Back to Illinois

SB3890 • 2026

CONSUMER DATA PRIVACY

CONSUMER DATA PRIVACY

Privacy
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor
Rachel Ventura
Last action
2026-05-22
Official status
Rule 3-9(a) / Re-referred to Assignments
Effective date
Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

CONSUMER DATA PRIVACY

CONSUMER DATA PRIVACY

What This Bill Does

  • CONSUMER DATA PRIVACY

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-05-22 Illinois General Assembly

    Rule 3-9(a) / Re-referred to Assignments

  2. 2026-05-15 Illinois General Assembly

    Rule 2-10 Committee/3rd Reading Deadline Established As May 22, 2026

  3. 2026-04-24 Illinois General Assembly

    Rule 2-10 Committee/3rd Reading Deadline Established As May 15, 2026

  4. 2026-03-27 Illinois General Assembly

    Rule 2-10 Committee Deadline Established As April 24, 2026

  5. 2026-03-13 Illinois General Assembly

    Rule 2-10 Committee Deadline Established As March 27, 2026

  6. 2026-02-25 Illinois General Assembly

    To AI and Social Media

  7. 2026-02-24 Illinois General Assembly

    Assigned to Executive

  8. 2026-02-06 Illinois General Assembly

    Filed with Secretary by Sen. Rachel Ventura

  9. 2026-02-06 Illinois General Assembly

    First Reading

  10. 2026-02-06 Illinois General Assembly

    Referred to Assignments

Official Summary Text

CONSUMER DATA PRIVACY

Current Bill Text

Read the full stored bill text
Illinois General Assembly - Full Text of SB3890

Select Language

×

The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.

Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.

The English language version is always the official and authoritative version of this website.

NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.

Choose Language

English

Afrikaans

Albanian

Arabic

Armenian

Azerbaijani

Basque

Bengali

Bosnian

Catalan

Croatian

Czech

Danish

Dutch

Esperanto

Estonian

Filipino

Finnish

French

Galician

Georgian

German

Greek

Gujarati

Haitian Creole

Hausa

Hawaiian

Hebrew

Hindi

Hungarian

Icelandic

Indonesian

Interlingua

Interlingue

Inuktitut

Irish

Italian

Japanese

Javanese

Kannada

Khmer

Korean

Latin

Latvian

Lithuanian

Luxembourgish

Macedonian

Malagasy

Malayalam

Maltese

Maori

Marathi

Myanmar

Nepali

Norwegian

Odia

Pashto

Punjabi

Romanian

Russian

Samoan

Sango

Sanskrit

Sardinian

Sindhi

Sinhala

Slovak

Slovenian

Somali

Southern Sotho

Spanish

Sundanese

Swahili

Swedish

Tamil

Telugu

Thai

Tigrinya

Tonga

Turkish

Ukrainian

Urdu

Vietnamese

Welsh

Xhosa

Yiddish

Yoruba

Zulu

Powered by
Translate

Close

Illinois General Assembly

Top Navigation Bar

Translate

Learn

Select General Assembly

Search the 104th General Assembly

Enter search terms for legislation, members, committees, or schedules.

ILGA.GOV

LEGISLATION & LAWS

Bills & Resolutions

Public Acts

Illinois Compiled Statutes

Illinois Constitution

Search Legislation

Glossary

Guide

Reports & Inquiry

Legislative Reports

Special Reports

FTP Site

Legislator Lookup

Capitol Complex Phone Numbers

Rules & Regulations

Illinois Register

Administrative Rules

Senate

Members

Schedules

Committees

Request for Remote Testimony

Journals

Transcripts

Rules

Audio/Video

FOIA Information

Senate Employment Opportunities

Media Guidelines

House

Members

Schedules

Committees

Submit testimony for House Committees

Journals

Transcripts

Rules

Audio/Video

FOIA Information

House Employment Opportunities

Log In

Mobile Top Bar

Search the 104th General Assembly

Enter keywords to search the Illinois General Assembly website.

Full Text of SB3890

Home

Legislation

Full Text

SB3890 - 104th General Assembly

Bill Status

Full Text

Votes

Witness Slips

Select Menu

Bill Status

Full Text

Votes

Witness Slips

Printer Friendly Version

Introduced

Printer Friendly Version

Introduced

Open PDF

104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
SB3890

Introduced 2/6/2026, by Sen. Rachel Ventura

SYNOPSIS AS INTRODUCED:

New Act
30 ILCS 105/5.1038 new
815 ILCS 530/55 new
815 ILCS 530/60 new
815 ILCS 530/65 new

Creates the Illinois Data Privacy Protection Act. Applies to legal
entities that conduct business in Illinois or produce products or services
that are targeted to Illinois residents and that satisfy one or more of the
following thresholds: during a calendar year, controls or processes
personal data of 100,000 consumers or more, excluding personal data
controlled or processed solely for the purpose of completing a payment
transaction; or derives over 25% of gross revenue from the sale of personal
data and processes or controls personal data of 25,000 consumers or more.
Requires a controller, alone or jointly with others, to consider the
purposes and means of the processing of personal data in protecting the
security of consumers while processing personal data and in notifying
consumers of a breach of the security of the system. Authorizes rights to
consumers under the Act to include, but not be limited to, the right to
access their personal data, obtain a list of third parties to whom their
data has been disclosed, request corrections to inaccurate data, and
question the profiling of their information. Authorizes the Attorney
General to enforce the Act. Amends the Personal Information Protection
Act. Provides that, annually, on or before January 31, a data broker
operating in the State must register with the Attorney General. Provides
that the Attorney General shall create a page on its Internet website in
which the registration information is accessible to the public that allows
consumers to delete their personal information across all registered data
brokers. Provides for civil penalties. Amends the State Finance Act to
create the Data Privacy Protection Fund. Makes definitions. Makes other
changes. Limits the concurrent exercise of home rule powers. Contains a
severability provision.
LRB104 19719 JRC 33169 b

A BILL FOR

SB3890
LRB104 19719 JRC 33169 b
1

AN ACT concerning civil law.

2

Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:

4

Section 10.
Short title.
This Act may be cited as the
5
Illinois Data Privacy Protection Act.

6

Section 11.
Definitions.
As used in this Act:
7

(a) "Affiliate" means a legal entity that controls, is
8
controlled by, or is under common control with another legal
9
entity. As used in this definition, "control" or "controlled"
10
means: ownership of or the power to vote more than 50% of the
11
outstanding shares of any class of voting security of a
12
company; control in any manner over the election of a majority
13
of the directors or of individuals exercising similar
14
functions; or the power to exercise a controlling influence
15
over the management of a company.
16

(b) "Authenticate" means to use reasonable means to
17
determine that a request to exercise any of the rights under
18
Section 14, subsection (1), paragraphs (b) to (h), is being
19
made by or rightfully on behalf of the consumer who is entitled
20
to exercise the rights with respect to the personal data at
21
issue.
22

(c) "Biometric data" means data generated by automatic
23
measurements of an individual's biological characteristics,

SB3890
- 2 -
LRB104 19719 JRC 33169 b
1
including a fingerprint, a voiceprint, eye retinas, irises, or
2
other unique biological patterns or characteristics that are
3
used to identify a specific individual. Biometric data does
4
not include:
5

(1) a digital or physical photograph;
6

(2) an audio or video recording; or
7

(3) any data generated from a digital or physical
8

photograph, or an audio or video recording, unless the
9

data is generated to identify a specific individual.
10

(d) "Child" has the meaning given in United States Code,
11
Title 15, Section 6501.
12

(e) "Consent" means any freely given, specific, informed,
13
and unambiguous indication of the consumer's wishes by which
14
the consumer signifies agreement to the processing of personal
15
data relating to the consumer. Acceptance of general or broad
16
terms of use or similar document that contains descriptions of
17
personal data processing along with other, unrelated
18
information does not constitute consent. Hovering over,
19
muting, pausing, or closing a given piece of content does not
20
constitute consent. A consent is not valid when the consumer's
21
indication has been obtained by a dark pattern. A consumer may
22
revoke consent previously given consistent with this Act.
23

(f) "Consumer" means a natural person who is an Illinois
24
resident acting only in an individual or household context.
25
Consumer does not include a natural person acting in a
26
commercial or employment context.

SB3890
- 3 -
LRB104 19719 JRC 33169 b
1

(g) "Controller" means the natural or legal person who,
2
alone or jointly with others, determines the purposes and
3
means of the processing of personal data.
4

(h) "Decisions that produce legal or similarly significant
5
effects concerning the consumer" means decisions made by the
6
controller that result in the provision or denial by the
7
controller of financial or lending services, housing,
8
insurance, education enrollment or opportunity, criminal
9
justice, employment opportunities, health care services, or
10
access to essential goods or services.
11

(i) "Dark pattern" means a user interface designed or
12
manipulated with the substantial effect of subverting or
13
impairing user autonomy, decision making, or choice.
14

(j) "Deidentified data" means data that cannot reasonably
15
be used to infer information about or otherwise be linked to an
16
identified or identifiable natural person or a device linked
17
to an identified or identifiable natural person, provided that
18
the controller that possesses the data:
19

(1) takes reasonable measures to ensure that the data
20

cannot be associated with a natural person;
21

(2) publicly commits to process the data only in a
22

deidentified fashion and not attempt to reidentify the
23

data; and
24

(3) contractually obligates any recipients of the
25

information to comply with all provisions of this
26

definition.

