Bill Text: IL SB3517 | 2023-2024 | 103rd General Assembly | Introduced


Bill Title: Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.

Spectrum: Partisan Bill (Republican 2-0)

Status: (Introduced) 2024-03-06 - Added as Co-Sponsor Sen. Sally J. Turner [SB3517 Detail]

Download: Illinois-2023-SB3517-Introduced.html

103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3517

Introduced 2/9/2024, by Sen. Sue Rezin

SYNOPSIS AS INTRODUCED:
New Act
30 ILCS 105/5.1015 new

Creates the Privacy Rights Act. Sets forth duties and obligations of businesses that collected consumers' personal information and sensitive personal information to keep such information private. Sets forth consumer rights in relation to the collected personal information and sensitive personal information, including the right to: delete personal information; correct inaccurate personal information; know what personal information is sold or shared and to whom; opt out of the sale or sharing of personal information; limit use and disclosure of sensitive personal information; and no retaliation for exercising any rights. Sets forth enforcement provisions. Creates the Consumer Privacy Fund. Allows the Attorney General to create rules to implement the Act. Establishes the Privacy Protection Agency. Includes provisions regarding remedies and fines for violations of the Act. Makes a conforming change in the State Finance Act.
LRB103 35732 LNS 65813 b

A BILL FOR

SB3517LRB103 35732 LNS 65813 b
1 AN ACT concerning civil law.
2 Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
4
Article 5. General
5 Section 5-1. Short title. This Act may be cited as the
6Privacy Rights Act.
7 Section 5-5. Purpose and intent. In enacting this Act, it
8is the purpose and intent of the State to further protect
9consumers' rights, including the constitutional right of
10privacy. The implementation of this Act shall be guided by the
11following principles:
12 (1) Consumers should know who is collecting their
13 personal information and that of their children, how it is
14 being used, and to whom it is disclosed so that they have
15 the information necessary to exercise meaningful control
16 over businesses' use of their personal information and
17 that of their children.
18 (2) Consumers should be able to control the use of
19 their personal information, including limiting the use of
20 their sensitive personal information, the unauthorized use
21 or disclosure of which creates a heightened risk of harm
22 to the consumer, and they should have meaningful options

SB3517- 2 -LRB103 35732 LNS 65813 b
1 over how it is collected, used, and disclosed.
2 (3) Consumers should have access to their personal
3 information and should be able to correct it, delete it,
4 and take it with them from one business to another.
5 (4) Consumers or their authorized agents should be
6 able to exercise these options through easily accessible
7 self-serve tools.
8 (5) Consumers should be able to exercise these rights
9 without being penalized for doing so.
10 (6) Consumers should be able to hold businesses
11 accountable for failing to take reasonable precautions to
12 protect their most sensitive personal information from
13 hackers and security breaches.
14 (7) Consumers should benefit from businesses' use of
15 their personal information.
16 (8) The privacy interests of employees and independent
17 contractors should also be protected, taking into account
18 the differences in the relationship between employees or
19 independent contractors and businesses as compared to the
20 relationship between consumers and businesses. This Act is
21 not intended to interfere with the right to organize and
22 collective bargaining under the federal National Labor
23 Relations Act.
24 (9) Businesses should specifically and clearly inform
25 consumers about how they collect and use personal
26 information and how they can exercise their rights and

SB3517- 3 -LRB103 35732 LNS 65813 b
1 choice.
2 (10) Businesses should only collect consumers'
3 personal information for specific, explicit, and
4 legitimate disclosed purposes and should not further
5 collect, use, or disclose consumers' personal information
6 for reasons incompatible with those purposes.
7 (11) Businesses should collect consumers' personal
8 information only to the extent that it is relevant and
9 limited to what is necessary in relation to the purposes
10 for which it is being collected, used, and shared.
11 (12) Businesses should provide consumers or their
12 authorized agents with easily accessible means to allow
13 consumers and their children to obtain their personal
14 information, to delete it or correct it, to opt out of its
15 sale and sharing across business platforms, services,
16 businesses, and devices, and to limit the use of their
17 sensitive personal information.
18 (13) Businesses should not penalize consumers for
19 exercising these rights.
20 (14) Businesses should take reasonable precautions to
21 protect consumers' personal information from a security
22 breach.
23 (15) Businesses should be held accountable when they
24 violate consumers' privacy rights, and the penalties
25 should be higher when the violation affects children.
26 (16) The rights of consumers and the responsibilities

SB3517- 4 -LRB103 35732 LNS 65813 b
1 of businesses should be implemented with the goal of
2 strengthening consumer privacy while giving attention to
3 the impact on business and innovation. Consumer privacy
4 and the development of beneficial new products and
5 services are not necessarily incompatible goals. Strong
6 consumer privacy rights create incentives to innovate and
7 develop new products that are privacy protective.
8 (17) Businesses and consumers should be provided with
9 clear guidance about their responsibilities and rights.
10 (18) The law should place the consumer in a position
11 to knowingly and freely negotiate with a business over the
12 business' use of the personal information.
13 (19) The law should adjust to technological changes,
14 help consumers exercise their rights, and assist
15 businesses with compliance with the continuing goal of
16 strengthening consumer privacy.
17 (20) The law should enable proconsumer new products
18 and services and promote efficiency of implementation for
19 business as long as the law does not compromise or weaken
20 consumer privacy.
21 (21) The law should be amended, if necessary, to
22 improve its operation, as long as the amendments do not
23 compromise or weaken consumer privacy, while giving
24 attention to the impact on business and innovation.
25 (22) Businesses should be held accountable for
26 violating the law through vigorous administrative and

SB3517- 5 -LRB103 35732 LNS 65813 b
1 civil enforcement.
2 (23) To the extent it advances consumer privacy and
3 business compliance, the law should be compatible with
4 privacy laws in other jurisdictions.
5 Section 5-10. Definitions. As used in this Act:
6 "Advertising and marketing" means a communication by a
7business or person acting on behalf of the business in any
8medium intended to induce a consumer to obtain goods,
9services, or employment.
10 "Agency" means the Privacy Protection Agency.
11 "Aggregate consumer information" means information that
12relates to a group or category of consumers, from which
13individual consumer identities have been removed, that is not
14linked or reasonably linkable to any consumer or household,
15including via a device. "Aggregate consumer information" does
16not include one or more individual consumer records that have
17been deidentified.
18 "Biometric information" means an individual's
19physiological, biological, or behavioral characteristics,
20including information pertaining to an individual's
21deoxyribonucleic acid (DNA), that is used or is intended to be
22used singly or in combination with each other or with other
23identifying data, to establish individual identity. "Biometric
24information" includes, but is not limited to, imagery of the
25iris, retina, fingerprint, face, hand, palm, vein patterns,

SB3517- 6 -LRB103 35732 LNS 65813 b
1and voice recordings, from which an identifier template, such
2as a faceprint, a minutiae template, or a voiceprint, can be
3extracted, and keystroke patterns or rhythms, gait patterns or
4rhythms, and sleep, health, or exercise data that contain
5identifying information.
6 "Business" means:
7 (1) a sole proprietorship, partnership, limited
8 liability company, corporation, association, or other
9 legal entity that is organized or operated for the profit
10 or financial benefit of its shareholders or other owners,
11 that collects consumers' personal information, or on the
12 behalf of which such information is collected and that
13 determines the purposes and means of the processing of
14 consumers' personal information, does business in this
15 State, and satisfies one or more of the following
16 thresholds:
17 (A) as of January 1 of the calendar year, had
18 annual gross revenues in excess of $25,000,000 in the
19 preceding calendar year;
20 (B) alone or in combination, annually, buys,
21 sells, or shares the personal information of 100,000
22 or more consumers or households; or
23 (C) derives 50% or more of its annual revenues
24 from selling or sharing consumers' personal
25 information;
26 (2) any entity that controls or is controlled by a

SB3517- 7 -LRB103 35732 LNS 65813 b
1 business and that shares common branding with the business
2 and with whom the business shares consumers' personal
3 information;
4 (3) a joint venture or partnership composed of
5 businesses in which each business has at least a 40%
6 interest; or
7 (4) a person that does business in this State, that is
8 not covered by paragraph (1), (2), or (3) of this
9 definition and that voluntarily certifies to this Act that
10 it is in compliance with, and agrees to be bound by, this
11 Act.
12 "Business associate" has the meaning given to that term in
13Section 160.103 of Title 45 of the Code of Federal
14Regulations.
15 "Business controller information" means the name or names
16of the owner or owners, director, officer, or management
17employee of a business and the contact information, including
18a business title, for the owner or owners, director, officer,
19or management employee.
20 "Business purpose" means the use of personal information
21for the business's operational purposes, or other notified
22purposes, or for the service provider's or contractor's
23operational purposes, as long as the use of personal
24information is reasonably necessary and proportionate to
25achieve the purpose for which the personal information was
26collected or processed or for another purpose that is

SB3517- 8 -LRB103 35732 LNS 65813 b
1compatible with the context in which the personal information
2was collected. "Business purposes" includes:
3 (1) auditing related to counting ad impressions to
4 unique visitors, verifying positioning and quality of ad
5 impressions, and auditing compliance with this
6 specification and other standards;
7 (2) helping to ensure security and integrity to the
8 extent the use of the personal information is reasonably
9 necessary and proportionate for these purposes;
10 (3) debugging to identify and repair errors that
11 impair existing intended functionality;
12 (4) short-term, transient use, including, but not
13 limited to, nonpersonalized advertising shown as part of a
14 consumer's current interaction with the business, as long
15 as the personal information is not disclosed to another
16 third party and is not used to build a profile about the
17 consumer or otherwise alter the consumer's experience
18 outside the current interaction with the business;
19 (5) performing services on behalf of the business,
20 including maintaining or servicing accounts, providing
21 customer service, processing or fulfilling orders and
22 transactions, verifying customer information, processing
23 payments, providing financing, providing analytic
24 services, providing storage, or providing similar services
25 on behalf of the business;
26 (6) providing advertising and marketing services,

SB3517- 9 -LRB103 35732 LNS 65813 b
1 except for cross-context behavioral advertising, to the
2 consumer, as long as a service provider or contractor does
3 not combine the personal information of consumers who
4 opted-out that the service provider or contractor receives
5 from, or on behalf of, the business with personal
6 information that the service provider or contractor
7 receives from, or on behalf of, another person or persons
8 or collects from its own interaction with consumers;
9 (7) undertaking internal research for technological
10 development and demonstration; and
11 (8) undertaking activities to verify or maintain the
12 quality or safety of a service or device that is owned,
13 manufactured, manufactured for, or controlled by the
14 business, and to improve, upgrade, or enhance the service
15 or device that is owned, manufactured, manufactured for,
16 or controlled by the business.
17 "Collects", "collected", or "collection" means buying,
18renting, gathering, obtaining, receiving, or accessing any
19personal information pertaining to the consumer by any means.
20"Collects", "collected", or "collection" includes receiving
21information from the consumer, either actively or passively,
22or by observing the consumer's behavior.
23 "Commercial credit reporting agency" means any person who,
24for monetary fees, dues, or on a cooperative nonprofit basis,
25provides commercial credit reports to third parties.
26 "Commercial purposes" means to advance a person's

SB3517- 10 -LRB103 35732 LNS 65813 b
1commercial or economic interests, such as by inducing another
2person to buy, rent, lease, join, subscribe to, provide, or
3exchange products, goods, property, information, or services,
4or enabling or effecting, directly or indirectly, a commercial
5transaction.
6 "Common branding" means a shared name, service mark, or
7trademark that the average consumer would understand that 2 or
8more entities are commonly owned.
9 "Consent" means any freely given, specific, informed, and
10unambiguous indication of the consumer's wishes by which the
11consumer, the consumer's legal guardian, or a person who has
12power of attorney signifies agreement to the processing of
13personal information relating to the consumer for a narrowly
14defined particular purpose. "Consent" does not include
15acceptance of a general or broad terms of use, or similar
16document, that contains descriptions of personal information
17processing along with other, unrelated information, hovering
18over, muting, pausing, or closing a given piece of content, or
19an agreement obtained through use of dark patterns.
20 "Consumer" means a natural person who is a State resident,
21however identified, including by any unique identifier.
22 "Contractor" means a person to whom the business makes
23available personal information for a business purpose, under
24the written contract with the business, if the contract:
25 (1) prohibits the contractor from:
26 (A) selling or sharing the personal information;

SB3517- 11 -LRB103 35732 LNS 65813 b
1 (B) retaining, using, or disclosing the personal
2 information for any purpose other than for the
3 business purpose specified in the contract, including
4 retaining, using, or disclosing the personal
5 information for a commercial purpose other than the
6 business purposes specified in the contract, or as
7 otherwise permitted by this Act;
8 (C) retaining, using, or disclosing the personal
9 information outside of the direct business
10 relationship between the contractor and the business;
11 and
12 (D) combining the personal information that the
13 contractor receives under a written contract with the
14 business with personal information that it receives on
15 behalf of another person or persons, or collects from
16 its own interaction with the consumer;
17 (2) includes a certification made by the contractor
18 that the contractor understands the restrictions in
19 paragraph (1) and will comply with them; and
20 (3) permits, subject to agreement with the contractor,
21 the business to monitor the contractor's compliance with
22 the contract through measures, including, but not limited
23 to, ongoing manual reviews and automated scans and regular
24 assessments, audits, or other technical and operational
25 testing at least once every 12 months.
26 "Control" or "controlled" means ownership of, or the power

SB3517- 12 -LRB103 35732 LNS 65813 b
1to vote, more than 50% of the outstanding shares, control in
2any manner over the election of a majority of directors, or of
3individuals exercising similar functions, or the power to
4exercise a controlling influence over the management of the
5company.
6 "Covered entity" has the meaning given to that term in
7Section 160.103 of Title 45 of the Code of Federal
8Regulations.
9 "Cross-context behavioral advertising" means the targeting
10of advertising to a consumer based on the personal information
11obtained from the consumer's activity across businesses,
12distinctly branded websites, applications, or services, other
13than the business, distinctly branded website, application, or
14service with which the consumer intentionally interacts.
15 "Dark pattern" means a user interface designed or
16manipulated with the substantial effect of subverting or
17impairing user autonomy, decision-making, or choice.
18 "Deidentified" means information that cannot be reasonably
19used to infer information about, or otherwise be linked to, a
20particular consumer if the business that possesses the
21information:
22 (1) takes reasonable measures to ensure that the
23 information cannot be associated with a consumer or
24 household;
25 (2) publicly commits to maintain and use the
26 information in deidentified form and not to attempt to

