Bill Text: IL SB3334 | 2023-2024 | 103rd General Assembly | Introduced
Bill Title: Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.
Spectrum: Partisan Bill (Republican 3-0)
Status: (Introduced) 2024-03-06 - Added as Co-Sponsor Sen. Dale Fowler [SB3334 Detail]
Download: Illinois-2023-SB3334-Introduced.html
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
1 | AN ACT concerning business.
| |||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois, | |||||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||||
5 | Illinois Age-Appropriate Design Code Act.
| |||||||||||||||||||||
6 | Section 5. Intent. It is the intent of the General | |||||||||||||||||||||
7 | Assembly that nothing in this Act shall be construed to | |||||||||||||||||||||
8 | infringe on the existing rights and freedoms of children.
| |||||||||||||||||||||
9 | Section 10. Definitions. As used in this Act: | |||||||||||||||||||||
10 | "Affiliate" means a legal entity that controls, is | |||||||||||||||||||||
11 | controlled by, or is under common control with, another legal | |||||||||||||||||||||
12 | entity. For the purposes of this definition, "control" or | |||||||||||||||||||||
13 | "controlled" means: (i) ownership of, or the power to vote, | |||||||||||||||||||||
14 | more than 50% of the outstanding shares of any class of voting | |||||||||||||||||||||
15 | security of a covered entity; (ii) control in any manner over | |||||||||||||||||||||
16 | the election of a majority of the directors or of individuals | |||||||||||||||||||||
17 | exercising similar functions; or (iii) the power to exercise a | |||||||||||||||||||||
18 | controlling influence over the management of a covered entity. | |||||||||||||||||||||
19 | "Age-appropriate" means a recognition of the distinct | |||||||||||||||||||||
20 | needs and diversities of children at different age ranges. In | |||||||||||||||||||||
21 | order to help support the design of online services, products, | |||||||||||||||||||||
22 | and features, covered entities should take into account the |
| |||||||
| |||||||
1 | unique needs and diversities of different age ranges, | ||||||
2 | including the following developmental stages: 0 to 5 years of | ||||||
3 | age or preliterate and early literacy; 6-9 years of age or core | ||||||
4 | primary school years; 10 to 12 years of age or transition | ||||||
5 | years; 13 to 15 years of age or early teens; and 16 to 17 years | ||||||
6 | or age or approaching adulthood. | ||||||
7 | "Best interests of children" means the use, by a covered | ||||||
8 | entity, of the personal data of a child or the design of an | ||||||
9 | online service, product, or feature in a way that: | ||||||
10 | (1) will not benefit the covered entity to the | ||||||
11 | detriment of the child; and | ||||||
12 | (2) will not result in: | ||||||
13 | (A) reasonably foreseeable and material physical | ||||||
14 | or financial harm to the child; | ||||||
15 | (B) reasonably foreseeable and severe | ||||||
16 | psychological, or emotional harm to the child; | ||||||
17 | (C) a highly offensive intrusion on the reasonable | ||||||
18 | privacy expectations of the child; or | ||||||
19 | (D) discrimination against the child based upon | ||||||
20 | race, color, religion, national origin, disability, | ||||||
21 | sex, or sexual orientation. | ||||||
22 | "Child" means a consumer who is under 18 years of age. | ||||||
23 | "Collect" means buying, renting, gathering, obtaining, | ||||||
24 | receiving, or accessing any personal data pertaining to a | ||||||
25 | consumer by any means. "Collect" includes receiving data from | ||||||
26 | the consumer, either actively or passively, or by observing |
| |||||||
| |||||||
1 | the consumer's behavior. | ||||||
2 | "Covered entity" means: | ||||||
3 | (1) a sole proprietorship, partnership, limited | ||||||
4 | liability company, corporation, association, or other | ||||||
5 | legal entity that is organized or operated for the profit | ||||||
6 | or financial benefit of its shareholders or other owners; | ||||||
7 | and | ||||||
8 | (2) an affiliate of a covered entity that shares | ||||||
9 | common branding with the covered entity. For the purposes | ||||||
10 | of this definition, "common branding" means a shared name, | ||||||
11 | service mark, or trademark that the average consumer would | ||||||
12 | understand that 2 or more entities are commonly owned. | ||||||
13 | For purposes of this Act, for a joint venture or | ||||||
14 | partnership composed of covered entities in which each covered | ||||||