SB3890
- 4 -
LRB104 19719 JRC 33169 b
1

(k) "Delete" means to remove or destroy information so
2
that it is not maintained in human- or machine-readable form
3
and cannot be retrieved or used in the ordinary course of
4
business.
5

(l) "Genetic information" means information about an
6
identifiable individual derived from the presence, absence,
7
alteration, or mutation of a gene, or the presence or absence
8
of a specific DNA or RNA marker, which has been obtained from
9
an analysis of:
10

(1) the individual's biological information or
11

specimen; or
12

(2) the biological information or specimen of a person
13

to whom the individual is related.
14

"Genetic information" also means medical or biological
15
information collected from an individual about a particular
16
genetic condition that is or might be used to provide medical
17
care to that individual or the individual's family members.
18

(m) "Identified or identifiable natural person" means a
19
person who can be readily identified, directly or indirectly.
20

(n) "Known child" means a person under circumstances in
21
which a controller has actual knowledge of, or willfully
22
disregards, that the person is under 13 years of age.
23

(o) "Personal data" means any information that is linked
24
or reasonably linkable to an identified or identifiable
25
natural person. Personal data does not include deidentified
26
data or publicly available information. As used in this

SB3890
- 5 -
LRB104 19719 JRC 33169 b
1
definition, "publicly available information" means information
2
that (1) is lawfully made available from federal, state, or
3
local government records or widely distributed media; or (2) a
4
controller has a reasonable basis to believe has lawfully been
5
made available to the general public.
6

(p) "Process" or "processing" means any operation or set
7
of operations that are performed on personal data or on sets of
8
personal data, whether or not by automated means, including,
9
but not limited to, the collection, use, storage, disclosure,
10
analysis, deletion, or modification of personal data.
11

(q) "Processor" means a natural or legal person who
12
processes personal data on behalf of a controller.
13

(r) "Profiling" means any form of automated processing of
14
personal data to evaluate, analyze, or predict personal
15
aspects related to an identified or identifiable natural
16
person's economic situation, health, personal preferences,
17
interests, reliability, behavior, location, or movements.
18

(s) "Pseudonymous data" means personal data that cannot be
19
attributed to a specific natural person without the use of
20
additional information, provided that the additional
21
information is kept separately and is subject to appropriate
22
technical and organizational measures to ensure that the
23
personal data are not attributed to an identified or
24
identifiable natural person.
25

(t) "Sale", "sell", or "sold" means the exchange of
26
personal data for monetary or other valuable consideration by

SB3890
- 6 -
LRB104 19719 JRC 33169 b
1
the controller to a third party. "Sale" does not include the
2
following:
3

(1) the disclosure of personal data to a processor who
4

processes the personal data on behalf of the controller;
5

(2) the disclosure of personal data to a third party
6

for purposes of providing a product or service requested
7

by the consumer;
8

(3) the disclosure or transfer of personal data to an
9

affiliate of the controller;
10

(4) the disclosure of information that the consumer
11

intentionally made available to the general public via a
12

channel of mass media and did not restrict to a specific
13

audience;
14

(5) the disclosure or transfer of personal data to a
15

third party as an asset that is part of a completed or
16

proposed merger, acquisition, bankruptcy, or other
17

transaction in which the third party assumes control of
18

all or part of the controller's assets; or
19

(6) the exchange of personal data between the producer
20

of a good or service and authorized agents of the producer
21

who sell and service the goods and services to enable the
22

cooperative provisioning of goods and services by both the
23

producer and the producer's agents.
24

(u) "Sensitive data" is a form of personal data.
25
"Sensitive data" means:
26

(1) personal data revealing racial or ethnic origin,

SB3890
- 7 -
LRB104 19719 JRC 33169 b
1

religious beliefs, mental or physical health condition or
2

diagnosis, sexual orientation, or citizenship or
3

immigration status;
4

(2) the processing of biometric data or genetic
5

information for the purpose of uniquely identifying an
6

individual;
7

(3) the personal data of a known child; or
8

(4) specific geolocation data.
9

(v) "Specific geolocation data" means information derived
10
from technology, including, but not limited to, global
11
positioning system level latitude and longitude coordinates or
12
other mechanisms that directly identifies the geographic
13
coordinates of a consumer or a device linked to a consumer with
14
an accuracy of more than 3 decimal degrees of latitude and
15
longitude or the equivalent in an alternative geographic
16
coordinate system or a street address derived from the
17
coordinates. Specific geolocation data does not include the
18
content of communications, the contents of databases
19
containing street address information that are accessible to
20
the public as authorized by law, or any data generated by or
21
connected to advanced utility metering infrastructure systems
22
or other equipment for use by a public utility.
23

(w) "Targeted advertising" means displaying advertisements
24
to a consumer in which the advertisement is selected based on
25
personal data obtained or inferred from the consumer's
26
activities over time and across nonaffiliated websites or

SB3890
- 8 -
LRB104 19719 JRC 33169 b
1
online applications to predict the consumer's preferences or
2
interests. Targeted advertising does not include:
3

(1) advertising based on activities within a
4

controller's own websites or online applications;
5

(2) advertising based on the context of a consumer's
6

current search query or visit to a website or online
7

application;
8

(3) advertising to a consumer in response to the
9

consumer's request for information or feedback; or
10

(4) processing personal data solely for measuring or
11

reporting advertising performance, reach, or frequency.
12

"Technology provider" means a person who:
13

(1) contracts with a public educational agency or
14

institution, as part of a one-to-one program or otherwise,
15

to provide a school-issued device for student use; and
16

(2) creates, receives, or maintains educational data
17

pursuant or incidental to a contract with a public
18

educational agency or institution.
19

(x) "Third party" means a natural or legal person, public
20
authority, agency, or body other than the consumer,
21
controller, processor, or an affiliate of the processor or the
22
controller.
23

(y) "Trade secret" means information, including a formula,
24
pattern, compilation, program, device, method, technique, or
25
process, that:
26

(1) derives independent economic value, actual or

SB3890
- 9 -
LRB104 19719 JRC 33169 b
1

potential, from not being generally known to, and not
2

being readily ascertainable by proper means by, other
3

persons who can obtain economic value from its disclosure
4

or use, and
5

(2) is the subject of efforts that are reasonable
6

under the circumstances to maintain its secrecy.
7

The existence of a trade secret is not negated merely
8
because an employee or other person has acquired the trade
9
secret without express or specific notice that it is a trade
10
secret if, under all the circumstances, the employee or other
11
person knows or has reason to know that the owner intends or
12
expects the secrecy of the type of information comprising the
13
trade secret to be maintained.

14

Section 12.
Scope; exclusions.
15

(a)(1) Scope. This Act applies to legal entities that
16
conduct business in Illinois or produce products or services
17
that are targeted to Illinois residents, and that satisfy one
18
or more of the following thresholds:
19

(A) during a calendar year, controls or processes
20

personal data of 100,000 consumers or more, excluding
21

personal data controlled or processed solely for the
22

purpose of completing a payment transaction; or
23

(B) derives over 25% of gross revenue from the sale of
24

personal data and processes or controls personal data of
25

25,000 consumers or more.

SB3890
- 10 -
LRB104 19719 JRC 33169 b
1

(2) A controller or processor shall comply with the
2
Student Online Personal Protection Act, except that when the
3
provisions of that Act conflict with this Act, this Act
4
prevails.
5

(b) Exclusions. The provisions of this Act do not apply to
6
the following entities, activities, or types of information:
7

(1) the State, a political subdivision of the State,
8

and units of local government;
9

(2) a federally recognized Indian tribe;
10

(3) information that meets the definition of:
11

(A) protected health information, as defined by
12

and for purposes of the Health Insurance Portability
13

and Accountability Act of 1996, Public Law 104-191,
14

and related regulations;
15

(B) health records, that includes, but is not
16

limited to, any information, whether oral or recorded
17

in any form or medium, that relates to the past,
18

present, or future physical or mental health or
19

condition of a patient; the provision of health care
20

to a patient; or the past, present, or future payment
21

for the provision of health care to a patient;
22

(C) patient identifying information for purposes
23

of Code of Federal Regulations, Title 42, Part 2,
24

established pursuant to the United States Code, Title
25

42, Section 290dd-2;
26

(D) identifiable private information for purposes

SB3890
- 11 -
LRB104 19719 JRC 33169 b
1

of the federal policy for the protection of human
2

subjects, the Code of Federal Regulations, Title 45,
3

Part 46; identifiable private information that is
4

otherwise information collected as part of human
5

subjects research under the good clinical practice
6

guidelines issued by the International Council for
7

Harmonisation; the protection of human subjects under
8

the Code of Federal Regulations, Title 21, Parts 50
9

and 56; or personal data used or shared in research
10

conducted in accordance with one or more of the
11

requirements set forth in this paragraph;
12

(E) information and documents created for purposes
13

of the federal Health Care Quality Improvement Act of
14

1986, Public Law 99-660, and related regulations; or
15

(F) patient safety work product for purposes of
16

Code of Federal Regulations, Title 42, Part 3,
17

established under the United States Code, Title 42,
18

Sections 299b-21 to 299b-26;
19

(4) information that is derived from any of the health
20

care-related information listed in clause (3), but that
21

has been deidentified in accordance with the requirements
22

for deidentification set forth in the Code of Federal
23

Regulations, Title 45, Part 164;
24

(5) information originating from, and intermingled to
25

be indistinguishable with, any of the health care-related
26

information listed in clause (3) that is maintained by:

SB3890
- 12 -
LRB104 19719 JRC 33169 b
1

(A) a covered entity or business associate, as
2

defined by the Health Insurance Portability and
3

Accountability Act of 1996, Public Law 104-191, and
4

related regulations;
5

(B) a health care provider, to include, but not be
6

limited to, any public or private facility that
7

provides, on an inpatient or outpatient basis,
8

preventive, diagnostic, therapeutic, convalescent,
9

rehabilitation, mental health, or intellectual
10

disability services, including general or special
11

hospitals, skilled nursing homes, extended care
12

facilities, intermediate care facilities and mental
13

health centers; or
14

(C) a program or a qualified service organization,
15

as defined by Code of Federal Regulations, Title 42,
16

Part 2, established pursuant to United States Code,
17

Title 42, Section 290dd-2;
18

(6) information that is:
19

(A) maintained by an entity that meets the
20

definition of health care provider under the Code of
21

Federal Regulations, Title 45, Section 160.103, to the
22

extent that the entity maintains the information in
23

the manner required of covered entities with respect
24

to protected health information for purposes of the
25

Health Insurance Portability and Accountability Act of
26

1996, Public Law 104-191, and related regulations;

SB3890
- 13 -
LRB104 19719 JRC 33169 b
1

(B) included in a limited data set, as described
2

under the Code of Federal Regulations, Title 45, Part
3

164.514(e), to the extent that the information is
4

used, disclosed, and maintained in the manner
5

specified by that part;
6

(C) maintained by, or maintained to comply with
7

the rules or orders of, a self-regulatory organization
8

as defined by the United States Code, Title 15,
9

Section 78c(a)(26);
10

(D) originated from, or intermingled with,
11

information described in clause (9) and that a
12

residential mortgage originator or residential
13

mortgage servicer regulated under the Residential
14

Mortgage License Act of 1987 collects, processes,
15

uses, or maintains in the same manner as required
16

under the laws and regulations specified in paragraph
17

(9); or
18

(E) originated from, or intermingled with,
19

information described in clause (9) and that a nonbank
20

financial institution collects, processes, uses, or
21

maintains in the same manner as required under the
22

laws and regulations specified in paragraph (9);
23

(7) information used only for public health activities
24

and purposes, as described under the Code of Federal
25

Regulations, Title 45, Part 164.512;
26

(8) an activity involving the collection, maintenance,

SB3890
- 14 -
LRB104 19719 JRC 33169 b
1

disclosure, sale, communication, or use of any personal
2

data bearing on a consumer's credit worthiness, credit
3

standing, credit capacity, character, general reputation,
4

personal characteristics, or mode of living by a consumer
5

reporting agency, as defined in the United States Code,
6

Title 15, Section 1681a(f), by a furnisher of information,
7

as set forth in the United States Code, Title 15, Section
8

1681s-2, who provides information for use in a consumer
9

report, as defined in the United States Code, Title 15,
10

Section 1681a(d), and by a user of a consumer report, as
11

set forth in the United States Code, Title 15, Section
12

1681b, except that information is only excluded under this
13

paragraph to the extent that the activity involving the
14

collection, maintenance, disclosure, sale, communication,
15

or use of the information by the agency, furnisher, or
16

user is subject to regulation under the federal Fair
17

Credit Reporting Act, United States Code, Title 15,
18

Sections 1681 to 1681x, and the information is not
19

collected, maintained, used, communicated, disclosed, or
20

sold except as authorized by the Fair Credit Reporting
21

Act;
22

(9) personal data collected, processed, sold, or
23

disclosed under the federal Gramm-Leach-Bliley Act, Public
24

Law 106-102, and implementing regulations, if the
25

collection, processing, sale, or disclosure is in
26

compliance with that law;

SB3890
- 15 -
LRB104 19719 JRC 33169 b
1

(10) personal data collected, processed, sold, or
2

disclosed pursuant to the federal Driver's Privacy
3

Protection Act of 1994, United States Code, Title 18,
4

Sections 2721 to 2725, if the collection, processing,
5

sale, or disclosure is in compliance with that law;
6

(11) personal data regulated by the federal Family
7

Educational Rights and Privacy Act, United States Code,
8

Title 20, Section 1232g, and implementing regulations;
9

(12) personal data collected, processed, sold, or
10

disclosed pursuant to the federal Farm Credit Act of 1971,
11

as amended, United States Code, Title 12, Sections 2001 to
12

2279cc, and implementing regulations, Code of Federal
13

Regulations, Title 12, Part 600, if the collection,
14

processing, sale, or disclosure is in compliance with that
15

law;
16

(13) data collected or maintained:
17

(A) in the course of an individual acting as a job
18

applicant to or an employee, owner, director, officer,
19

medical staff member, or contractor of a business if
20

the data is collected and used solely within the
21

context of the role;
22

(B) as the emergency contact information of an
23

individual under subparagraph (A) if used solely for
24

emergency contact purposes; or
25

(C) that is necessary for the business to retain
26

to administer benefits for another individual relating

SB3890
- 16 -
LRB104 19719 JRC 33169 b
1

to the individual under subparagraph (A) if used
2

solely for the purposes of administering those
3

benefits;
4

(14) personal data collected, processed, sold, or
5

disclosed under the Illinois Insurance Code;
6

(15) data collected, processed, sold, or disclosed as
7

part of a payment-only credit, check, or cash transaction
8

where no data about consumers, as defined in Section 11,
9

are retained;
10

(16) a State or federally chartered bank or credit
11

union, or an affiliate or subsidiary that is principally
12

engaged in financial activities, as described in the
13

United States Code, Title 12, Section 1843(k);
14

(17) information that originates from, or is
15

intermingled so as to be indistinguishable from,
16

information described in paragraph (8) and that a person
17

collects, processes, uses, or maintains in the same manner
18

as is required under the laws and regulations specified in
19

paragraph (8);
20

(18) an insurance company and an insurance producer
21

that are regulated by the State under the Illinois
22

Insurance Code, a third-party administrator of
23

self-insurance, or an affiliate or subsidiary of any
24

entity identified in this clause that is principally
25

engaged in financial activities, as described in the
26

United States Code, Title 12, Section 1843(k), except that

SB3890
- 17 -
LRB104 19719 JRC 33169 b
1

this clause does not apply to a person that, alone or in
2

combination with another person, establishes and maintains
3

a self-insurance program that does not otherwise engage in
4

the business of entering into policies of insurance;
5

(19) a small business, as defined by the United States
6

Small Business Administration under the Code of Federal
7

Regulations, Title 13, Part 121, except that a small
8

business identified in this clause is subject to Section
9

17;
10

(20) a nonprofit organization that is established to
11

detect and prevent fraudulent acts in connection with
12

insurance; and
13

(21) an air carrier subject to the federal Airline
14

Deregulation Act, Public Law 95-504, only to the extent
15

that an air carrier collects personal data related to
16

prices, routes, or services and only to the extent that
17

the provisions of the Airline Deregulation Act preempt the
18

requirements of this Act.
19

Controllers that are in compliance with the Children's
20
Online Privacy Protection Act, United States Code, Title 15,
21
Sections 6501 to 6506, and implementing regulations, are
22
deemed compliant with any obligation to obtain parental
23
consent under this Act.

24

Section 13.
Responsibility according to role.
25

(a) Controllers and processors are responsible for meeting

SB3890
- 18 -
LRB104 19719 JRC 33169 b
1
the respective obligations established under this Act.
2

(b) Processors are responsible under this Act for adhering
3
to the instructions of the controller and assisting the
4
controller to meet the controller's obligations under this
5
Act. Assistance under this subsection shall include the
6
following:
7

(1) taking into account the nature of the processing,
8

the processor shall assist the controller by appropriate
9

technical and organizational measures, insofar as this is
10

possible, for the fulfillment of the controller's
11

obligation to respond to consumer requests to exercise
12

their rights under Section 14; and
13

(2) taking into account the nature of processing and
14

the information available to the processor, the processor
15

shall assist the controller in meeting the controller's
16

obligations in relation to the security of processing the
17

personal data and in relation to the notification of a
18

breach of the security of the system under the Illinois
19

Personal Information Protection Act and provide
20

information to the controller necessary to enable the
21

controller to conduct and document any data privacy and
22

protection assessments required by Section 18.
23

(c) A contract between a controller and a processor shall
24
govern the processor's data processing procedures with respect
25
to processing performed on behalf of the controller. The
26
contract shall be binding and clearly set forth instructions

SB3890
- 19 -
LRB104 19719 JRC 33169 b
1
for processing data, the nature and purpose of processing, the
2
type of data subject to processing, the duration of
3
processing, and the rights and obligations of both parties.
4
The contract shall also require that the processor:
5

(1) ensure that each person processing the personal
6

data is subject to a duty of confidentiality with respect
7

to the data; and
8

(2) engage a subcontractor only (i) after providing
9

the controller with an opportunity to object, and (ii)
10

pursuant to a written contract in accordance with
11

subsection (e) that requires the subcontractor to meet the
12

obligations of the processor with respect to the personal
13

data.
14

(d) Taking into account the context of processing, the
15
controller and the processor shall implement appropriate
16
technical and organizational measures to ensure a level of
17
security appropriate to the risk and establish a clear
18
allocation of the responsibilities between the controller and
19
the processor to implement the technical and organizational
20
measures.
21

