the child; or discrimination against the child based
18

upon race, color, religion, national origin, disability,
19

sex, or sexual orientation;
20

(6) whether the online service, product, or feature
21

uses system design features to increase, sustain, or
22

extend use of the online service, product, or feature by
23

children, including the automatic playing of media,
24

rewards for time spent, and notifications, that would
25

result in: reasonably foreseeable and material physical or
26

financial harm to the child; reasonably foreseeable and

SB3241
- 15 -
LRB104 18753 SPS 32196 b
1

severe psychological or emotional harm to the child; a
2

highly offensive intrusion on the reasonable privacy
3

expectations of the child; or discrimination against the
4

child based upon race, color, religion, national origin,
5

disability, sex, or sexual orientation; and
6

(7) whether, how, and for what purpose the online
7

product, service, or feature collects or processes
8

personal data of children, and whether those practices
9

would result in: reasonably foreseeable and material
10

physical or financial harm to the child; reasonably
11

foreseeable and severe psychological or emotional harm to
12

the child; a highly offensive intrusion on the reasonable
13

privacy expectations of the child; or discrimination
14

against the child based upon race, color, religion,
15

national origin, disability, sex, or sexual orientation;
16

and
17

(8) whether and how product experimentation results
18

for the online product, service, or feature reveal data
19

management or design practices that would result in:
20

reasonably foreseeable and material physical or financial
21

harm to the child; reasonably foreseeable and extreme
22

psychological or emotional harm to the child; a highly
23

offensive intrusion on the reasonable privacy expectations
24

of the child; or discrimination against the child based
25

upon race, color, religion, national origin, disability,
26

sex, or sexual orientation.

SB3241
- 16 -
LRB104 18753 SPS 32196 b
1

(c) A data protection impact assessment conducted by a
2
covered entity for the purpose of compliance with any other
3
law complies with this Section if the data protection impact
4
assessment meets the requirements of this Act.
5

(d) A single data protection impact assessment may contain
6
multiple similar processing operations that present similar
7
risk only if each relevant online service, product, or feature
8
is addressed.
9

(e) A company may process only the personal data
10
reasonably necessary to provide an online service, product, or
11
feature with which a child is actively and knowingly engaged
12
to estimate age.

13

Section 30.
Prohibited acts by covered entities.
A covered
14
entity that provides an online service, product, or feature
15
reasonably likely to be accessed by children shall not:
16

(1) process the personal data of any child in a way
17

that is inconsistent with the best interests of children
18

reasonably likely to access the online service, product,
19

or feature;
20

(2) profile a child by default unless:
21

(A) the covered entity can demonstrate it has
22

appropriate safeguards in place to ensure that
23

profiling is consistent with the best interests of
24

children reasonably likely to access the online
25

service, product, or feature; and

SB3241
- 17 -
LRB104 18753 SPS 32196 b
1

(B) either of the following is true:
2

(i) profiling is necessary to provide the
3

online service, product, or feature requested and
4

only with respect to the aspects of the online
5

service, product, or feature with which a child is
6

actively and knowingly engaged;
7

(ii) the covered entity can demonstrate a
8

compelling reason that profiling is in the best
9

interests of children;
10

(3) process any personal data that is not reasonably
11

necessary to provide an online service, product, or
12

feature with which a child is actively and knowingly
13

engaged;
14

(4) if the end user is a child, process personal data
15

for any reason other than a reason for which that personal
16

data was collected;
17

(5) process any precise geolocation information of
18

children by default, unless the collection of that precise
19

geolocation information is strictly necessary for the
20

covered entity to provide the service, product, or feature
21

requested and then only for the limited time that the
22

collection of precise geolocation information is necessary
23

to provide the service, product, or feature;
24

(6) process any precise geolocation information of a
25

child without providing an obvious sign to the child for
26

the duration of that collection that precise geolocation

SB3241
- 18 -
LRB104 18753 SPS 32196 b
1

information is being collected;
2

(7) use dark patterns to cause children to provide
3

personal data beyond what is reasonably expected to
4

provide that online service, product, or feature to forgo
5

privacy protections, or to take any action that the
6

covered entity knows, or has reason to know, is not in the
7

best interests of children reasonably likely to access the
8

online service, product, or feature; and
9

(8) allow a child's parent, guardian, or any other
10

consumer to monitor the child's online activity or track
11

the child's location, without providing an obvious signal
12

to the child when the child is being monitored or tracked.