15 | entity has at least a 40% interest, the joint venture or | ||||||
16 | partnership and each covered entity that composes the joint | ||||||
17 | venture or partnership shall separately be considered a single | ||||||
18 | covered entity, except that personal data in the possession of | ||||||
19 | each covered entity and disclosed to the joint venture or | ||||||
20 | partnership shall not be shared with the other covered entity. | ||||||
21 | "Consumer" means a natural person who is an Illinois | ||||||
22 | resident, however identified, including by any unique | ||||||
23 | identifier. | ||||||
24 | "Dark pattern" means a user interface designed or | ||||||
25 | manipulated with the purpose of subverting or impairing user | ||||||
26 | autonomy, decision making, or choice. |
| |||||||
| |||||||
1 | "Data protection impact assessment" means a systematic | ||||||
2 | survey to assess compliance with the duty to act in the best | ||||||
3 | interests of children and shall include a plan to ensure that | ||||||
4 | all online products, services, or features provided by the | ||||||
5 | covered entity are designed and offered in a manner consistent | ||||||
6 | with the best interests of children reasonably likely to | ||||||
7 | access the online product, service, or feature and a | ||||||
8 | description of steps the covered entity has taken and will | ||||||
9 | take to comply with the duty to act in the best interests of | ||||||
10 | children. | ||||||
11 | "Default" means a preselected option adopted by the | ||||||
12 | covered entity for the online service, product, or feature. | ||||||
13 | "Deidentified" means data that cannot reasonably be used | ||||||
14 | to infer information about, or otherwise be linked to, an | ||||||
15 | identified or identifiable natural person, or a device linked | ||||||
16 | to such person, provided that the covered entity that | ||||||
17 | possesses the data: | ||||||
18 | (1) takes reasonable measures to ensure that the data | ||||||
19 | cannot be associated with a natural person; | ||||||
20 | (2) publicly commits to maintain and use the data only | ||||||
21 | in a deidentified fashion and not attempt to re-identify | ||||||
22 | the data; and | ||||||
23 | (3) contractually obligates any recipients of the data | ||||||
24 | to comply with all provisions of this Act. | ||||||
25 | "Derived data" means data that is created by the | ||||||
26 | derivation of information, data, assumptions, correlations, |
| |||||||
| |||||||
1 | inferences, predictions, or conclusions from facts, evidence, | ||||||
2 | or another source of information or data about a child or a | ||||||
3 | child's device. | ||||||
4 | "Online service, product, or feature" does not mean any of | ||||||
5 | the following: | ||||||
6 | (1) telecommunications service, as defined in 47 | ||||||
7 | U.S.C. 153; | ||||||
8 | (2) a broadband service as defined in the Public | ||||||
9 | Utilities Act; or | ||||||
10 | (3) the sale, delivery, or use of a physical product. | ||||||
11 | "Personal data" means any information, including derived | ||||||
12 | data, that is linked or reasonably linkable, alone or in | ||||||
13 | combination with other information, to an identified or | ||||||
14 | identifiable natural person. "Personal data" does not include | ||||||
15 | de-identified data or publicly available information. For the | ||||||
16 | purposes of this definition, "publicly available information" | ||||||
17 | means information (i) that is lawfully made available from | ||||||
18 | federal, State, or local government records or widely | ||||||
19 | distributed media; and (ii) that a controller has a reasonable | ||||||
20 | basis to believe a consumer has lawfully made available to the | ||||||
21 | general public. | ||||||
22 | "Precise geolocation" means any data that is derived from | ||||||
23 | a device and that is used or intended to be used to locate a | ||||||
24 | consumer within a geographic area that is equal to or less than | ||||||
25 | the area of a circle with a radius of 1,850 feet, except as | ||||||
26 | prescribed by regulations. |
| |||||||
| |||||||
1 | "Process" or "processing" means to conduct or direct any | ||||||
2 | operation or set of operations performed, whether by manual or | ||||||
3 | automated means, on personal data or on sets of personal data, | ||||||
4 | such as the collection, use, storage, disclosure, analysis, | ||||||
5 | deletion, modification, or otherwise handling of personal | ||||||