(e) Processing by a processor shall be governed by a
22
contract between the controller and the processor that is
23
binding on both parties and that sets out the processing
24
instructions to which the processor is bound, including the
25
nature and purpose of the processing, the type of personal
26
data subject to the processing, the duration of the

SB3890
- 20 -
LRB104 19719 JRC 33169 b
1
processing, and the obligations and rights of both parties.
2
The contract shall include the requirements imposed by this
3
subsection, subsections (c) and (d), as well as the following
4
requirements:
5

(1) at the choice of the controller, the processor
6

shall delete or return all personal data to the controller
7

as requested at the end of the provision of services,
8

unless retention of the personal data is required by law;
9

(2) upon a reasonable request from the controller, the
10

processor shall make available to the controller all
11

information necessary to demonstrate compliance with the
12

obligations in this Act; and
13

(3) the processor shall allow for, and contribute to,
14

reasonable assessments and inspections by the controller
15

or the controller's designated assessor. Alternatively,
16

the processor may arrange for a qualified and independent
17

assessor to conduct, at least annually and at the
18

processor's expense, an assessment of the processor's
19

policies and technical and organizational measures in
20

support of the obligations under this Act. The assessor
21

must use an appropriate and accepted control standard or
22

framework and assessment procedure for assessments as
23

applicable, and shall provide a report of an assessment to
24

the controller upon request.
25

(f) In no event shall any contract relieve a controller or
26
a processor from the liabilities imposed on a controller or

SB3890
- 21 -
LRB104 19719 JRC 33169 b
1
processor by virtue of the controller's or processor's roles
2
in the processing relationship under this Act.
3

(g) Determining whether a person is acting as a controller
4
or processor with respect to a specific processing of data is a
5
fact-based determination that depends upon the context in
6
which personal data are to be processed. A person that is not
7
limited in the person's processing of personal data pursuant
8
to a controller's instructions, or that fails to adhere to a
9
controller's instructions, is a controller and not a processor
10
with respect to a specific processing of data. A processor
11
that continues to adhere to a controller's instructions with
12
respect to a specific processing of personal data remains a
13
processor. If a processor begins, alone or jointly with
14
others, determining the purposes and means of the processing
15
of personal data, the processor is a controller with respect
16
to the processing.

17

Section 14.
Consumer personal data rights.
18

(a)(1) Consumer rights provided. Except as provided in
19
this Act, a controller must comply with a request to exercise
20
the consumer rights provided in this subdivision.
21

(2) A consumer has the right to confirm whether or not a
22
controller is processing personal data concerning the consumer
23
and access the categories of personal data the controller is
24
processing.
25

(3) A consumer has the right to correct inaccurate

SB3890
- 22 -
LRB104 19719 JRC 33169 b
1
personal data concerning the consumer taking into account the
2
nature of the personal data and the purposes of the processing
3
of the personal data.
4

(4) A consumer has the right to delete personal data
5
concerning the consumer.
6

(5) A consumer has the right to obtain personal data
7
concerning the consumer, which the consumer previously
8
provided to the controller, in a portable and, to the extent
9
technically feasible, readily usable format that allows the
10
consumer to transmit the data to another controller without
11
hindrance, where the processing is carried out by automated
12
means.
13

(6) A consumer has the right to opt out of the processing
14
of personal data concerning the consumer for purposes of
15
targeted advertising, the sale of personal data, or profiling
16
in furtherance of automated decisions that produce legal
17
effects concerning a consumer or similarly significant effects
18
concerning a consumer.
19

(7) If a consumer's personal data is profiled in
20
furtherance of decisions that produce legal effects concerning
21
a consumer or similarly significant effects concerning a
22
consumer, the consumer has the right to question the result of
23
the profiling, to be informed of the reason that the profiling
24
resulted in the decision, and, if feasible, to be informed of
25
what actions the consumer might have taken to secure a
26
different decision and the actions that the consumer might

SB3890
- 23 -
LRB104 19719 JRC 33169 b
1
take to secure a different decision in the future. The
2
consumer has the right to review the consumer's personal data
3
used in the profiling. If the decision is determined to have
4
been based upon inaccurate personal data taking into account
5
the nature of the personal data and the purposes of the
6
processing of the personal data, the consumer has the right to
7
have the data corrected and the profiling decision reevaluated
8
based upon the corrected data.
9

(8) A consumer has a right to obtain a list of the specific
10
third parties to which the controller has disclosed the
11
consumer's personal data. If the controller does not maintain
12
the information in a format specific to the consumer, a list of
13
specific third parties to whom the controller has disclosed
14
any consumers' personal data may be provided instead.
15

(b)(1) Exercising consumer rights. A consumer may exercise
16
the rights set forth in this Section by submitting a request,
17
at any time, to a controller specifying which rights the
18
consumer wishes to exercise.
19

(2) In the case of processing personal data concerning a
20
known child, the parent or legal guardian of the known child
21
may exercise the rights under this Act on the child's behalf.
22

(3) In the case of processing personal data concerning a
23
consumer legally subject to guardianship under the Probate Act
24
of 1975, the guardian of the consumer may exercise the rights
25
under this Act on the consumer's behalf.
26

(4) A consumer may designate another person as the

SB3890
- 24 -
LRB104 19719 JRC 33169 b
1
consumer's authorized agent to exercise the consumer's right
2
to opt out of the processing of the consumer's personal data
3
for purposes of targeted advertising and sale under paragraph
4
(6), on the consumer's behalf. A consumer may designate an
5
authorized agent by way of, among other things, a technology,
6
including, but not limited to, an Internet link or a browser
7
setting, browser extension, or global device setting,
8
indicating the consumer's intent to opt out of the processing.
9
A controller shall comply with an opt-out request received
10
from an authorized agent if the controller is able to verify,
11
with commercially reasonable effort, the identity of the
12
consumer and the authorized agent's authority to act on the
13
consumer's behalf.
14

(c)(1) Universal opt-out mechanisms. A controller must
15
allow a consumer to opt out of any processing of the consumer's
16
personal data for the purposes of targeted advertising, or any
17
sale of the consumer's personal data through an opt-out
18
preference signal sent, with the consumer's consent, by a
19
platform, technology, or mechanism to the controller
20
indicating the consumer's intent to opt out of the processing
21
or sale. The platform, technology, or mechanism must:
22

(A) not unfairly disadvantage another controller;
23

(B) not make use of a default setting but require the
24

consumer to make an affirmative, freely given, and
25

unambiguous choice to opt out of the processing of the
26

consumer's personal data;

SB3890
- 25 -
LRB104 19719 JRC 33169 b
1

(C) be consumer-friendly and easy to use by the
2

average consumer;
3

(D) be as consistent as possible with any other
4

similar platform, technology, or mechanism required by any
5

federal or State law or regulation; and
6

(E) enable the controller to accurately determine
7

whether the consumer is an Illinois resident and whether
8

the consumer has made a legitimate request to opt out of
9

any sale of the consumer's personal data or targeted
10

advertising. For purposes of this paragraph, the use of an
11

Internet protocol address to estimate the consumer's
12

location is sufficient to determine the consumer's
13

residence.
14

(2) If a consumer's opt-out request is exercised through
15
the platform, technology, or mechanism required under
16
paragraph (a), and the request conflicts with the consumer's
17
existing controller-specific privacy setting or voluntary
18
participation in a controller's bona fide loyalty, rewards,
19
premium features, discounts, or club card program, the
20
controller must comply with the consumer's opt-out preference
21
signal but may also notify the consumer of the conflict and
22
provide the consumer a choice to confirm the
23
controller-specific privacy setting or participation in the
24
controller's program.
25

(3) The platform, technology, or mechanism required under
26
paragraph (a) is subject to the requirements of subdivision 4.

SB3890
- 26 -
LRB104 19719 JRC 33169 b
1

(4) A controller that recognizes opt-out preference
2
signals that have been approved by other state laws or
3
regulations is in compliance with this subdivision.
4

(d)(1) Except as provided in this Act, a controller must
5
comply with a request to exercise the rights under this
6
Section.
7

(2) A controller must provide one or more secure and
8
reliable means for consumers to submit a request to exercise
9
the consumer's rights under this Section. The means made
10
available must take into account the ways in which consumers
11
interact with the controller and the need for secure and
12
reliable communication of the requests.
13

(3) A controller may not require a consumer to create a new
14
account to exercise a right, but a controller may require a
15
consumer to use an existing account to exercise the consumer's
16
rights under this Section.
17

(4) A controller must comply with a request to exercise
18
the right in this Section, as soon as feasibly possible, but no
19
later than 45 days of receipt of the request.
20

(5) A controller must inform a consumer of any action
21
taken on a request under this Section without undue delay and
22
in any event within 45 days of receipt of the request. That
23
period may be extended once by 45 additional days where
24
reasonably necessary, taking into account the complexity and
25
number of the requests. The controller must inform the
26
consumer of any extension within 45 days of receipt of the

SB3890
- 27 -
LRB104 19719 JRC 33169 b
1
request, together with the reasons for the delay.
2

(6) If a controller does not take action on a consumer's
3
request, the controller must inform the consumer without undue
4
delay and at the latest within 45 days of receipt of the
5
request of the reasons for not taking action and instructions
6
for how to appeal the decision with the controller as
7
described in this Section.
8

(7) Information provided under this Section must be
9
provided by the controller free of charge up to twice annually
10
to the consumer. If requests from a consumer are manifestly
11
unfounded or excessive, in particular because of the
12
repetitive character of the requests, the controller may
13
either charge a reasonable fee to cover the administrative
14
costs of complying with the request or refuse to act on the
15
request. The controller bears the burden of demonstrating the
16
manifestly unfounded or excessive character of the request.
17

(8) A controller is not required to comply with a request
18
to exercise any of the rights under this Section, if the
19
controller is unable to authenticate the request using
20
commercially reasonable efforts. In such cases, the controller
21
may request the provision of additional information reasonably
22
necessary to authenticate the request. A controller is not
23
required to authenticate an opt-out request, but a controller
24
may deny an opt-out request if the controller has a good faith,
25
reasonable, and documented belief that the request is
26
fraudulent. If a controller denies an opt-out request because

SB3890
- 28 -
LRB104 19719 JRC 33169 b
1
the controller believes a request is fraudulent, the
2
controller must notify the person who made the request that
3
the request was denied because of the controller's belief that
4
the request was fraudulent and state the controller's basis
5
for that belief.
6

(9) In response to a consumer request under this Section,
7
a controller must not disclose the following information about
8
a consumer but must instead inform the consumer with
9
sufficient particularity that the controller has collected
10
that type of information:
11

(A) Social Security number;
12

(B) driver's license number or other government-issued
13

identification number;
14

(C) financial account number;
15

(D) health insurance account number or medical
16

identification number;
17

(E) account password, security questions, or answers;
18

or
19

(F) biometric data.
20

(10) In response to a consumer request under subdivision
21
1, a controller is not required to reveal any trade secret.
22

(11) A controller that has obtained personal data about a
23
consumer from a source other than the consumer may comply with
24
a consumer's request to delete the consumer's personal data
25
pursuant to this Section, by either:
26

(A) retaining a record of the deletion request,

SB3890
- 29 -
LRB104 19719 JRC 33169 b
1

retaining the minimum data necessary for the purpose of
2

ensuring the consumer's personal data remains deleted from
3

the business's records and not using the retained data for
4

any other purpose under the provisions of this Act; or
5

(B) opting the consumer out of the processing of
6

personal data for any purpose except for the purposes
7

exempted pursuant to the provisions of this Act.
8

(e)(1) A controller must establish an internal process in
9
which a consumer may appeal a refusal to take action on a
10
request to exercise any of the rights under this Section
11
within a reasonable period of time after the consumer's
12
receipt of the notice sent by the controller under this
13
Section.
14

(2) The appeal process must be conspicuously available.
15
The process must include the ease of use provisions in this
16
Section 3 applicable to submitting requests.
17

(3) Within 45 days of receipt of an appeal, a controller
18
must inform the consumer of any action taken or not taken in
19
response to the appeal along with a written explanation of the
20
reasons in support thereof. That period may be extended by 60
21
additional days if reasonably necessary, taking into account
22
the complexity and number of the requests serving as the basis
23
for the appeal. The controller must inform the consumer of any
24
extension within 45 days of receipt of the appeal together
25
with the reasons for the delay.
26

(4) When informing a consumer of any action taken or not

SB3890
- 30 -
LRB104 19719 JRC 33169 b
1
taken in response to an appeal pursuant to paragraph (c), the
2
controller must provide a written explanation of the reasons
3
for the controller's decision and clearly and prominently
4
provide the consumer with information about how to file a
5
complaint with the Attorney General. The controller must
6
maintain records of all appeals and the controller's responses
7
for at least 24 months and shall, upon written request by the
8
Attorney General as part of an investigation, compile and
9
provide a copy of the records to the Attorney General.

10

Section 15.
Processing deidentified data or pseudonymous
11
data.
12

(a) This Act does not require a controller or processor to
13
do any of the following solely for purposes of complying with
14
this Act:
15

(1) reidentify deidentified data;
16

(2) maintain data in identifiable form, or collect,
17

obtain, retain, or access any data or technology, to be
18

capable of associating an authenticated consumer request
19

with personal data; or
20

(3) comply with an authenticated consumer request to
21

access, correct, delete, or port personal data under
22

Section 14, if all of the following are true:
23

(A) the controller is not reasonably capable of
24

associating the request with the personal data, or it
25

would be unreasonably burdensome for the controller to

SB3890
- 31 -
LRB104 19719 JRC 33169 b
1

associate the request with the personal data;
2

(B) the controller does not use the personal data
3

to recognize or respond to the specific consumer who
4

is the subject of the personal data or associate the
5

personal data with other personal data about the same
6

specific consumer; and
7

(C) the controller does not sell the personal data
8

to any third party or otherwise voluntarily disclose
9

the personal data to any third party other than a
10

processor, except as otherwise permitted in this
11

Section.
12

(b) The rights contained in Section 14, subsection (1),
13
paragraphs (b) to (e) and (h), do not apply to pseudonymous
14
data in cases where the controller is able to demonstrate any
15
information necessary to identify the consumer is kept
16
separately and is subject to effective technical and
17
organizational controls that prevent the controller from
18
accessing the information.
19

(c) A controller that uses pseudonymous data or
20
deidentified data must exercise reasonable oversight to
21
monitor compliance with any contractual commitments to which
22
the pseudonymous data or deidentified data are subject, and
23
must take appropriate steps to address any breaches of
24
contractual commitments.
25

(d) A processor or third party must not attempt to
26
identify the subjects of deidentified or pseudonymous data

SB3890
- 32 -
LRB104 19719 JRC 33169 b
1
without the express authority of the controller that caused
2
the data to be deidentified or pseudonymized.
3

(e) A controller, processor, or third party must not
4
attempt to identify the subjects of data that has been
5
collected with only pseudonymous identifiers.

6

Section 16.
Responsibilities of controllers.
7

(a)(1) Transparency obligations. Controllers must provide
8
consumers with a reasonably accessible, clear, and meaningful
9
privacy notice that includes:
10

(A) the categories of personal data processed by the
11

controller;
12

(B) the purposes for which the categories of personal
13

data are processed;
14

(C) an explanation of the rights contained in Section
15

14 and how and where consumers may exercise those rights,
16

including how a consumer may appeal a controller's action
17

with regard to the consumer's request;
18

(D) the categories of personal data that the
19

controller sells to or shares with third parties, if any;
20

(E) the categories of third parties, if any, with whom
21

the controller sells or shares personal data;
22

(F) the controller's contact information, including an
23

active email address or other online mechanism that the
24

consumer may use to contact the controller;
25

(G) a description of the controller's retention

SB3890
- 33 -
LRB104 19719 JRC 33169 b
1

policies for personal data; and
2

(H) the date the privacy notice was last updated.
3

(2) If a controller sells personal data to third parties,
4
processes personal data for targeted advertising, or engages
5
in profiling in furtherance of decisions that produce legal
6
effects concerning a consumer or similarly significant effects
7
concerning a consumer, the controller must disclose the
8
processing in the privacy notice and provide access to a clear
9
and conspicuous method outside the privacy notice for a
10
consumer to opt out of the sale, processing, or profiling in
11
furtherance of decisions that produce legal effects concerning
12
a consumer or similarly significant effects concerning a
13
consumer. This method may include but is not limited to an
14
Internet hyperlink clearly labeled "Your Opt-Out Rights" or
15
"Your Privacy Rights" that directly effectuates the opt-out
16
request or takes consumers to a web page where the consumer can
17
make the opt-out request.
18

(3) The privacy notice must be made available to the
19
public in each language in which the controller provides a
20
product or service that is subject to the privacy notice or
21
carries out activities related to the product or service.
22

(4) The controller must provide the privacy notice in a
23
manner that is reasonably accessible to and usable by
24
individuals with disabilities.
25

(5) Whenever a controller makes a material change to the
26
controller's privacy notice or practices, the controller must

SB3890
- 34 -
LRB104 19719 JRC 33169 b
1
notify consumers affected by the material change with respect
2
to any prospectively collected personal data and provide a
3
reasonable opportunity for consumers to withdraw consent to
4
any further materially different collection, processing, or
5
transfer of previously collected personal data under the
6
changed policy. The controller shall take all reasonable
7
electronic measures to provide notification regarding material
8
changes to affected consumers, taking into account available
9
technology and the nature of the relationship.
10

(6) A controller is not required to provide a separate
11
Illinois-specific privacy notice or section of a privacy
12
notice if the controller's general privacy notice contains all
13
the information required by this Section.
14

(7) The privacy notice must be posted online through a
15
conspicuous hyperlink using the word "privacy" on the
16
controller's website home page or on a mobile application's
17
app store page or download page. A controller that maintains
18
an application on a mobile or other device shall also include a
19
hyperlink to the privacy notice in the application's settings
20
menu or in a similarly conspicuous and accessible location. A
21
controller that does not operate a website shall make the
22
privacy notice conspicuously available to consumers through a
23
medium regularly used by the controller to interact with
24
consumers, including, but not limited to, mail.
25

(b)(1) A controller must limit the collection of personal
26
data to what is adequate, relevant, and reasonably necessary