13

Section 35.
Data practices.
14

(a) A data protection impact assessment collected or
15
maintained by the Attorney General under Section 25 is
16
classified as nonpublic data.
17

(b) To the extent any information contained in a data
18
protection impact assessment disclosed to the Attorney General
19
includes information subject to attorney-client privilege or
20
work product protection, disclosure does not constitute a
21
waiver of that privilege or protection.

22

Section 40.
Attorney General enforcement.
23

(a) A covered entity that violates this Act may be subject
24
to an injunction and liable for a civil penalty of not more

SB3241
- 19 -
LRB104 18753 SPS 32196 b
1
than $2,500 per affected child for each negligent violation,
2
or not more than $7,500 per affected child for each
3
intentional violation, which may be assessed or recovered only
4
in a civil action brought by the Attorney General. If the State
5
prevails in an action to enforce this Act, the State may, in
6
addition to civil penalties provided by this subsection or
7
other remedies provided by the law, be allowed an amount
8
determined by the court to be the reasonable value of all or
9
part of the State's litigation expenses incurred.
10

(b) All moneys received by the Attorney General as civil
11
penalties, fees, or other amounts under subsection (a) shall
12
be deposited into the Age-Appropriate Design Code Enforcement
13
Fund, a special fund created in the State treasury, and shall
14
be used, subject to appropriation and as directed by the
15
Attorney General, to offset costs incurred by the Attorney
16
General in connection with the enforcement of this Act.
17

(c) If a covered entity is in substantial compliance with
18
the requirements of Section 25, the Attorney General shall,
19
before initiating a civil action under this Section, provide
20
written notice to the covered entity identifying the specific
21
provisions of this Act that the Attorney General alleges have
22
been or are being violated. If, for a covered entity that
23
satisfied Section 50 or subsection (a) of Section 25 before
24
offering any new online product, service, or feature
25
reasonably likely to be accessed by children to the public,
26
within 90 days after the notice required by this subsection,

SB3241
- 20 -
LRB104 18753 SPS 32196 b
1
the covered entity cures any noticed violation and provides
2
the Attorney General a written statement that the alleged
3
violations have been cured, and sufficient measures have been
4
taken to prevent future violations, the covered entity is not
5
liable for a civil penalty for any violation cured pursuant to
6
this Act.
7

(d) Nothing in this Act shall be construed to create a
8
private right of action.

9

Section 45.
Limitations.
Nothing in this Act shall be
10
interpreted or construed to:
11

(1) impose liability in a manner that is inconsistent
12

with 47 U.S.C. 230;
13

(2) prevent or preclude any child from deliberately or
14

independently searching for, or specifically requesting,
15

content; or
16

(3) require a covered entity to implement an age
17

gating requirement.

18

Section 50.
Data protection impact assessment date.
19

(a) By January 1, 2027 a covered entity shall complete a
20
data protection impact assessment for any online service,
21
product, or feature reasonably likely to be accessed by
22
children offered to the public before January 1, 2027, unless
23
that online service, product, or feature is exempt under
24
paragraph (b).

SB3241
- 21 -
LRB104 18753 SPS 32196 b
1

(b) This Act does not apply to an online service, product,
2
or feature that is not offered to the public on or after
3
January 1, 2027.

4

Section 55.
Severability.
If any provision of this Act, or
5
an amendment made by this Act, is determined to be
6
unenforceable or invalid, the remaining provisions of this Act
7
and the amendments made by this Act shall not be affected.

8

Section 90.
The State Finance Act is amended by adding
9
Section 5.1038 as follows:

10

(30 ILCS 105/5.1038 new)
11

Sec. 5.1038.
The Age-Appropriate Design Code Enforcement
12
Fund.

13

Section 99.
Effective date.
This Act takes effect upon
14
becoming law.

Footer

Disclaimer

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.

Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn