Bill Text: IL SB2330 | 2019-2020 | 101st General Assembly | Introduced


Bill Title: Creates the Data Transparency and Privacy Act. Provides that any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer to whom the information refers or belongs of specific information in the service agreement or somewhere readily accessible on the business' website or mobile application. Establishes a "right to know" for consumers and prescribes types of information that they may request of businesses. Provides that consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates. Provides that consumers have the right to request that a business correct inaccurate personal information about the consumer or delete personal information about the consumer. Prescribes a protocol for the handling of consumer requests by businesses. Prescribes pricing incentives and prohibitions against discrimination. Provides that businesses, affiliates, and third parties must conduct risk assessments and provides requirements for the assessments. Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. Provides that any waiver of the provisions of the Act is void and unenforceable. Contains home rule preemption and severability provisions. Effective July 1, 2021.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Failed) 2021-01-13 - Session Sine Die [SB2330 Detail]

Download: Illinois-2019-SB2330-Introduced.html


101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
SB2330

Introduced 1/8/2020, by Sen. Thomas Cullerton

SYNOPSIS AS INTRODUCED:
New Act

Creates the Data Transparency and Privacy Act. Provides that any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer to whom the information refers or belongs of specific information in the service agreement or somewhere readily accessible on the business' website or mobile application. Establishes a "right to know" for consumers and prescribes types of information that they may request of businesses. Provides that consumers have the right to opt out of agreements that entail the disclosure of personal information from the business to third parties and affiliates, the sale of personal information from the business to third parties and affiliates, and the processing of personal information by the business, third parties, and affiliates. Provides that consumers have the right to request that a business correct inaccurate personal information about the consumer or delete personal information about the consumer. Prescribes a protocol for the handling of consumer requests by businesses. Prescribes pricing incentives and prohibitions against discrimination. Provides that businesses, affiliates, and third parties must conduct risk assessments and provides requirements for the assessments. Provides that enforcement of the Act may arise through private actions or enforcement by the Attorney General. Provides that any waiver of the provisions of the Act is void and unenforceable. Contains home rule preemption and severability provisions. Effective July 1, 2021.
LRB101 16295 KTG 65668 b

A BILL FOR

SB2330 LRB101 16295 KTG 65668 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Transparency and Privacy Act.

Section 5. Findings. The General Assembly finds and declares that:

    (1) The right to privacy is a personal and fundamental right protected by the United States Constitution. As such, all individuals have a right to privacy and a personal property interest in information pertaining to them and that information shall be adequately protected from unlawful invasions and takings. This State recognizes the importance of providing consumers with transparency about how their personal information is stored, used, and shared by businesses. This transparency is crucial for Illinois citizens to protect themselves and their families from cyber-crimes and identity thieves.

    (2) Businesses are now collecting, sharing, and selling personal information in ways not contemplated or properly covered by current law.

        (a) Some websites install tracking tools that record when consumers visit web pages and send personal information collected to third party marketers and data brokers.

        (b) Third-party data broker companies are buying, selling, and trading personal information obtained from mobile phones, financial institutions, social media sites, and other online and brick and mortar companies.

        (c) Social media companies, credit agencies and retail stores have all had their internal security systems breached, resulting in consumers' personal information being stolen and sold on the black market.

    (3) Illinois consumers must be better informed about what kinds of personal information are collected, how information is shared with third parties, and how businesses store consumers' personal information. With this specific information, consumers can knowledgeably choose to opt in, opt out, or choose among businesses that disclose information to third parties on the basis of how protective the business is of consumers' privacy in order to properly protect their privacy, property, personal safety, and financial security.

Section 10. Definitions. As used in this Act:

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity.

"Business" means any sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that does business in the State of Illinois and meets one or more of the following thresholds:

    (1) The business collects or discloses the personal information of 50,000 or more persons, Illinois households, or the combination thereof.

    (2) The business derives 50% or more of its annual revenues from selling consumers' personal information.

"Business" does not include any third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf or by processing information on behalf of the owners, or any State and local governments or municipal corporations.

"Categories of sources" means types of entities from which a business collects personal information about consumers, including, but not limited to, the consumer directly, government entities from which public records are obtained, and consumer data resellers.