SB3890
- 35 -
LRB104 19719 JRC 33169 b
1
in relation to the purposes for which the data are processed,
2
which must be disclosed to the consumer.
3

(2) Except as provided in this Act, a controller may not
4
process personal data for purposes that are not reasonably
5
necessary to, or compatible with, the purposes for which the
6
personal data are processed, as disclosed to the consumer,
7
unless the controller obtains the consumer's consent.
8

(3) A controller shall establish, implement, and maintain
9
reasonable administrative, technical, and physical data
10
security practices to protect the confidentiality, integrity,
11
and accessibility of personal data, including the maintenance
12
of an inventory of the data that must be managed to exercise
13
these responsibilities. The data security practices shall be
14
appropriate to the volume and nature of the personal data at
15
issue.
16

(4) Except as otherwise provided in this Act, a controller
17
may not process sensitive data concerning a consumer without
18
obtaining the consumer's consent, or, in the case of the
19
processing of personal data concerning a known child, without
20
obtaining consent from the child's parent or lawful guardian,
21
in accordance with the requirement of the Children's Online
22
Privacy Protection Act, United States Code, Title 15, Sections
23
6501 to 6506, and its implementing regulations.
24

(5) A controller shall provide an effective mechanism for
25
a consumer, or, in the case of the processing of personal data
26
concerning a known child, the child's parent or lawful

SB3890
- 36 -
LRB104 19719 JRC 33169 b
1
guardian, to revoke previously given consent under this
2
subsection. The mechanism provided shall be at least as easy
3
as the mechanism by which the consent was previously given.
4
Upon revocation of consent, a controller shall cease to
5
process the applicable data as soon as practicable, but no
6
later than 15 days after the receipt of the request.
7

(6) A controller may not process the personal data of a
8
consumer for purposes of targeted advertising, or sell the
9
consumer's personal data, without the consumer's consent,
10
under circumstances in which the controller knows that the
11
consumer is between the ages of 13 and 16.
12

(7) A controller may not retain personal data that is no
13
longer relevant and reasonably necessary in relation to the
14
purposes for which the data were collected and processed,
15
unless retention of the data is otherwise required by law or
16
permitted under Section 19.
17

(c)(1) Nondiscrimination. A controller shall not process
18
personal data on the basis of a consumer's or a class of
19
consumers' actual or perceived race, color, ethnicity,
20
religion, national origin, sex, gender, gender identity,
21
sexual orientation, familial status, lawful source of income,
22
or disability in a manner that unlawfully discriminates
23
against the consumer or class of consumers with respect to the
24
offering or provision of: housing, employment, credit, or
25
education; or the goods, services, facilities, privileges,
26
advantages, or accommodations of any place of public

SB3890
- 37 -
LRB104 19719 JRC 33169 b
1
accommodation.
2

(2) A controller may not discriminate against a consumer
3
for exercising any of the rights contained in this Act,
4
including denying goods or services to the consumer, charging
5
different prices or rates for goods or services, and providing
6
a different level of quality of goods and services to the
7
consumer. This does not: (i) require a controller to provide a
8
good or service that requires the consumer's personal data
9
that the controller does not collect or maintain; or (ii)
10
prohibit a controller from offering a different price, rate,
11
level, quality, or selection of goods or services to a
12
consumer, including offering goods or services for no fee, if
13
the offering is in connection with a consumer's voluntary
14
participation in a bona fide loyalty, rewards, premium
15
features, discounts, or club card program.
16

(d) Any provision of a contract or agreement of any kind
17
that purports to waive or limit in any way a consumer's rights
18
under this Act is contrary to public policy and is void and
19
unenforceable.

20

Section 17.
Requirements for small businesses.
21

(a) A small business, as defined by the United States
22
Small Business Administration under the Code of Federal
23
Regulations, Title 13, Part 121, that conducts business in
24
Illinois or produces products or services that are targeted to
25
Illinois residents must not sell a consumer's sensitive data

SB3890
- 38 -
LRB104 19719 JRC 33169 b
1
without the consumer's prior consent.
2

(b) Penalties and Attorney General enforcement procedures
3
under Section 20 apply to a small business that violates this
4
Section.

5

Section 18.
Data privacy policies; data privacy and
6
protection assessments.
7

(a) A controller must document and maintain a description
8
of the policies and procedures the controller has adopted to
9
comply with this Act. The description must include, where
10
applicable:
11

(1) the name and contact information for the
12

controller's chief privacy officer or other individual
13

with primary responsibility for directing the policies and
14

procedures implemented to comply with the provisions of
15

this Act; and
16

(2) a description of the controller's data privacy
17

policies and procedures that reflect the requirements in
18

Section 16, and any policies and procedures designed to:
19

(i) reflect the requirements of this Act in the
20

design of the controller's systems;
21

(ii) identify and provide personal data to a
22

consumer as required by this Act;
23

(iii) establish, implement, and maintain
24

reasonable administrative, technical, and physical
25

data security practices to protect the

SB3890
- 39 -
LRB104 19719 JRC 33169 b
1

confidentiality, integrity, and accessibility of
2

personal data, including the maintenance of an
3

inventory of the data that must be managed to exercise
4

the responsibilities under this item;
5

(iv) limit the collection of personal data to what
6

is adequate, relevant, and reasonably necessary in
7

relation to the purposes for which the data are
8

processed;
9

(v) prevent the retention of personal data that is
10

no longer relevant and reasonably necessary in
11

relation to the purposes for which the data were
12

collected and processed, unless retention of the data
13

is otherwise required by law or permitted under
14

Section 19; and
15

(vi) identify and remediate violations of this
16

Act.
17

(b) A controller must conduct and document a data privacy
18
and protection assessment for each of the following processing
19
activities involving personal data:
20

(1) the processing of personal data for purposes of
21

targeted advertising;
22

(2) the sale of personal data;
23

(3) the processing of sensitive data;
24

(4) any processing activities involving personal data
25

that present a heightened risk of harm to consumers; and
26

(5) the processing of personal data for purposes of

SB3890
- 40 -
LRB104 19719 JRC 33169 b
1

profiling, where the profiling presents a reasonably
2

foreseeable risk of:
3

(i) unfair or deceptive treatment of, or disparate
4

impact on, consumers;
5

(ii) financial, physical, or reputational injury
6

to consumers;
7

(iii) a physical or other intrusion upon the
8

solitude or seclusion, or the private affairs or
9

concerns, of consumers, where the intrusion would be
10

offensive to a reasonable person; or
11

(iv) other substantial injury to consumers.
12

(c) A data privacy and protection assessment must take
13
into account the type of personal data to be processed by the
14
controller, including the extent to which the personal data
15
are sensitive data, and the context in which the personal data
16
are to be processed.
17

(d) A data privacy and protection assessment must identify
18
and weigh the benefits that may flow directly and indirectly
19
from the processing to the controller, consumer, other
20
stakeholders, and the public against the potential risks to
21
the rights of the consumer associated with the processing, as
22
mitigated by safeguards that can be employed by the controller
23
to reduce the potential risks. The use of deidentified data
24
and the reasonable expectations of consumers, as well as the
25
context of the processing and the relationship between the
26
controller and the consumer whose personal data will be

SB3890
- 41 -
LRB104 19719 JRC 33169 b
1
processed, must be factored into this assessment by the
2
controller.
3

(e) A data privacy and protection assessment must include
4
the description of policies and procedures required by
5
subsection (a).
6

(f) As part of a civil investigative demand, the Attorney
7
General may request, in writing, that a controller disclose
8
any data privacy and protection assessment that is relevant to
9
an investigation conducted by the Attorney General. The
10
controller must make a data privacy and protection assessment
11
available to the Attorney General upon a request made under
12
this subsection. The Attorney General may evaluate the data
13
privacy and protection assessments for compliance with this
14
Act. Data privacy and protection assessments are nonpublic
15
data that is data required by State or federal law that is: (1)
16
not about an individual; (2) not accessible by the general
17
public; and (3) accessible by the subject of the data. The
18
disclosure of a data privacy and protection assessment under a
19
request from the Attorney General under this subsection does
20
not constitute a waiver of the attorney-client privilege or
21
work product protection with respect to the assessment and any
22
information contained in the assessment.
23

(g) Data privacy and protection assessments or risk
24
assessments conducted by a controller for the purpose of
25
compliance with other laws or regulations may qualify under
26
this Section if the assessments have a similar scope and

SB3890
- 42 -
LRB104 19719 JRC 33169 b
1
effect.
2

(h) A single data protection assessment may address
3
multiple sets of comparable processing operations that include
4
similar activities.

