SB0340sam002 104TH GENERAL ASSEMBLY

Sen. Laura M. Murphy

Filed: 5/19/2026

10400SB0340sam002

LRB104 06459 JRC 37974 a

1 AMENDMENT TO SENATE BILL 340

2 AMENDMENT NO. ______. Amend Senate Bill 340 by replacing

3 everything after the enacting clause with the following:

4 "Section 10. Short title. This Act may be cited as the

5 Illinois Consumer Data Privacy Act.

6 Section 11. Definitions. As used in this Act:

7 "Affiliate" means a legal entity that controls, is

8 controlled by, or is under common control with another legal

9 entity. As used in this definition, "control" or "controlled"

10 means: ownership of or the power to vote more than 50% of the

11 outstanding shares of any class of voting security of a

12 company; control in any manner over the election of a majority

13 of the directors or of individuals exercising similar

14 functions; or the power to exercise a controlling influence

15 over the management of a company.

16 "Authenticate" means to use reasonable means to determine

10400SB0340sam002

- 2 -

LRB104 06459 JRC 37974 a

1 that a request to exercise any of the rights under subsection

2 (b) of Section 14 is being made by or rightfully on behalf of

3 the consumer who is entitled to exercise the rights with

4 respect to the personal data at issue.

5 "Biometric identifier" has the same meaning given to that

6 term in the Biometric Information Privacy Act.

7 "Biometric information" has the same meaning given to that

8 term in the Biometric Information Privacy Act.

9 "Child" has the meaning given in United States Code, Title

10 15, Section 6501.

11 "Collect" means to buy, rent, obtain, lease, access,

12 receive, or otherwise acquire personal data in any manner.

13 "Consent" means any freely given, specific, informed, and

14 unambiguous indication of the consumer's wishes by which the

15 consumer signifies agreement to the processing of personal

16 data relating to the consumer. Acceptance of general or broad

17 terms of use or similar document that contains descriptions of

18 personal data processing along with other, unrelated

19 information does not constitute consent. Hovering over,

20 muting, pausing, or closing a given piece of content does not

21 constitute consent. A consent is not valid when the consumer's

22 indication has been obtained by a dark pattern. A consumer may

23 revoke consent previously given consistent with this Act.

24 "Consumer" means a natural person who is an Illinois

25 resident acting only in an individual or household context.

26 Consumer does not include a natural person acting in a

10400SB0340sam002

- 3 -

LRB104 06459 JRC 37974 a

1 commercial or employment context.

2 "Controller" means the natural or legal person who, alone

3 or jointly with others, determines the purposes and means of

4 the processing of personal data.

5 "Decisions that produce legal or similarly significant

6 effects concerning the consumer" means decisions made by the

7 controller that result in the provision or denial by the

8 controller of financial or lending services, housing,

9 insurance, education enrollment or opportunity, criminal

10 justice, employment opportunities, health care services, or

11 access to essential goods or services.

12 "Dark pattern" means a user interface designed or

13 manipulated with the substantial effect of subverting or

14 impairing user autonomy, decision-making, or choice.

15 "Deidentified data" means data that cannot reasonably be

16 used to infer information about or otherwise be linked to an

17 identified or identifiable natural person or a device linked

18 to an identified or identifiable natural person, provided that

19 the controller that possesses the data:

20 (1) takes reasonable measures to ensure that the data

21 cannot be associated with a natural person;

22 (2) publicly commits to process the data only in a

23 deidentified fashion and not attempt to reidentify the

24 data; and

25 (3) contractually obligates any recipients of the

26 information to comply with all provisions of this

10400SB0340sam002

- 4 -

LRB104 06459 JRC 37974 a

1 definition.

2 "Delete" means to remove or destroy information so that it

3 is not maintained in human- or machine-readable form and

4 cannot be retrieved or used in the ordinary course of

5 business.

6 "Genetic information" has the meaning ascribed to the term

7 under the Health Insurance Portability and Accountability Act

8 of 1996 as specified in 45 CFR 160.103.

9 "Identified or identifiable natural person" means a person

10 who can be readily identified, directly or indirectly.

11 "Known child" means a person under circumstances in which

12 a controller has actual knowledge of, or willfully disregards,

13 that the person is under 13 years of age.

14 "Personal data" means any information that is linked or

15 reasonably linkable to an identified or identifiable natural

16 person. "Personal data" does not include deidentified data,

17 pseudonymous data, or publicly available information. As used

18 in this definition, "publicly available information" means

19 information that (1) is lawfully made available from federal,

20 state, or local government records or (2) a controller has a

21 reasonable basis to believe has lawfully been made available

22 to the general public.

23 "Process" or "processing" means any operation or set of

24 operations that are performed on personal data or on sets of

25 personal data, whether or not by automated means, including,

26 but not limited to, the collection, use, storage, disclosure,

10400SB0340sam002

- 5 -

LRB104 06459 JRC 37974 a

1 analysis, deletion, sharing, retention, organizing,

2 structuring, or modification of personal data.

3 "Processor" means a natural or legal person who processes

4 personal data on behalf of a controller.

5 "Profiling" means any form of automated processing of

6 personal data to evaluate, analyze, or predict personal

7 aspects related to an identified or identifiable natural

8 person's economic situation, health, personal preferences,

9 interests, reliability, behavior, location, or movements.

10 Profiling does not include automated processing used solely

11 for independent measurement.

12 "Pseudonymous data" means personal data that cannot be

13 attributed to a specific natural person without the use of

14 additional information, provided that the additional

15 information is kept separately and is subject to appropriate

16 technical and organizational measures to ensure that the

17 personal data are not attributed to an identified or

18 identifiable natural person.

19 "Sale", "sell", or "sold" means the exchange of personal

20 data for monetary or other valuable consideration by the

21 controller, processor, or an affiliate of the controller or

22 processor to a third party. "Sale" does not include the

23 following:

24 (1) the disclosure of personal data to a processor who

25 processes the personal data on behalf of the controller if

26 limited to the purposes of processing;

10400SB0340sam002

- 6 -

LRB104 06459 JRC 37974 a

1 (2) the disclosure of personal data to a third party

2 for purposes of providing a product or service requested

3 by the consumer;

4 (3) the disclosure or transfer of personal data to an

5 affiliate of the controller;

6 (4) the disclosure of information that the consumer

7 intentionally made available to the general public via a

8 channel of mass media and did not restrict to a specific

9 audience; or

10 (5) the disclosure or transfer of personal data to a

11 third party as an asset that is part of a completed or

12 proposed merger, acquisition, bankruptcy, or other

13 transaction in which the third party assumes control of

14 all or part of the controller's assets.

15 "Sensitive data" is a form of personal data. "Sensitive

16 data" means:

17 (1) personal data revealing racial or ethnic origin,

18 religious beliefs, mental or physical health condition or

19 diagnosis, sexual orientation, or citizenship or

20 immigration status;

21 (2) the processing of biometric identifiers or

22 information or genetic information for the purpose of

23 uniquely identifying an individual;

24 (3) the personal data of a known child;

25 (4) specific geolocation data;

26 (5) information that reveals the status of

10400SB0340sam002

- 7 -

LRB104 06459 JRC 37974 a

1 identifiable natural person as a victim of a crime; or

2 (6) a government-issued identifier, including a social

3 security number, passport number, or a driver's license

4 number, that is not required by law to be displayed in

5 public.

6 "Specific geolocation data" means information derived from

7 technology, including, but not limited to, global positioning

8 system level latitude and longitude coordinates or other

9 mechanisms that can precisely and accurately identify the

10 specific location of a consumer or a device linked with a

11 consumer within a radius of 1,750 feet. Specific geolocation

12 data does not include the content of communications, the

13 contents of databases containing street address information

14 that are accessible to the public as authorized by law, or any

15 data generated by or connected to advanced utility metering

16 infrastructure systems or other equipment for use by a public

17 utility.

18 "Targeted advertising" means displaying advertisements to

19 a consumer or to a device linked to a consumer in which the

20 advertisement is selected based on personal data obtained or

21 inferred from the consumer's activities over time and across

22 nonaffiliated websites or online applications to predict the

23 consumer's preferences or interests. Targeted advertising does

24 not include:

25 (1) advertising based on activities within a

26 controller's own websites or online applications;

10400SB0340sam002

- 8 -

LRB104 06459 JRC 37974 a

1 (2) advertising based on the context of a consumer's

2 current search query or visit to a website or online

3 application;

4 (3) advertising to a consumer in response to the

5 consumer's request for information or feedback; or

6 (4) processing personal data solely for measuring or

7 reporting content and advertising performance, reach, or

8 frequency, including independent measurement.

9 (z) "Third party" means a natural or legal person, public

10 authority, agency, or body other than the consumer,

11 controller, processor, or an affiliate of the processor or the

12 controller.

13 (aa) "Trade secret" has the same meaning given to the term

14 in the Illinois Trade Secrets Act.

15 Section 12. Scope; exclusions.

16 (a)(1) Scope. This Act applies to legal entities that

17 conduct business in Illinois or produce products or services

18 that are targeted to Illinois residents, and that satisfy one

19 or more of the following thresholds:

20 (A) during a calendar year, collects or processes

21 personal data of 100,000 consumers or more, excluding

22 personal data controlled or processed solely for the

23 purpose of completing a payment transaction; or

24 (B) derives over 25% of gross revenue from the sale of

25 personal data and processes or collects personal data of

10400SB0340sam002

- 9 -

LRB104 06459 JRC 37974 a

1 25,000 consumers or more.

2 (2) A controller or processor shall comply with the

3 Student Online Personal Protection Act, except that if the

4 provisions of that Act conflict with this Act, the Student

5 Online Personal Protection Act prevails.

6 (3) All legal entities shall comply with the Biometric

7 Information Privacy Act and the Genetic Information Privacy

8 Act.

9 (b) Exclusions. The provisions of this Act do not apply to

10 the following entities, activities, or types of information:

11 (1) the State, a political subdivision of the State,

12 units of local government, and school districts;

13 (2) a federally recognized Indian tribe;

14 (3) information that meets the definition of:

15 (A) protected health information, as defined by

16 and for purposes of the Health Insurance Portability

17 and Accountability Act of 1996, Public Law 104-191,

18 and related regulations;

19 (B) health records, that includes, but is not

20 limited to, any information, whether oral or recorded

21 in any form or medium, that relates to the past,

22 present, or future physical or mental health or

23 condition of a patient; the provision of health care

24 to a patient; or the past, present, or future payment

25 for the provision of health care to a patient;

26 (C) patient identifying information for purposes

10400SB0340sam002

- 10 -

LRB104 06459 JRC 37974 a

1 of Code of Federal Regulations, Title 42, Part 2,

2 established pursuant to the United States Code, Title

3 42, Section 290dd-2;

4 (D) identifiable private information for purposes

5 of the federal policy for the protection of human

6 subjects, the Code of Federal Regulations, Title 45,

7 Part 46; identifiable private information that is

8 otherwise information collected as part of human

9 subjects research under the good clinical practice

10 guidelines issued by the International Council for

11 Harmonisation; the protection of human subjects under

12 the Code of Federal Regulations, Title 21, Parts 50

13 and 56; or personal data used or shared in research

14 conducted in accordance with one or more of the

15 requirements set forth in this paragraph;

16 (E) information and documents created for purposes

17 of the federal Health Care Quality Improvement Act of

18 1986, Public Law 99-660, and related regulations; or

19 (F) patient safety work product for purposes of

20 Code of Federal Regulations, Title 42, Part 3,

21 established under the United States Code, Title 42,

22 Sections 299b-21 to 299b-26;

23 (4) information that is derived from any of the health

24 care-related information listed in clause (3), but that

25 has been deidentified in accordance with the requirements

26 for deidentification set forth in the Code of Federal

10400SB0340sam002

- 11 -

LRB104 06459 JRC 37974 a

1 Regulations, Title 45, Part 164;

2 (5) information originating from, and intermingled to

3 be indistinguishable with, any of the health care-related

4 information listed in clause (3) that is maintained by:

5 (A) a covered entity or business associate, as

6 defined by the Health Insurance Portability and

7 Accountability Act of 1996, Public Law 104-191, and

8 related regulations to the extent the entity is acting

9 as a covered entity or business associate under the

10 Privacy and Security rules issued by the United States

11 Department of Health and Human Services, Parts 160 and

12 164 of Title 45 of the Code of Federal Regulations;

13 (B) a health care provider, to include, but not be

14 limited to, any public or private facility that

15 provides, on an inpatient or outpatient basis,

16 preventive, diagnostic, therapeutic, convalescent,

17 rehabilitation, mental health, or intellectual

18 disability services, including general or special

19 hospitals, skilled nursing homes, extended care

20 facilities, intermediate care facilities and mental

21 health centers; or

22 (C) a program or a qualified service organization,

23 as defined by Code of Federal Regulations, Title 42,

24 Part 2, established pursuant to United States Code,

25 Title 42, Section 290dd-2;

26 (6) information that is:

10400SB0340sam002

- 12 -

LRB104 06459 JRC 37974 a

1 (A) maintained by an entity that meets the

2 definition of health care provider under the Code of

3 Federal Regulations, Title 45, Section 160.103, to the

4 extent that the entity maintains the information in

5 the manner required of covered entities with respect

6 to protected health information for purposes of the

7 Health Insurance Portability and Accountability Act of

8 1996, Public Law 104-191, and related regulations;

9 (B) included in a limited data set, as described

10 under the Code of Federal Regulations, Title 45, Part

11 164.514(e), to the extent that the information is

12 used, disclosed, and maintained in the manner

13 specified by that part;

14 (C) maintained by, or maintained to comply with

15 the rules or orders of, a self-regulatory organization

16 as defined by the United States Code, Title 15,

17 Section 78c(a)(26) or of a registered futures

18 association as designated under the United States

19 Code, Title 7, Section 21;

20 (D) originated from, or intermingled with,

21 information described in clause (9) and that a

22 residential mortgage originator or residential

23 mortgage servicer regulated under the Residential

24 Mortgage License Act of 1987 collects, processes,

25 uses, or maintains in the same manner as required

26 under the laws and regulations specified in clause

10400SB0340sam002

- 13 -

LRB104 06459 JRC 37974 a

1 (9); or

2 (E) originated from, or intermingled with,

3 information described in clause (9) and that a nonbank

4 financial institution collects, processes, uses, or

5 maintains in the same manner as required under the

6 laws and regulations specified in clause (9);

7 (7) information used only for public health activities

8 and purposes, as described under the Code of Federal

9 Regulations, Title 45, Part 164.512;

10 (8) an activity involving the collection, maintenance,

11 disclosure, sale, communication, or use of any personal

12 data bearing on a consumer's credit worthiness, credit

13 standing, credit capacity, character, general reputation,

14 personal characteristics, or mode of living by a consumer

15 reporting agency, as defined in the United States Code,

16 Title 15, Section 1681a(f), by a furnisher of information,

17 as set forth in the United States Code, Title 15, Section

18 1681s-2, who provides information for use in a consumer

19 report, as defined in the United States Code, Title 15,

20 Section 1681a(d), and by a user of a consumer report, as

21 set forth in the United States Code, Title 15, Section

22 1681b, except that information is only excluded under this

23 paragraph to the extent that the activity involving the

24 collection, maintenance, disclosure, sale, communication,

25 or use of the information by the agency, furnisher, or

26 user is subject to regulation under the federal Fair

10400SB0340sam002

- 14 -

LRB104 06459 JRC 37974 a

1 Credit Reporting Act, United States Code, Title 15,

2 Sections 1681 to 1681x, and the information is not

3 collected, maintained, used, communicated, disclosed, or

4 sold except as authorized by the Fair Credit Reporting

5 Act;

6 (9) financial institutions, their affiliates, and

7 personal data subject to the federal Gramm-Leach-Bliley

8 Act, Public Law 106-102, and implementing regulations;

9 (10) personal data collected, processed, sold, or

10 disclosed pursuant to the federal Driver's Privacy

11 Protection Act of 1994, United States Code, Title 18,

12 Sections 2721 to 2725, if the collection, processing,

13 sale, or disclosure is in compliance with that law;

14 (11) personal data regulated by the federal Family

15 Educational Rights and Privacy Act, United States Code,

16 Title 20, Section 1232g, and implementing regulations;

17 (12) personal data collected, processed, sold, or

18 disclosed pursuant to the federal Farm Credit Act of 1971,

19 as amended, United States Code, Title 12, Sections 2001 to

20 2279cc, and implementing regulations, Code of Federal

21 Regulations, Title 12, Part 600, if the collection,

22 processing, sale, or disclosure is in compliance with that

23 law;

24 (13) data collected or maintained:

25 (A) in the course of an individual acting as a job

26 applicant to or an employee, owner, director, officer,

10400SB0340sam002

- 15 -

LRB104 06459 JRC 37974 a

1 medical staff member, or contractor of a business if

2 the data is collected and used solely within the

3 context of the role;

4 (B) as the emergency contact information of an

5 individual under item (A) if used solely for emergency

6 contact purposes; or

7 (C) that is necessary for the business to retain

8 to administer benefits for another individual relating

9 to the individual under item (1) if used solely for the

10 purposes of administering those benefits;

11 (14) personal data collected, processed, sold, or

12 disclosed under the Illinois Insurance Code;

13 (15) data collected, processed, sold, or disclosed as

14 part of a payment-only credit, check, or cash transaction

15 where no data about consumers, as defined in Section 11,

16 are retained;

17 (16) a State or federally chartered bank or credit

18 union, or an affiliate or subsidiary that is principally

19 engaged in financial activities, as described in the

20 United States Code, Title 12, Section 1843(k);

21 (17) information that originates from, or is

22 intermingled so as to be indistinguishable from,

23 information described in clause (8) and that a person

24 collects, processes, uses, or maintains in the same manner

25 as is required under the laws and regulations specified in

26 clause (8);

10400SB0340sam002

- 16 -

LRB104 06459 JRC 37974 a

1 (18) an insurance company and an insurance producer

2 that are regulated by the State under the Illinois

3 Insurance Code, a third-party administrator of

4 self-insurance, or an affiliate or subsidiary of any

5 entity identified in this clause that is principally

6 engaged in financial activities, as described in the

7 United States Code, Title 12, Section 1843(k), except that

8 this clause does not apply to a person that, alone or in

9 combination with another person, establishes and maintains

10 a self-insurance program that does not otherwise engage in

11 the business of entering into policies of insurance;

12 (19) a small business, as defined by the United States

13 Small Business Administration under the Code of Federal

14 Regulations, Title 13, Part 121, except that a small

15 business identified in this clause is subject to Section

16 17; and

17 (20) an air carrier subject to the federal Airline

18 Deregulation Act, Public Law 95-504, only to the extent

19 that an air carrier collects personal data related to

20 prices, routes, or services and only to the extent that

21 the provisions of the Airline Deregulation Act preempt the

22 requirements of this Act.

23 Controllers that are in compliance with the Children's

24 Online Privacy Protection Act, United States Code, Title 15,

25 Sections 6501 to 6506, and implementing regulations, are

26 deemed compliant with any obligation to obtain parental

10400SB0340sam002

- 17 -

LRB104 06459 JRC 37974 a

1 consent under this Act.

2 Section 13. Responsibility according to role.

3 (a) Controllers and processors are responsible for meeting

4 the respective obligations established under this Act.

5 (b) Processors are responsible under this Act for adhering

6 to the instructions of the controller and assisting the

7 controller to meet the controller's obligations under this

8 Act. Assistance under this subsection shall include the

9 following:

10 (1) taking into account the nature of the processing,

11 the processor shall assist the controller by appropriate

12 technical and organizational measures, insofar as this is

13 possible, for the fulfillment of the controller's

14 obligation to respond to consumer requests to exercise

15 their rights under Section 14; and

16 (2) taking into account the nature of processing and

17 the information available to the processor, the processor

18 shall assist the controller in meeting the controller's

19 obligations in relation to the security of processing the

20 personal data and in relation to the notification of a

21 breach of the security of the system under the Illinois

22 Personal Information Protection Act and provide

23 information to the controller necessary to enable the

24 controller to conduct and document any data privacy and

25 protection assessments required by Section 18.

10400SB0340sam002

- 18 -

LRB104 06459 JRC 37974 a

1 (c) A contract between a controller and a processor shall

2 govern the processor's data processing procedures with respect

3 to processing performed on behalf of the controller. The

4 contract shall be binding on both parties and clearly set

5 forth instructions for processing data, the nature and purpose

6 of processing, the type of data subject to processing, the

7 duration of processing, and the rights and obligations of both

8 parties. The contract shall also require that the processor:

9 (1) ensure that each person processing the personal

10 data is subject to a duty of confidentiality with respect

11 to the data;

12 (2) engage a subcontractor only under a written

13 contract in accordance with this subsection (c) that

14 requires the subcontractor to meet the obligations of the

15 processor with respect to the personal data;

16 (3) at the choice of the controller, delete or return

17 all personal data to the controller as requested at the

18 end of the provision of services, unless retention of the

19 personal data is required by law;

20 (4) upon a reasonable request from the controller,

21 make available to the controller all information necessary

22 to demonstrate compliance with the obligations in this

23 Act; and

24 (5) allow for, and contribute to, reasonable

25 assessments and inspections by the controller or the

26 controller's designated assessor. Alternatively, the

10400SB0340sam002

- 19 -

LRB104 06459 JRC 37974 a

1 processor may arrange for a qualified and independent

2 assessor to conduct, at least annually and at the

3 processor's expense, an assessment of the processor's

4 policies and technical and organizational measures in

5 support of the obligations under this Act. The assessor

6 must use an appropriate and accepted control standard or

7 framework and assessment procedure for assessments as

8 applicable and provide a report of an assessment to the

9 controller upon request.

10 (d) Taking into account the context of processing, the

11 controller and the processor shall implement appropriate

12 technical and organizational measures to ensure a level of

13 security appropriate to the risk and establish a clear

14 allocation of the responsibilities between the controller and

15 the processor to implement the technical and organizational

16 measures.

17 (e) In no event shall any contract relieve a controller or

18 a processor from the liabilities imposed on a controller or

19 processor by virtue of the controller's or processor's roles

20 in the processing relationship under this Act.

21 (f) Determining whether a person is acting as a controller

22 or processor with respect to a specific processing of data is a

23 fact-based determination that depends upon the context in

24 which personal data are to be processed. A person that is not

25 limited in the person's processing of personal data pursuant

26 to a controller's instructions, or that fails to adhere to a

10400SB0340sam002

- 20 -

LRB104 06459 JRC 37974 a

1 controller's instructions, is a controller and not a processor

2 with respect to a specific processing of data. A processor

3 that continues to adhere to a controller's instructions with

4 respect to a specific processing of personal data remains a

5 processor. If a processor begins, alone or jointly with

6 others, determining the purposes and means of the processing

7 of personal data, the processor is a controller with respect

8 to the processing.

9 Section 14. Consumer personal data rights.

10 (a)(1) Consumer rights provided. Except as provided in

11 this Act, a controller must comply with a request to exercise

12 the consumer rights provided in this subsection (a).

13 (2) A consumer has the right to confirm whether or not a

14 controller is processing personal data concerning the consumer

15 and access the personal data the controller is processing.

16 (3) A consumer has the right to correct inaccurate

17 personal data concerning the consumer taking into account the

18 nature of the personal data and the purposes of the processing

19 of the personal data.

20 (4) A consumer has the right to delete personal data

21 concerning the consumer.

22 (5) A consumer has the right to obtain personal data

23 concerning the consumer, which the consumer previously

24 provided to the controller, in a portable and, to the extent

25 technically feasible, readily usable format that allows the

10400SB0340sam002

- 21 -

LRB104 06459 JRC 37974 a

1 consumer to transmit the data to another controller without

2 hindrance, where the processing is carried out by automated

3 means.

4 (6) A consumer has the right to opt out of the processing

5 of personal data concerning the consumer for purposes of: (i)

6 targeted advertising, (ii) the sale of personal data, or (iii)

7 profiling in furtherance of automated decisions that produce

8 legal effects concerning a consumer or similarly significant

9 effects concerning a consumer.

10 (7) A consumer has a right to obtain general descriptions

11 of categories of third parties to which the controller has

12 disclosed the consumer's personal data, unless such a list of

13 specific third parties is readily available to the controller.

14 (b)(1) Exercising consumer rights. A consumer may exercise

15 the rights set forth in subsection (a) by submitting a

16 request, at any time, to a controller specifying which rights

17 the consumer wishes to exercise.

18 (2) In the case of processing personal data concerning a

19 known child, the parent or legal guardian of the known child

20 may exercise the rights under this Act on the child's behalf.

21 (3) In the case of processing personal data concerning a

22 consumer legally subject to guardianship under the Probate Act

23 of 1975, the guardian of the consumer may exercise the rights

24 under this Act on the consumer's behalf.

25 (4) A consumer may designate another person as the

26 consumer's authorized agent to exercise the consumer's right

10400SB0340sam002

- 22 -

LRB104 06459 JRC 37974 a

1 to opt out of the processing of the consumer's personal data

2 for purposes of targeted advertising and sale under subsection

3 (c)(1) on the consumer's behalf. A consumer may designate an

4 authorized agent by way of, among other things, a technology,

5 including, but not limited to, an Internet link or a browser

6 setting, browser extension, or global device setting,

7 indicating the consumer's intent to opt out of the processing.

8 A controller shall comply with an opt-out request received

9 from an authorized agent if the controller is able to verify,

10 with commercially reasonable effort, the identity of the

11 consumer and the authorized agent's authority to act on the

12 consumer's behalf.

13 (c)(1) Universal opt-out mechanisms. A controller must

14 allow a consumer to opt out of any processing of the consumer's

15 personal data for the purposes of targeted advertising,

16 profiling in furtherance of automated decisions that produce

17 legal effects concerning the consumer or any sale of the

18 consumer's personal data through an opt-out preference signal

19 sent, with the consumer's consent, by a platform, technology,

20 or mechanism to the controller indicating the consumer's

21 intent to opt out of the processing, profiling, or sale. The

22 platform, technology, or mechanism must:

23 (A) not unfairly disadvantage another controller;

24 (B) not make use of a default setting but require the

25 consumer to make an affirmative, freely given, and

26 unambiguous choice to opt out of the processing of the

10400SB0340sam002

- 23 -

LRB104 06459 JRC 37974 a

1 consumer's personal data;

2 (C) be consumer-friendly and easy to use by the

3 average consumer;

4 (D) be as consistent as possible with any other

5 similar platform, technology, or mechanism required by any

6 federal or State law or regulation; and

7 (E) enable the controller to accurately determine

8 whether the consumer is an Illinois resident and whether

9 the consumer has made a legitimate request to opt out of

10 any sale of the consumer's personal data profiling in

11 furtherance of automated decisions that produce legal

12 effects concerning the consumer, or targeted advertising.

13 For purposes of this paragraph, the use of an Internet

14 protocol address to estimate the consumer's location is

15 sufficient to determine the consumer's residence.

16 (2) If a consumer's opt-out request is exercised through

17 the platform, technology, or mechanism required under

18 subsection (c)(1), and the request conflicts with the

19 consumer's existing controller-specific privacy setting or

20 voluntary participation in a controller's bona fide loyalty,

21 rewards, premium features, discounts, or club card program,

22 the controller must comply with the consumer's opt-out

23 preference signal but may also notify the consumer of the

24 conflict and provide the consumer a choice to confirm the

25 controller-specific privacy setting or participation in the

26 controller's program.

10400SB0340sam002

- 24 -

LRB104 06459 JRC 37974 a

1 (3) A controller that recognizes opt-out preference

2 signals that have been approved by other state laws or

3 regulations is in compliance with this subdivision.

4 (d)(1) Controller response to consumer requests. Except as

5 provided in this Act, a controller must comply with a request

6 to exercise the rights pursuant to subsection (a).

7 (2) A controller must provide one or more secure and

8 reliable means for consumers to submit a request to exercise

9 the consumer's rights under this Section. The means made

10 available must take into account the ways in which consumers

11 interact with the controller and the need for secure and

12 reliable communication of the requests.

13 (3) A controller may not require a consumer to create a new

14 account to exercise a right, but a controller may require a

15 consumer to use an existing account to exercise the consumer's

16 rights under this Section.

17 (4) A controller must comply with a request to exercise

18 the rights under this Section as soon as feasibly possible,

19 but no later than 45 days after the receipt of the request,

20 unless the controller extends the time.

21 (5) A controller must inform a consumer of any action

22 taken on a request under subsection (b) without undue delay

23 and in any event within 45 days after the receipt of the

24 request. That period may be extended once by 45 additional

25 days where reasonably necessary taking into account the

26 complexity and number of the requests. The controller must

10400SB0340sam002

- 25 -

LRB104 06459 JRC 37974 a

1 inform the consumer of any extension within the original

2 45-day window, together with the reasons for the delay.

3 (6) If a controller does not take action on a consumer's

4 request, the controller must inform the consumer without undue

5 delay and at the latest within 45 days after the receipt of the

6 request of the reasons for not taking action and instructions

7 for how to appeal the decision with the controller as

8 described in subsection (e).

9 (7) Information provided under this Section must be

10 provided by the controller free of charge up to twice annually

11 to the consumer. If requests from a consumer are manifestly

12 unfounded or excessive, in particular because of the

13 repetitive character of the requests, the controller may

14 either charge a reasonable fee to cover the administrative

15 costs of complying with the request or refuse to act on the

16 request. The controller bears the burden of demonstrating the

17 manifestly unfounded or excessive character of the request.

18 (8) A controller is not required to comply with a request

19 to exercise any of the rights under subsection (a), paragraphs

20 (2) to (5) and (8), if the controller is unable to authenticate

21 the request using commercially reasonable efforts. In such

22 cases, the controller may request the provision of additional

23 information reasonably necessary to authenticate the request.

24 A controller is not required to authenticate an opt-out

25 request, but a controller may deny an opt-out request if the

26 controller has a good faith, reasonable, and documented belief

10400SB0340sam002

- 26 -

LRB104 06459 JRC 37974 a

1 that the request is fraudulent. If a controller denies an

2 opt-out request because the controller believes a request is

3 fraudulent, the controller must notify the person who made the

4 request that the request was denied because of the

5 controller's belief that the request was fraudulent and state

6 the controller's basis for that belief.

7 (9) In response to a consumer request under subsection

8 (b), a controller must not disclose the following information

9 about a consumer but must instead inform the consumer with

10 sufficient particularity that the controller has collected

11 that type of information:

12 (A) Social Security number;

13 (B) driver's license number or other government-issued

14 identification number;

15 (C) financial account number;

16 (D) health insurance account number or medical

17 identification number;

18 (E) account password, security questions, or answers;

19 or

20 (F) biometric identifiers or information.

21 (10) In response to a consumer request under subsection

22 (b), a controller is not required to reveal any trade secret.

23 (11) A controller that has obtained personal data about a

24 consumer from a source other than the consumer may comply with

25 a consumer's request to delete the consumer's personal data

26 pursuant to subsection (a), paragraph (4), by either:

10400SB0340sam002

- 27 -

LRB104 06459 JRC 37974 a

1 (A) retaining a record of the deletion request,

2 retaining the minimum data necessary for the purpose of

3 ensuring the consumer's personal data remains deleted from

4 the business's records and not using the retained data for

5 any other purpose under the provisions of this Act; or

6 (B) opting the consumer out of the processing of

7 personal data for any purpose except for the purposes

8 exempted pursuant to the provisions of this Act.

9 (e)(1) Appeal process required. A controller must

10 establish an internal process in which a consumer may appeal a

11 refusal to take action on a request to exercise any of the

12 rights under subsection (a) within a reasonable period of time

13 after the consumer's receipt of the notice sent by the

14 controller under subsection (d), paragraph (6).

15 (2) The appeal process must be conspicuously available.

16 The process must include the ease of use provisions in

17 subsection (c)(1) applicable to submitting requests.

18 (3) Within 45 days after the receipt of an appeal, a

19 controller must inform the consumer of any action taken or not

20 taken in response to the appeal along with a written

21 explanation of the reasons in support thereof. That period may

22 be extended by 60 additional days if reasonably necessary,

23 taking into account the complexity and number of the requests

24 serving as the basis for the appeal. The controller must

25 inform the consumer of any extension within 45 days after the

26 receipt of the appeal together with the reasons for the delay.

10400SB0340sam002

- 28 -

LRB104 06459 JRC 37974 a

1 (4) When informing a consumer of any action taken or not

2 taken in response to an appeal pursuant to paragraph (3), the

3 controller must provide a written explanation of the reasons

4 for the controller's decision and clearly and prominently

5 provide the consumer with information about how to file a

6 complaint with the Attorney General. The controller must

7 maintain records of all appeals and the controller's responses

8 for at least 24 months and shall, upon written request by the

9 Attorney General as part of an investigation, compile and

10 provide a copy of the records to the Attorney General.

11 Section 15. Processing deidentified data or pseudonymous

12 data.

13 (a) This Act does not require a controller or processor to

14 do any of the following solely for purposes of complying with

15 this Act:

16 (1) reidentify deidentified data;

17 (2) maintain data in identifiable form, or collect,

18 obtain, retain, or access any data or technology, to be

19 capable of associating an authenticated consumer request

20 with personal data; or

21 (3) comply with an authenticated consumer request to

22 access, correct, delete, or port personal data under

23 Section 14, subsection (a), if all of the following are

24 true:

25 (A) the controller is not reasonably capable of

10400SB0340sam002

- 29 -

LRB104 06459 JRC 37974 a

1 associating the request with the personal data, or it

2 would be unreasonably burdensome for the controller to

3 associate the request with the personal data;

4 (B) the controller does not use the personal data

5 to recognize or respond to the specific consumer who

6 is the subject of the personal data or associate the

7 personal data with other personal data about the same

8 specific consumer; and

9 (C) the controller does not sell the personal data

10 to any third party or otherwise voluntarily disclose

11 the personal data to any third party other than a

12 processor, except as otherwise permitted in this

13 Section.

14 (b) The rights contained in paragraphs (2) to (5) and (8)

15 of subsection (a) of Section 14 do not apply to pseudonymous

16 data in cases in which the controller is able to demonstrate

17 any information necessary to identify the consumer is kept

18 separately and is subject to effective technical and

19 organizational controls that prevent the controller from

20 accessing the information.

21 (c) A controller that transfers, sells, or otherwise

22 discloses pseudonymous data or deidentified data must exercise

23 reasonable oversight to monitor compliance with any

24 contractual commitments to which the pseudonymous data or

25 deidentified data are subject, and must take appropriate steps

26 to address any breaches of contractual commitments.

10400SB0340sam002

- 30 -

LRB104 06459 JRC 37974 a

1 (d) A processor or third party must not attempt to

2 identify the subjects of deidentified or pseudonymous data

3 without the express authority of the controller that caused

4 the data to be deidentified or pseudonymized.

5 (e) A controller, processor, or third party must not

6 attempt to identify the subjects of data that has been

7 collected with only pseudonymous identifiers.

8 Section 16. Responsibilities of controllers.

9 (a)(1) Transparency obligations. Controllers must provide

10 consumers with a reasonably accessible, clear, and meaningful

11 privacy notice that includes:

12 (A) the categories of personal data processed by the

13 controller;

14 (B) the purposes for which the categories of personal

15 data are processed;

16 (C) an explanation of the rights contained in Section

17 14 and how and where consumers may exercise those rights,

18 including how a consumer may appeal a controller's action

19 with regard to the consumer's request;

20 (D) the categories of personal data that the

21 controller sells to or shares with third parties, if any;

22 (E) the categories of third parties, if any, with whom

23 the controller sells or shares personal data;

24 (F) the controller's contact information, including an

25 active email address or other online mechanism that the

10400SB0340sam002

- 31 -

LRB104 06459 JRC 37974 a

1 consumer may use to contact the controller;

2 (G) a description of the controller's retention

3 policies for personal data; and

4 (H) the date the privacy notice was last updated.

5 (2) If a controller sells personal data to third parties,

6 processes personal data for targeted advertising, or engages

7 in profiling in furtherance of decisions that produce legal

8 effects concerning a consumer or similarly significant effects

9 concerning a consumer, the controller must disclose the

10 processing in the privacy notice and provide access to a clear

11 and conspicuous method outside the privacy notice for a

12 consumer to opt out of the sale, processing, or profiling in

13 furtherance of decisions that produce legal effects concerning

14 a consumer or similarly significant effects concerning a

15 consumer. This method may include but is not limited to an

16 Internet hyperlink clearly labeled "Your Opt-Out Rights" or

17 "Your Privacy Rights" that directly effectuates the opt-out

18 request or takes consumers to a web page where the consumer can

19 make the opt-out request.

20 (3) The privacy notice must be made available to the

21 public in each language in which the controller provides a

22 product or service that is subject to the privacy notice or

23 carries out activities related to the product or service.

24 (4) The controller must provide the privacy notice in a

25 manner that is reasonably accessible to and usable by

26 individuals with disabilities.

10400SB0340sam002

- 32 -

LRB104 06459 JRC 37974 a

1 (5) Whenever a controller makes a material change to the

2 controller's privacy notice or practices, the controller must

3 notify consumers affected by the material change with respect

4 to any prospectively collected personal data and provide a

5 reasonable opportunity for consumers to withdraw consent to

6 any further materially different collection, processing, or

7 transfer of previously collected personal data under the

8 changed policy. The controller shall take all reasonable

9 electronic measures to provide notification regarding material

10 changes to affected consumers, taking into account available

11 technology and the nature of the relationship.

12 (6) A controller is not required to provide a separate

13 Illinois-specific privacy notice or section of a privacy

14 notice if the controller's general privacy notice contains all

15 the information required by this Section.

16 (7) The privacy notice must be posted online through a

17 conspicuous hyperlink using the word "privacy" on the

18 controller's website home page or on a mobile application's

19 app store page or download page. A controller that maintains

20 an application on a mobile or other device shall also include a

21 hyperlink to the privacy notice in the application's settings

22 menu or in a similarly conspicuous and accessible location. A

23 controller that does not operate a website shall make the

24 privacy notice conspicuously available to consumers through a

25 medium regularly used by the controller to interact with

26 consumers, including, but not limited to, mail.

10400SB0340sam002

- 33 -

LRB104 06459 JRC 37974 a

1 (b)(1) Use of data. A controller shall:

2 (A) limit the collection of personal data to what is

3 adequate, relevant, and reasonably necessary in relation

4 to the purposes for which the data are processed, which

5 must be disclosed to the consumer;

6 (B) not collect, process, or share sensitive data

7 concerning a consumer except when such collection,

8 processing, or transfer is strictly necessary to provide

9 or maintain a specific product or service requested by the

10 consumer to whom the sensitive data pertains. For purposes

11 of this Act, the collection and processing of specific

12 geolocation data or personal data to provide

13 transportation services by private entities regulated

14 under the Transportation Network Providers Act, is

15 strictly necessary to the extent that the private entity

16 uses the geolocation data or personal data for the sole

17 purpose of providing a service requested by the individual

18 or the use is otherwise consistent with that individual's

19 reasonable expectations considering the context in which

20 the individual provided the geolocation information to the

21 private entity. For purposes of this Act, the collection,

22 processing, and sharing of biometric identifiers and

23 information must be done in accordance with the

24 requirements of the Biometric Information Privacy Act. For

25 purposes of this Act, the collection, processing, and

26 sharing of genetic information must be done in accordance

10400SB0340sam002

- 34 -

LRB104 06459 JRC 37974 a

1 with the Genetic Information Privacy Act. For purposes of

2 this Act, the collection, processing, and sharing of

3 students' covered information must be done in accordance

4 with the Student Online Personal Protection Act; and

5 (C) not sell sensitive data.

6 (2) Except as provided in this Act, a controller may not

7 process personal data for purposes that are not reasonably

8 necessary to, or compatible with, the purposes for which the

9 personal data are processed, as disclosed to the consumer,

10 unless the controller obtains the consumer's consent.

11 (3) A controller shall establish, implement, and maintain

12 reasonable administrative, technical, and physical data

13 security practices to protect the confidentiality, integrity,

14 and accessibility of personal data, including the maintenance

15 of an inventory of the data that must be managed to exercise

16 these responsibilities. The data security practices shall be

17 appropriate to the volume and nature of the personal data at

18 issue.

19 (4) Except as otherwise provided in this Act, a controller

20 may not process sensitive data concerning a consumer without

21 obtaining the consumer's consent, or, in the case of the

22 processing of personal data concerning a known child, without

23 obtaining consent from the child's parent or lawful guardian,

24 in accordance with the requirement of the Children's Online

25 Privacy Protection Act, United States Code, Title 15, Sections

26 6501 to 6506, and its implementing regulations. A controller

10400SB0340sam002

- 35 -

LRB104 06459 JRC 37974 a

1 must follow the requirements of the Biometric Information

2 Privacy Act and the Genetic Information Privacy Act for

3 information covered by those Acts.

4 (5) A controller shall provide an effective mechanism for

5 a consumer, or, in the case of the processing of personal data

6 concerning a known child, the child's parent or lawful

7 guardian, to withdraw previously given consent under this

8 subsection. The mechanism provided shall be at least as easy

9 as the mechanism by which the consent was previously given.

10 Upon revocation of consent, a controller shall cease to

11 process the applicable data as soon as practicable, but no

12 later than 15 days after the receipt of the request.

13 (6) A controller may not process the personal data of a

14 consumer for purposes of targeted advertising, or sell the

15 consumer's personal data, without the consumer's consent,

16 under circumstances in which the controller knows that the

17 consumer is between the ages of 13 and 16.

18 (7) A controller may not retain personal data that is no

19 longer relevant and reasonably necessary in relation to the

20 purposes for which the data were collected and processed,

21 unless retention of the data is otherwise required by law or

22 permitted under Section 19 and in accordance with the

23 Biometric Information Privacy Act.

24 (c)(1) Nondiscrimination. A controller shall not process

25 personal data on the basis of a consumer's or a class of

26 consumers' actual or perceived race, color, ethnicity,

10400SB0340sam002

- 36 -

LRB104 06459 JRC 37974 a

1 religion, national origin, sex, gender, gender identity,

2 sexual orientation, familial status, lawful source of income,

3 or disability in a manner that unlawfully discriminates

4 against the consumer or class of consumers.

5 (2) A controller may not discriminate against a consumer

6 for exercising any of the rights contained in this Act,

7 including denying goods or services to the consumer, charging

8 different prices or rates for goods or services, and providing

9 a different level of quality of goods and services to the

10 consumer. This subsection does not: (i) require a controller

11 to provide a good or service that requires the consumer's

12 personal data that the controller does not collect or

13 maintain; or (ii) prohibit a controller from offering a

14 different price, rate, level, quality, or selection of goods

15 or services to a consumer, including offering goods or

16 services for no fee, if the offering is in connection with a

17 consumer's voluntary participation in a bona fide loyalty,

18 rewards, premium features, discounts, or club card program if

19 that difference is reasonably related to the value provided to

20 the business by the consumer's data.

21 (d) Waiver of rights unenforceable. Any provision of a

22 contract or agreement of any kind that purports to waive or

23 limit in any way a consumer's rights under this Act is contrary

24 to public policy and is void and unenforceable.

25 Section 17. Requirements for small businesses.

10400SB0340sam002

- 37 -

LRB104 06459 JRC 37974 a

1 (a) A small business, as defined by the United States

2 Small Business Administration under the Code of Federal

3 Regulations, Title 13, Part 121, that conducts business in

4 Illinois or produces products or services that are targeted to

5 Illinois residents must not sell a consumer's sensitive data.

6 (b) Penalties and enforcement procedures under Section 20

7 apply to a small business that violates this Section.

8 Section 18. Data privacy policies; data privacy and

9 protection assessments.

10 (a) A controller must document and maintain a description

11 of the policies and procedures the controller has adopted to

12 comply with this Act. The description must include, where

13 applicable:

14 (1) the name and contact information for the

15 controller's chief privacy officer or other individual

16 with primary responsibility for directing the policies and

17 procedures implemented to comply with the provisions of

18 this Act; and

19 (2) a description of the controller's data privacy

20 policies and procedures that reflect the requirements in

21 Section 16, and any policies and procedures designed to:

22 (i) reflect the requirements of this Act in the

23 design of the controller's systems;

24 (ii) identify and provide personal data to a

25 consumer as required by this Act;

10400SB0340sam002

- 38 -

LRB104 06459 JRC 37974 a

1 (iii) establish, implement, and maintain

2 reasonable administrative, technical, and physical

3 data security practices to protect the

4 confidentiality, integrity, and accessibility of

5 personal data, including the maintenance of an

6 inventory of the data that must be managed to exercise

7 the responsibilities under this item;

8 (iv) limit the collection of personal data to what

9 is adequate, relevant, and reasonably necessary in

10 relation to the purposes for which the data are

11 processed;

12 (v) prevent the retention of personal data that is

13 no longer relevant and reasonably necessary in

14 relation to the purposes for which the data were

15 collected and processed, unless retention of the data

16 is otherwise required by law or permitted under

17 Section 19 and in accordance with the Biometric

18 Information Privacy Act; and

19 (vi) identify and remediate violations of this

20 Act.

21 (b) A controller must conduct and document a data privacy

22 and protection assessment for each of the following processing

23 activities involving personal data:

24 (1) the processing of personal data for purposes of

25 targeted advertising;

26 (2) the sale of personal data;

10400SB0340sam002

- 39 -

LRB104 06459 JRC 37974 a

1 (3) the processing of sensitive data;

2 (4) any processing activities involving personal data

3 that present a heightened risk of harm to consumers; and

4 (5) the processing of personal data for purposes of

5 profiling, where the profiling presents a reasonably

6 foreseeable risk of:

7 (i) unfair or deceptive treatment of, or disparate

8 impact on, consumers;

9 (ii) financial, physical, or reputational injury

10 to consumers;

11 (iii) a physical or other intrusion upon the

12 solitude or seclusion, or the private affairs or

13 concerns, of consumers, where the intrusion would be

14 offensive to a reasonable person; or

15 (iv) other substantial injury to consumers.

16 (c) A data privacy and protection assessment must take

17 into account the type of personal data to be processed by the

18 controller, including the extent to which the personal data

19 are sensitive data, and the context in which the personal data

20 are to be processed.

21 (d) A data privacy and protection assessment must identify

22 and weigh the benefits that may flow directly and indirectly

23 from the processing to the controller, consumer, other

24 stakeholders, and the public against the potential risks to

25 the rights of the consumer associated with the processing, as

26 mitigated by safeguards that can be employed by the controller

10400SB0340sam002

- 40 -

LRB104 06459 JRC 37974 a

1 to reduce the potential risks. The use of deidentified data

2 and the reasonable expectations of consumers, as well as the

3 context of the processing and the relationship between the

4 controller and the consumer whose personal data will be

5 processed, must be factored into this assessment by the

6 controller.

7 (e) A data privacy and protection assessment must include

8 the description of policies and procedures required by

9 subsection (a).

10 (f) As part of a subpoena, the Attorney General or State's

11 Attorneys may request, in writing, that a controller disclose

12 any data privacy and protection assessment that is relevant to

13 an investigation conducted by the Attorney General or State's

14 Attorneys. The controller must make a data privacy and

15 protection assessment available to the Attorney General or

16 State's Attorneys upon a request made under this subsection.

17 The Attorney General or State's Attorneys may evaluate the

18 data privacy and protection assessments for compliance with

19 this Act. Data privacy and protection assessments are

20 nonpublic data that is required by State or federal law that

21 is: (1) not about an individual; (2) not accessible by the

22 general public; and (3) accessible by the subject of the data.

23 The disclosure of a data privacy and protection assessment

24 under a request from the Attorney General or State's Attorneys

25 under this subsection does not constitute a waiver of the

26 attorney-client privilege or work product protection with

10400SB0340sam002

- 41 -

LRB104 06459 JRC 37974 a

1 respect to the assessment and any information contained in the

2 assessment.

3 (g) Data privacy and protection assessments or risk

4 assessments conducted by a controller for the purpose of

5 compliance with other laws or regulations may qualify under

6 this Section if the assessments have a similar scope and

7 effect.

8 (h) A single data protection assessment may address

9 multiple sets of comparable processing operations that include

10 similar activities.

11 Section 19. Limitations and applicability.

12 (a) The obligations imposed on controllers or processors

13 under this Act do not restrict a controller's or a processor's

14 ability to:

15 (1) comply with federal, State, or local laws, rules,

16 or regulations, including, but not limited to, data

17 retention requirements in State or federal law

18 notwithstanding a consumer's request to delete personal

19 data;

20 (2) comply with a civil, criminal, or regulatory

21 inquiry, investigation, subpoena, or summons by federal,

22 State, local, or other governmental authorities;

23 (3) cooperate with law enforcement agencies concerning

24 conduct or activity that the controller or processor

25 reasonably and in good faith believes may violate federal,

10400SB0340sam002

- 42 -

LRB104 06459 JRC 37974 a

1 State, or local laws, rules, or regulations;

2 (4) investigate, establish, exercise, prepare for, or

3 defend legal claims;

4 (5) provide a product or service specifically

5 requested by a consumer; perform a contract to which the

6 consumer is a party, including fulfilling the terms of a

7 written warranty; or take steps at the request of the

8 consumer prior to entering into a contract;

9 (6) take immediate steps to protect an interest that

10 is essential for the life or physical safety of the

11 consumer or of another natural person, and if the

12 processing cannot be manifestly based on another legal

13 basis;

14 (7) prevent, detect, protect against, or respond to

15 security incidents, identity theft, fraud, harassment,

16 malicious or deceptive activities, or any illegal

17 activity; preserve the integrity or security of systems;

18 or investigate, report, or prosecute those responsible for

19 any such action;

20 (8) assist another controller, processor, or third

21 party with any of the obligations under this subsection;

22 (9) engage in public or peer-reviewed scientific,

23 historical, or statistical research in the public interest

24 that adheres to all other applicable ethics and privacy

25 laws and is approved, monitored, and governed by an

26 institutional review board, human subjects research ethics

10400SB0340sam002

- 43 -

LRB104 06459 JRC 37974 a

1 review board, or a similar independent oversight entity

2 that has determined:

3 (A) the research is likely to provide substantial

4 benefits that do not exclusively accrue to the

5 controller;

6 (B) the expected benefits of the research outweigh

7 the privacy risks; and

8 (C) the controller has implemented reasonable

9 safeguards to mitigate privacy risks associated with

10 research, including any risks associated with

11 reidentification; or

12 (10) process personal data for the benefit of the

13 public in the areas of public health, community health, or

14 population health, but only to the extent that the

15 processing is:

16 (A) subject to suitable and specific measures to

17 safeguard the rights of the consumer whose personal

18 data is being processed; and

19 (B) under the responsibility of a professional

20 individual who is subject to confidentiality

21 obligations under federal, State, or local law.

22 (b) The obligations imposed on controllers or processors

23 under this Act do not restrict a controller's or processor's

24 ability to collect, use, or retain data to:

25 (1) effectuate a product recall or identify and repair

26 technical errors that impair existing or intended

10400SB0340sam002

- 44 -

LRB104 06459 JRC 37974 a

1 functionality;

2 (2) perform internal operations that are reasonably

3 aligned with the expectations of the consumer based on the

4 consumer's existing relationship with the controller, or

5 are otherwise compatible with processing in furtherance of

6 the provision of a product or service specifically

7 requested by a consumer or the performance of a contract

8 to which the consumer is a party; or

9 (3) conduct internal research to develop, improve, or

10 repair products, services, or technology.

11 (c) The obligations imposed on controllers or processors

12 under this Act do not apply if compliance by the controller or

13 processor with this Act would violate an evidentiary privilege

14 under Illinois law and do not prevent a controller or

15 processor from providing personal data concerning a consumer

16 to a person covered by an evidentiary privilege under Illinois

17 law as part of a privileged communication.

18 (d) A controller or processor that discloses personal data

19 to a third-party controller or processor in compliance with

20 the requirements of this Act is not in violation of this Act if

21 the recipient processes the personal data in violation of this

22 Act, provided that at the time of disclosing the personal

23 data, the disclosing controller or processor did not have

24 actual knowledge that the recipient intended to commit a

25 violation. A third-party controller or processor receiving

26 personal data from a controller or processor in compliance

10400SB0340sam002

- 45 -

LRB104 06459 JRC 37974 a

1 with the requirements of this Act is not in violation of this

2 Act for the obligations of the controller or processor from

3 which the third-party controller or processor receives the

4 personal data.

5 (e) Obligations imposed on controllers and processors

6 under this Act shall not:

7 (1) adversely affect the rights or freedoms of any

8 persons, including exercising the right of free speech

9 pursuant to the First Amendment of the United States

10 Constitution; or

11 (2) apply to the processing of personal data by a

12 natural person in the course of a purely personal or

13 household activity.

14 (f) Personal data that are processed by a controller

15 pursuant to this Section may be processed solely to the extent

16 that the processing is:

17 (1) necessary, reasonable, and proportionate to the

18 purposes listed in this Section;

19 (2) adequate, relevant, and limited to what is

20 necessary in relation to the specific purpose or purposes

21 listed in this Section; and

22 (3) insofar as possible, taking into account the

23 nature and purpose of processing the personal data,

24 subjected to reasonable administrative, technical, and

25 physical measures to protect the confidentiality,

26 integrity, and accessibility of the personal data, and to

10400SB0340sam002

- 46 -

LRB104 06459 JRC 37974 a

1 reduce reasonably foreseeable risks of harm to consumers.

2 (g) If a controller processes personal data pursuant to an

3 exemption in this Section, the controller bears the burden of

4 demonstrating that the processing qualifies for the exemption

5 and complies with the requirements in subsection (f).

6 (h) Processing personal data solely for the purposes

7 expressly identified in subsection (a), clauses (1) to (7),

8 does not, by itself, make an entity a controller with respect

9 to the processing.

10 Section 20. Enforcement.

11 (a) If a controller or processor violates this Act, the

12 Attorney General or the State's Attorney of any county in this

13 State, before filing an enforcement action under subsection

14 (b), must provide the controller or processor with a warning

15 letter identifying the specific provisions of this Act the

16 Attorney General or State's Attorney alleges have been or are

17 being violated. If, after 30 days of issuance of the warning

18 letter, the Attorney General or State's Attorney believes the

19 controller or processor has failed to cure any alleged

20 violation, the Attorney General or State's Attorney may bring

21 an enforcement action under subsection (b). This subsection

22 becomes inoperative January 1, 2029.

23 (b) The Attorney General or the State's Attorney of any

24 county in this State may bring an action in the name of the

25 People of this State against any person to restrain and

10400SB0340sam002

- 47 -

LRB104 06459 JRC 37974 a

1 prevent any pattern or practice in violation of this Act.

2 (c) A violation of this Act constitutes an unlawful

3 practice under the Consumer Fraud and Deceptive Business

4 Practices Act. All remedies, penalties, and authority granted

5 to the Attorney General or the State's Attorney by the

6 Consumer Fraud and Deceptive Business Practices Act are

7 available to the Attorney General or the State's Attorney for

8 the enforcement of this Act.

9 (d) Any civil penalties collected from the enforcement of

10 this Act shall be deposited into the Attorney General Court

11 Ordered and Voluntary Compliance Payment Projects Fund if the

12 Attorney General commenced the action or distributed to the

13 county in which the State's Attorney commenced the action and

14 deposited into a special fund in the county treasury and

15 appropriated to the State's Attorney for use in accordance

16 with law.

17 (e) Nothing in this Act shall be construed to establish a

18 private right of action associated with violations of this

19 Act.

20 (f) Nothing in this Act shall be construed to preempt the

21 enforcement provisions in the Biometric Information Privacy

22 Act or the Genetic Information Privacy Act.

23 Section 95. Home rule. A unit of local government,

24 including a home rule unit, may not regulate consumer data

25 privacy. This Section is a denial and limitation of home rule

10400SB0340sam002

- 48 -

LRB104 06459 JRC 37974 a

1 powers and functions under subsection (g) of Section 6 of

2 Article VII of the Illinois Constitution.

3 Section 97. Severability. If any provision of this Act or

4 its application to any person or circumstance is held invalid,

5 the invalidity of that provision or application does not

6 affect other provisions or applications of this Act that can

7 be given effect without the invalid provision or application.

8 Section 900. The Freedom of Information Act is amended by

9 changing Section 7.5 as follows:

10 (5 ILCS 140/7.5)

11 (Text of Section before amendment by P.A. 104-441 and

12 104-457)

13 Sec. 7.5. Statutory exemptions. To the extent provided for

14 by the statutes referenced below, the following shall be

15 exempt from inspection and copying:

16 (a) All information determined to be confidential

17 under Section 4002 of the Technology Advancement and

18 Development Act.

19 (b) Library circulation and order records identifying

20 library users with specific materials under the Library

21 Records Confidentiality Act.

22 (c) Applications, related documents, and medical

23 records received by the Experimental Organ Transplantation

10400SB0340sam002

- 49 -

LRB104 06459 JRC 37974 a

1 Procedures Board and any and all documents or other

2 records prepared by the Experimental Organ Transplantation

3 Procedures Board or its staff relating to applications it

4 has received.

5 (d) Information and records held by the Department of

6 Public Health and its authorized representatives relating

7 to known or suspected cases of sexually transmitted

8 infection or any information the disclosure of which is

9 restricted under the Illinois Sexually Transmitted

10 Infection Control Act.

11 (e) Information the disclosure of which is exempted

12 under Section 30 of the Radon Industry Licensing Act.

13 (f) Firm performance evaluations under Section 55 of

14 the Architectural, Engineering, and Land Surveying

15 Qualifications Based Selection Act.

16 (g) Information the disclosure of which is restricted

17 and exempted under Section 50 of the Illinois Prepaid

18 Tuition Act.

19 (h) Information the disclosure of which is exempted

20 under the State Officials and Employees Ethics Act, and

21 records of any lawfully created State or local inspector

22 general's office that would be exempt if created or

23 obtained by an Executive Inspector General's office under

24 that Act.

25 (i) Information contained in a local emergency energy

26 plan submitted to a municipality in accordance with a

10400SB0340sam002

- 50 -

LRB104 06459 JRC 37974 a

1 local emergency energy plan ordinance that is adopted

2 under Section 11-21.5-5 of the Illinois Municipal Code.

3 (j) Information and data concerning the distribution

4 of surcharge moneys collected and remitted by carriers

5 under the Emergency Telephone System Act.

6 (k) Law enforcement officer identification information

7 or driver identification information compiled by a law

8 enforcement agency or the Department of Transportation

9 under Section 11-212 of the Illinois Vehicle Code.

10 (l) Records and information provided to a residential

11 health care facility resident sexual assault and death

12 review team or the Executive Council under the Abuse

13 Prevention Review Team Act.

14 (m) Information provided to the predatory lending

15 database created pursuant to Article 3 of the Residential

16 Real Property Disclosure Act, except to the extent

17 authorized under that Article.

18 (n) Defense budgets and petitions for certification of

19 compensation and expenses for court appointed trial

20 counsel as provided under Sections 10 and 15 of the

21 Capital Crimes Litigation Act (repealed). This subsection

22 (n) shall apply until the conclusion of the trial of the

23 case, even if the prosecution chooses not to pursue the

24 death penalty prior to trial or sentencing.

25 (o) Information that is prohibited from being

26 disclosed under Section 4 of the Illinois Health and

10400SB0340sam002

- 51 -

LRB104 06459 JRC 37974 a

1 Hazardous Substances Registry Act.

2 (p) Security portions of system safety program plans,

3 investigation reports, surveys, schedules, lists, data, or

4 information compiled, collected, or prepared by or for the

5 Department of Transportation under Sections 2705-300 and

6 2705-616 of the Department of Transportation Law of the

7 Civil Administrative Code of Illinois, the Regional

8 Transportation Authority under Section 2.11 of the

9 Regional Transportation Authority Act, or the St. Clair

10 County Transit District under the Bi-State Transit Safety

11 Act (repealed).

12 (q) Information prohibited from being disclosed by the

13 Personnel Record Review Act.

14 (r) Information prohibited from being disclosed by the

15 Illinois School Student Records Act.

16 (s) Information the disclosure of which is restricted

17 under Section 5-108 of the Public Utilities Act.

18 (t) (Blank).

19 (u) Records and information provided to an independent

20 team of experts under the Developmental Disability and

21 Mental Health Safety Act (also known as Brian's Law).

22 (v) Names and information of people who have applied

23 for or received Firearm Owner's Identification Cards under

24 the Firearm Owners Identification Card Act or applied for

25 or received a concealed carry license under the Firearm

26 Concealed Carry Act, unless otherwise authorized by the

10400SB0340sam002

- 52 -

LRB104 06459 JRC 37974 a

1 Firearm Concealed Carry Act; and databases under the

2 Firearm Concealed Carry Act, records of the Concealed

3 Carry Licensing Review Board under the Firearm Concealed

4 Carry Act, and law enforcement agency objections under the

5 Firearm Concealed Carry Act.

6 (v-5) Records of the Firearm Owner's Identification

7 Card Review Board that are exempted from disclosure under

8 Section 10 of the Firearm Owners Identification Card Act.

9 (w) Personally identifiable information which is

10 exempted from disclosure under subsection (g) of Section

11 19.1 of the Toll Highway Act.

12 (x) Information which is exempted from disclosure

13 under Section 5-1014.3 of the Counties Code or Section

14 8-11-21 of the Illinois Municipal Code.

15 (y) Confidential information under the Adult

16 Protective Services Act and its predecessor enabling

17 statute, the Elder Abuse and Neglect Act, including

18 information about the identity and administrative finding

19 against any caregiver of a verified and substantiated

20 decision of abuse, neglect, or financial exploitation of

21 an eligible adult maintained in the Registry established

22 under Section 7.5 of the Adult Protective Services Act.

23 (z) Records and information provided to a fatality

24 review team or the Illinois Fatality Review Team Advisory

25 Council under Section 15 of the Adult Protective Services

26 Act.

10400SB0340sam002

- 53 -

LRB104 06459 JRC 37974 a

1 (aa) Information which is exempted from disclosure

2 under Section 2.37 of the Wildlife Code.

3 (bb) Information which is or was prohibited from

4 disclosure by the Juvenile Court Act of 1987.

5 (cc) Recordings made under the Law Enforcement

6 Officer-Worn Body Camera Act, except to the extent

7 authorized under that Act.

8 (dd) Information that is prohibited from being

9 disclosed under Section 45 of the Condominium and Common

10 Interest Community Ombudsperson Act.

11 (ee) Information that is exempted from disclosure

12 under Section 30.1 of the Pharmacy Practice Act.

13 (ff) Information that is exempted from disclosure

14 under the Revised Uniform Unclaimed Property Act.

15 (gg) Information that is prohibited from being

16 disclosed under Section 7-603.5 of the Illinois Vehicle

17 Code.

18 (hh) Records that are exempt from disclosure under

19 Section 1A-16.7 of the Election Code.

20 (ii) Information which is exempted from disclosure

21 under Section 2505-800 of the Department of Revenue Law of

22 the Civil Administrative Code of Illinois.

23 (jj) Information and reports that are required to be

24 submitted to the Department of Labor by registering day

25 and temporary labor service agencies but are exempt from

26 disclosure under subsection (a-1) of Section 45 of the Day

10400SB0340sam002

- 54 -

LRB104 06459 JRC 37974 a

1 and Temporary Labor Services Act.

2 (kk) Information prohibited from disclosure under the

3 Seizure and Forfeiture Reporting Act.

4 (ll) Information the disclosure of which is restricted

5 and exempted under Section 5-30.8 of the Illinois Public

6 Aid Code.

7 (mm) Records that are exempt from disclosure under

8 Section 4.2 of the Crime Victims Compensation Act.

9 (nn) Information that is exempt from disclosure under

10 Section 70 of the Higher Education Student Assistance Act.

11 (oo) Communications, notes, records, and reports

12 arising out of a peer support counseling session

13 prohibited from disclosure under the First Responders

14 Suicide Prevention Act.

15 (pp) Names and all identifying information relating to

16 an employee of an emergency services provider or law

17 enforcement agency under the First Responders Suicide

18 Prevention Act.

19 (qq) Information and records held by the Department of

20 Public Health and its authorized representatives collected

21 under the Reproductive Health Act.

22 (rr) Information that is exempt from disclosure under

23 the Cannabis Regulation and Tax Act.

24 (ss) Data reported by an employer to the Department of

25 Human Rights pursuant to Section 2-108 of the Illinois

26 Human Rights Act.

10400SB0340sam002

- 55 -

LRB104 06459 JRC 37974 a

1 (tt) Recordings made under the Children's Advocacy

2 Center Act, except to the extent authorized under that

3 Act.

4 (uu) Information that is exempt from disclosure under

5 Section 50 of the Sexual Assault Evidence Submission Act.

6 (vv) Information that is exempt from disclosure under

7 subsections (f) and (j) of Section 5-36 of the Illinois

8 Public Aid Code.

9 (ww) Information that is exempt from disclosure under

10 Section 16.8 of the State Treasurer Act.

11 (xx) Information that is exempt from disclosure or

12 information that shall not be made public under the

13 Illinois Insurance Code.

14 (yy) Information prohibited from being disclosed under

15 the Illinois Educational Labor Relations Act.

16 (zz) Information prohibited from being disclosed under

17 the Illinois Public Labor Relations Act.

18 (aaa) Information prohibited from being disclosed

19 under Section 1-167 of the Illinois Pension Code.

20 (bbb) Information that is prohibited from disclosure

21 by the Illinois Police Training Act and the Illinois State

22 Police Act.

23 (ccc) Records exempt from disclosure under Section

24 2605-304 of the Illinois State Police Law of the Civil

25 Administrative Code of Illinois.

26 (ddd) Information prohibited from being disclosed

10400SB0340sam002

- 56 -

LRB104 06459 JRC 37974 a

1 under Section 35 of the Address Confidentiality for

2 Victims of Domestic Violence, Sexual Assault, Human

3 Trafficking, or Stalking Act.

4 (eee) Information prohibited from being disclosed

5 under subsection (b) of Section 75 of the Domestic

6 Violence Fatality Review Act.

7 (fff) Images from cameras under the Expressway Camera

8 Act and all automated license plate reader (ALPR)

9 information used and collected by the Illinois State

10 Police. "ALPR information" means information gathered by

11 an ALPR or created from the analysis of data generated by

12 an ALPR. This subsection (fff) is inoperative on and after

13 July 1, 2028.

14 (ggg) Information prohibited from disclosure under

15 paragraph (3) of subsection (a) of Section 14 of the Nurse

16 Agency Licensing Act.

17 (hhh) Information submitted to the Illinois State

18 Police in an affidavit or application for an assault

19 weapon endorsement, assault weapon attachment endorsement,

20 .50 caliber rifle endorsement, or .50 caliber cartridge

21 endorsement under the Firearm Owners Identification Card

22 Act.

23 (iii) Data exempt from disclosure under Section 50 of

24 the School Safety Drill Act.

25 (jjj) Information exempt from disclosure under Section

26 30 of the Insurance Data Security Law.

10400SB0340sam002

- 57 -

LRB104 06459 JRC 37974 a

1 (kkk) Confidential business information prohibited

2 from disclosure under Section 45 of the Paint Stewardship

3 Act.

4 (lll) Data exempt from disclosure under Section

5 2-3.196 of the School Code.

6 (mmm) Information prohibited from being disclosed

7 under subsection (e) of Section 1-129 of the Illinois

8 Power Agency Act.

9 (nnn) Materials received by the Department of Commerce

10 and Economic Opportunity that are confidential under the

11 Music and Musicians Tax Credit and Jobs Act.

12 (ooo) Data or information provided pursuant to Section

13 20 of the Statewide Recycling Needs and Assessment Act.

14 (ppp) Information that is exempt from disclosure under

15 Section 28-11 of the Lawful Health Care Activity Act.

16 (qqq) Information that is exempt from disclosure under

17 Section 7-101 of the Illinois Human Rights Act.

18 (rrr) Information prohibited from being disclosed

19 under Section 4-2 of the Uniform Money Transmission

20 Modernization Act.

21 (sss) Information exempt from disclosure under Section

22 40 of the Student-Athlete Endorsement Rights Act.

23 (ttt) Audio recordings made under Section 30 of the

24 Illinois State Police Act, except to the extent authorized

25 under that Section.

26 (uuu) Information prohibited from being disclosed

10400SB0340sam002

- 58 -

LRB104 06459 JRC 37974 a

1 under Section 30-5 of the Digital Assets Regulation Act.

2 (www) Data privacy and protection assessments made

3 available to the Attorney General under Section 18 of the

4 Illinois Consumer Data Privacy Act.

5 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

6 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

7 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

8 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

9 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

10 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

11 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

12 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised

13 9-10-25.)

14 (Text of Section after amendment by P.A. 104-457 but

15 before 104-441)

16 Sec. 7.5. Statutory exemptions. To the extent provided for

17 by the statutes referenced below, the following shall be

18 exempt from inspection and copying:

19 (a) All information determined to be confidential

20 under Section 4002 of the Technology Advancement and

21 Development Act.

22 (b) Library circulation and order records identifying

23 library users with specific materials under the Library

24 Records Confidentiality Act.

25 (c) Applications, related documents, and medical

10400SB0340sam002

- 59 -

LRB104 06459 JRC 37974 a

1 records received by the Experimental Organ Transplantation

2 Procedures Board and any and all documents or other

3 records prepared by the Experimental Organ Transplantation

4 Procedures Board or its staff relating to applications it

5 has received.

6 (d) Information and records held by the Department of

7 Public Health and its authorized representatives relating

8 to known or suspected cases of sexually transmitted

9 infection or any information the disclosure of which is

10 restricted under the Illinois Sexually Transmitted

11 Infection Control Act.

12 (e) Information the disclosure of which is exempted

13 under Section 30 of the Radon Industry Licensing Act.

14 (f) Firm performance evaluations under Section 55 of

15 the Architectural, Engineering, and Land Surveying

16 Qualifications Based Selection Act.

17 (g) Information the disclosure of which is restricted

18 and exempted under Section 50 of the Illinois Prepaid

19 Tuition Act.

20 (h) Information the disclosure of which is exempted

21 under the State Officials and Employees Ethics Act, and

22 records of any lawfully created State or local inspector

23 general's office that would be exempt if created or

24 obtained by an Executive Inspector General's office under

25 that Act.

26 (i) Information contained in a local emergency energy

10400SB0340sam002

- 60 -

LRB104 06459 JRC 37974 a

1 plan submitted to a municipality in accordance with a

2 local emergency energy plan ordinance that is adopted

3 under Section 11-21.5-5 of the Illinois Municipal Code.

4 (j) Information and data concerning the distribution

5 of surcharge moneys collected and remitted by carriers

6 under the Emergency Telephone System Act.

7 (k) Law enforcement officer identification information

8 or driver identification information compiled by a law

9 enforcement agency or the Department of Transportation

10 under Section 11-212 of the Illinois Vehicle Code.

11 (l) Records and information provided to a residential

12 health care facility resident sexual assault and death

13 review team or the Executive Council under the Abuse

14 Prevention Review Team Act.

15 (m) Information provided to the predatory lending

16 database created pursuant to Article 3 of the Residential

17 Real Property Disclosure Act, except to the extent

18 authorized under that Article.

19 (n) Defense budgets and petitions for certification of

20 compensation and expenses for court appointed trial

21 counsel as provided under Sections 10 and 15 of the

22 Capital Crimes Litigation Act (repealed). This subsection

23 (n) shall apply until the conclusion of the trial of the

24 case, even if the prosecution chooses not to pursue the

25 death penalty prior to trial or sentencing.

26 (o) Information that is prohibited from being

10400SB0340sam002

- 61 -

LRB104 06459 JRC 37974 a

1 disclosed under Section 4 of the Illinois Health and

2 Hazardous Substances Registry Act.

3 (p) Security portions of system safety program plans,

4 investigation reports, surveys, schedules, lists, data, or

5 information compiled, collected, or prepared by or for the

6 Department of Transportation under Sections 2705-300 and

7 2705-616 of the Department of Transportation Law of the

8 Civil Administrative Code of Illinois, the Northern

9 Illinois Transit Authority under Section 2.11 of the

10 Northern Illinois Transit Authority Act, or the St. Clair

11 County Transit District under the Bi-State Transit Safety

12 Act (repealed).

13 (q) Information prohibited from being disclosed by the

14 Personnel Record Review Act.

15 (r) Information prohibited from being disclosed by the

16 Illinois School Student Records Act.

17 (s) Information the disclosure of which is restricted

18 under Section 5-108 of the Public Utilities Act.

19 (t) (Blank).

20 (u) Records and information provided to an independent

21 team of experts under the Developmental Disability and

22 Mental Health Safety Act (also known as Brian's Law).

23 (v) Names and information of people who have applied

24 for or received Firearm Owner's Identification Cards under

25 the Firearm Owners Identification Card Act or applied for

26 or received a concealed carry license under the Firearm

10400SB0340sam002

- 62 -

LRB104 06459 JRC 37974 a

1 Concealed Carry Act, unless otherwise authorized by the

2 Firearm Concealed Carry Act; and databases under the

3 Firearm Concealed Carry Act, records of the Concealed

4 Carry Licensing Review Board under the Firearm Concealed

5 Carry Act, and law enforcement agency objections under the

6 Firearm Concealed Carry Act.

7 (v-5) Records of the Firearm Owner's Identification

8 Card Review Board that are exempted from disclosure under

9 Section 10 of the Firearm Owners Identification Card Act.

10 (w) Personally identifiable information which is

11 exempted from disclosure under subsection (g) of Section

12 19.1 of the Toll Highway Act.

13 (x) Information which is exempted from disclosure

14 under Section 5-1014.3 of the Counties Code or Section

15 8-11-21 of the Illinois Municipal Code.

16 (y) Confidential information under the Adult

17 Protective Services Act and its predecessor enabling

18 statute, the Elder Abuse and Neglect Act, including

19 information about the identity and administrative finding

20 against any caregiver of a verified and substantiated

21 decision of abuse, neglect, or financial exploitation of

22 an eligible adult maintained in the Registry established

23 under Section 7.5 of the Adult Protective Services Act.

24 (z) Records and information provided to a fatality

25 review team or the Illinois Fatality Review Team Advisory

26 Council under Section 15 of the Adult Protective Services

10400SB0340sam002

- 63 -

LRB104 06459 JRC 37974 a

1 Act.

2 (aa) Information which is exempted from disclosure

3 under Section 2.37 of the Wildlife Code.

4 (bb) Information which is or was prohibited from

5 disclosure by the Juvenile Court Act of 1987.

6 (cc) Recordings made under the Law Enforcement

7 Officer-Worn Body Camera Act, except to the extent

8 authorized under that Act.

9 (dd) Information that is prohibited from being

10 disclosed under Section 45 of the Condominium and Common

11 Interest Community Ombudsperson Act.

12 (ee) Information that is exempted from disclosure

13 under Section 30.1 of the Pharmacy Practice Act.

14 (ff) Information that is exempted from disclosure

15 under the Revised Uniform Unclaimed Property Act.

16 (gg) Information that is prohibited from being

17 disclosed under Section 7-603.5 of the Illinois Vehicle

18 Code.

19 (hh) Records that are exempt from disclosure under

20 Section 1A-16.7 of the Election Code.

21 (ii) Information which is exempted from disclosure

22 under Section 2505-800 of the Department of Revenue Law of

23 the Civil Administrative Code of Illinois.

24 (jj) Information and reports that are required to be

25 submitted to the Department of Labor by registering day

26 and temporary labor service agencies but are exempt from

10400SB0340sam002

- 64 -

LRB104 06459 JRC 37974 a

1 disclosure under subsection (a-1) of Section 45 of the Day

2 and Temporary Labor Services Act.

3 (kk) Information prohibited from disclosure under the

4 Seizure and Forfeiture Reporting Act.

5 (ll) Information the disclosure of which is restricted

6 and exempted under Section 5-30.8 of the Illinois Public

7 Aid Code.

8 (mm) Records that are exempt from disclosure under

9 Section 4.2 of the Crime Victims Compensation Act.

10 (nn) Information that is exempt from disclosure under

11 Section 70 of the Higher Education Student Assistance Act.

12 (oo) Communications, notes, records, and reports

13 arising out of a peer support counseling session

14 prohibited from disclosure under the First Responders

15 Suicide Prevention Act.

16 (pp) Names and all identifying information relating to

17 an employee of an emergency services provider or law

18 enforcement agency under the First Responders Suicide

19 Prevention Act.

20 (qq) Information and records held by the Department of

21 Public Health and its authorized representatives collected

22 under the Reproductive Health Act.

23 (rr) Information that is exempt from disclosure under

24 the Cannabis Regulation and Tax Act.

25 (ss) Data reported by an employer to the Department of

26 Human Rights pursuant to Section 2-108 of the Illinois

10400SB0340sam002

- 65 -

LRB104 06459 JRC 37974 a

1 Human Rights Act.

2 (tt) Recordings made under the Children's Advocacy

3 Center Act, except to the extent authorized under that

4 Act.

5 (uu) Information that is exempt from disclosure under

6 Section 50 of the Sexual Assault Evidence Submission Act.

7 (vv) Information that is exempt from disclosure under

8 subsections (f) and (j) of Section 5-36 of the Illinois

9 Public Aid Code.

10 (ww) Information that is exempt from disclosure under

11 Section 16.8 of the State Treasurer Act.

12 (xx) Information that is exempt from disclosure or

13 information that shall not be made public under the

14 Illinois Insurance Code.

15 (yy) Information prohibited from being disclosed under

16 the Illinois Educational Labor Relations Act.

17 (zz) Information prohibited from being disclosed under

18 the Illinois Public Labor Relations Act.

19 (aaa) Information prohibited from being disclosed

20 under Section 1-167 of the Illinois Pension Code.

21 (bbb) Information that is prohibited from disclosure

22 by the Illinois Police Training Act and the Illinois State

23 Police Act.

24 (ccc) Records exempt from disclosure under Section

25 2605-304 of the Illinois State Police Law of the Civil

26 Administrative Code of Illinois.

10400SB0340sam002

- 66 -

LRB104 06459 JRC 37974 a

1 (ddd) Information prohibited from being disclosed

2 under Section 35 of the Address Confidentiality for

3 Victims of Domestic Violence, Sexual Assault, Human

4 Trafficking, or Stalking Act.

5 (eee) Information prohibited from being disclosed

6 under subsection (b) of Section 75 of the Domestic

7 Violence Fatality Review Act.

8 (fff) Images from cameras under the Expressway Camera

9 Act and all automated license plate reader (ALPR)

10 information used and collected by the Illinois State

11 Police. "ALPR information" means information gathered by

12 an ALPR or created from the analysis of data generated by

13 an ALPR. This subsection (fff) is inoperative on and after

14 July 1, 2028.

15 (ggg) Information prohibited from disclosure under

16 paragraph (3) of subsection (a) of Section 14 of the Nurse

17 Agency Licensing Act.

18 (hhh) Information submitted to the Illinois State

19 Police in an affidavit or application for an assault

20 weapon endorsement, assault weapon attachment endorsement,

21 .50 caliber rifle endorsement, or .50 caliber cartridge

22 endorsement under the Firearm Owners Identification Card

23 Act.

24 (iii) Data exempt from disclosure under Section 50 of

25 the School Safety Drill Act.

26 (jjj) Information exempt from disclosure under Section

10400SB0340sam002

- 67 -

LRB104 06459 JRC 37974 a

1 30 of the Insurance Data Security Law.

2 (kkk) Confidential business information prohibited

3 from disclosure under Section 45 of the Paint Stewardship

4 Act.

5 (lll) Data exempt from disclosure under Section

6 2-3.196 of the School Code.

7 (mmm) Information prohibited from being disclosed

8 under subsection (e) of Section 1-129 of the Illinois

9 Power Agency Act.

10 (nnn) Materials received by the Department of Commerce

11 and Economic Opportunity that are confidential under the

12 Music and Musicians Tax Credit and Jobs Act.

13 (ooo) Data or information provided pursuant to Section

14 20 of the Statewide Recycling Needs and Assessment Act.

15 (ppp) Information that is exempt from disclosure under

16 Section 28-11 of the Lawful Health Care Activity Act.

17 (qqq) Information that is exempt from disclosure under

18 Section 7-101 of the Illinois Human Rights Act.

19 (rrr) Information prohibited from being disclosed

20 under Section 4-2 of the Uniform Money Transmission

21 Modernization Act.

22 (sss) Information exempt from disclosure under Section

23 40 of the Student-Athlete Endorsement Rights Act.

24 (ttt) Audio recordings made under Section 30 of the

25 Illinois State Police Act, except to the extent authorized

26 under that Section.

10400SB0340sam002

- 68 -

LRB104 06459 JRC 37974 a

1 (uuu) Information prohibited from being disclosed

2 under Section 30-5 of the Digital Assets Regulation Act.

3 (www) Data privacy and protection assessments made

4 available to the Attorney General under Section 18 of the

5 Illinois Consumer Data Privacy Act.

6 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

7 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

8 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

9 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

10 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

11 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

12 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

13 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.

14 6-1-26; revised 1-7-26.)

15 (Text of Section after amendment by P.A. 104-441)

16 Sec. 7.5. Statutory exemptions. To the extent provided for

17 by the statutes referenced below, the following shall be

18 exempt from inspection and copying:

19 (a) All information determined to be confidential

20 under Section 4002 of the Technology Advancement and

21 Development Act.

22 (b) Library circulation and order records identifying

23 library users with specific materials under the Library

24 Records Confidentiality Act.

25 (c) Applications, related documents, and medical

10400SB0340sam002

- 69 -

LRB104 06459 JRC 37974 a

1 records received by the Experimental Organ Transplantation

2 Procedures Board and any and all documents or other

3 records prepared by the Experimental Organ Transplantation

4 Procedures Board or its staff relating to applications it

5 has received.

6 (d) Information and records held by the Department of

7 Public Health and its authorized representatives relating

8 to known or suspected cases of sexually transmitted

9 infection or any information the disclosure of which is

10 restricted under the Illinois Sexually Transmitted

11 Infection Control Act.

12 (e) Information the disclosure of which is exempted

13 under Section 30 of the Radon Industry Licensing Act.

14 (f) Firm performance evaluations under Section 55 of

15 the Architectural, Engineering, and Land Surveying

16 Qualifications Based Selection Act.

17 (g) Information the disclosure of which is restricted

18 and exempted under Section 50 of the Illinois Prepaid

19 Tuition Act.

20 (h) Information the disclosure of which is exempted

21 under the State Officials and Employees Ethics Act, and

22 records of any lawfully created State or local inspector

23 general's office that would be exempt if created or

24 obtained by an Executive Inspector General's office under

25 that Act.