6 | data. | ||||||
7 | "Product experimentation results" means the data that | ||||||
8 | companies collect to understand the experimental impact of | ||||||
9 | their products. | ||||||
10 | "Profiling" means any form of automated processing of | ||||||
11 | personal data to evaluate, analyze, or predict personal | ||||||
12 | aspects concerning an identified or identifiable natural | ||||||
13 | person's economic situation, health, personal preferences, | ||||||
14 | interests, reliability, behavior, location, or movements. | ||||||
15 | "Profiling" does not include the processing of information | ||||||
16 | that does not result in an assessment or judgment about a | ||||||
17 | natural person. | ||||||
18 | "Reasonably likely to be accessed" means an online | ||||||
19 | service, product, or feature that is accessed by children | ||||||
20 | based on any of the following indicators: | ||||||
21 | (1) the online service, product, or feature is | ||||||
22 | directed to children, as defined by the Children's Online | ||||||
23 | Privacy Protection Act, 15 U.S.C. 6501 et seq., and the | ||||||
24 | Federal Trade Commission rules implementing that Act; | ||||||
25 | (2) the online service, product, or feature is | ||||||
26 | determined, based on competent and reliable evidence |
| |||||||
| |||||||
1 | regarding audience composition, to be routinely accessed | ||||||
2 | by a significant number of children; | ||||||
3 | (3) the online service, product, or feature contains | ||||||
4 | advertisements marketed to children; | ||||||
5 | (4) the online service, product, or feature is | ||||||
6 | substantially similar or the same as an online service, | ||||||
7 | product, or feature subject to paragraph (2) of this | ||||||
8 | definition; | ||||||
9 | (5) a significant amount of the audience of the online | ||||||
10 | service, product, or feature is determined, based on | ||||||
11 | internal company research, to be children; and | ||||||
12 | (6) the covered entity knew or should have known that | ||||||
13 | a significant number of users are children, provided that, | ||||||
14 | in making this assessment, the covered entity shall not | ||||||
15 | collect or process any personal data that is not | ||||||
16 | reasonably necessary to provide an online service, | ||||||
17 | product, or feature with which a child is actively and | ||||||
18 | knowingly engaged. | ||||||
19 | "Sale" or "sell" means the exchange of personal data for | ||||||
20 | monetary or other valuable consideration by a covered entity | ||||||
21 | to a third party. "Sale" or "sell" do not include the | ||||||
22 | following: | ||||||
23 | (1) the disclosure of personal data to a third party | ||||||
24 | who processes the personal data on behalf of the covered | ||||||
25 | entity; | ||||||
26 | (2) the disclosure of personal data to a third party |
| |||||||
| |||||||
1 | with whom the consumer has a direct relationship for | ||||||
2 | purposes of providing a product or service requested by | ||||||
3 | the consumer; | ||||||
4 | (3) the disclosure or transfer of personal data to an | ||||||
5 | affiliate of the covered entity; | ||||||
6 | (4) the disclosure of data that the consumer | ||||||
7 | intentionally made available to the general public via a | ||||||
8 | channel of mass media and did not restrict to a specific | ||||||
9 | audience; or | ||||||
10 | (5) the disclosure or transfer of personal data to a | ||||||
11 | third party as an asset that is part of a completed or | ||||||
12 | proposed merger, acquisition, bankruptcy, or other | ||||||
13 | transaction in which the third party assumes control of | ||||||
14 | all or part of the covered entity's assets. | ||||||
15 | "Share" means sharing, renting, releasing, disclosing, | ||||||
16 | disseminating, making available, transferring, or otherwise | ||||||
17 | communicating orally, in writing, or by electronic or other | ||||||
18 | means a consumer's personal data by the covered entity to a | ||||||
19 | third party for cross-context behavioral advertising, whether | ||||||
20 | or not for monetary or other valuable consideration, including | ||||||
21 | transactions between a covered entity and a third party for | ||||||
22 | cross-context behavioral advertising for the benefit of a | ||||||
23 | covered entity in which no money is exchanged. | ||||||
24 | "Third party" means a natural or legal person, public | ||||||
25 | authority, agency, or body other than the consumer or the | ||||||
26 | covered entity.