SB3517- 13 -LRB103 35732 LNS 65813 b
1 reidentify the information; and
2 (3) contractually obligates any recipients of the
3 information to comply with all provisions of this
4 definition.
5 "Designated methods for submitting requests" means a
6mailing address, email address, Internet webpage, Internet web
7portal, toll-free telephone number, or other applicable
8contact information, whereby consumers may submit a request or
9direction under this Act, and any new, consumer-friendly means
10of contacting a business.
11 "Device" means any physical object that is capable of
12connecting to the Internet, directly or indirectly, or to
13another device.
14 "Director" means a natural person designated in the
15articles of incorporation as director, or elected by the
16incorporators and natural persons designated, elected, or
17appointed by any other name or title to act as directors, and
18their successors.
19 "Educational standardized assessment or educational
20assessment" means a standardized or nonstandardized quiz,
21test, or other assessment used to evaluate students in or for
22entry to kindergarten and grades 1 through 12, schools,
23postsecondary institutions, vocational programs, and
24postgraduate programs that are accredited by an accrediting
25agency or organization recognized by the State or the United
26States Department of Education, as well as certification and

SB3517- 14 -LRB103 35732 LNS 65813 b
1licensure examinations used to determine competency and
2eligibility to receive certification or licensure from a
3government agency or government certification body.
4 "Family" means a custodial parent or guardian and any
5children under 18 years of age over which the parent or
6guardian has custody.
7 "Fraudulent concealment" means the person knows of
8material facts related to the person's duties under this Act
9and knowingly conceals the facts in performing or omitting to
10perform those duties for the purpose of defrauding the public
11of information to which it is entitled under this Act.
12 "Homepage" means the introductory page of an Internet
13website and any Internet webpage where personal information is
14collected. "Homepage", in the case of an online service such
15as a mobile application, means the application's platform page
16or download page, a link within the application, such as from
17the application configuration, "About", "Information", or
18settings page, and any other location that allows consumers to
19review the notices required by this Act, including, but not
20limited to, before downloading the application.
21 "Household" means a group, however identified, of
22consumers who cohabitate with one another at the same
23residential address and share use of common devices or
24services.
25 "Independent contractor" means a natural person who
26provides any service to a business under a written contract.

SB3517- 15 -LRB103 35732 LNS 65813 b
1 "Individually identifiable" means that the medical
2information includes or contains any element of personal
3identifying information sufficient to allow identification of
4the individual, such as the patient's name, address, email
5address, telephone number, or social security number, or other
6information that, alone or in combination with other publicly
7available information, reveals the identity of the individual.
8 "Infer" or "inference" means the derivation of
9information, data, assumptions, or conclusions from facts,
10evidence, or other sources of information or data.
11 "Insurance institution" means any corporation,
12association, partnership, reciprocal exchange, interinsurer,
13fraternal benefit society, or other person engaged in the
14business of insurance. "Insurance institution" does not
15include agents, insurance-support organizations, or health
16care service plans.
17 "Intentionally interacts" means when the consumer intends
18to interact with a person, or disclose personal information to
19a person, via one or more deliberate interactions, including
20visiting the person's website or purchasing a good or service
21from the person. "Intentionally interacts" does not include
22hovering over, muting, pausing, or closing a given piece of
23content.
24 "Jeopardize the validity and reliability of that
25educational standardized assessment or educational assessment"
26means releasing information that would provide an advantage to

SB3517- 16 -LRB103 35732 LNS 65813 b
1the consumer who has submitted a verifiable consumer request
2or to another natural person.
3 "Local educational agency" includes school districts,
4county offices of education, and charter schools.
5 "Management employee" means a natural person whose name
6and contact information is reported to or collected by a
7commercial credit reporting agency as the primary manager of a
8business and used solely within the context of the natural
9person's role as the primary manager of the business.
10 "Medical information" means any individually identifiable
11information, in electronic or physical form, in possession of
12or derived from a provider of health care, health care service
13plan, pharmaceutical company, or contractor regarding a
14patient's medical history, mental health application
15information, mental or physical condition, or treatment.
16 "Medical staff member" means a licensed physician and
17surgeon, dentist, or podiatric physician, licensed under the
18Medical Practice Act of 1987, the Illinois Dental Practice
19Act, or the Podiatric Medical Practice Act of 1987 and a
20clinical psychologist as defined in the Clinical Psychologist
21Licensing Act.
22 "New motor vehicle dealer" is a dealer who either acquires
23for resale new and unregistered motor vehicles from
24manufacturers or distributors of those motor vehicles or
25acquires for resale new off-highway motorcycles or all-terrain
26vehicles from manufacturers or distributors of the vehicles.

SB3517- 17 -LRB103 35732 LNS 65813 b
1 "Nonpersonalized advertising" means advertising and
2marketing that is based solely on personal information derived
3from the consumer's current interaction with the business with
4the exception of the consumer's precise geolocation.
5 "Officer" means a natural person elected or appointed by
6the board of directors to manage the daily operations of a
7corporation, including a chief executive officer, president,
8secretary, or treasurer.
9 "Owner" means a natural person who:
10 (1) has ownership of, or the power to vote, more than
11 50% of the outstanding shares of any class of voting
12 security of a business;
13 (2) has control in any manner over the election of a
14 majority of the directors or of individuals exercising
15 similar functions; or
16 (3) has the power to exercise a controlling influence
17 over the management of a company.
18 "Ownership information" means the name or names of and
19contact information for the registered owner or owners.
20 "Person" means an individual, proprietorship, firm,
21partnership, joint venture, syndicate, business, trust,
22company, corporation, limited liability company, association,
23committee, and any other organization or group of persons
24acting in concert.
25 "Personal information" means information that identifies,
26relates to, describes, is reasonably capable of being

SB3517- 18 -LRB103 35732 LNS 65813 b
1associated with, or could reasonably be linked, directly or
2indirectly, with a particular consumer or household. "Personal
3information" includes, but is not limited to, the following if
4it identifies, relates to, describes, is reasonably capable of
5being associated with, or could be reasonably linked, directly
6or indirectly, with a particular consumer or household:
7 (1) identifiers such as a real name, alias, postal
8 address, unique personal identifier, online identifier,
9 Internet Protocol address, email address, account name,
10 social security number, driver's license number, passport
11 number, or other similar identifiers;
12 (2) any information, including, but not limited to,
13 signature, physical characteristics or description,
14 address, telephone number, state identification card
15 number, insurance policy number, education, bank account
16 number, credit card number, debit card number, or any
17 other financial information, medical information, or
18 health insurance information, but does not include
19 publicly available information that is lawfully made
20 available to the general public from federal, State, or
21 local government records;
22 (3) characteristics of protected classifications under
23 State or federal law;
24 (4) commercial information, including records of
25 personal property, products or services purchased,
26 obtained, or considered, or other purchasing or consuming

SB3517- 19 -LRB103 35732 LNS 65813 b
1 histories or tendencies;
2 (5) biometric information;
3 (6) Internet or other electronic network activity
4 information, including, but not limited to, browsing
5 history, search history, and information regarding a
6 consumer's interaction with an Internet website,
7 application, or advertisement;
8 (7) geolocation data;
9 (8) audio, electronic, visual, thermal, olfactory, or
10 similar information;
11 (9) professional or employment-related information;
12 (10) education information that is not publicly
13 available, personally identifiable information as defined
14 in the federal Family Educational Rights and Privacy Act;
15 (11) inferences drawn from any of the information
16 identified in this definition to create a profile about a
17 consumer to reflect the consumer's preferences,
18 characteristics, psychological trends, predispositions,
19 behavior, attitudes, intelligence, abilities, and
20 aptitudes; or
21 (12) sensitive personal information.
22"Personal information" does not include publicly available
23information or lawfully obtained, truthful information that is
24a matter of public concern, consumer information that is
25deidentified, or aggregate consumer information.
26 "Precise geolocation" means any data that is derived from

SB3517- 20 -LRB103 35732 LNS 65813 b
1a device and that is used or intended to be used to locate a
2consumer within a geographic area that is equal to or less than
3the area of a circle with a radius of 1,850 feet, except as
4prescribed by rules.
5 "Processing" means any operation or set of operations that
6are performed on personal information or on sets of personal
7information, whether by automated means.
8 "Profiling" means any form of automated processing of
9personal information to evaluate certain personal aspects
10relating to a natural person and in particular to analyze or
11predict aspects concerning that natural person's performance
12at work, economic situation, health, personal preferences,
13interests, reliability, behavior, location, or movements.
14 "Protected health information" has the meaning given to
15that term in Section 160.103 of Title 45 of the Code of Federal
16Regulations.
17 "Provider of health care" means a person licensed or
18certified under the Medical Practice Act of 1987, the Nurse
19Practice Act, the Illinois Dental Practice Act, the Podiatric
20Medical Practice Act of 1987, the Illinois Speech-Language
21Pathology and Audiology Practice Act, the Illinois
22Occupational Therapy Practice Act, the Dietitian Nutritionist
23Practice Act, the Perfusionist Practice Act, the Illinois
24Physical Therapy Act, the Licensed Certified Professional
25Midwife Practice Act, the Clinical Psychologist Licensing Act,
26the Illinois Optometric Practice Act of 1987, the Physician

SB3517- 21 -LRB103 35732 LNS 65813 b
1Assistant Practice Act of 1987, the Respiratory Care Practice
2Act, the Pharmacy Practice Act, the Massage Licensing Act, the
3Music Therapy Licensing and Practice Act, the Veterinary
4Medicine and Surgery Practice Act of 2004, the Acupuncture
5Practice Act, the Marriage and Family Therapy Licensing Act,
6the Behavior Analyst Licensing Act, the Clinical Social Work
7and Social Work Practice Act, and the Professional Counselor
8and Clinical Professional Counselor Licensing and Practice Act
9or a clinic, health dispensary, or health facility licensed
10under the Community Living Facilities Licensing Act, the Home
11Health, Home Services, and Home Nursing Agency Licensing Act,
12the Hospice Program Licensing Act, and the Hospital Licensing
13Act. "Provider of health care" does not include insurance
14institutions.
15 "Pseudonymize" or "pseudonymization" means the processing
16of personal information in a manner that renders the personal
17information no longer attributable to a specific consumer
18without the use of additional information, as long as the
19additional information is kept separately and is subject to
20technical and organizational measures to ensure that the
21personal information is not attributed to an identified or
22identifiable consumer.
23 "Publicly available" means information that is lawfully
24made available from federal, State, or local government
25records, information that a business has a reasonable basis to
26believe is lawfully made available to the general public by

SB3517- 22 -LRB103 35732 LNS 65813 b
1the consumer or from widely distributed media or information
2made available by a person to whom the consumer has disclosed
3the information if the consumer has not restricted the
4information to a specific audience. "Publicly available" does
5not include biometric information collected by a business
6about a consumer without the consumer's knowledge.
7 "Research" means scientific analysis, systematic study,
8and observation, including basic research or applied research
9that is designed to develop or contribute to public or
10scientific knowledge and that adheres or otherwise conforms to
11all other applicable ethics and privacy laws, including, but
12not limited to, studies conducted in the public interest in
13the area of public health.
14 "Security and integrity" means the ability of:
15 (1) networks or information systems to detect security
16 incidents that compromise the availability, authenticity,
17 integrity, and confidentiality of stored or transmitted
18 personal information;
19 (2) businesses to detect security incidents, resist
20 malicious, deceptive, fraudulent, or illegal actions and
21 to help prosecute those responsible for those actions; and
22 (3) businesses to ensure the physical safety of
23 natural persons.
24 "Sell", "selling", "sale", or "sold" means selling,
25renting, releasing, disclosing, disseminating, making
26available, transferring, or otherwise communicating orally, in

SB3517- 23 -LRB103 35732 LNS 65813 b
1writing, or by electronic or other means personal information
2by the business to a third party for monetary or other valuable
3consideration.
4 "Sensitive personal information" means:
5 (1) personal information that reveals:
6 (A) a consumer's social security, driver's
7 license, state identification card, or passport
8 number;
9 (B) a consumer's account log-in, financial
10 account, debit card, or credit card number in
11 combination with any required security or access code,
12 password, or credentials allowing access to an
13 account;
14 (C) a consumer's precise geolocation;
15 (D) a consumer's racial or ethnic origin,
16 religious or philosophical beliefs, or union
17 membership;
18 (E) the contents of a consumer's mail, email, or
19 text messages unless the business is the intended
20 recipient of the communication; or
21 (F) a consumer's genetic data;
22 (2) the processing of biometric information for the
23 purpose of uniquely identifying a consumer;
24 (3) personal information collected and analyzed
25 concerning a consumer's health; or
26 (4) personal information collected and analyzed

SB3517- 24 -LRB103 35732 LNS 65813 b
1 concerning a consumer's sex life or sexual orientation.
2"Sensitive personal information" does not include sensitive
3personal information that is publicly available.
4 "Service" or "services" means work, labor, and services,
5including services furnished in connection with the sale or
6repair of goods.
7 "Service provider" means a person that processes personal
8information on behalf of a business and that receives from or
9on behalf of the business personal information for a business
10purpose under a written contract, as long as the contract
11prohibits the person from:
12 (1) selling or sharing the personal information;
13 (2) retaining, using, or disclosing the personal
14 information for any purpose other than for the specific
15 business purposes specified in the contract for the
16 business, including retaining, using, or disclosing the
17 personal information for a commercial purpose other than
18 the business purposes specified in the contract with the
19 business, or as otherwise permitted by this Act;
20 (3) retaining, using, or disclosing the personal
21 information outside of the direct business relationship
22 between the service provider and the business; or
23 (4) combining the personal information that the
24 service provider receives from, or on behalf of, the
25 business with personal information that it receives from,
26 or on behalf of, another person or persons, or collects