26 (i) Information contained in a local emergency energy

10400SB0340sam002

- 70 -

LRB104 06459 JRC 37974 a

1 plan submitted to a municipality in accordance with a

2 local emergency energy plan ordinance that is adopted

3 under Section 11-21.5-5 of the Illinois Municipal Code.

4 (j) Information and data concerning the distribution

5 of surcharge moneys collected and remitted by carriers

6 under the Emergency Telephone System Act.

7 (k) Law enforcement officer identification information

8 or driver identification information compiled by a law

9 enforcement agency or the Department of Transportation

10 under Section 11-212 of the Illinois Vehicle Code.

11 (l) Records and information provided to a residential

12 health care facility resident sexual assault and death

13 review team or the Executive Council under the Abuse

14 Prevention Review Team Act.

15 (m) Information provided to the predatory lending

16 database created pursuant to Article 3 of the Residential

17 Real Property Disclosure Act, except to the extent

18 authorized under that Article.

19 (n) Defense budgets and petitions for certification of

20 compensation and expenses for court appointed trial

21 counsel as provided under Sections 10 and 15 of the

22 Capital Crimes Litigation Act (repealed). This subsection

23 (n) shall apply until the conclusion of the trial of the

24 case, even if the prosecution chooses not to pursue the

25 death penalty prior to trial or sentencing.

26 (o) Information that is prohibited from being

10400SB0340sam002

- 71 -

LRB104 06459 JRC 37974 a

1 disclosed under Section 4 of the Illinois Health and

2 Hazardous Substances Registry Act.

3 (p) Security portions of system safety program plans,

4 investigation reports, surveys, schedules, lists, data, or

5 information compiled, collected, or prepared by or for the

6 Department of Transportation under Sections 2705-300 and

7 2705-616 of the Department of Transportation Law of the

8 Civil Administrative Code of Illinois, the Northern

9 Illinois Transit Authority under Section 2.11 of the

10 Northern Illinois Transit Authority Act, or the St. Clair

11 County Transit District under the Bi-State Transit Safety

12 Act (repealed).

13 (q) Information prohibited from being disclosed by the

14 Personnel Record Review Act.

15 (r) Information prohibited from being disclosed by the

16 Illinois School Student Records Act.

17 (s) Information the disclosure of which is restricted

18 under Section 5-108 of the Public Utilities Act.

19 (t) (Blank).

20 (u) Records and information provided to an independent

21 team of experts under the Developmental Disability and

22 Mental Health Safety Act (also known as Brian's Law).

23 (v) Names and information of people who have applied

24 for or received Firearm Owner's Identification Cards under

25 the Firearm Owners Identification Card Act or applied for

26 or received a concealed carry license under the Firearm

10400SB0340sam002

- 72 -

LRB104 06459 JRC 37974 a

1 Concealed Carry Act, unless otherwise authorized by the

2 Firearm Concealed Carry Act; and databases under the

3 Firearm Concealed Carry Act, records of the Concealed

4 Carry Licensing Review Board under the Firearm Concealed

5 Carry Act, and law enforcement agency objections under the

6 Firearm Concealed Carry Act.

7 (v-5) Records of the Firearm Owner's Identification

8 Card Review Board that are exempted from disclosure under

9 Section 10 of the Firearm Owners Identification Card Act.

10 (w) Personally identifiable information which is

11 exempted from disclosure under subsection (g) of Section

12 19.1 of the Toll Highway Act.

13 (x) Information which is exempted from disclosure

14 under Section 5-1014.3 of the Counties Code or Section

15 8-11-21 of the Illinois Municipal Code.

16 (y) Confidential information under the Adult

17 Protective Services Act and its predecessor enabling

18 statute, the Elder Abuse and Neglect Act, including

19 information about the identity and administrative finding

20 against any caregiver of a verified and substantiated

21 decision of abuse, neglect, or financial exploitation of

22 an eligible adult maintained in the Registry established

23 under Section 7.5 of the Adult Protective Services Act.

24 (z) Records and information provided to a fatality

25 review team or the Illinois Fatality Review Team Advisory

26 Council under Section 15 of the Adult Protective Services

10400SB0340sam002

- 73 -

LRB104 06459 JRC 37974 a

1 Act.

2 (aa) Information which is exempted from disclosure

3 under Section 2.37 of the Wildlife Code.

4 (bb) Information which is or was prohibited from

5 disclosure by the Juvenile Court Act of 1987.

6 (cc) Recordings made under the Law Enforcement

7 Officer-Worn Body Camera Act, except to the extent

8 authorized under that Act.

9 (dd) Information that is prohibited from being

10 disclosed under Section 45 of the Condominium and Common

11 Interest Community Ombudsperson Act.

12 (ee) Information that is exempted from disclosure

13 under Section 30.1 of the Pharmacy Practice Act.

14 (ff) Information that is exempted from disclosure

15 under the Revised Uniform Unclaimed Property Act.

16 (gg) Information that is prohibited from being

17 disclosed under Section 7-603.5 of the Illinois Vehicle

18 Code.

19 (hh) Records that are exempt from disclosure under

20 Section 1A-16.7 of the Election Code.

21 (ii) Information which is exempted from disclosure

22 under Section 2505-800 of the Department of Revenue Law of

23 the Civil Administrative Code of Illinois.

24 (jj) Information and reports that are required to be

25 submitted to the Department of Labor by registering day

26 and temporary labor service agencies but are exempt from

10400SB0340sam002

- 74 -

LRB104 06459 JRC 37974 a

1 disclosure under subsection (a-1) of Section 45 of the Day

2 and Temporary Labor Services Act.

3 (kk) Information prohibited from disclosure under the

4 Seizure and Forfeiture Reporting Act.

5 (ll) Information the disclosure of which is restricted

6 and exempted under Section 5-30.8 of the Illinois Public

7 Aid Code.

8 (mm) Records that are exempt from disclosure under

9 Section 4.2 of the Crime Victims Compensation Act.

10 (nn) Information that is exempt from disclosure under

11 Section 70 of the Higher Education Student Assistance Act.

12 (oo) Communications, notes, records, and reports

13 arising out of a peer support counseling session

14 prohibited from disclosure under the First Responders

15 Suicide Prevention Act.

16 (pp) Names and all identifying information relating to

17 an employee of an emergency services provider or law

18 enforcement agency under the First Responders Suicide

19 Prevention Act.

20 (qq) Information and records held by the Department of

21 Public Health and its authorized representatives collected

22 under the Reproductive Health Act.

23 (rr) Information that is exempt from disclosure under

24 the Cannabis Regulation and Tax Act.

25 (ss) Data reported by an employer to the Department of

26 Human Rights pursuant to Section 2-108 of the Illinois

10400SB0340sam002

- 75 -

LRB104 06459 JRC 37974 a

1 Human Rights Act.

2 (tt) Recordings made under the Children's Advocacy

3 Center Act, except to the extent authorized under that

4 Act.

5 (uu) Information that is exempt from disclosure under

6 Section 50 of the Sexual Assault Evidence Submission Act.

7 (vv) Information that is exempt from disclosure under

8 subsections (f) and (j) of Section 5-36 of the Illinois

9 Public Aid Code.

10 (ww) Information that is exempt from disclosure under

11 Section 16.8 of the State Treasurer Act.

12 (xx) Information that is exempt from disclosure or

13 information that shall not be made public under the

14 Illinois Insurance Code.

15 (yy) Information prohibited from being disclosed under

16 the Illinois Educational Labor Relations Act.

17 (zz) Information prohibited from being disclosed under

18 the Illinois Public Labor Relations Act.

19 (aaa) Information prohibited from being disclosed

20 under Section 1-167 of the Illinois Pension Code.

21 (bbb) Information that is prohibited from disclosure

22 by the Illinois Police Training Act and the Illinois State

23 Police Act.

24 (ccc) Records exempt from disclosure under Section

25 2605-304 of the Illinois State Police Law of the Civil

26 Administrative Code of Illinois.

10400SB0340sam002

- 76 -

LRB104 06459 JRC 37974 a

1 (ddd) Information prohibited from being disclosed

2 under Section 35 of the Address Confidentiality for

3 Victims of Domestic Violence, Sexual Assault, Human

4 Trafficking, or Stalking Act.

5 (eee) Information prohibited from being disclosed

6 under subsection (b) of Section 75 of the Domestic

7 Violence Fatality Review Act.

8 (fff) Images from cameras under the Expressway Camera

9 Act and all automated license plate reader (ALPR)

10 information used and collected by the Illinois State

11 Police. "ALPR information" means information gathered by

12 an ALPR or created from the analysis of data generated by

13 an ALPR. This subsection (fff) is inoperative on and after

14 July 1, 2028.

15 (ggg) Information prohibited from disclosure under

16 paragraph (3) of subsection (a) of Section 14 of the Nurse

17 Agency Licensing Act.

18 (hhh) Information submitted to the Illinois State

19 Police in an affidavit or application for an assault

20 weapon endorsement, assault weapon attachment endorsement,

21 .50 caliber rifle endorsement, or .50 caliber cartridge

22 endorsement under the Firearm Owners Identification Card

23 Act.

24 (iii) Data exempt from disclosure under Section 50 of

25 the School Safety Drill Act.

26 (jjj) Information exempt from disclosure under Section

10400SB0340sam002

- 77 -

LRB104 06459 JRC 37974 a

1 30 of the Insurance Data Security Law.

2 (kkk) Confidential business information prohibited

3 from disclosure under Section 45 of the Paint Stewardship

4 Act.

5 (lll) Data exempt from disclosure under Section

6 2-3.196 of the School Code.

7 (mmm) Information prohibited from being disclosed

8 under subsection (e) of Section 1-129 of the Illinois

9 Power Agency Act.

10 (nnn) Materials received by the Department of Commerce

11 and Economic Opportunity that are confidential under the

12 Music and Musicians Tax Credit and Jobs Act.

13 (ooo) Data or information provided pursuant to Section

14 20 of the Statewide Recycling Needs and Assessment Act.

15 (ppp) Information that is exempt from disclosure under

16 Section 28-11 of the Lawful Health Care Activity Act.

17 (qqq) Information that is exempt from disclosure under

18 Section 7-101 of the Illinois Human Rights Act.

19 (rrr) Information prohibited from being disclosed

20 under Section 4-2 of the Uniform Money Transmission

21 Modernization Act.

22 (sss) Information exempt from disclosure under Section

23 40 of the Student-Athlete Endorsement Rights Act.

24 (ttt) Audio recordings made under Section 30 of the

25 Illinois State Police Act, except to the extent authorized

26 under that Section.

10400SB0340sam002

- 78 -

LRB104 06459 JRC 37974 a

1 (uuu) Information prohibited from being disclosed

2 under Section 30-5 of the Digital Assets Regulation Act.

3 (vvv) ~~(uuu)~~ Information exempt from disclosure under

4 Section 70 of the End-of-Life Options for Terminally Ill

5 Patients Act.

6 (www) Data privacy and protection assessments made

7 available to the Attorney General under Section 18 of the

8 Illinois Consumer Data Privacy Act.

9 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

10 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

11 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

12 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

13 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

14 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

15 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

16 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.

17 9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)

18 Section 905. The Consumer Fraud and Deceptive Business

19 Practices Act is amended by adding Section 2MMMM as follows:

20 (815 ILCS 505/2MMMM new)

21 Sec. 2MMMM. Violations of the Illinois Consumer Data

22 Privacy Act. Any person who violates the Illinois Consumer

23 Data Privacy Act commits an unlawful practice within the

24 meaning of this Act.

10400SB0340sam002

- 79 -

LRB104 06459 JRC 37974 a

1 Section 995. No acceleration or delay. Where this Act

2 makes changes in a statute that is represented in this Act by

3 text that is not yet or no longer in effect (for example, a

4 Section represented by multiple versions), the use of that

5 text does not accelerate or delay the taking effect of (i) the

6 changes made by this Act or (ii) provisions derived from any

7 other Public Act.

8 Section 999. Effective date. This Act takes effect January

9 1, 2027.".