|
| |||||||
| |||||||
1 | Section 15. Information fiduciary. All covered entities | ||||||
2 | that operate in this State and process children's data in any | ||||||
3 | capacity shall do so in a manner consistent with the best | ||||||
4 | interests of children.
| ||||||
5 | Section 20. Scope; exclusions. | ||||||
6 | (a) A covered entity operating in this State is subject to | ||||||
7 | the requirements of this Act if it: | ||||||
8 | (1) collects consumers' personal data or has | ||||||
9 | consumers' personal data collected on its behalf by a | ||||||
10 | third party; | ||||||
11 | (2) alone or jointly with others, determines the | ||||||
12 | purposes and means of the processing of consumers' | ||||||
13 | personal data; and | ||||||
14 | (3) satisfies one or more of the following thresholds: | ||||||
15 | (i) has annual gross revenues in excess of | ||||||
16 | $25,000,000, as adjusted every odd numbered year to | ||||||
17 | reflect the Consumer Price Index; | ||||||
18 | (ii) alone or in combination, annually buys, | ||||||
19 | receives for the covered entity's commercial purposes, | ||||||
20 | sells, or shares for commercial purposes, alone or in | ||||||
21 | combination, the personal data of 50,000 or more | ||||||
22 | consumers, households, or devices; or | ||||||
23 | (iii) derives 50% or more of its annual revenues | ||||||
24 | from selling consumers' personal data. |
| |||||||
| |||||||
1 | (b) This Act does not apply to: | ||||||
2 | (1) protected health information that is collected by | ||||||
3 | a covered entity or covered entity associate governed by | ||||||
4 | the privacy, security, and breach notification rules | ||||||
5 | issued by the United States Department of Health and Human | ||||||
6 | Services, 45 CFR 160 and 164, established pursuant to the | ||||||
7 | Health Insurance Portability and Accountability Act of | ||||||
8 | 1996, Public Law 104-191, and the Health Information | ||||||
9 | Technology for Economic and Clinical Health Act, Public | ||||||
10 | Law 111-5; | ||||||
11 | (2) a covered entity governed by the privacy, | ||||||
12 | security, and breach notification rules issued by the | ||||||
13 | United States Department of Health and Human Services, 45 | ||||||
14 | CFR 160 and 164, established pursuant to the Health | ||||||
15 | Insurance Portability and Accountability Act of 1996, | ||||||
16 | Public Law 104-191, to the extent the provider or covered | ||||||
17 | entity maintains patient information in the same manner as | ||||||
18 | medical information or protected health information as | ||||||
19 | described in paragraph (1); or | ||||||
20 | (3) information collected as part of a clinical trial | ||||||
21 | subject to the federal policy for the protection of human | ||||||
22 | subjects, also known as the common rule, pursuant to good | ||||||
23 | clinical practice guidelines issued by the International | ||||||
24 | Council for Harmonisation of Technical Requirements for | ||||||
25 | Pharmaceuticals for Human Use or human subject protection | ||||||
26 | requirements issued by the United States Food and Drug |
| |||||||
| |||||||
1 | Administration.