"Categories of third parties" means types of entities that do not collect personal information directly from consumers, including, but not limited to, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.

"Consumer" means a natural person residing in this State. "Consumer" does not include a natural person acting in an employment context.

"Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

    (1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

    (2) Has implemented business processes that specifically prohibit reidentification of the information.

    (3) Has implemented business processes to prevent inadvertent release of deidentified information.

    (4) Makes no attempt to reidentify the information.

"Designated request address" means an electronic mail address, online form, mailing address, or toll-free telephone number that a consumer may use to request information, opt out of the sale or disclosure of personal information, or correct or delete personal information, as required to be provided under this Act.

"Disclose" means to disclose, release, transfer, share, disseminate, make available, or otherwise communicate orally, in writing, or by electronic or any other means a consumer's personal information to any affiliate or third party. "Disclose" does not include:

    (1) Disclosure of personal information by a business to a third party or service provider under a written contract authorizing the third party or service provider to use the personal information to perform services on behalf of the business, including, but not limited to, maintaining or servicing accounts, disclosure of personal information by a business to a service provider, processing or fulfilling orders and transactions, verifying consumer information, processing payments, providing financing, or similar services, but only if: the contract prohibits the third party or service provider from using the personal information for any reason other than performing the specified service on behalf of the business and from disclosing any such personal information to additional third parties or service providers unless those additional third parties or service providers are allowed by the contract to further the specified services and the additional third parties and service providers and subject to the same restrictions imposed by this subsection.

    (2) Disclosure of personal information by a business to a third party based on a good faith belief that disclosure is required to comply with applicable law, regulation, legal process, or court order.

    (3) Disclosure of personal information by a business to a third party that is reasonably necessary to address fraud, risk management, security, or technical issues; to protect the disclosing business' right or property; or to protect consumers or the public from illegal activities.

    (4) Disclosure of personal information by a business to a third party in connection with the proposed or actual sale, merger, or bankruptcy of the business, to a third party.

"Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

    (1) Identifiers such as a real name, alias, signature, postal address, telephone number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, state identification number, passport number, physical characteristics or description, insurance policy number, employment, employment history, bank account number, credit card number, debit card number, financial information, medical information, health insurance information, or other similar identifiers.

    (2) Characteristics of protected classifications under Illinois or federal law.

    (3) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

    (4) Biometric information.

    (5) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application or advertisement.

    (6) Geolocation data.

    (7) Audio, electronic, visual, thermal, olfactory, or similar information.

    (8) Professional or employment-related information.

    (9) Educational information.

    (10) Inferences drawn from any of the information identified in this Section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

"Personal information" does not include publicly available information which the business obtained directly from records lawfully made available from federal, state, or local government records. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.

"Process" or "processes" means any collection, use, storage, disclosure, analysis, deletion, or modification of personal information.

"Request" means a consumer right set forth in this Act including one or more of the following: (i) for the disclosure of information regarding a consumer's personal information; (ii) the opt out of sale or disclosure of a consumer's personal information; (iii) the correction of inaccurate personal information; and (iv) the deletion of personal information.

"Sale" or "sell" means the selling, renting, or licensing of a consumer's personal information by a business to a third party in direct exchange for monetary consideration, whereby, as a result of such transaction, the third party may use the personal information for its own commercial purposes. "Sale" or "sell" does not include circumstances in which:

    (1) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party or affiliate, provided the third party or affiliate does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Act. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

    (2) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties or affiliates that the consumer has opted out of the sale of the consumer's personal information.

    (3) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose or business purposes if the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purposes.

    (4) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party or affiliate assumes control of all or part of the business, provided that information is used or shared consistently with this Act. If a third party or affiliate materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistent with Section 20 and Section 25. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Consumer Fraud and Deceptive Business Practices Act.

    (5) A business uses a consumer's personal information to sell targeted advertising space to a third party as long as the personal information is not sold by the business to the third party or affiliate.

    (6) The disclosure or transfer of personal information to an affiliate of the business.

"Service provider" means the natural or legal person that processes personal information on behalf of the business.