SB3517- 25 -LRB103 35732 LNS 65813 b
1 from its own interaction with the consumer.
2 "Share", "shared", or "sharing" means sharing, renting,
3releasing, disclosing, disseminating, making available,
4transferring, or otherwise communicating orally, in writing,
5or by electronic or other means personal information by the
6business to a third party for cross-context behavioral
7advertising, whether for monetary or other valuable
8consideration, including transactions between a business and a
9third party for cross-context behavioral advertising for the
10benefit of a business in which no money is exchanged.
11 "Third party" means a person who is not:
12 (1) the business with whom the consumer intentionally
13 interacts and that collects personal information from the
14 consumer as part of the consumer's current interaction
15 with the business under this Act;
16 (2) a service provider to the business; or
17 (3) a contractor.
18 "Unique identifier" or "unique personal identifier" means
19a persistent identifier that can be used to recognize a
20consumer, family, or device that is linked to a consumer or
21family, over time and across different services, including,
22but not limited to, a device identifier, Internet Protocol
23address, cookies, beacons, pixel tags, mobile ad identifiers,
24or similar technology, customer number, unique pseudonym, or
25user alias, telephone numbers, or other forms of persistent or
26probabilistic identifiers that can be used to identify a

SB3517- 26 -LRB103 35732 LNS 65813 b
1particular consumer or device that is linked to a consumer or
2family.
3 "Vehicle information" means the vehicle information
4number, make, model, year, and odometer reading.
5 "Vehicle manufacturer" means any person who produces from
6raw materials or new basic components a vehicle of a type
7subject to registration, off-highway motorcycles or
8all-terrain vehicles subject to identification, or trailers
9subject to identification, or who permanently alters, for
10purposes of retail sales, new commercial vehicles by
11converting the vehicles into house cars.
12 "Verifiable consumer request" means a request that is made
13by a consumer, by a consumer on behalf of the consumer's minor
14child, by a natural person or a person registered with the
15Secretary of State authorized by the consumer to act on the
16consumer's behalf, or by a person who has power of attorney,
17and that the business can reasonably verify, using
18commercially reasonable methods to be the consumer about whom
19the business has collected personal information.
20 Section 5-15. Miscellaneous provisions.
21 (a) The joint venture or partnership and each business
22that composes the joint venture or partnership shall
23separately be considered a single business, except that
24personal information in the possession of each business and
25disclosed to the joint venture or partnership shall not be

SB3517- 27 -LRB103 35732 LNS 65813 b
1shared with the other business.
2 (b) A contractor may combine personal information to
3perform any business purpose, except as provided for in
4paragraph (6) of the definition of business purposes and in
5rules adopted by the Agency.
6 (c) If a contractor engages any other person to assist it
7in processing personal information for a business purpose on
8behalf of that business, or if any other person engaged by the
9contractor engages another person to assist in processing
10personal information for that business purposes, it shall
11notify the business of that engagement, and the engagement
12shall be under a written contract binding the other person to
13observe all of the requirements set forth in the definition of
14contractor.
15 (d) A business may attempt to reidentify the deindentified
16personal information solely for the purpose of determining
17whether its deidentification processes satisfies the
18requirements of the definition of deidentified.
19 (e) Research with personal information that may have been
20collected from a consumer in the course of consumer's
21interactions with a business's service or device for other
22purposes shall be:
23 (1) compatible with the business purpose for which the
24 personal information was collected;
25 (2) subsequently pseudonymized and deidentified, or
26 deidentified and in the aggregate, such that the

SB3517- 28 -LRB103 35732 LNS 65813 b
1 information cannot reasonably identify, relate to,
2 describe, be capable of being associated with, or be
3 linked, directly or indirectly, to a particular consumer,
4 by a business;
5 (3) made subject to technical safeguards that prohibit
6 reidentification of the consumer to whom the information
7 may pertain, other than as needed to support the research;
8 (4) subject to business processes that specifically
9 prohibit reidentification of the information, other than
10 as needed to support the research;
11 (5) made subject to business processes to prevent
12 inadvertent release of deidentified information;
13 (6) protected from any reidentification attempts;
14 (7) used solely for research purposes that are
15 compatible with the context in which the personal
16 information was collected; and
17 (8) subjected by the business conducting the research
18 to additional security controls that limit access to the
19 research data to only those individuals as are necessary
20 to carry out the research purpose.
21 (f) A business that does not sell or share personal
22information when:
23 (1) a consumer uses or directs the business to
24 intentionally:
25 (A) disclose personal information; or
26 (B) interact with one or more third parties;

SB3517- 29 -LRB103 35732 LNS 65813 b
1 (2) the business uses or shares an identifier for a
2 consumer who has opted-out of the sale of personal
3 information or limited the use of sensitive personal
4 information for the purposes of altering persons that the
5 consumer has opted-out of the sale of personal information
6 or limited the use of sensitive personal information; or
7 (3) the business transfers to a third party the
8 personal information as an asset that is part of a merger,
9 acquisition, bankruptcy, or other transaction in which the
10 third party assumes control of all or part of the
11 business, as long as that personal information is used or
12 shared consistently with this Act. If a third party
13 materially alters how it uses or shares the personal
14 information in a manner that is materially inconsistent
15 with the promises made at the time of collection, it shall
16 provide prior notice of the new or changed practice to the
17 consumer. The notice shall be sufficiently prominent and
18 robust to ensure that existing consumers can easily
19 exercise their choices consistently with this Act. This
20 paragraph does not authorize a business to make material,
21 retroactive privacy policy changes or make other changes
22 in their privacy policy in a manner that would violate the
23 Consumer Fraud and Deceptive Business Practices Act.
24 (g) A service provider may combine personal information to
25perform any business purpose, except as provided for in
26paragraph (6) of the definition of business purpose in Section

SB3517- 30 -LRB103 35732 LNS 65813 b
15-10 and in rules adopted by the Agency. The contract may,
2subject to agreement with the service provider, permit the
3business to monitor the service provider's compliance with the
4contract through measures, including, but not limited to,
5ongoing manual reviews and automated scans and regular
6assessments, audits, or other technical and operational
7testing at least once every 12 months.
8 (h) If a service provider engages any other person to
9assist it in processing personal information for a business
10purpose on behalf of the business, or if any other person
11engaged by the service provider engages another person to
12assist in processing personal information for that business
13purpose, it shall notify the business of that engagement, and
14the engagement shall be under a written contract binding the
15other person to observe all the requirements set forth in the
16definition of service provider.
17 (i) A business is not obligated to provide information to
18the consumer under Sections 10-20 and 10-25 to delete personal
19information or to correct inaccurate personal information, if
20the business cannot verify that the consumer making the
21request is the consumer about whom the business has collected
22information or is a person authorized by the consumer to act on
23such consumer's behalf.
24
Article 10. Personal Information

SB3517- 31 -LRB103 35732 LNS 65813 b
1 Section 10-5. General duties of businesses that collect
2personal information.
3 (a) A business that controls the collection of personal
4information shall, at or before the point of collection,
5inform consumers of:
6 (1) the categories of personal information to be
7 collected and the purposes for which the categories of
8 personal information are collected or used and whether
9 that information is sold or shared. A business shall not
10 collect additional categories of personal information or
11 use personal information collected for additional purposes
12 that are incompatible with the disclosed purpose for which
13 the personal information was collected without providing
14 the consumer with notice consistent with this Section
15 (2) if the business collects sensitive personal
16 information, the categories of sensitive personal
17 information to be collected and the purposes for which the
18 categories of sensitive personal information to be
19 collected. A business shall not collect additional
20 categories of sensitive personal information or use
21 sensitive personal information collected for additional
22 purposes that are incompatible with the disclosed purpose
23 for which the sensitive personal information was collected
24 without providing the consumer with notice consistent with
25 this Section; and
26 (3) the length of time the business intends to retain

SB3517- 32 -LRB103 35732 LNS 65813 b
1 each category of personal information, including sensitive
2 personal information, or, if that is not possible, the
3 criteria used to determine that period provided that a
4 business shall not retain personal information or
5 sensitive personal information for each disclosed purpose
6 for which the personal information was collected for
7 longer than is reasonably necessary for that disclosed
8 purpose.
9 (b) A business that, acting as a third party, controls the
10collection of personal information may satisfy its obligation
11under subsection (a) by providing the required information
12prominently and conspicuously on the homepage of its Internet
13website. If a business acting as a third party controls the
14collection of personal information on its premises, including
15in a vehicle, then the business shall, at or before the point
16of collection, inform consumers as to the categories of
17personal information to be collected and the purposes for
18which the categories of personal information are used, and
19whether that personal information is sold, in a clear and
20conspicuous manner at the location.
21 (c) Collection, use, retention, and sharing of personal
22information by a business shall be reasonably necessary and
23proportionate to achieve the purposes for which the personal
24information was collected or processed, or for another
25disclosed purpose that is compatible with the context in which
26the personal information was collected, and not further

SB3517- 33 -LRB103 35732 LNS 65813 b
1processed in a manner that is incompatible with those
2purposes.
3 (d) A business that collects personal information and that
4sells that personal information to, or shares it with, a third
5party or that discloses it to a service provider or contractor
6for a business purpose shall enter into an agreement with the
7third party, service provider, or contractor that:
8 (1) specifies that the personal information is sold or
9 disclosed by the business only for limited and specified
10 purposes;
11 (2) obligates the third party, service provider, or
12 contractor to comply with applicable obligations under
13 this Act and obligate those persons to provide the same
14 level of privacy protection as is required under this Act;
15 (3) grants the business rights to take reasonable and
16 appropriate steps to help ensure that the third party,
17 service provider, or contractor uses the personal
18 information transferred in a manner consistent with the
19 obligations of the business under this Act;
20 (4) requires the third party, service provider, or
21 contractor to notify the business if it makes a
22 determination that it can no longer meet its obligations
23 under this Act; and
24 (5) grants the business the right, upon notice, to
25 take reasonable and appropriate steps to stop and
26 remediate unauthorized use of personal information.

SB3517- 34 -LRB103 35732 LNS 65813 b
1 (e) A business that collects personal information shall
2implement reasonable security procedures and practices
3appropriate to the nature of the personal information to
4protect the personal information from unauthorized or illegal
5access, destruction, use, modification, or disclosure.
6 (f) Nothing in this Section shall require a business to
7disclose trade secrets.
8 Section 10-10. Right to delete personal information.
9 (a) A consumer shall have the right to request that a
10business delete any personal information about the consumer
11which the business has collected from the consumer.
12 (b) A business that collects personal information shall
13disclose the consumer's rights to request the deletion of the
14personal information.
15 (c) A business that receives a verifiable consumer request
16from a consumer to delete the personal information under
17subsection (a) shall delete the personal information from its
18records, notify any service providers or contractors to delete
19the personal information from their records, and notify all
20third parties to whom the business has sold or shared the
21personal information to delete the personal information unless
22this proves impossible or involves disproportionate effort.
23 The business may maintain a confidential record of
24deletion requests solely for the purpose of preventing the
25personal information of a consumer who has submitted a

SB3517- 35 -LRB103 35732 LNS 65813 b
1deletion request from being sold, for compliance with laws or
2for other purposes, solely to the extent permissible under
3this Act.
4 A service provider or contractor shall cooperate with the
5business in responding to a verifiable consumer request, and,
6at the direction of the business, shall delete, or enable the
7business to delete, and notify any of its own service
8providers or contractors to delete the personal information
9collected, used, processed, or retained by the service
10provider or contractor. The service provider or contractor
11shall notify any service providers, contractors, or third
12parties who may have accessed personal information from or
13through the service provider or contractor, unless the
14information was accessed at the direction of the business, to
15delete the personal information unless this proves impossible
16or involves disproportionate effort. A service provider or
17contractor shall not be required to comply with a deletion
18request submitted by the consumer directly to the service
19provider or contractor to the extent that the service provider
20or contractor has collected, used, processed, or retained the
21personal information in its role as a service provider or
22contractor to the business.
23 (d) A business, or a service provider or contractor acting
24under its contract with the business, shall not be required to
25comply with a consumer's request to delete personal
26information if it is reasonably necessary for the business,

SB3517- 36 -LRB103 35732 LNS 65813 b
1service provider, or contractor to maintain the personal
2information in order to:
3 (1) complete the transaction for which the personal
4 information was collected, fulfill the terms of a written
5 warranty or product recall conducted in accordance with
6 federal law, provide a good or service requested by the
7 consumer, or reasonably anticipate an ongoing business
8 relationship with the consumer, or otherwise perform a
9 contract between the business and the consumer;
10 (2) help to ensure security and integrity to the
11 extent the use of the personal information is reasonably
12 necessary and proportionate for those purposes;
13 (3) debug to identify and repair errors that impair
14 existing intended functionality;
15 (4) exercise free speech, ensure the right of another
16 consumer to exercise that consumer's right of free speech,
17 or exercise another right provided for by law;
18 (5) comply with the Protecting Household Privacy Act;
19 (6) engage in public or peer-reviewed scientific,
20 historical, or statistical research that conforms or
21 adheres to all other applicable ethics and privacy laws,
22 when the deletion of the information is likely to render
23 impossible or seriously impair the ability to complete
24 such research, if the consumer has provided informed
25 consent;
26 (7) to enable solely internal uses that are reasonably

SB3517- 37 -LRB103 35732 LNS 65813 b
1 aligned with the expectations of the consumer based on the
2 consumer's relationship with the business and compatible
3 with the context in which the consumer provided the
4 information; or
5 (8) comply with a legal obligation.
6 Section 10-15. Right to correct inaccurate personal
7information.
8 (a) A consumer shall have the right to request a business
9that maintains inaccurate personal information about the
10consumer to correct that inaccurate personal information,
11taking into account the nature of the personal information and
12the purposes of the processing of the personal information.
13 (b) A business that collects personal information shall
14disclose the consumer's right to request correction of
15inaccurate personal information.
16 (c) A business that receives a verifiable consumer request
17to correct inaccurate personal information shall use
18commercially reasonable efforts to correct the inaccurate
19personal information as directed by the consumer.
20 Section 10-20. Right to know what personal information is
21being collected; right to access personal information.
22 (a) A consumer shall have the right to request that a
23business that collects personal information about the consumer
24disclose to the consumer:

SB3517- 38 -LRB103 35732 LNS 65813 b
1 (1) the categories of personal information it has
2 collected about the consumer;
3 (2) the categories of sources from which the personal
4 information is collected;
5 (3) the business or commercial purpose for collecting,
6 selling, or sharing personal information;
7 (4) the categories of third parties to whom the
8 business discloses personal information; and
9 (5) the specific pieces of personal information it has
10 collected about that consumer.
11 (b) A business that collects personal information shall
12disclose to the consumer the information specified in
13subsection (a) upon receipt of a verifiable consumer request
14from the consumer.
15 (c) A business that collects personal information shall
16disclose that a consumer has the right to request the specific
17pieces of information the business has collected about that
18consumer.
19 Section 10-25. Right to know what personal information is
20sold or shared and to whom.
21 (a) A consumer shall have the right to request that a
22business that sells or shares personal information, or that
23discloses personal information for a business purpose,
24disclose to that consumer:
25 (1) the categories of personal information that the

SB3517- 39 -LRB103 35732 LNS 65813 b
1 business collected about the consumer;
2 (2) the categories of personal information that the
3 business sold or shared about the consumer and the
4 categories of third parties to whom the personal
5 information was sold or shared, by category or categories
6 of personal information for each category of third parties
7 to whom the personal information was sold or shared; and
8 (3) the categories of personal information that the
9 business disclosed about the consumer for a business
10 purpose and the categories of persons to whom it was
11 disclosed for a business purpose.
12 (b) A business that sells or shares personal information,
13or that discloses personal information for a business purpose,
14shall disclose the personal information specified in
15subsection (a) to the consumer upon receipt of a verifiable
16consumer request from the consumer.
17 (c) A business that sells or shares personal information,
18or that discloses personal information for a business purpose,
19shall disclose:
20 (1) the category or categories of personal information
21 it has sold or shared, or if the business has not sold or
22 shared personal information, it shall disclose that fact;
23 and
24 (2) the category or categories of personal information
25 it has disclosed for a business purpose, or if the
26 business has not disclosed personal information for a

SB3517- 40 -LRB103 35732 LNS 65813 b
1 business purpose, it shall disclose that fact.
2 (d) A third party shall not sell or share personal
3information that has been sold to, or shared with, the third
4party by a business unless the consumer has received explicit
5notice and is provided an opportunity to exercise the right to
6opt out.
7 Section 10-30. Right to opt out of sale or sharing of
8personal information.
9 (a) A consumer shall have the right, at any time, to direct
10a business that sells or shares personal information to third
11parties not to sell or share the personal information. This
12right may be referred to as the right to opt out of sale or
13sharing.
14 (b) A business that sells personal information to, or
15shares it with, third parties shall provide notice to
16consumers that this information may be sold or shared and that
17consumers have the right to opt out of the sale or sharing of
18their personal information.
19 (c) Notwithstanding subsection (a), a business shall not
20sell or share the personal information of consumers if the
21business has actual knowledge that the consumer is less than
2216 years of age, unless the consumer, in the case of consumers
23at least 13 years of age and less than 16 years of age, or the
24consumer's parent or guardian in the case of consumers who are
25less than 13 years of age, has affirmatively authorized the

SB3517- 41 -LRB103 35732 LNS 65813 b
1sale or sharing of the personal information. A business that
2willfully disregards the consumer's age shall be deemed to
3have had actual knowledge of the consumer's age.
4 (d) A business that has received direction from a consumer
5not to sell or share personal information or, in the case of a
6minor consumer's personal information has not received consent
7to sell or share the minor consumer's personal information,
8shall be prohibited from selling or sharing the personal
9information after its receipt of the consumer's direction,
10unless the consumer subsequently provides consent, for the
11sale or sharing of the personal information.
12 Section 10-35. Right to limit use and disclosure of
13sensitive personal information.
14 (a) A consumer shall have the right, at any time, to direct
15a business that collects sensitive personal information to
16limit its use of the sensitive personal information to that
17use which is necessary to perform the services or provide the
18goods reasonably expected by an average consumer who requests
19those goods or services, to perform the services set forth in
20paragraphs (2), (4), (5), and (8) in the definition of
21business purpose in Section 5-10, and as authorized by rule. A
22business that uses or discloses sensitive personal information
23for purposes other than those specified in this subsection
24shall provide notice to consumers that this information may be
25used, or disclosed to a service provider or contractor, for

SB3517- 42 -LRB103 35732 LNS 65813 b
1additional, specified purposes and that consumers have the
2right to limit the use or disclosure of their sensitive
3personal information.
4 (b) A business that has received direction from a consumer
5not to use or disclose the sensitive personal information,
6except as authorized under subsection (a), shall be prohibited
7from using or disclosing the sensitive personal information
8for any other purpose after its receipt of the consumer's
9direction unless the consumer subsequently provides consent
10for the use or disclosure of the sensitive personal
11information for additional purposes.
12 (c) A service provider or contractor that assists a
13business in performing the purposes authorized by subsection
14(a) may not use the sensitive personal information after it
15has received instructions from the business and to the extent
16it has actual knowledge that the sensitive personal
17information is sensitive personal information for any other
18purpose. A service provider or contractor is only required to
19limit its use of sensitive personal information received under
20a written contract with the business in response to
21instructions from the business and only with respect to its
22relationship with that business.
23 (d) Sensitive personal information that is collected or
24processed without the purpose of inferring characteristics
25about a consumer is not subject to this Section, as further
26defined by rule, and shall be treated as personal information.

SB3517- 43 -LRB103 35732 LNS 65813 b
1 Section 10-40. Right of no retaliation following opt-out
2or exercise of other rights.
3 (a) A business shall not discriminate against a consumer
4because the consumer exercised any of the consumer's rights
5under this Act, including, but not limited to:
6 (1) denying goods or services to the consumer;
7 (2) charging different prices or rates for goods or
8 services, including through the use of discounts or other
9 benefits or imposing penalties;
10 (3) providing a different level or quality of goods or
11 services to the consumer; or
12 (4) suggesting that the consumer will receive a
13 different price or rate for goods or services or a
14 different level or quality of goods or services.
15 A business shall not retaliate against an employee
16applicant for employment, or independent contractor for
17exercising their rights under this Act.
18 Nothing in this subsection prohibits a business from
19charging a consumer a different price or rate, or from
20providing a different level or quality of goods or services,
21to the consumer if that difference is reasonably related to
22the value provided to the business by the consumer's data.
23 This subsection does not prohibit a business from offering
24loyalty, rewards, premium features, discounts, or club card
25programs consistent with this Act.

SB3517- 44 -LRB103 35732 LNS 65813 b
1 (b) A business may offer financial incentives, including
2payments to consumers as compensation, for the collection of
3personal information, or the retention of personal
4information. A business may also offer a different price,
5rate, level, or quality of goods or services to the consumer if
6that price or difference is reasonably related to the value
7provided to the business by the consumer's data.
8 A business that offers any financial incentives under this
9subsection shall notify consumers of the financial incentives
10under Section 10-45.
11 A business may enter a consumer into a financial incentive
12program only if the consumer gives the business prior opt-in
13consent based on clearly described material terms of the
14financial incentive program, which may be revoked by the
15consumer at any time. If a consumer refuses to provide opt-in
16consent, then the business shall wait for at least 12 months
17before next requesting that the consumer provide opt-in
18consent, or as prescribed by rules.
19 A business shall not use financial incentive practices
20that are unjust, unreasonable, coercive, or usurious in
21nature.
22 Section 10-45. Notice, disclosure, correction, and
23deletion requirements.
24 (a) In order to comply with Sections 10-5, 10-10, 10-15,
2510-20, 10-25, and 10-45, a business shall, in a form that is

SB3517- 45 -LRB103 35732 LNS 65813 b
1reasonably accessible to consumers:
2 (1) (A) make available to consumers 2 or more
3 designated methods for submitting requests for information
4 required to be disclosed under Sections 10-20 and 10-25 or
5 requests for deletion or correction under Sections 10-10
6 and 10-15, including, at a minimum, a toll-free telephone
7 number. A business that operates exclusively online and
8 has a direct relationship with a consumer from whom it
9 collects personal information shall only be required to
10 provide an email address for submitting requests for
11 information required to be disclosed under Sections 10-20
12 and 10-25;
13 (B) if the business maintains an Internet website,
14 make the internet website available to consumers to submit
15 requests for information required to be disclosed under
16 Sections 10-20 and 10-25 or requests for deletion or
17 correction under Sections 10-10 and 10-15;
18 (2) disclose and deliver the required information to a
19 consumer free of charge, correct inaccurate personal
20 information, or delete personal information, based on the
21 consumer's request, within 45 days of receiving a
22 verifiable consumer request from the consumer. The
23 business shall promptly take steps to determine whether
24 the request is a verifiable consumer request, but this
25 shall not extend the business's duty to disclose and
26 deliver the information, correct inaccurate personal

SB3517- 46 -LRB103 35732 LNS 65813 b
1 information, or delete personal information within 45 days
2 of receipt of the consumer's request. The period to
3 provide the required information, correct inaccurate
4 personal information, or delete personal information may
5 be extended once by an additional 45 days when reasonably
6 necessary, as long as the consumer is provided notice of
7 the extension within the first 45-day period. The
8 disclosure of the required information shall be made in
9 writing and delivered through the consumer's account with
10 the business, if the consumer maintains an account with
11 the business, or by mail or electronically at the
12 consumer's option if the consumer does not maintain an
13 account with the business, in a readily usable format that
14 allows the consumer to transmit this information from one
15 entity to another entity without hindrance. The business
16 may require authentication of the consumer that is
17 reasonable in light of the nature of the personal
18 information requested, but shall not require the consumer
19 to create an account with the business in order to make a
20 verifiable consumer request. If the consumer has an
21 account with the business, the business may require the
22 consumer to use that account to submit a verifiable
23 consumer request.
24 The disclosure of the required information shall cover
25 the 12-month period preceding the business' receipt of the
26 verifiable consumer request. Upon the adoption of a rule

SB3517- 47 -LRB103 35732 LNS 65813 b
1 under Section 10-75, a consumer may request that the
2 business disclose the required information beyond the
3 12-month period, and the business shall be required to
4 provide that information unless doing so proves impossible
5 or would involve a disproportionate effort. A consumer's
6 right to request required information beyond the 12-month
7 period, and a business's obligation to provide that
8 information, shall only apply to personal information
9 collected on or after January 1, 2025. Nothing in this
10 subparagraph shall require a business to keep personal
11 information for any length of time;
12 (3) a business that receives a verifiable consumer
13 request under Section 10-20 or 10-25, disclose any
14 personal information it has collected about a consumer,
15 directly or indirectly, including through or by a service
16 provider or contractor, to the consumer. A service
17 provider or contractor shall not be required to comply
18 with a verifiable consumer request received directly from
19 a consumer or consumer's authorized agent under Section
20 10-20 or 10-25 to the extent that the service provider or
21 contractor has collected personal information about the
22 consumer in its role as a service provider or contractor.
23 A service provider or contractor shall provide assistance
24 to a business with which it has a contractual relationship
25 with respect to the business's response to a verifiable
26 consumer request, including, but not limited to, by

SB3517- 48 -LRB103 35732 LNS 65813 b
1 providing to the business the personal information in the
2 service provider's or contractor's possession that the
3 service provider or contractor obtained as a result of
4 providing services to the business and by correcting
5 inaccurate information or by enabling the business to do
6 the same. A service provider or contractor that collects
7 personal information under a written contract with a
8 business shall be required to assist the business through
9 appropriate technical and organizational measures in
10 complying with the requirements of subsections (d) through
11 (f) of Section 10-5, taking into account the nature of the
12 processing.
13 (4) for purposes of subsection (b) of Section 10-20:
14 (A) to identify the consumer, associate the
15 information provided to the consumer in the verifiable
16 consumer request to any personal information
17 previously collected by the business about the
18 consumer;
19 (B) identify by category or categories the
20 personal information collected about the consumer for
21 the applicable period by reference to the enumerated
22 category or categories in subsection (c) that most
23 closely describes the personal information collected,
24 the categories of sources from which the personal
25 information was collected, the business or commercial
26 purpose for collecting, selling, or sharing the

SB3517- 49 -LRB103 35732 LNS 65813 b
1 personal information, and the categories of third
2 parties to whom the business discloses the personal
3 information; and
4 (C) provide the specific pieces of personal
5 information obtained from the consumer in a format
6 that is easily understandable to the average consumer,
7 and to the extent technically feasible, in a
8 structured, commonly used, machine-readable format
9 that may also be transmitted to another entity at the
10 consumer's request without hindrance. Specific pieces
11 of personal information do not include data generated
12 to help ensure security and integrity or as prescribed
13 by rule. Personal information is not considered to
14 have been disclosed by a business when a consumer
15 instructs a business to transfer the personal
16 information from one business to another in the
17 context of switching services;
18 (5) for purposes of subsection (b) of Section 10-25:
19 (A) identify the consumer and associate the
20 information provided by the consumer in the verifiable
21 consumer request to any personal information
22 previously collected by the business about the
23 consumer;
24 (B) identify by category or categories the
25 personal information of the consumer that the business
26 sold or shared during the applicable period by

SB3517- 50 -LRB103 35732 LNS 65813 b
1 reference to the enumerated category in subsection (c)
2 that most closely describes the personal information,
3 and provide the categories of third parties to whom
4 the personal information was sold or shared during the
5 applicable period by reference to the enumerated
6 category or categories in subsection (c) that most
7 closely describes the personal information sold or
8 shared. The business shall disclose the information in
9 a list that is separate from a list generated under
10 subparagraph (C); and
11 (C) identify by category or categories the
12 personal information of the consumer that the business
13 disclosed for a business purpose during the applicable
14 period by reference to the enumerated category or
15 categories in subsection (c) that most closely
16 describes the personal information, and provide the
17 categories of persons to whom the personal information
18 was disclosed for a business purpose during the
19 applicable period by reference to the enumerated
20 category or categories in subsection (c) that most
21 closely describes the personal information disclosed.
22 The business shall disclose the information in a list
23 that is separate from a list generated under
24 subparagraph (B);
25 (6) disclose the following information in its online
26 privacy policy or policies if the business has an online

SB3517- 51 -LRB103 35732 LNS 65813 b
1 privacy police or policies and in any State-specific
2 description of consumer privacy rights, or if the business
3 does not maintain those policies, on its Internet website
4 and update that information at least once every 12 months:
5 (A) a description of a consumer's rights under
6 Sections 10-5, 10-10, 10-15, 10-20, 10-25, and 10-45
7 and 2 more designated methods for submitting requests,
8 except as provided in subparagraph (A) of paragraph
9 (1) of subsection (a);
10 (B) for purposes of subsection (c) of Section
11 10-20:
12 (i) a list of categories of personal
13 information it has collected about consumers in
14 the preceding 12 months by reference to the
15 enumerated category or categories in subsection
16 (c) that most closely describe the personal
17 information collected;
18 (ii) the categories of sources from which
19 personal information is collected;
20 (iii) the business or commercial purpose for
21 collecting, selling, or sharing personal
22 information; and
23 (iv) the categories of third parties to whom
24 the business discloses personal information; and
25 (C) for purposes of paragraphs (1) and (2) of
26 subsection (c) of Section 10-25, 2 separate lists:

SB3517- 52 -LRB103 35732 LNS 65813 b
1 (i) a list of categories of personal
2 information it has sold or shared about consumers
3 in the preceding 12 months by reference to the
4 enumerated category or categories in subsection
5 (c) that most closely describe the personal
6 information sold or shared, or if the business has
7 not sold or shared personal information in the
8 preceding 12 months, the business shall
9 prominently disclose that fact in its privacy
10 policy; and
11 (ii) a list of the categories of personal
12 information it has disclosed about consumers for a
13 business purpose in the preceding 12 months by
14 reference to the enumerated category or categories
15 in subsection (c) that most closely describes the
16 personal information disclosed, or if the business
17 has not disclosed personal information in the
18 preceding 12 months, the business shall disclose
19 that fact;
20 (7) ensure that all individuals responsible for
21 handling consumer inquiries about the business' privacy
22 practices or the business' compliance with this Act are
23 informed of all requirements in Sections 10-5, 10-10,
24 10-15, 10-20, 10-25, and 10-45 and this Section, and how
25 to direct consumers to exercise their rights under those
26 Sections; and

SB3517- 53 -LRB103 35732 LNS 65813 b
1 (8) use any personal information collected from the
2 consumer in connection with the business' verification of
3 the consumer's request solely for the purposes of
4 verification and shall not further disclose the personal
5 information, retain it longer than necessary for purposes
6 of verification, or use it for unrelated purposes.
7 (b) A business is not obligated to provide the information
8required by Sections 10-20 and 10-25 to the same consumer more
9than twice in a 12-month period.
10 (c) The categories of personal information required to be
11disclosed under Sections 10-5, 10-20, and 10-25 shall follow
12the definitions of personal information and sensitive personal
13information by describing the categories of personal
14information using the specific terms set forth in the
15definition of personal information and by describing the
16categories of sensitive personal information using the
17specific terms set forth in the definition of sensitive
18personal information.
19 Section 10-50. Methods of limiting sale, sharing, and use
20of personal information and use of sensitive personal
21information.
22 (a) A business that is sells or shares personal
23information or discloses sensitive personal information for
24purposes other than those authorized by subsection (a) of
25Section 10-35 shall, in a form that is reasonably accessible

SB3517- 54 -LRB103 35732 LNS 65813 b
1to consumers:
2 (1) provide a clear and conspicuous link on the
3 business's Internet homepage titled "Do Not Sell or Share
4 My Personal Information" to an Internet webpage that
5 enables a consumer, or a person authorized by the
6 consumer, to opt out of the sale or sharing of the personal
7 information;
8 (2) provide a clear and conspicuous link on the
9 business's Internet homepage titled "Limit the Use of My
10 Sensitive Personal Information" that enables a consumer,
11 or a person authorized by the consumer, to limit the use or
12 disclosure of the sensitive personal information;
13 (3) at the business's discretion, use a single,
14 clearly labeled link on the business's Internet homepage,
15 in lieu of complying with paragraphs (1) and (2), if that
16 link easily allows a consumer to opt out of the sale or
17 sharing of the personal information and to limit the use
18 or disclosure of the sensitive personal information; and
19 (4) if the business responds to opt-out requests
20 received under paragraph (1), (2), or (3) by informing the
21 consumer of a charge for the use of any product or service,
22 present the terms of any financial incentive offered under
23 subsection (b) of Section 10-40, for the retention, use,
24 sale, or sharing of the personal information or sensitive
25 personal information.
26 (b) A business shall not be required to comply with

SB3517- 55 -LRB103 35732 LNS 65813 b
1subsection (a) if the business allows consumers to opt out of
2the sale or sharing of personal information or limit the use of
3sensitive personal information through an opt-out preference
4signal sent with the consumer's consent by a platform,
5technology, or mechanism, based on technical specifications
6set forth by rules, to the business indicating the consumer's
7intent to opt out of the business's sale or sharing of the
8personal information or to limit the use or disclosure of the
9sensitive personal information, or both.
10 A business that allows consumers to opt out of the sale or
11sharing of their personal information and to limit the use of
12sensitive personal information under this subsection may
13provide a link to a webpage that enables the consumer to
14consent to the business ignoring the opt-out preference signal
15with respect to that business's sale or sharing of the
16personal information or the use of the sensitive personal
17information for additional purposes if:
18 (1) the consent webpage also allows the consumer
19 or a person authorized by the consumer to revoke the
20 consent as easily as it affirmatively provided;
21 (2) the link to the webpage does not degrade the
22 consumer's experience on the webpage the consumer
23 intends to visit and has a similar look, feel, and size
24 relative to other links on the same webpage; and
25 (3) the consent webpage complies with technical
26 specifications set forth by rules.

SB3517- 56 -LRB103 35732 LNS 65813 b
1 A business that complies with subsection (a) is not
2required to comply with subsection (b). A business may elect
3whether to comply with subsection (a) or (b).
4 (c) A business that is subject to this Section shall:
5 (1) not require a consumer to create an account or
6 provide additional information beyond what is necessary in
7 order to direct the business not to sell or share the
8 personal information or to limit use or disclosure of the
9 sensitive personal information;
10 (2) include a description of a consumer's rights under
11 Sections 10-30 and 10-35, along with a separate link to
12 the "Do Not Sell or Share My Personal Information"
13 Internet webpage and a separate link to the "Limit the Use
14 of My Sensitive Personal Information" Internet webpage, if
15 applicable, or a single link to both choices, or a
16 statement that the business responds to and abides by
17 opt-out preference signals sent by a platform, technology,
18 or mechanism in accordance with subsection (b), in:
19 (A) its online privacy policy or policies if the
20 business has an online privacy policy or policies; and
21 (B) any State-specific description of consumers'
22 privacy rights;
23 (3) ensure that all individuals responsible for
24 handling consumer inquiries about the business's privacy
25 practices or the business's compliance with this Act are
26 informed of all requirements in Sections 10-30 and 10-35

SB3517- 57 -LRB103 35732 LNS 65813 b
1 and this Section and how to direct consumers to exercise
2 their rights under those Sections;
3 (4) for consumers who exercise their right to opt out
4 of the sale or sharing of their personal information or
5 limit the use or disclosure of their sensitive personal
6 information, refrain from selling or sharing the personal
7 information or using or disclosing the sensitive personal
8 information and wait for at least 12 months before
9 requesting that the consumer authorize the sale or sharing
10 of the personal information or the use and disclosure of
11 the sensitive personal information for additional
12 purposes, or as authorized by rules;
13 (5) for consumers under 16 years of age who do not
14 consent to the sale or sharing of their personal
15 information, refrain from selling or sharing the personal
16 information of the consumer under 16 years of age and wait
17 for at least 12 months before requesting the consumer's
18 consent again, or as authorized by rules or until the
19 consumer attains 16 years of age; and
20 (6) use any personal information collected from the
21 consumer in connection with the submission of the
22 consumer's opt-out request solely for the purposes of
23 complying with the opt-out request.
24 (d) Nothing in this Act shall be construed to require a
25business to comply with the Act by including the required
26links and text on the homepage that the business makes

SB3517- 58 -LRB103 35732 LNS 65813 b
1available to the public generally, if the business maintains a
2separate and additional homepage that is dedicated to State
3consumers and that includes the required links and text, and
4the business takes reasonable steps to ensure that State
5consumers are directed to the homepage for State consumers and
6not the homepage made available to the public generally.
7 (e) A consumer may authorize another person to opt out of
8the sale or sharing of the personal information and to limit
9the use of the sensitive personal information on the
10consumer's behalf, including through an opt-out preference
11signal, indicating the consumer's intent to opt out, and a
12business shall comply with an opt-out request received from a
13person authorized by the consumer to act on the consumer's
14behalf, under the rules adopted by the Attorney General,
15regardless of whether the business has elected to comply with
16subsection (a) or (b). A business that elects to comply with
17subsection (a) may respond to the consumer's opt-out request
18consistent with Section 10-40.
19 (f) If a business communicates a consumer's opt-out
20request to any persona authorized by the business to collect
21personal information, the person shall thereafter only use
22that personal information for a business purpose specified by
23the business, or as otherwise permitted by this Act, and shall
24be prohibited from:
25 (1) selling or sharing that personal information; or
26 (2) retaining, using, or disclosing that personal

SB3517- 59 -LRB103 35732 LNS 65813 b
1 information:
2 (A) for any purpose other than for the specific
3 purpose of performing the services offered to the
4 business;
5 (B) outside of the direct business relationship
6 between the person and the business; or
7 (C) for a commercial purpose other than providing
8 the services to the business.
9 (g) A business that communicates a consumer's opt-out
10request to a person under subsection (f) shall not be liable
11under this Act if the person receiving the opt-out request
12violates the restrictions set forth in the Act, if, at the time
13of communicating the opt-out request, the business does not
14have actual knowledge, or reason to believe, that the person
15intends to commit such a violation. Any provision of a
16contract or agreement of any kind that purports to waive or
17limit this subsection in any way shall be void and
18unenforceable.
19 Section 10-55. Exemptions.
20 (a) The obligations imposed on a business by this Act
21shall not restrict a business's ability to:
22 (1) comply with federal, State, or local laws or
23 comply with a court order or subpoena to provide
24 information;
25 (2) comply with a civil, criminal, or regulatory

SB3517- 60 -LRB103 35732 LNS 65813 b
1 inquiry, investigation, subpoena, or summons by federal,
2 State, or local authorities. Law enforcement agencies,
3 including police and sheriff's departments, may direct a
4 business under a law enforcement agency-approved
5 investigation with an active case number not to delete
6 personal information, and upon receipt of that direction,
7 a business shall not delete the personal information for
8 90 days in order to allow the law enforcement agency to
9 obtain a court-issued subpoena, order, or warrant to
10 obtain that personal information. For good cause and only
11 to the extent necessary for investigatory purposes, a law
12 enforcement agency may direct a business not to delete the
13 personal information for additional 90-day periods. A
14 business that has received direction from a law
15 enforcement agency not to delete the personal information
16 of a consumer who has requested deletion of the personal
17 information shall not use the personal information for any
18 purpose other than retaining it to produce to law
19 enforcement in response to a court-issued subpoena, order,
20 or warrant unless the deletion request is subject to an
21 exemption from deletion under this Act;
22 (3) cooperate with law enforcement agencies concerning
23 conduct or activity that the business, service provider,
24 or third party reasonably and in good faith believes may
25 violate federal, State, or local law;
26 (4) cooperate with a government agency request for

SB3517- 61 -LRB103 35732 LNS 65813 b
1 emergency access to personal information if a natural
2 person is at risk or danger of death or serious physical
3 injury if:
4 (A) the request is approved by a high-ranking
5 government agency officer for emergency access to
6 personal information;
7 (B) the request is based on the government
8 agency's good faith determination that it has a lawful
9 basis to access the personal information on a
10 nonemergency basis; and
11 (C) the government agency agrees to petition a
12 court for an appropriate order within 3 days and to
13 destroy the personal information if that order is not
14 granted;
15 (5) exercise or defend legal claims;
16 (6) collect, use, retain, sell, share, or disclose
17 personal information that is deidentified or aggregate
18 consumer information; or
19 (7) collect, sell, or share personal information if
20 every aspect of that commercial conduct takes place wholly
21 outside of the State. Commercial conduct takes place
22 wholly outside of the State if the business collected that
23 information while the consumer was outside of the State,
24 no part of the sale of the personal information occurred
25 in the State, and no personal information collected while
26 the consumer was in the State is sold. This paragraph

SB3517- 62 -LRB103 35732 LNS 65813 b
1 shall not prohibit a business from storing, including on a
2 device, personal information about a consumer when the
3 consumer is in the State and then collecting that personal
4 information when the consumer and stored personal
5 information is outside of the State.
6 (b) The obligations imposed on businesses by Sections
710-20, 10-25, 10-30, 10-35, 10-45, and 10-50 shall not apply
8where compliance by the business with the Act would violate an
9evidentiary privilege under State law and shall not prevent a
10business from providing the personal information of a consumer
11to a person covered by an evidentiary privilege under State
12law as part of a privileged communication.
13 (c) This Act shall not apply to:
14 (1) medical information governed by the Medical
15 Patient Rights Act or protected health information that is
16 collected by a covered entity or business associate
17 governed by the privacy, security, and breach notification
18 rules issued by the United States Department of Health and
19 Human Services, Parts 160 and 164 of Title 45 of the Code
20 of Federal Regulations;
21 (2) a provider of health care governed by the Medical
22 Patient Rights Act or a covered entity governed by the
23 privacy, security, and breach notification rules issued by
24 the United States Department of Health and Human Services,
25 Parts 160 and 164 of Title 45 of the Code of Federal
26 Regulations to the extent the provider or covered entity

SB3517- 63 -LRB103 35732 LNS 65813 b
1 maintains patient information in the same manner as
2 medical information or protected health information as
3 described in paragraph (1); or
4 (3) personal information collected as part of a
5 clinical trial or other biomedical research study subject
6 to or conducted in accordance with the Federal Policy for
7 the Protection of Human Subjects under good clinical
8 practice guidelines issued by the International Council
9 for Harmonisation or under human subject protection
10 requirements of the United States Food and Drug
11 Administration, as long as the information is not sold or
12 shared in a manner not permitted by this paragraph, and if
13 it is inconsistent, that participants be informed of that
14 use and provide consent.
15 (d) This Act applies to an activity involving the
16collection, maintenance, disclosure, sale, communication, or
17use of any personal information bearing on a consumer's credit
18worthiness, credit standing, credit capacity, character,
19general reputation, personal characteristics, or mode of
20living by a consumer reporting agency, as defined in
21subsection (f) of Section 1681a of Title 15 of the United
22States Code, by a furnisher of information, as set forth in
23Section 1681s-2 of Title 15 of the United States Code, who
24provides information for use in a consumer report, as defined
25in subsection (d) of Section 1681a of Title 15 of the United
26States Code, and by a user of a consumer report, as set forth

SB3517- 64 -LRB103 35732 LNS 65813 b
1in Section 1681b of Title 15 of the United States Code.
2 This subsection applies only to the extent that such
3activity involving the collection, maintenance, disclosure,
4sale, communication, or use of such information by the
5consumer reporting agency, furnisher, or user is subject to
6regulation under the federal Fair Credit Reporting Act and the
7information is not collected, maintained, used, communicated,
8disclosed, or sold except as authorized by the federal Fair
9Credit Reporting Act.
10 This subsection shall not apply to Section 10-60.
11 (e) This Act shall not apply to personal information
12collected, processed, sold, or disclosed under the federal
13Gramm-Leach-Bliley Act or the federal Farm Credit Act of 1971.
14This subsection shall not apply to Section 10-60.
15 (f) This Act shall not apply to personal information
16collected, processed, sold, or disclosed under the federal
17Driver's Privacy Protection Act of 1994. This subsection shall
18not apply to Section 10-60.
19 (g) Section 10-30 shall not apply to vehicle information
20or ownership information retained or shared between a new
21motor vehicle dealer and the vehicle's manufacturer, if the
22vehicle or ownership information is shared for the purpose of
23effectuating, or in anticipation of effectuating, a vehicle
24repair covered by a vehicle warranty or a recall conducted
25under Sections 30118 through 30120 of Title 49 of the United
26States Code, as long as the new motor vehicle dealer or vehicle

SB3517- 65 -LRB103 35732 LNS 65813 b
1manufacturer with which that vehicle information or ownership
2information is shared does not sell, share, or use that
3information for any other purpose.
4 (h) Notwithstanding a business's obligations to respond to
5and honor consumer rights requests under this Act:
6 (1) a period for a business to respond to a consumer
7 for any verifiable consumer request may be extended by up
8 to a total of 90 additional days where necessary, taking
9 into account the complexity and number of the requests.
10 The business shall inform the consumer of any such
11 extension within 45 days of receipt of the request,
12 together with the reasons for the delay;
13 (2) if the business does not take action on the
14 request of the consumer, the business shall inform the
15 consumer, without delay and, at the latest, within the
16 time permitted of response by this subsection, of the
17 reasons for not taking action and any rights the consumer
18 may have to appeal the decision to the business; and
19 (3) if requests from a consumer are manifestly
20 unfounded or excessive, in particular because of their
21 repetitive character, a business may either charge a
22 reasonable fee, taking into account the administrative
23 costs of providing the information or communication or
24 taking the action requested, or refuse to act on the
25 request and notify the consumer of the reason for refusing
26 the request. The business shall bear the burden of

SB3517- 66 -LRB103 35732 LNS 65813 b
1 demonstrating that any verifiable consumer request is
2 manifestly unfounded or excessive.
3 (i)(1) A business that discloses personal information to a
4service provider or contractor in compliance with this Act
5shall not be liable under this Act if the service provider or
6contractor receiving the personal information uses it in
7violation of the restrictions set forth in this Act, and if, at
8the time of disclosing the personal information, the business
9does not have actual knowledge, or reason to believe, that the
10service provider or contractor intends to commit such a
11violation. A service provider or contractor shall not be
12liable under this Act for the obligations of a business for
13which it provides services as set forth in this Act. The
14service provider or contractor shall be liable for its own
15violations of this Act.
16 (2) A business that discloses personal information of a
17consumer, with the exception of consumers who have exercised
18their right to opt out of the sale or sharing of their personal
19information, consumers who have limited the use or disclosure
20of their sensitive personal information, and minor consumers
21who have not opted-in to the collection or sale of their
22personal information, to a third party under a written
23contract that requires the third party to provide the same
24level of protection of the consumer's rights under this Act as
25provided by the business shall not be liable under this Act if
26the third party receiving the personal information uses it in

SB3517- 67 -LRB103 35732 LNS 65813 b
1violation of the restrictions set forth in this Act, and if, at
2the time of disclosing the personal information, the business
3does not have actual knowledge, or reason to believe, that the
4third party intends to commit such a violation.
5 (j) This Act shall not be construed to require a business,
6service provider, or contractor to:
7 (1) reidentify or otherwise link information that, in
8 the ordinary course of business, is not maintained in a
9 manner that would be considered personal information;
10 (2) retain any personal information about a consumer
11 if, in the ordinary course of business, that information
12 about the consumer would not be retained; or
13 (3) maintain information in identifiable, linkable, or
14 associable form, or collect, obtain, retain, or access any
15 data or technology, in order to be capable of linking or
16 associating a verifiable consumer request with personal
17 information.
18 (k) The rights afforded to consumers and the obligations
19imposed on the business in this Act shall not adversely affect
20the rights and freedoms of other natural persons. A verifiable
21consumer request for specific pieces of personal information,
22to delete personal information, or to correct inaccurate
23personal information shall not extend to personal information
24about the consumer that belongs to, or the business maintains
25on behalf of, another natural person. A business may rely on
26representations made in a verifiable consumer request as to

SB3517- 68 -LRB103 35732 LNS 65813 b
1rights with respect to personal information and is under no
2legal requirement to seek out other persons that may have or
3claim to have rights to personal information, and a business
4is under no legal obligation under this Act or any other
5provision of law to take any action under this Act if there is
6a dispute between or among persons claiming rights to personal
7information in the business' possession.
8 (l) The rights afforded to consumers and the obligations
9imposed on businesses under this Act shall not apply to the
10extent that they infringe on the noncommercial activities of a
11person or entity described in Section 4 of Article I of the
12Illinois Constitution.
13 (m) This Act shall not apply to:
14 (1) personal information that is collected by a
15 business about a natural person in the course of the
16 natural person acting as a job applicant to, employee of,
17 owner of, director of, officer of, medical staff member
18 of, or independent contractor of that business to the
19 extent that the natural person's personal information is
20 collected and used by the business solely within the
21 context of the natural person's role or former role as a
22 job applicant to, an employee of, owner of, director of,
23 officer of, medical staff member of, or an independent
24 contractor of, that business;
25 (2) personal information that is collected by a
26 business that is emergency contact information of the

SB3517- 69 -LRB103 35732 LNS 65813 b
1 natural person acting as a job applicant to, employee of,
2 owner of, director of, officer of, medical staff member
3 of, or independent contractor of that business to the
4 extent that the personal information is collected and used
5 solely within the context of having an emergency contact
6 on file; or
7 (3) personal information that is necessary for the
8 business to retain to administer benefits for another
9 natural person relating to the natural person acting as a
10 job applicant to, employee of, owner of, director of,
11 officer of, medical staff member of, or independent
12 contractor of that business to the extent that the
13 personal information is collected and used solely within
14 the context of administering those benefits.
15 This subsection shall not apply to subsection (a) of
16Section 10-5 or 10-60.
17 This subsection shall become inoperative on January 1,
182026.
19 (n) The obligations imposed on businesses by Sections
2010-5, 10-10, 10-15, 10-20, 10-25, 10-35, 10-45, and 10-50
21shall not apply to personal information reflecting a written
22or verbal communication or a transaction between the business
23and the consumer, where the consumer is a natural person who
24acted or is acting as an employee, owner, director, officer,
25or independent contractor of a company, partnership, sole
26proprietorship, nonprofit, or government agency and whose

SB3517- 70 -LRB103 35732 LNS 65813 b
1communications or transaction with the business occur solely
2within the context of the business conducting due diligence
3regarding, or providing or receiving a product or service to
4or from such company, partnership, sole proprietorship,
5nonprofit, or government agency.
6 This subsection shall become inoperative on January 1,
72026.
8 (o) Sections 10-10 and 10-30 shall not apply to a
9commercial credit reporting agency's collection, processing,
10sale, or disclosure of business controller information to the
11extent the commercial credit reporting agency uses the
12business controller information solely to identify the
13relationship of a consumer to a business that the consumer
14owns or contact the consumer only in the consumer's role as the
15owner, director, officer, or management employee of the
16business.
17 (p) The obligations imposed on businesses in Sections
1810-10, 10-15, 10-20, and 10-25 shall not apply to household
19data.
20 (q) This Act does not require a business to comply with a
21verifiable consumer request to delete personal information to
22the extent the verifiable consumer request applies to a
23student's grades, educational scores, or educational test
24results that the business holds on behalf of a local
25educational agency at which the student is currently enrolled.
26If a business does not comply with a request under this

SB3517- 71 -LRB103 35732 LNS 65813 b
1Section, it shall notify the consumer that it is acting under
2this exception.
3 This Act does not require, in response to a request under
4Section 10-20, that a business disclose an educational
5standardized assessment or educational assessment or a
6consumer's specific responses to the educational standardized
7assessment or educational assessment if consumer access,
8possession, or control would jeopardize the validity and
9reliability of that educational standardized assessment or
10educational assessment. If a business does not comply with a
11request under this Section, it shall notify the consumer that
12it is acting under this exception.
13 (r) Sections 10-10 and 10-30 shall not apply to a
14business's use, disclosure, or sale of particular pieces of
15personal information if the consumer has consented to the
16business's use, disclosure, or sale of that personal
17information to produce a physical item, including a school
18yearbook containing the consumer's photograph, if:
19 (1) the business has incurred significant expense in
20 reliance on the consumer's consent;
21 (2) compliance with the consumer's request to opt out
22 of the sale of the personal information or to delete the
23 personal information would not be commercially reasonable;
24 and
25 (3) the business complies with the consumer's request
26 as soon as it is commercially reasonable to do so.

SB3517- 72 -LRB103 35732 LNS 65813 b
1 Section 10-60. Personal information security breaches.
2 (a) Any consumer whose nonencrypted and nonredacted
3personal information or whose email address in combination
4with a password or security question and answer that would
5permit access to the account is subject to an unauthorized
6access and exfiltration, theft, or disclosure as a result of
7the business's violation of the duty to implement and maintain
8reasonable security procedures and practices appropriate to
9the nature of the information to protect the personal
10information may institute a civil action for:
11 (1) the recovery of damages in an amount not less than
12 $100 and not greater than $750 per consumer per incident
13 or actual damages, whichever is greater;
14 (2) injunctive or declaratory relief; or
15 (3) any other relief the court deems proper.
16 In assessing the amount of statutory damages, the court
17shall consider any one or more of the relevant circumstances
18presented by any of the parties to the case, including, but not
19limited to, the nature and seriousness of the misconduct, the
20number of violations, the persistence of the misconduct, the
21length of time over which the misconduct occurred, the
22willfulness of the defendant's misconduct, and the defendant's
23assets, liabilities, and net worth.
24 (b) Actions under this Section may be brought by a
25consumer if, prior to initiating any action against a business

SB3517- 73 -LRB103 35732 LNS 65813 b
1for statutory damages on an individual or classwide basis, a
2consumer provides a business 30 days' written notice
3identifying the specific provisions of this Act the consumer
4alleges have been or are being violated. If a cure is possible
5and if, within the 30 days, the business actually cures the
6noticed violation and provides the consumer an express written
7statement that the violations have been cured and that no
8further violations shall occur, no action for individual
9statutory damages or classwide statutory damages may be
10initiated against the business. The implementation and
11maintenance of reasonable security procedures and practices
12following a breach does not constitute a cure with respect to
13that breach. No notice shall be required prior to an
14individual consumer initiating an action solely for actual
15pecuniary damages suffered as a result of the alleged
16violations of this Act. If a business continues to violate
17this Act in breach of the express written statement provided
18to the consumer under this Section, the consumer may initiate
19an action against the business to enforce the written
20statement and may pursue statutory damages for each breach of
21the express written statement, as well as any other violation
22of this Act that postdates the written statement.
23 (c) The cause of action established by this Section shall
24apply only to violations as defined in subsection (a) and
25shall not be based on violations of any other Section of this
26Act. Nothing in this Act shall be interpreted to serve as the

SB3517- 74 -LRB103 35732 LNS 65813 b
1basis for a private right of action under any other law. This
2shall not be construed to relieve any party from any duties or
3obligations imposed under other law or the United States or
4Illinois Constitution.
5 Section 10-65. Administrative enforcement.
6 (a) Any business, service provider, contractor, or other
7person that violates this Act shall be subject to an
8injunction and liable for an administrative fine of not more
9than $2,500 for each violation or $7,500 for each intentional
10violation or violations involving the personal information of
11consumers whom the business, service provider, contractor, or
12other person has actual knowledge are under 16 years of age in
13an administrative enforcement action brought by the Agency.
14 (b) Any administrative fine assessed for a violation of
15this Act, and the proceeds of any settlement of an action
16brought under subsection (a), shall be deposited into the
17Consumer Privacy Fund, with the intent to fully offset any
18costs incurred by the State courts, the Attorney General, and
19the Agency in connection with this Act.
20 Section 10-70. Consumer Privacy Fund.
21 (a) A special fund to be known as the Consumer Privacy Fund
22is hereby created within the State treasury, and is available
23upon appropriation by the General Assembly first to offset any
24costs incurred by the State courts in connection with actions

SB3517- 75 -LRB103 35732 LNS 65813 b
1brought to enforce this Act, the costs incurred by the
2Attorney General in carrying out the Attorney General's duties
3under this Act, and then for the purposes of establishing an
4investment fund in the State treasury, with any earnings or
5interest from the Fund to be deposited into the General
6Revenue Fund, and making grants to promote and protect
7consumer privacy, educate children in the area of online
8privacy, and fund cooperative programs with international law
9enforcement organizations to combat fraudulent activities with
10respect to consumer data breaches.
11 (b) Funds transferred to the Consumer Privacy Fund shall
12be used exclusively as follows:
13 (1) to offset any costs incurred by the State courts
14 and the Attorney General in connection with this Act; and
15 (2) after satisfying the obligations under paragraph
16 (1), the remaining funds shall be allocated each fiscal
17 year as follows:
18 (A) 91% shall be invested by the Treasurer in
19 financial assets with the goal of maximizing long term
20 yields consistent with a prudent level of risk. The
21 principal shall not be subject to transfer or
22 appropriation, as long as any interest and earnings
23 shall be transferred on an annual basis to the General
24 Revenue Fund for appropriation by the General Assembly
25 for General Revenue Fund purposes; and
26 (B) 9% shall be made available to the Agency for

SB3517- 76 -LRB103 35732 LNS 65813 b
1 the purposes of making grants in this State, with 3%
2 allocated to the following grant recipients:
3 (i) nonprofit organizations to promote and
4 protect consumer privacy;
5 (ii) nonprofit organizations and public
6 agencies, including school districts, to educate
7 children in the area of online privacy; and
8 (iii) State and local law enforcement agencies
9 to fund cooperative programs with international
10 law enforcement organizations to combat fraudulent
11 activities with respect to consumer data breaches.
12 (c) Funds in the Consumer Privacy Fund shall not be
13subject to appropriation or transfer by the General Assembly
14for any other purpose.
15 Section 10-75. Rules.
16 (a) By July 1, 2025, the Attorney General shall solicit
17broad public participation and adopt rules to further the
18purposes of this Act, including, but not limited to:
19 (1) updating or adding categories of personal
20 information to the definition of personal information and
21 updating or adding categories of sensitive personal
22 information to the definition of sensitive personal
23 information in order to address changes in technology,
24 data collection practices, obstacles to implementation,
25 and privacy concerns;

SB3517- 77 -LRB103 35732 LNS 65813 b
1 (2) updating as needed the definitions of deidentified
2 and unique identifier to address changes in technology,
3 data collection, obstacles to implementation, and privacy
4 concerns and adding, modifying, or deleting categories to
5 the definition of designated methods for submitting
6 requests to facilitate a consumer's ability to obtain
7 information from a business under Section 10-45. The
8 authority to update the definition of deidentified shall
9 not apply to deidentification standards set forth in
10 Section 164.514 of Title 45 of the Code of Federal
11 Regulations;
12 (3) establishing any exceptions necessary to comply
13 with State or federal law, including, but not limited to,
14 those relating to trade secrets and intellectual property
15 rights, within one year of the effective date of this Act
16 and as needed thereafter, with the intention that trade
17 secrets should not be disclosed in response to a
18 verifiable consumer request;
19 (4) establishing rules and procedures:
20 (A) to facilitate and govern the submission of a
21 request by a consumer to opt out of the sale or sharing
22 of personal information and to limit the use of
23 sensitive personal information to ensure that
24 consumers have the ability to exercise their choices
25 without undue burden and to prevent business from
26 engaging in deceptive or harassing conduct, including

SB3517- 78 -LRB103 35732 LNS 65813 b
1 in retaliation against consumers for exercising their
2 rights, while allowing businesses to inform consumers
3 of the consequences of their decision to opt out of the
4 sale or sharing of their personal information or to
5 limit the use of their sensitive personal information;
6 (B) to govern business compliance with a
7 consumer's opt-out request; and
8 (C) for the development and use of a recognizable
9 and uniform opt-out logo or button by all businesses
10 to promote consumer awareness of the opportunity to
11 opt out of the sale of personal information;
12 (5) adjusting the monetary threshold in January of
13 every odd-numbered year to reflect any increase in the
14 Consumer Price Index, in the definition of business,
15 subparagraph (A) of paragraph (1) of subsection (a) of
16 Section 10-60, subsection (a) of Section 10-65, Section
17 15-20, and subsection (a) of Section 15-85;
18 (6) establishing rules, procedures, and any exceptions
19 necessary to ensure that the notices and information that
20 businesses are required to provide under this Act are
21 provided in a manner that may be easily understood by the
22 average consumer, are accessible to consumers with
23 disabilities, and are available in the language primarily
24 used to interact with the consumer, including establishing
25 rules and guidelines regarding financial incentives,
26 within one year of the effective date of this Act and as

SB3517- 79 -LRB103 35732 LNS 65813 b
1 needed thereafter;
2 (7) establishing rules and procedures to further the
3 purposes of Sections 10-10, 10-15, 10-20, and 10-25 and to
4 facilitate a consumer's or the consumer's authorized
5 agent's ability to delete personal information, correct
6 inaccurate personal information, or obtain information,
7 with the goal of minimizing the administrative burden on a
8 consumer, taking into account available technology,
9 security concerns, and the burden on the business, to
10 govern a business's determination that a request for
11 information received from a consumer is a verifiable
12 consumer request, including treating a request submitted
13 through a password-protected account maintained by the
14 consumer with the business while the consumer is logged
15 into the account as a verifiable consumer request and
16 providing a mechanism for a consumer who does not maintain
17 an account with the business to request information
18 through the business's authentication of the consumer's
19 identity, within one year of the effective date of this
20 Act and as needed thereafter;
21 (8) establishing how often, and under what
22 circumstances, a consumer may request a correction under
23 Section 10-15, including standards governing:
24 (A) how a business responds to a request for
25 correction, including exceptions for requests to which
26 a response is impossible or would involve

SB3517- 80 -LRB103 35732 LNS 65813 b
1 disproportionate effort, and requests for correction
2 of accurate information;
3 (B) how concerns regarding the accuracy of the
4 information may be resolved;
5 (C) the steps a business may take to prevent
6 fraud; and
7 (D) if a business rejects a request to correct
8 personal information collected and analyzed concerning
9 a consumer's health, the right of a consumer to
10 provide a written addendum to the business with
11 respect to any item or statement regarding any such
12 personal information that the consumer believes to be
13 incomplete or incorrect. The addendum shall be limited
14 to 250 words per alleged incomplete or incorrect item
15 and shall clearly indicate in writing that the
16 consumer requests the addendum to be made a part of the
17 consumer's record;
18 (9) establishing the standard to govern a business's
19 determination that providing information beyond the
20 12-month period in a response to a verifiable consumer
21 request is impossible or would involve a disproportionate
22 effort;
23 (10) issuing rules further defining and adding to the
24 business purposes, including other notified purposes, for
25 which businesses, service providers, and contractors may
26 use personal information consistent with consumers'

SB3517- 81 -LRB103 35732 LNS 65813 b
1 expectations, and further defining the business purposes
2 for which service providers and contractors may combine
3 personal information obtained from different sources,
4 except as provided for in the definition of business
5 purposes;
6 (11) issuing rules identifying those business
7 purposes, including other notified purposes, for which
8 service providers and contractors may use consumers'
9 personal information received under a written contract
10 with a business, for the service provider or contractor's
11 own business purposes, with the goal of maximizing
12 consumer privacy;
13 (12) issuing rules to further define intentionally
14 interacts with the goal of maximizing consumer privacy;
15 (13) issuing rules to further define precise
16 geolocation, including if the size defined is not
17 sufficient to protect consumer privacy in sparsely
18 populated areas or when the personal information is used
19 for normal operational purposes, including billing;
20 (14) issuing rules to define specific pieces of
21 information obtained from the consumer with the goal of
22 maximizing a consumer's right to access relevant personal
23 information while minimizing the delivery of information
24 to a consumer that would not be useful to the consumer,
25 including system log information and other technical data.
26 For delivery of the most sensitive personal information,

SB3517- 82 -LRB103 35732 LNS 65813 b
1 the rules may require a higher standard of authentication
2 as long as the Agency shall monitor the impact of the
3 higher standard on the right of consumers to obtain their
4 personal information to ensure that the requirements of
5 verification do not result in the unreasonable denial of
6 verifiable consumer requests;
7 (15) issuing rules requiring businesses whose
8 processing of personal information presents significant
9 risk to consumers' privacy or security, to:
10 (A) perform a cybersecurity audit on an annual
11 basis, including defining the scope of the audit and
12 establishing a process to ensure that audits are
13 thorough and independent. The factors to be considered
14 in determining when processing may result in
15 significant risk to the security of personal
16 information shall include the size and complexity of
17 the business and the nature and scope of processing
18 activities; and
19 (B) submit to the Agency on a regular basis a risk
20 assessment with respect to their processing of
21 personal information, including whether the processing
22 involves sensitive personal information, and
23 identifying and weighing the benefits resulting from
24 the processing to the business, the consumer, other
25 stakeholders, and the public, against the potential
26 risks to the rights of the consumer associated with

SB3517- 83 -LRB103 35732 LNS 65813 b
1 that processing, with the goal of restricting or
2 prohibiting the processing if the risks to privacy of
3 the consumer outweigh the benefits resulting from
4 processing to the consumer, the business, other
5 stakeholders, and the public. Nothing in this Section
6 shall require a business to divulge trade secrets;
7 (16) issuing rules governing access and opt-out rights
8 with respect to a business's use of automated
9 decision-making technology, including profiling and
10 requiring business's response to access requests to
11 include meaningful information about the logic involved in
12 those decision-making processes, as well as a description
13 of the likely outcome of the process with respect to the
14 consumer;
15 (17) issuing rules to further define a law enforcement
16 agency-approved investigation for purposes of the
17 exception in paragraph (2) of subsection (a) of Section
18 10-55;
19 (18) issuing rules to define the scope and process for
20 the exercise of the Agency's audit authority, to establish
21 criteria for selection of persons to audit, and to protect
22 consumers' personal information from disclosure to an
23 auditor in the absence of a court order, warrant, or
24 subpoena;
25 (19) (A) issuing rules to define the requirements and
26 technical specifications for an opt-out preference signal

SB3517- 84 -LRB103 35732 LNS 65813 b
1 sent by a platform, technology, or mechanism, to indicate
2 a consumer's intent to opt out of the sale or sharing of
3 the personal information and to limit the use or
4 disclosure of the sensitive personal information. The
5 requirements and specifications for the opt-out preference
6 signal should be updated from time to time to reflect the
7 means by which consumers interact with businesses, and
8 should:
9 (i) ensure that the manufacturer of a platform or
10 browser or device that sends the opt-out preference
11 signal cannot unfairly disadvantage another business;
12 (ii) ensure that the opt-out preference signal is
13 consumer-friendly, clearly described, and easy to use
14 by an average consumer and does not require that the
15 consumer provide additional information beyond what is
16 necessary;
17 (iii) clearly represent a consumer's intent and be
18 free of defaults constraining or presupposing that
19 intent;
20 (iv) ensure that the opt-out preference signal
21 does not conflict with other commonly used privacy
22 settings or tools that consumers may employ;
23 (v) provide a mechanism for the consumer to
24 selectively consent to a business's sale of the
25 personal information or the use or disclosure of the
26 sensitive personal information without affecting the

SB3517- 85 -LRB103 35732 LNS 65813 b
1 consumer's preferences with respect to other
2 businesses or disabling the opt-out preference signal
3 globally; and
4 (vi) state that in the case of a page or setting
5 view that the consumer accesses to set the opt-out
6 preference signal, the consumer should see up to 3
7 choices, including:
8 (I) a global opt-out from sale and sharing of
9 personal information, including a direction to
10 limit the use of sensitive personal information;
11 (II) a choice to "Limit the Use of My
12 Sensitive Personal Information"; and
13 (III) a choice to "Do Not Sell or Do Not Share
14 My Personal Information for Cross-Context
15 Behavioral Advertising";
16 (B) issuing rules to establish technical
17 specifications for an opt-out preference signal that
18 allows the consumer, or the consumer's parent or guardian,
19 to specify that the consumer is less than 13 years of age
20 or at least 13 years of age and less than 16 years of age;
21 and
22 (C) issuing rules, with the goal of strengthening
23 consumer privacy while considering the legitimate
24 operational interests of businesses, to govern the use or
25 disclosure of sensitive personal information,
26 notwithstanding the consumer's direction to limit the use

SB3517- 86 -LRB103 35732 LNS 65813 b
1 or disclosure of the sensitive personal information,
2 including:
3 (i) determining any additional purposes for which
4 a business may use or disclose sensitive personal
5 information;
6 (ii) determining the scope of activities permitted
7 under the definition of business purposes, as
8 authorized by subsection (a) of Section 10-35, to
9 ensure that the activities do not involve
10 health-related research;
11 (iii) ensuring the functionality of the business'
12 operations; and
13 (iv) ensuring that the exemption in subsection (d)
14 of Section 10-35 for sensitive personal information
15 applies to sensitive personal information that is
16 collected or processed incidentally, or without the
17 purpose of inferring characteristics about a consumer,
18 while ensuring that businesses do not use the
19 exemption for the purpose of evading consumers' rights
20 to limit the use and disclosure of sensitive personal
21 information under Section 10-35;
22 (20) issuing rules to govern how a business that has
23 elected to comply with subsection (b) of Section 10-50
24 responds to the opt-out preference signal and provides
25 consumers with the opportunity subsequently to consent to
26 the sale or sharing of their personal information or the

SB3517- 87 -LRB103 35732 LNS 65813 b
1 use and disclosure of their sensitive personal information
2 for purposes in addition to those authorized by subsection
3 (a) of Section 10-50. The rules should:
4 (A) strive to promote competition and consumer
5 choice and be technology neutral;
6 (B) ensure that the business does not respond to
7 an opt-out preference signal by:
8 (i) intentionally degrading the functionality
9 of the consumer experience;
10 (ii) charging the consumer a fee in response
11 to the consumer's opt-out preferences;
12 (iii) making any products or services not
13 function properly or fully for the consumer, as
14 compared to consumers who do not use the opt-out
15 preference signal;
16 (iv) attempting to coerce the consumer to opt
17 in to the sale or sharing of the personal
18 information, or the use or disclosure of the
19 sensitive personal information, by stating or
20 implying that the use of the opt-out preference
21 signal will adversely affect the consumer as
22 compared to consumers who do not use the opt-out
23 preference signal, including stating or implying
24 that the consumer will not be able to use the
25 business' products or services or that those
26 products or services may not function properly or