| ||||||
2 | Section 25. Requirements for covered entities. | ||||||
3 | (a) A covered entity subject to this Act shall: | ||||||
4 | (1) complete a data protection impact assessment for | ||||||
5 | an online service, product, or feature or any new online | ||||||
6 | service, product, or feature that is reasonably likely to | ||||||
7 | be accessed by children; and maintain documentation of the | ||||||
8 | data protection impact assessment for as long as the | ||||||
9 | online service, product, or feature is reasonably likely | ||||||
10 | to be accessed by children; | ||||||
11 | (2) review and modify all data protection impact | ||||||
12 | assessments as necessary to account for material changes | ||||||
13 | to processing pertaining to the online service, product, | ||||||
14 | or feature within 90 days after such material changes; | ||||||
15 | (3) within 5 business days after a written request by | ||||||
16 | the Attorney General, provide to the Attorney General a | ||||||
17 | list of all data protection impact assessments the covered | ||||||
18 | entity has completed; | ||||||
19 | (4) within 7 business days after a written request by | ||||||
20 | the Attorney General, provide the Attorney General with a | ||||||
21 | copy of any data protection impact assessment, unless the | ||||||
22 | Attorney General, in its discretion, extends the time | ||||||
23 | period for a covered entity to respond; | ||||||
24 | (5) configure all default privacy settings provided to | ||||||
25 | children by the online service, product, or feature to |
| |||||||
| |||||||
1 | settings that offer a high level of privacy, unless the | ||||||
2 | covered entity can demonstrate a compelling reason that a | ||||||
3 | different setting is in the best interests of children; | ||||||
4 | (6) provide any privacy information, terms of service, | ||||||
5 | policies, and community standards concisely, prominently, | ||||||
6 | and using clear language suited to the age of children | ||||||
7 | reasonably likely to access that online service, product, | ||||||
8 | or feature; and | ||||||
9 | (7) provide prominent, accessible, and responsive | ||||||
10 | tools to help children, or if applicable their parents or | ||||||
11 | guardians, exercise their privacy rights and report | ||||||
12 | concerns. | ||||||
13 | (b) A data protection, impact assessment required by this | ||||||
14 | Section shall identify the purpose of the online service, | ||||||
15 | product, or feature; how it uses children's personal data; and | ||||||
16 | determine whether the online service, product, or feature is | ||||||
17 | designed and offered in a age-appropriate manner consistent | ||||||
18 | with the best interests of children that are reasonably likely | ||||||
19 | to access the online product by examining, at a minimum, the | ||||||
20 | following: | ||||||
21 | (1) whether the design of the online service, product, | ||||||
22 | or feature could lead to children experiencing or being | ||||||
23 | targeted by contacts on the online service, product, or | ||||||
24 | feature that would result in: reasonably foreseeable and | ||||||
25 | material physical or financial harm to the child; | ||||||
26 | reasonably foreseeable and severe psychological or |
| |||||||
| |||||||
1 | emotional harm to the child; a highly offensive intrusion | ||||||
2 | on the reasonable privacy expectations of the child; or | ||||||
3 | discrimination against the child based upon race, color, | ||||||
4 | religion, national origin, disability, sex, or sexual | ||||||
5 | orientation; | ||||||
6 | (2) whether the design of the online service, product, | ||||||
7 | or feature could permit children to witness, participate | ||||||
8 | in, or be subject to conduct on the online service, | ||||||
9 | product, or feature that would result in: reasonably | ||||||
10 | foreseeable and material physical or financial harm to the | ||||||
11 | child; reasonably foreseeable and severe psychological or | ||||||
12 | emotional harm to the child; a highly offensive intrusion | ||||||
13 | on the reasonable privacy expectations of the child; or | ||||||
14 | discrimination against the child based upon race, color, | ||||||
15 | religion, national origin, disability, sex, or sexual | ||||||
16 | orientation; | ||||||
17 | (3) whether the design of the online service, product, | ||||||
18 | or feature are reasonably expected to allow children to be | ||||||
19 | party to or exploited by a contract on the online service, | ||||||
20 | product, or feature that would result in: reasonably | ||||||