"Third party" means a business that is: (1) not an affiliate of the business that has collected, disclosed, or sold personal information; or (2) an affiliate with the business that has collected, disclosed, or sold personal information and the affiliate relationship is not clear to the consumer.
Section 15. Right to transparency. Any business that processes personal information or deidentified information must, prior to processing, provide notice to the consumer of the following in the service agreement or somewhere readily accessible on the business' website or mobile application:

    (1) All categories of personal information and deidentified information that the business processes about individual consumers;

    (2) All categories of third parties and affiliates with whom the business may disclose or sell that personal information or deidentified information and the business purpose for the disclosure or sale;

    (3) The process in which an individual consumer may:

        (A) review the personal information collected by the business;

        (B) request changes to inaccurate personal information;

        (C) opt out of the disclosure or sale of personal information; and

        (D) request deletion of personal information; and

    (4) The process in which the business notifies consumers of material changes to the notice required to be made available under this Section.

Section 20. Right to know. Consumers may request the following information of businesses:

    (1) Copies of specific pieces of personal information about the consumer processed by the business.

    (2) Categories of sources for the personal information processed.

    (3) Name and contact information for each third party and affiliate to whom the personal information is disclosed or sold.

Section 25. Right to opt out, correct, and delete. Consumers have the following rights concerning their personal information:

    (1) The right to request to opt out of the following:

        (A) the disclosure of personal information from the business to third parties and affiliates;

        (B) the sale of personal information from the business to third parties and affiliates; and

        (C) the processing of personal information by the business, third parties, and affiliates.

    (2) The right to request that a business correct inaccurate personal information about the consumer.

    (3) The right to request that a business delete personal information about the consumer.

Section 30. Consumer requests and business responses.

(a) Businesses shall establish a process for collecting consumer requests and reasonably authenticating consumers making the requests and reasonably authenticating any request to correct inaccurate personal information. The method by which a consumer may submit a request under Section 20 and Section 25 shall be done in a form and manner determined by the business in a way that is not overly burdensome on the consumer.

(b) A business shall post on its website, online service, and within any mobile application, a link to a designated request address web page maintained by the business for the purpose of collecting and processing consumer requests. The business shall also post a designated request street address for consumers to submit requests by mail.

(c) A parent or legal guardian of a consumer under the age of 13 may submit a request on behalf of that consumer.

(d) A business that receives a request from a consumer through a designated request address shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required or confirmation of the consumer's opt out, correction or deletion request and business' compliance.

    (1) The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.

    (2) A business that has received a request to opt out of the disclosure or sale of a consumer's personal information shall be prohibited from selling or disclosing that consumer's personal information after its receipt of the consumer's request, unless the consumer subsequently provides express authorization for the sale or disclosure of the consumer's personal information.

    (3) A business that receives a request to delete the consumer's personal information, shall delete the consumer's personal information from its records and direct any third party or affiliate with whom the personal information was disclosed, to delete the consumer's personal information from their records.

    (4) A business shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business to maintain the consumer's personal information in order to:

        (i) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

        (ii) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

        (iii) Debug to identify and repair errors that impair existing intended functionality.

        (iv) Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.

        (v) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

        (vi) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.

        (vii) Comply with a legal obligation.

        (viii) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

(e) A business must provide a response to the consumer within 45 days of a request under Section 20 and Section 25.

    (1) The business shall promptly take steps to verify the request, but shall not extend the business' duty to disclose and deliver the information within 45 days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.

    (2) The disclosure shall cover at least the 12-month period preceding the business' receipt of the request. The business shall not require the consumer to create an account with the business in order to make a request.

    (3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any consumer request is manifestly unfounded or excessive.