5

Section 19.
Limitations and applicability.
6

(a) The obligations imposed on controllers or processors
7
under this Act do not restrict a controller's or a processor's
8
ability to:
9

(1) comply with federal, State, or local laws, rules,
10

or regulations, including, but not limited to, data
11

retention requirements in State or federal law
12

notwithstanding a consumer's request to delete personal
13

data;
14

(2) comply with a civil, criminal, or regulatory
15

inquiry, investigation, subpoena, or summons by federal,
16

State, local, or other governmental authorities;
17

(3) cooperate with law enforcement agencies concerning
18

conduct or activity that the controller or processor
19

reasonably and in good faith believes may violate federal,
20

State, or local laws, rules, or regulations;
21

(4) investigate, establish, exercise, prepare for, or
22

defend legal claims;
23

(5) provide a product or service specifically
24

requested by a consumer; perform a contract to which the
25

consumer is a party, including fulfilling the terms of a

SB3890
- 43 -
LRB104 19719 JRC 33169 b
1

written warranty; or take steps at the request of the
2

consumer prior to entering into a contract;
3

(6) take immediate steps to protect an interest that
4

is essential for the life or physical safety of the
5

consumer or of another natural person, and if the
6

processing cannot be manifestly based on another legal
7

basis;
8

(7) prevent, detect, protect against, or respond to
9

security incidents, identity theft, fraud, harassment,
10

malicious or deceptive activities, or any illegal
11

activity; preserve the integrity or security of systems;
12

or investigate, report, or prosecute those responsible for
13

any such action;
14

(8) assist another controller, processor, or third
15

party with any of the obligations under this subsection;
16

(9) engage in public or peer-reviewed scientific,
17

historical, or statistical research in the public interest
18

that adheres to all other applicable ethics and privacy
19

laws and is approved, monitored, and governed by an
20

institutional review board, human subjects research ethics
21

review board, or a similar independent oversight entity
22

that has determined:
23

(A) the research is likely to provide substantial
24

benefits that do not exclusively accrue to the
25

controller;
26

(B) the expected benefits of the research outweigh

SB3890
- 44 -
LRB104 19719 JRC 33169 b
1

the privacy risks; and
2

(C) the controller has implemented reasonable
3

safeguards to mitigate privacy risks associated with
4

research, including any risks associated with
5

reidentification; or
6

(10) process personal data for the benefit of the
7

public in the areas of public health, community health, or
8

population health, but only to the extent that the
9

processing is:
10

(A) subject to suitable and specific measures to
11

safeguard the rights of the consumer whose personal
12

data is being processed; and
13

(B) under the responsibility of a professional
14

individual who is subject to confidentiality
15

obligations under federal, State, or local law.
16

(b) The obligations imposed on controllers or processors
17
under this Act do not restrict a controller's or processor's
18
ability to collect, use, or retain data to:
19

(1) effectuate a product recall or identify and repair
20

technical errors that impair existing or intended
21

functionality;
22

(2) perform internal operations that are reasonably
23

aligned with the expectations of the consumer based on the
24

consumer's existing relationship with the controller, or
25

are otherwise compatible with processing in furtherance of
26

the provision of a product or service specifically

SB3890
- 45 -
LRB104 19719 JRC 33169 b
1

requested by a consumer or the performance of a contract
2

to which the consumer is a party; or
3

(3) conduct internal research to develop, improve, or
4

repair products, services, or technology.
5

(c) The obligations imposed on controllers or processors
6
under this Act do not apply if compliance by the controller or
7
processor with this Act would violate an evidentiary privilege
8
under Illinois law and do not prevent a controller or
9
processor from providing personal data concerning a consumer
10
to a person covered by an evidentiary privilege under Illinois
11
law as part of a privileged communication.
12

(d) A controller or processor that discloses personal data
13
to a third-party controller or processor in compliance with
14
the requirements of this Act is not in violation of this Act if
15
the recipient processes the personal data in violation of this
16
Act, provided that at the time of disclosing the personal
17
data, the disclosing controller or processor did not have
18
actual knowledge that the recipient intended to commit a
19
violation. A third-party controller or processor receiving
20
personal data from a controller or processor in compliance
21
with the requirements of this Act is not in violation of this
22
Act for the obligations of the controller or processor from
23
which the third-party controller or processor receives the
24
personal data.
25

(e) Obligations imposed on controllers and processors
26
under this Act shall not:

SB3890
- 46 -
LRB104 19719 JRC 33169 b
1

(1) adversely affect the rights or freedoms of any
2

persons, including exercising the right of free speech
3

pursuant to the First Amendment of the United States
4

Constitution; or
5

(2) apply to the processing of personal data by a
6

natural person in the course of a purely personal or
7

household activity.
8

(f) Personal data that are processed by a controller
9
pursuant to this Section may be processed solely to the extent
10
that the processing is:
11

(1) necessary, reasonable, and proportionate to the
12

purposes listed in this Section;
13

(2) adequate, relevant, and limited to what is
14

necessary in relation to the specific purpose or purposes
15

listed in this Section; and
16

(3) insofar as possible, taking into account the
17

nature and purpose of processing the personal data,
18

subjected to reasonable administrative, technical, and
19

physical measures to protect the confidentiality,
20

integrity, and accessibility of the personal data, and to
21

reduce reasonably foreseeable risks of harm to consumers.
22

(g) If a controller processes personal data under an
23
exemption in this Section, the controller bears the burden of
24
demonstrating that the processing qualifies for the exemption
25
and complies with the requirements in subsection (f).
26

(h) Processing personal data solely for the purposes

SB3890
- 47 -
LRB104 19719 JRC 33169 b
1
expressly identified in subsection (a), clauses (1) to (7),
2
does not, by itself, make an entity a controller with respect
3
to the processing.

4

Section 20.
Attorney General enforcement.
5

(a) If a controller or processor violates this Act, the
6
Attorney General, before filing an enforcement action under
7
subsection (b), must provide the controller or processor with
8
a warning letter identifying the specific provisions of this
9
Act the Attorney General alleges have been or are being
10
violated. If, after 30 days of issuance of the warning letter,
11
the Attorney General believes the controller or processor has
12
failed to cure any alleged violation, the Attorney General may
13
bring an enforcement action under subsection (b). This
14
subsection expires January 1, 2028.
15

(b) The Attorney General may bring a civil action against
16
a controller or processor to enforce a provision of this Act.
17
If the State prevails in an action to enforce this Act, the
18
State may, in addition to penalties provided by subsection (c)
19
or other remedies provided by law, be allowed an amount
20
determined by the court to be the reasonable value of all or
21
part of the State's litigation expenses incurred.
22

(c) Any controller or processor that violates this Act is
23
subject to an injunction and liable for a civil penalty of not
24
more than $7,500 for each violation.
25

(d) Nothing in this Act establishes a private right of

SB3890
- 48 -
LRB104 19719 JRC 33169 b
1
action for a violation of this Act or any other law.

2

Section 95.
Home rule.
A unit of local government,
3
including a home rule unit, may not regulate consumer data
4
privacy. This Section is a denial and limitation of home rule
5
powers and functions under subsection (g) of Section 6 of
6
Article VII of the Illinois Constitution.

7

Section 900.
The State Finance Act is amended by adding
8
Section 5.1038 as follows:

9

(30 ILCS 105/5.1038 new)
10

Sec. 5.1038.
The Data Privacy Protection Fund.

11

Section 905.
The Personal Information Protection Act is
12
amended by adding Sections 55, 60, and 65 as follows:

13

(815 ILCS 530/55 new)
14

Sec. 55.
Data broker registry.
15

(a) As used in this Section, "data broker" means a
16
business that knowingly collects and sells to third parties
17
the personal information of a consumer with whom the business
18
does not have a direct relationship. "Data broker" does not
19
include:
20

(1) an entity to the extent that it is covered by the
21

federal Fair Credit Reporting Act;

SB3890
- 49 -
LRB104 19719 JRC 33169 b
1

(2) an entity to the extent that it is covered by the
2

Gramm-Leach-Bliley Act and its implementing regulations;
3

or
4

(3) an entity that collects information that is
5

processed for purposes of providing compliance, enrollment
6

or degree verification, or research services by a
7

nonprofit organization that is established to provide
8

enrollment data reporting services on behalf of
9

postsecondary schools.
10

(b) Annually, on or before January 31, a data broker
11
operating in this State must register with the Attorney
12
General.
13

(c) In registering with the Attorney General, a data
14
broker must pay a registration fee in an amount determined by
15
the Attorney General not to exceed the reasonable costs of
16
establishing and maintaining the informational Internet
17
website described in Section 60. A data broker must also
18
provide the following information:
19

(1) the name of the data broker and its primary
20

physical, email, and Internet website addresses;
21

(2) whether the data broker collects the personal
22

information of minors;
23

(3) whether the data broker collects consumers'
24

precise geolocation;
25

(4) whether the data broker collects consumers'
26

reproductive health care data;

SB3890
- 50 -
LRB104 19719 JRC 33169 b
1

(5) a link to a page on the data broker's Internet
2

website that does not make use of any dark patterns;
3

(6) whether, and to what extent, the data broker or
4

any of its subsidiaries is regulated by any of the
5

following:

6

(A) the federal Fair Credit Reporting Act; and
7

(B) the Gramm-Leach-Bliley Act and its
8

implementing regulations; and
9

(7) any additional information or explanation the data
10

broker chooses to provide concerning its data collection
11

practices.
12

(d) The Attorney General must create a page on its
13
Internet website in which the registration information
14
provided in subsection (c) is made accessible to the public.
15

(e) A data broker that fails to register as required by
16
this Section is liable for civil penalties and costs in an
17
action brought by the Attorney General as follows:
18

(1) a civil penalty of $200 for each day the data
19

broker fails to register as required by this Section;
20

(2) an amount equal to the fees that were due during
21

the period it failed to register; and
22

(3) expenses incurred by the Attorney General in the
23

investigation and administration of the action as the
24

court deems appropriate.
25

(f) All moneys received by the Attorney General under this
26
Section must be deposited into the Data Broker Registry Fund,

SB3890
- 51 -
LRB104 19719 JRC 33169 b
1
a special fund created in the State treasury and be used,
2
subject to appropriation and as directed by the Attorney
3
General, to offset all reasonable costs of enforcing the
4
registration requirements described in subsection (c) and
5
establishing and maintaining the Internet website in
6
subsection (d).