21 | foreseeable and material physical or financial harm to the | ||||||
22 | child; reasonably foreseeable and severe psychological or | ||||||
23 | emotional harm to the child; a highly offensive intrusion | ||||||
24 | on the reasonable privacy expectations of the child; or | ||||||
25 | discrimination against the child based upon race, color, | ||||||
26 | religion, national origin, disability, sex, or sexual |
| |||||||
| |||||||
1 | orientation; | ||||||
2 | (4) whether algorithms used by the product, service, | ||||||
3 | or feature would result in: reasonably foreseeable and | ||||||
4 | material physical or financial harm to the child; | ||||||
5 | reasonably foreseeable and severe psychological or | ||||||
6 | emotional harm to the child; a highly offensive intrusion | ||||||
7 | on the reasonable privacy expectations of the child; or | ||||||
8 | discrimination against the child based upon race, color, | ||||||
9 | religion, national origin, disability, sex, or sexual | ||||||
10 | orientation; | ||||||
11 | (5) whether targeted advertising systems used by the | ||||||
12 | online service, product, or feature would result in: | ||||||
13 | reasonably foreseeable and material physical or financial | ||||||
14 | harm to the child; reasonably foreseeable and severe | ||||||
15 | psychological or emotional harm to the child; a highly | ||||||
16 | offensive intrusion on the reasonable privacy expectations | ||||||
17 | of the child; or discrimination against the child based | ||||||
18 | upon race, color, religion, national origin, disability, | ||||||
19 | sex, or sexual orientation; | ||||||
20 | (6) whether the online service, product, or feature | ||||||
21 | uses system design features to increase, sustain, or | ||||||
22 | extend use of the online service, product, or feature by | ||||||
23 | children, including the automatic playing of media, | ||||||
24 | rewards for time spent, and notifications, that would | ||||||
25 | result in: reasonably foreseeable and material physical or | ||||||
26 | financial harm to the child; reasonably foreseeable and |
| |||||||
| |||||||
1 | severe psychological or emotional harm to the child; a | ||||||
2 | highly offensive intrusion on the reasonable privacy | ||||||
3 | expectations of the child; or discrimination against the | ||||||
4 | child based upon race, color, religion, national origin, | ||||||
5 | disability, sex, or sexual orientation; and | ||||||
6 | (7) whether, how, and for what purpose the online | ||||||
7 | product, service, or feature collects or processes | ||||||
8 | personal data of children, and whether those practices | ||||||
9 | would result in: reasonably foreseeable and material | ||||||
10 | physical or financial harm to the child; reasonably | ||||||
11 | foreseeable and severe psychological or emotional harm to | ||||||
12 | the child; a highly offensive intrusion on the reasonable | ||||||
13 | privacy expectations of the child; or discrimination | ||||||
14 | against the child based upon race, color, religion, | ||||||
15 | national origin, disability, sex, or sexual orientation; | ||||||
16 | and | ||||||
17 | (8) whether and how product experimentation results | ||||||
18 | for the online product, service, or feature reveal data | ||||||
19 | management or design practices that would result in: | ||||||
20 | reasonably foreseeable and material physical or financial | ||||||
21 | harm to the child; reasonably foreseeable and extreme | ||||||
22 | psychological or emotional harm to the child; a highly | ||||||
23 | offensive intrusion on the reasonable privacy expectations | ||||||
24 | of the child; or discrimination against the child based | ||||||
25 | upon race, color, religion, national origin, disability, | ||||||
26 | sex, or sexual orientation. |
| |||||||
| |||||||
1 | (c) A data protection impact assessment conducted by a | ||||||
2 | covered entity for the purpose of compliance with any other | ||||||
3 | law complies with this Section if the data protection impact | ||||||
4 | assessment meets the requirement of this Act. | ||||||
5 | (d) A single data protection impact assessment may contain | ||||||
6 | multiple similar processing operations that present similar | ||||||
7 | risk only if each relevant online service, product, or feature | ||||||
8 | is addressed. | ||||||
9 | (e) A company may process only the personal data | ||||||
10 | reasonably necessary to provide an online service, product, or | ||||||
11 | feature with which a child is actively and knowingly engaged | ||||||
12 | to estimate age.