(f) A business shall not be required to respond to a request made by or on behalf of the same consumer more than once in any 12-month period.
15 Section 35. Businesses, affiliates, and third parties.
16 (a) A business is not required to retain any personal
17information collected for a single, one-time transaction, if
18such information is not sold or retained by the business or to
19reidentify or otherwise link information that is not maintained
20in a manner that would be considered personal information.
21 (b) A business shall not reidentify any deidentified
22consumer information, unless the consumer subsequently
23provides express authorization for reidentification of
24deidentified information.
25 (c) A business shall not sell the personal information of

SB2330- 17 -LRB101 16295 KTG 65668 b
1any consumer for which the business has actual knowledge that
2the consumer is less than 16 years of age. A business that
3willfully disregards the consumer's age shall be deemed to have
4had actual knowledge of the consumer's age.
5 (d) A business shall not use a consumer's personal
6information for any purpose other than those disclosed in the
7notice at collection. If the business intends to use a
8consumer's personal information for a purpose that was not
9previously disclosed to the consumer in the notice at
10collection, the business shall directly notify the consumer of
11this new use and obtain explicit consent from the consumer to
12use it for this new purpose.
13 (e) A business shall not collect categories of personal
14information other than those disclosed in the notice at
15collection. If the business intends to collect additional
16categories of personal information, the business shall provide
17a new notice at collection.
18 (f) If a business does not give the notice at collection to
19the consumer at or before the collection of their personal
20information, the business shall not collect personal
21information from the consumer.
22 (g) Affiliates and third parties shall not sell consumer
23personal information purchased from a business unless the
24consumer has received notice and is provided an opportunity to
25opt out of the resale of the consumer's personal information.
26 (h) Pricing incentives and prohibition of discrimination.

SB2330- 18 -LRB101 16295 KTG 65668 b
1 (1) A business shall not discriminate against a
2 consumer because the consumer exercised any of the
3 consumer's rights in this Act, including, but not limited
4 to:
5 (A) Denying goods or services to the consumer.
6 (B) Charging different prices or rates for goods or
7 services, including through the use of discounts or
8 other benefits or imposing penalties.
9 (C) Providing a different level or quality of goods
10 or services to the consumer, if the consumer exercises
11 the consumer's rights under this Act.
12 (D) Suggesting that the consumer will receive a
13 different price or rate for goods or services or a
14 different level or quality of goods or services.
15 (2) Nothing shall prohibit a business from charging a
16 consumer a different price or rate, or from providing a
17 different level or quality of goods or services to the
18 consumer, if that difference is reasonably related to the
19 value provided to the consumer by the consumer's data.
20 (3) A business may offer financial incentives,
21 including payments to consumers as compensation, for the
22 collection of personal information, the sale of personal
23 information, or the deletion of personal information. A
24 business may also offer a different price, rate, level, or
25 quality of goods or services to the consumer if that price
26 or difference is directly related to the value provided to

SB2330- 19 -LRB101 16295 KTG 65668 b
1 the consumer by the consumer's data.
2 (A) A business that offers any financial
3 incentives regarding consumer personal information or
4 deidentified information, shall notify consumers of
5 the financial incentives in the consumer service
6 agreement, website, online service or mobile
7 application.
8 (B) A business may enter a consumer into a
9 financial incentive program only if the consumer gives
10 the business prior opt-in consent which clearly
11 describes the material terms of the financial
12 incentive program, and which may be revoked by the
13 consumer at any time.
14 (C) A business shall not use financial incentive
15 practices that are unjust, unreasonable, or coercive.
16 (i) A business that discloses personal information to a
17service provider shall not be liable under this Act if the
18service provider receiving the personal information uses it in
19violation of the restrictions set forth in the Act, provided
20that, at the time of disclosing the personal information, the
21business does not have actual knowledge, or reason to believe,
22that the service provider intends to commit such a violation. A
23service provider shall likewise not be liable under this Act
24for the obligations of a business for which it provides
25services as set forth in this Act.
26 (j) The obligations imposed on businesses by this Act do

SB2330- 20 -LRB101 16295 KTG 65668 b
1not restrict a business' ability to:
2 (1) Comply with federal, state, or local laws, rules,
3 regulations, or enforceable guidance.
4 (2) Comply with a civil, criminal, or regulatory
5 inquiry, investigation, subpoena, or summons by federal,
6 state, or local authorities.
7 (3) Cooperate with law enforcement agencies concerning
8 conduct or activity that the business, service provider, or
9 third party reasonably and in good faith believes may
10 violate federal, state, or local law.
11 (4) Exercise or defend legal claims.
12 (5) Prevent, detect, or respond to identity theft,
13 fraud, or other malicious or illegal activity.
14 (6) Collect, use, retain, sell, or disclose consumer's
15 personal information that is deidentified or in the
16 aggregate consumer information.
17 (k) Businesses, affiliates, and third parties shall take
18reasonable measures to protect customer's personal information
19from unauthorized use, disclosure, or access.
20 (1) In implementing security measures required by this
21 subsection, a business, affiliate, and third party shall
22 take into account each of the following factors:
23 (A) The nature and scope of the business;,
24 affiliate's, or third party's activities;
25 (B) The sensitivity of the data processed;
26 (C) The size of the business, affiliate, or third