7

(815 ILCS 530/60 new)
8

Sec. 60.
Registration information; disclosures.

9

(a) The Attorney General must create a page on its
10
Internet website in which the registration information
11
provided by data brokers described in subsection (b) of
12
Section 55 and the accessible deletion mechanism described in
13
Section 65 are accessible to the public.
14

(b) On or before July 1 following each calendar year in
15
which a business meets the definition of a data broker as
16
defined by this Act, the business must do all of the following:
17

(1) Compile the number of requests under subsection
18

(c) of Section 65 of this Act and Section 14 of the
19

Illinois Data Privacy Protection Act that the data broker
20

received, complied with in whole or in part, and denied
21

during the previous calendar year.
22

(2) Compile the median and the mean number of days
23

within which the data broker substantively responded to
24

requests under subsection (c) of Section 65 of this Act
25

and Section 14 of the Illinois Data Privacy Protection Act

SB3890
- 52 -
LRB104 19719 JRC 33169 b
1

that the data broker received during the previous calendar
2

year.
3

(3) Disclose the metrics compiled under paragraphs (1)
4

and (2) within the data broker's privacy policy posted on
5

the data broker's Internet website and accessible from a
6

link included in the data broker's privacy policy.
7

(c) In its disclosure under paragraph (3) of subsection
8
(b) regarding requests made under subsection (c) of Section 65
9
of this Act, a data broker must disclose the number of requests
10
that the data broker denied in whole or in part because of any
11
of the following:
12

(1) The request was not verifiable.
13

(2) The request was not made by a consumer.
14

(3) The request called for information exempt from
15

deletion.
16

(4) The request was denied on other grounds.
17

(d) In its disclosure under paragraph (3) of subsection
18
(b), a data broker must, for each provision of subsection (b)
19
of Section 12 of the Illinois Data Privacy Protection Act and
20
under which deletion was not required, specify the number of
21
requests in which deletion was not required in whole, or in
22
part, under that provision.

23

(815 ILCS 530/65 new)
24

Sec. 65.
Deletion mechanism.
25

(a) By January 1, 2027, the Attorney General, in

SB3890
- 53 -
LRB104 19719 JRC 33169 b
1
consultation with the Illinois Department of Innovation and
2
Technology, must establish an accessible deletion mechanism
3
that does all of the following:
4

(1) Implements and maintains reasonable security
5

procedures and practices, including, but not limited to,
6

administrative, physical, and technical safeguards
7

appropriate to the nature of the information and the
8

purposes for which the personal information will be used
9

and to protect consumers' personal information from
10

unauthorized use, disclosure, access, destruction, or
11

modification.
12

(2) Allows a consumer, through a single verifiable
13

consumer request, to request that every data broker that
14

maintains any personal information delete any personal
15

information related to that consumer held by the data
16

broker or associated service provider or contractor.
17

(3) Allows a consumer to selectively exclude specific
18

data brokers from a request made under subsection (2).
19

(4) Allows a consumer to make a request to alter a
20

previous request made under this Section after at least 45
21

days have passed since the consumer last made a request
22

under this Section.
23

(b) The accessible deletion mechanism established in
24
subsection (a) must meet all of the following requirements:
25

(1) The accessible deletion mechanism must allow a
26

consumer to request the deletion of all personal

SB3890
- 54 -
LRB104 19719 JRC 33169 b
1

information related to that consumer through a single
2

deletion request.
3

(2) The accessible deletion mechanism must permit a
4

consumer to securely submit information in one or more
5

privacy-protecting ways determined by the Attorney General
6

to aid in the deletion request.
7

(3) The accessible deletion mechanism must allow data
8

brokers registered with the Attorney General to determine
9

whether an individual has submitted a verifiable consumer
10

request to delete the personal information related to that
11

consumer as described in paragraph (1) and may not allow
12

the disclosure of any additional personal information when
13

the data broker accesses the accessible deletion mechanism
14

unless otherwise specified in this Section.
15

(4) The accessible deletion mechanism must allow a
16

consumer to make a request described in paragraph (1)
17

using an Internet service operated by the Attorney
18

General.
19

(5) The accessible deletion mechanism must not charge
20

a consumer to make a request described in paragraph (1).
21

(6) The accessible deletion mechanism must allow a
22

consumer to make a request described in paragraph (1) in
23

any language spoken by any consumer for whom personal
24

information has been collected by data brokers.
25

(7) The accessible deletion mechanism must be readily
26

accessible and usable by consumers with disabilities.

SB3890
- 55 -
LRB104 19719 JRC 33169 b
1

(8) The accessible deletion mechanism must support the
2

ability of a consumer's authorized agents to aid in the
3

deletion request.
4

(9) The accessible deletion mechanism must allow the
5

consumer or an authorized agent to verify the status of
6

the consumer's deletion request.
7

(10) The accessible deletion mechanism must provide a
8

description of all of the following:
9

(A) The deletion permitted by this Section,
10

including, but not limited to, the actions required by
11

subsections (c) and (d).
12

(B) The process for submitting a deletion request
13

under this Section.
14

(C) Examples of the types of information that may
15

be deleted.
16

(c)(1) Beginning August 1, 2027, a data broker must access
17
the accessible deletion mechanism established under subsection
18
(a) at least once every 45 days and do all of the following:
19

(A) Within 45 days after receiving a request made
20

under this Section, process all deletion requests made
21

under this Section and delete all personal information
22

related to the consumers making the requests consistent
23

with the requirements of this section.
24

(B) In cases in which a data broker denies a consumer
25

request to delete because the request cannot be verified,
26

process the request as an opt-out of the sale or sharing of

SB3890
- 56 -
LRB104 19719 JRC 33169 b
1

the consumer's personal information as provided for under
2

Section 14 of the Illinois Data Privacy Protection Act and
3

limited by that Act.
4

(C) Direct all service providers or contractors
5

associated with the data broker to delete all personal
6

information in their possession related to the consumers
7

making the requests described in subparagraph (A) of
8

paragraph (1) of subsection (c).
9

(D) Direct all service providers or contractors
10

associated with the data broker to process a request
11

described by subparagraph (B) of paragraph (1) of
12

subsection (c) as an opt-out of the sale or sharing of the
13

consumer's personal information as provided for under
14

Section 14 of the Illinois Data Privacy Protection Act and
15

limited by that Act.
16

(2) Notwithstanding paragraph (1), a data broker may not
17
be required to delete a consumer's personal information if
18
either of the following apply:
19

(A) It is reasonably necessary for the data broker to
20

maintain the personal information to fulfill a purpose
21

described in Section 19 of the Illinois Data Privacy
22

Protection Act.
23

(B) The deletion is not required under Section 14 and
24

subsection (b) of Section 12 of the Illinois Data Privacy
25

Protection Act.
26

(3) Personal information described in paragraph (2) may

SB3890
- 57 -
LRB104 19719 JRC 33169 b
1
only be used for the purposes described in paragraph (2) and
2
may not be used or disclosed for any other purpose, including,
3
but not limited to, marketing purposes.
4

(d)(1) Beginning August 1, 2027, after a consumer has
5
submitted a deletion request and a data broker has deleted the
6
consumer's data under this Section, the data broker must
7
delete all personal information of the consumer at least once
8
every 45 days under this Section unless the consumer requests
9
otherwise or the deletion is not required under paragraph (2)
10
of subsection (c).
11

(2) Beginning August 1, 2027, after a consumer has
12
submitted a deletion request and a data broker has deleted the
13
consumer's data under this Section, the data broker may not
14
sell or share new personal information of the consumer unless
15
the consumer requests otherwise or selling or sharing the
16
personal information is permitted under Section 14 and
17
subsection (b) of Section 12 of the Illinois Data Privacy
18
Protection Act.
19

(e)(1) Beginning January 1, 2029, and every 3 years
20
thereafter, a data broker must undergo an audit by an
21
independent third party to determine compliance with this
22
Section.
23

(2) For an audit completed under paragraph (1), the data
24
broker must submit a report resulting from the audit and any
25
related materials to the Attorney General within 5 business
26
days of a written request from the Attorney General.

SB3890
- 58 -
LRB104 19719 JRC 33169 b
1

(3) A data broker must maintain the report and materials
2
described in paragraph (2) for at least 6 years.
3

(f) The Attorney General may charge an access fee to a data
4
broker when the data broker accesses the accessible deletion
5
mechanism under subsection (d) that does not exceed the
6
reasonable costs of providing that access. A fee collected by
7
the Attorney General under this subsection (f) must be
8
deposited in the Data Privacy Protection Fund.

9

Section 997.
Severability.
If any provision of this Act or
10
its application to any person or circumstance is held invalid,
11
the invalidity of that provision or application does not
12
affect other provisions or applications of this Act that can
13
be given effect without the invalid provision or application.

Footer

Disclaimer

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.

Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn

This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster

ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies

ILGA.GOV

2026 ILGA.gov | All Rights Reserved |
ADA

|
Disclaimers
|
Learn