| ||||||
13 | Section 30. Prohibited acts by covered entities. A covered | ||||||
14 | entity that provides an online service, product, or feature | ||||||
15 | reasonably likely to be accessed by children shall not: | ||||||
16 | (1) process the personal data of any child in a way | ||||||
17 | that is inconsistent with the best interests of children | ||||||
18 | reasonably likely to access the online service, product, | ||||||
19 | or feature; | ||||||
20 | (2) profile a child by default unless: | ||||||
21 | (A) the covered entity can demonstrate it has | ||||||
22 | appropriate safeguards in place to ensure that | ||||||
23 | profiling is consistent with the best interests of | ||||||
24 | children reasonably likely to access the online | ||||||
25 | service, product, or feature; and |
| |||||||
| |||||||
1 | (B) either of the following is true: | ||||||
2 | (i) profiling is necessary to provide the | ||||||
3 | online service, product, or feature requested and | ||||||
4 | only with respect to the aspects of the online | ||||||
5 | service, product, or feature with which a child is | ||||||
6 | actively and knowingly engaged; | ||||||
7 | (ii) the covered entity can demonstrate a | ||||||
8 | compelling reason that profiling is in the best | ||||||
9 | interests of children; | ||||||
10 | (3) process any personal data that is not reasonably | ||||||
11 | necessary to provide an online service, product, or | ||||||
12 | feature with which a child is actively and knowingly | ||||||
13 | engaged; | ||||||
14 | (4) if the end user is a child, process personal data | ||||||
15 | for any reason other than a reason for which that personal | ||||||
16 | data was collected; | ||||||
17 | (5) process any precise geolocation information of | ||||||
18 | children by default, unless the collection of that precise | ||||||
19 | geolocation information is strictly necessary for the | ||||||
20 | covered entity to provide the service, product, or feature | ||||||
21 | requested and then only for the limited time that the | ||||||
22 | collection of precise geolocation information is necessary | ||||||
23 | to provide the service, product, or feature; | ||||||
24 | (6) process any precise geolocation information of a | ||||||
25 | child without providing an obvious sign to the child for | ||||||
26 | the duration of that collection that precise geolocation |
| |||||||
| |||||||
1 | information is being collected; | ||||||
2 | (7) use dark patterns to cause children to provide | ||||||
3 | personal data beyond what is reasonably expected to | ||||||
4 | provide that online service, product, or feature to forgo | ||||||
5 | privacy protections, or to take any action that the | ||||||
6 | covered entity knows, or has reason to know, is not in the | ||||||
7 | best interests of children reasonably likely to access the | ||||||
8 | online service, product, or feature; and | ||||||
9 | (8) allow a child's parent, guardian, or any other | ||||||
10 | consumer to monitor the child's online activity or track | ||||||
11 | the child's location, without providing an obvious signal | ||||||
12 | to the child when the child is being monitored or tracked.
| ||||||
13 | Section 35. Data practices. | ||||||
14 | (a) A data protection impact assessment collected or | ||||||
15 | maintained by the Attorney General under Section 25 is | ||||||
16 | classified as nonpublic data. | ||||||
17 | (b) To the extent any information contained in a data | ||||||
18 | protection impact assessment disclosed to the Attorney General | ||||||
19 | includes information subject to attorney-client privilege or | ||||||
20 | work product protection, disclosure does not constitute a | ||||||
21 | waiver of that privilege or protection.