SB2330- 21 -LRB101 16295 KTG 65668 b
party; and
    (D) The technical feasibility of the security measures.
  (2) A business, affiliate, or third party may employ any lawful measure that allows the business, affiliate, or third party to comply with the requirements of this subsection.
(l) Risk assessments.
  (1) Businesses, affiliates, and third parties must conduct, to the extent not previously conducted, a risk assessment of each of their processing activities involving personal information and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. Such risk assessments must take into account the type of personal data to be processed by the business, affiliate, or third party, including the extent to which the personal information is sensitive information or otherwise sensitive in nature, and the context in which the personal information is to be processed.
  (2) Risk assessments conducted under subsection (a) must identify and weigh the benefits that may flow directly and indirectly from the processing to the business, consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can
be employed by the business to reduce such risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the business, affiliate, or third party and the consumer whose personal data will be processed, must factor into this assessment by the business, affiliate, or third party.
  (3) If the risk assessment conducted under subsection (a) of this Section determines that the potential risks of privacy harm to consumers are substantial and outweigh the interests of the business, consumer, other stakeholders, and the public in processing the personal information of the consumer, the business may only engage in such processing with the consent of the consumer or if another exemption under this Act applies. To the extent the business seeks consumer consent for processing, such consent shall be as easy to withdraw as to give.
  (4) Processing for a business purpose shall be presumed to be permissible unless: (i) it involves the processing of sensitive data; and (ii) the risk of processing cannot be reduced through the use of appropriate administrative and technical safeguards.
  (5) The business, affiliate, and third party must make the risk assessment available to the Office of the Attorney General upon request. Risk assessments are confidential and exempt from public inspection and copying under the
Freedom of Information Act.

Section 40. Enforcement.
(a) Private right of action.
  (1) Any consumer whose unencrypted or unredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
    (A) To recover damages in an amount not less than $100 and not greater than $750 per customer per incident or actual damages, whichever is greater.
    (B) Injunctive or declaratory relief.
    (C) Any other relief the court deems proper.
  (2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
  (3) Nothing in this Act shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or Illinois Constitution.
(b) Attorney General enforcement. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General has authority to enforce this Act as a violation of the Consumer Fraud and Deceptive Business Practices Act, subject to the remedies available to the Attorney General under the Consumer Fraud and Deceptive Business Practices Act.

Section 45. Applicability.
(a) This Act does not apply to personal information collected, processed, sold, or disclosed under:
  (1) The Gramm-Leach-Bliley Act, and the rules promulgated under that Act.
  (2) The Health Insurance Portability and Accountability Act of 1996, and the rules promulgated under that Act.
  (3) The Fair Credit Reporting Act, and the rules promulgated under that Act.
(b) Nothing in this Act restricts a business' ability to collect or disclose a consumer's personal information if a consumer's conduct takes place wholly outside of Illinois. For
purposes of this Act, conduct takes place wholly outside of Illinois if the business collected that information while the consumer was outside of Illinois, no part of the sale of the consumer's personal information occurred in Illinois, and no personal information collected while the consumer was in Illinois is disclosed.

Section 50. Waivers; contracts. Any waiver of the provisions of this Act is void and unenforceable.

Section 55. Home rule preemption. Except as otherwise provided in this Act, the regulation of the activities described in this Act is an exclusive power and function of the State. Except as otherwise provided in this Act, a unit of local government, including a home rule unit, may not regulate the activities described in this Act. This Section is a denial and limitation of home rule powers and functions under subsection (h) of Section 6 of Article VII of the Illinois Constitution.

Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.

Section 99. Effective date. This Act takes effect July 1, 2021.