| ||||||
22 | Section 40. Attorney General enforcement. | ||||||
23 | (a) A covered entity that violates this Act may be subject | ||||||
24 | to an injunction and liable for a civil penalty of not more |
| |||||||
| |||||||
1 | than $2,500 per affected child for each negligent violation, | ||||||
2 | or not more than $7,500 per affected child for each | ||||||
3 | intentional violation, which may be assessed or recovered only | ||||||
4 | in a civil action brought by the Attorney General. If the State | ||||||
5 | prevails in an action to enforce this Act, the State may, in | ||||||
6 | addition to civil penalties provided by this subsection or | ||||||
7 | other remedies provided by the law, be allowed an amount | ||||||
8 | determined by the court to be the reasonable value of all or | ||||||
9 | part of the State's litigation expenses incurred. | ||||||
10 | (b) All moneys received by the Attorney General as civil | ||||||
11 | penalties, fees, or other amounts under subsection (a) shall | ||||||
12 | be deposited into the Age-Appropriate Design Code Enforcement | ||||||
13 | Fund, a special fund created in the State treasury, and shall | ||||||
14 | be used, subject to appropriation and as directed by the | ||||||
15 | Attorney General, to offset costs incurred by the Attorney | ||||||
16 | General in connection with the enforcement of this Act. | ||||||
17 | (c) If a covered entity is in substantial compliance with | ||||||
18 | the requirements of Section 25, the Attorney General shall, | ||||||
19 | before initiating a civil action under this Section, provide | ||||||
20 | written notice to the covered entity identifying the specific | ||||||
21 | provisions of this Act that the Attorney General alleges have | ||||||
22 | been or are being violated. If, for a covered entity that | ||||||
23 | satisfied Section 50 or subsection (a) of Section 25 before | ||||||
24 | offering any new online product, service, or feature | ||||||
25 | reasonably likely to be accessed by children to the public, | ||||||
26 | within 90 days after the notice required by this subsection, |
| |||||||
| |||||||
1 | the covered entity cures any noticed violation and provides | ||||||
2 | the Attorney General a written statement that the alleged | ||||||
3 | violations have been cured, and sufficient measures have been | ||||||
4 | taken to prevent future violations, the covered entity is not | ||||||
5 | liable for a civil penalty for any violation cured pursuant to | ||||||
6 | this Act. | ||||||
7 | (d) Nothing in this Act shall be construed to create a | ||||||
8 | private right of action.
| ||||||
9 | Section 45. Limitations. Nothing in this Act shall be | ||||||
10 | interpreted or construed to: | ||||||
11 | (1) impose liability in a manner that is inconsistent | ||||||
12 | with 47 U.S.C. 230; | ||||||
13 | (2) prevent or preclude any child from deliberately or | ||||||
14 | independently searching for, or specifically requesting, | ||||||
15 | content; or | ||||||
16 | (3) require a covered entity to implement an age | ||||||
17 | gating requirement.
| ||||||
18 | Section 50. Data protection impact assessment date. | ||||||
19 | (a) By January 1, 2025 a covered entity shall complete a | ||||||
20 | data protection impact assessment for any online service, | ||||||
21 | product, or feature reasonably likely to be accessed by | ||||||
22 | children offered to the public before January 1, 2025, unless | ||||||
23 | that online service, product, or feature is exempt under | ||||||
24 | paragraph (b). |
| |||||||
| |||||||
1 | (b) This Act does not apply to an online service, product, | ||||||
2 | or feature that is not offered to the public on or after | ||||||
3 | January 1, 2025.
| ||||||
4 | Section 55. Severability. If any provision of this Act, or | ||||||
5 | an amendment made by this Act, is determined to be | ||||||
6 | unenforceable or invalid, the remaining provisions of this Act | ||||||
7 | and the amendments made by this Act shall not be affected.
| ||||||
8 | Section 90. The State Finance Act is amended by adding | ||||||
9 | Section 5.1015 as follows:
| ||||||
10 | (30 ILCS 105/5.1015 new) | ||||||
11 | Sec. 5.1015. The Age-Appropriate Design Code Enforcement | ||||||
12 | Fund.
|