SB3517- 88 -LRB103 35732 LNS 65813 b
1 fully; and
2 (v) displaying any notification or pop-up in
3 response to the consumer's opt-out preference
4 signal;
5 (C) ensure that any link to a webpage or its
6 supporting content that allows the consumer to consent
7 to opt in:
8 (i) is not part of a pop-up, notice, banner,
9 or other intrusive design that obscures any part
10 of the webpage the consumer intended to visit from
11 full view or that interferes with or impedes in
12 any way the consumer's experience visiting or
13 browsing the webpage or website the consumer
14 intended to visit;
15 (ii) does not require or imply that the
16 consumer must click the link to receive full
17 functionality of any products or services,
18 including the website;
19 (iii) does not make use of any dark patterns;
20 and
21 (iv) applies only to the business with which
22 the consumer intends to interact; and
23 (D) strive to curb coercive or deceptive practices
24 in response to an opt-out preference signal but should
25 not unduly restrict businesses that are trying in good
26 faith to comply with Section 10-50;

SB3517- 89 -LRB103 35732 LNS 65813 b
1 (21) reviewing existing Illinois Insurance Code
2 provisions and rules relating to consumer privacy, except
3 those relating to insurance rates or pricing, to determine
4 whether any provisions of the Illinois Insurance Code
5 provide greater protection to consumers than the
6 provisions of this Act. Upon completing its review, the
7 Agency shall adopt a rule that applies only the more
8 protective provisions of this Act to insurance companies.
9 The Director of Insurance shall have jurisdiction over
10 insurance rates and pricing; and
11 (22) harmonizing the rules governing opt-out
12 mechanisms, notices to consumers, and other operational
13 mechanisms in this Act to promote clarity and the
14 functionality of this Act for consumers.
15 (b) The Attorney General may adopt additional rules as
16necessary to further the purposes of this Act.
17 (c) The Attorney General shall not bring an enforcement
18action under this Act until 6 months after the publication of
19the final rules adopted under this Section or July 1, 2025,
20whichever is sooner.
21 (d) Notwithstanding subsection (a), the timeline for
22adopting final rules required by the Act shall be July 1, 2025.
23Beginning the later of July 1, 2025, or 6 months after the
24Agency provides notice to the Attorney General that it is
25prepared to begin rulemaking under this Act, the authority
26assigned to the Attorney General to adopt rules under this

SB3517- 90 -LRB103 35732 LNS 65813 b
1Section shall be exercised by the Agency. Notwithstanding any
2other law, civil and administrative enforcement of the
3provisions of law added or amended by this Act shall not
4commence until July 1, 2025, and shall only apply to
5violations occurring on or after that date.
6 Section 10-80. Anti-avoidance. A court or the Agency shall
7disregard the intermediate steps or transactions for purposes
8of effectuating the purposes of this Act:
9 (1) if a series of steps or transactions were
10 component parts of a single transaction intended from the
11 beginning to be taken with the intention of avoiding the
12 reach of this Act, including the disclosure of personal
13 information by a business to a third party in order to
14 avoid the definition of sell or share; or
15 (2) if steps or transactions were taken to purposely
16 avoid the definition of sell or share by eliminating any
17 monetary or other valuable consideration, including by
18 entering into contracts that do not include an exchange
19 for monetary or other valuable consideration, but where a
20 party is obtaining something of value or use.
21 Section 10-85. Waiver. Any provision of a contract or
22agreement of any kind, including a representative action
23waiver, that purports to waive or limit in any way a consumer's
24rights under this Act, including, but not limited to, any

SB3517- 91 -LRB103 35732 LNS 65813 b
1right to a remedy or means of enforcement, shall be deemed
2contrary to public policy and shall be void and unenforceable.
3This Section shall not prevent a consumer from declining to
4request personal information from a business, declining to opt
5out of a business's sale of the personal information, or
6authorizing a business to sell or share the personal
7information after previously opting-out.
8 Section 10-90. Good faith cooperation. The Agency, and any
9court, as applicable, shall consider the good faith
10cooperation of the business, service provider, contractor, or
11other person in determining the amount of any administrative
12fine or civil penalty for a violation of this Act. A business
13shall not be required by the Agency, a court, or otherwise to
14pay both an administrative fine and a civil penalty for the
15same violation.
16 Section 10-95. Remedies.
17 (a) Any business, service provider, contractor, or other
18person that violates this Act shall be subject to an
19injunction and liable for a civil penalty of not more than
20$2,500 for each violation or $7,500 for each intentional
21violation and each violation involving the personal
22information of minor consumers, as adjusted by rule, which
23shall be assessed and recovered in a civil action brought by
24the Attorney General. The court may consider the good faith

SB3517- 92 -LRB103 35732 LNS 65813 b
1cooperation of the business, service provider, contractor, or
2other person in determining the amount of the civil penalty.
3 (b) Any civil penalty recovered by an action brought by
4the Attorney General for a violation of this Act, and the
5proceeds of any settlement of any said action, shall be
6deposited into the Consumer Privacy Fund.
7 (c) The Agency shall, upon request by the Attorney
8General, stay an administrative action or investigation under
9this Act to permit the Attorney General to proceed with an
10investigation or civil action and shall not pursue an
11administrative action or investigation, unless the Attorney
12General subsequently determines not to pursue an investigation
13or civil action. The Agency may not limit the authority of the
14Attorney General to enforce this Act.
15 (d) No civil action may be filed by the Attorney General
16under this Section for any violation of this Act after the
17Agency has issued a decision under Section 15-80 or an order
18under Section 15-50 against that person for the same
19violation.
20 (e) This Section shall not affect the private right of
21action provided for in Section 10-60.
22
Article 15. Privacy Protection Agency
23 Section 15-5. Establishment of Privacy Protection Agency.
24 (a) There is hereby established the Privacy Protection

SB3517- 93 -LRB103 35732 LNS 65813 b
1Agency, which is vested with full administrative power,
2authority, and jurisdiction to implement and enforce this Act.
3The Agency shall be governed by a 5-member board, including
4the chairperson. The chairperson and one member of the Board
5shall be appointed by the Governor. The Attorney General,
6President of the Senate, and Speaker of the House shall each
7appoint one member to the Board. These appointments should be
8made from among State residents with expertise in the areas of
9privacy, technology, and consumer rights.
10 (b) The initial appointments to the Board shall be made
11within 90 days of the effective date of this Act.
12 Section 15-10. Member requirements. Members of the Board
13shall:
14 (1) have qualifications, experience, and skills, in
15 particular in the areas of privacy and technology,
16 required to perform the duties of the Agency and exercise
17 its powers;
18 (2) maintain the confidentiality of information which
19 has come to their knowledge in the course of the
20 performance of their tasks or exercise of their powers,
21 except to the extent that disclosure is required by the
22 Freedom of Information Act;
23 (3) remain free from external influence, whether
24 direct or indirect, and shall neither seek nor take
25 instructions from another;

SB3517- 94 -LRB103 35732 LNS 65813 b
1 (4) refrain from any action incompatible with their
2 duties and engaging in any incompatible occupation,
3 whether gainful or not, during their term;
4 (5) have the right of access to all information made
5 available by the Agency to the chairperson;
6 (6) be precluded, for a period of one year after
7 leaving office, from accepting employment with a business
8 that was subject to an enforcement action or civil action
9 under this Act during the member's tenure or during the
10 5-year period preceding the member's appointment; and
11 (7) be precluded for a period of 2 years after leaving
12 office from acting, for compensation, as an agent or
13 attorney for, or otherwise representing, any other person
14 in a matter pending before the Agency if the purpose is to
15 influence an action of the Agency.
16 Section 15-15. Terms. Members of the Board, including the
17chairperson, shall serve at the pleasure of their appointing
18authority but shall serve for no longer than 8 consecutive
19years.
20 Section 15-20. Compensation. For each day on which they
21engage in official duties, members of the Board shall be
22compensated at the rate of $100, adjusted biennially to
23reflect changes in the cost of living, and shall be reimbursed
24for expenses incurred in performance of their official duties.

SB3517- 95 -LRB103 35732 LNS 65813 b
1 Section 15-25. Executive director, officers, counsel, and
2employees. The Board shall appoint an executive director who
3shall act in accordance with Agency policies and rules and
4with applicable law. The Agency shall appoint and discharge
5officers, counsel, and employees, consistent with applicable
6civil service laws, and shall fix the compensation of
7employees and prescribe their duties. The Agency may contract
8for services that cannot be provided by its employees.
9 Section 15-30. Authority. The Board may delegate authority
10to the chairperson or the executive director to act in the name
11of the Agency between meetings of the Agency, except with
12respect to resolution of enforcement actions and rulemaking
13authority.
14 Section 15-35. Functions. The Agency shall perform the
15following functions:
16 (1) administer, implement, and enforce through
17 administrative actions this Act;
18 (2) on and after the earlier of July 1, 2025, or within
19 6 months of the Agency providing the Attorney General with
20 notice that it is prepared to assume rulemaking
21 responsibilities under this Act, adopt, amend, and rescind
22 rules under Section 10-75 to carry out the purposes and
23 provisions of this Act, including rules specifying

SB3517- 96 -LRB103 35732 LNS 65813 b
1 recordkeeping requirements for businesses to ensure
2 compliance with this Act;
3 (3) through the implementation of this Act, protect
4 the fundamental privacy rights of natural persons with
5 respect to the use of their personal information;
6 (4) promote public awareness and understanding of the
7 risks, rules, responsibilities, safeguards, and rights in
8 relation to the collection, use, sale, and disclosure of
9 personal information, including the rights of minors with
10 respect to their own information, and provide a public
11 report summarizing the risk assessments filed with the
12 Agency while ensuring that data security is not
13 compromised;
14 (5) provide guidance to consumers regarding their
15 rights under this Act;
16 (6) provide guidance to businesses regarding their
17 duties and responsibilities under this Act and appoint a
18 Chief Privacy Auditor to conduct audits of businesses to
19 ensure compliance with this Act;
20 (7) provide technical assistance and advice to the
21 General Assembly, upon request, with respect to
22 privacy-related legislation;
23 (8) monitor relevant developments relating to the
24 protection of personal information and in particular, the
25 development of information and communication technologies
26 and commercial practices;

SB3517- 97 -LRB103 35732 LNS 65813 b
1 (9) cooperate with other agencies with jurisdiction
2 over privacy laws and with data processing authorities in
3 this State, other states, territories, and countries to
4 ensure consistent application of privacy protections;
5 (10) establish a mechanism under which persons doing
6 business in this State that do not meet the definition of
7 business may voluntarily certify that they are in
8 compliance with this Act, and make a list of those
9 entities available to the public;
10 (11) solicit, review, and approve applications for
11 grants to the extent funds are available under paragraph
12 (2) of subsection (b) of Section 10-70; and
13 (12) perform all other acts necessary or appropriate
14 in the exercise of its power, authority, and jurisdiction
15 and seek to balance the goals of strengthening consumer
16 privacy while giving attention to the impact on
17 businesses.
18 Section 15-40. Investigation of violations.
19 (a) Upon the sworn complaint of any person or on its own
20initiative, the Agency may investigate possible violations of
21this Act relating to any business, service provider,
22contractor, or person. The Agency may decide not to
23investigate a complaint or decide to provide a business with a
24period to cure the alleged violation. In making a decision not
25to investigate or provide more time to cure, the Agency may

SB3517- 98 -LRB103 35732 LNS 65813 b
1consider:
2 (1) the lack of intent to violate this Act; and
3 (2) the voluntary efforts undertaken by the business,
4 service provider, contractor, or person to cure the
5 alleged violation prior to being notified by the Agency of
6 the complaint.
7 (b) The Agency shall notify in writing the person who made
8the complaint of the action, if any, the Agency has taken or
9plans to take on the complaint, together with the reasons for
10that action or nonaction.
11 Section 15-45. Notice. No finding of probable cause to
12believe this Act has been violated shall be made by the Agency
13unless, at least 30 days prior to the Agency's consideration
14of the alleged violation, the business, service provider,
15contractor, or person alleged to have violated this Act is
16notified of the violation by service of process or registered
17mail with return receipt requested, provided with a summary of
18the evidence, and informed of their right to be present in
19person and represented by counsel at any proceeding of the
20Agency held for the purpose of considering whether probable
21cause exists for believing the person violated this Act.
22Notice to the alleged violator shall be deemed made on the date
23of service, the date the registered mail receipt is signed, or
24if the registered mail receipt is not signed, the date
25returned by the post office. A proceeding held for the purpose

SB3517- 99 -LRB103 35732 LNS 65813 b
1of considering probable cause shall be private unless the
2alleged violator files with the Agency a written request that
3the proceeding be public.
4 Section 15-50. Procedure.
5 (a) If the Agency determines there is probable cause for
6believing this Act has been violated, it shall hold a hearing
7to determine if a violation or violations have occurred.
8Notice shall be given and the hearing conducted in accordance
9with the Illinois Administrative Procedure Act. The Agency
10shall have all the powers granted by that Act. If the Agency
11determines on the basis of the hearing conducted under this
12subsection that a violation or violations have occurred, it
13shall issue an order that may require the violator to do all or
14any of the following:
15 (1) cease and desist violation of this Act; or
16 (2) subject to Section 10-65, pay an administrative
17 fine of up to $2,500 for each violation, or up to $7,500
18 for each intentional violation and each violation
19 involving the personal information of minor consumers to
20 the Consumer Privacy Fund.
21 If the Agency determines that no violation has occurred,
22it shall publish a declaration so stating.
23 (b) If 2 or more persons are responsible for any violation
24or violations, they shall be jointly and severally liable.

SB3517- 100 -LRB103 35732 LNS 65813 b
1 Section 15-55. Rejection of administrative law decision.
2Whenever the Agency rejects the decision of an administrative
3law judge, the Agency shall state the reasons in writing for
4rejecting the decision.
5 Section 15-60. Subpoenas and evidence. The Agency may
6subpoena witnesses, compel their attendance and testimony,
7administer oaths and affirmations, take evidence and require
8by subpoena the production of any books, papers, records, or
9other items material to the performance of the Agency's duties
10or exercise of its powers, including, but not limited to, its
11power to audit a business's compliance with this Act.
12 Section 15-65. Limitations. No administrative action
13brought under this Act alleging a violation of any of the
14provisions of this Act shall be commenced more than 5 years
15after the date on which the violation occurred.
16 (1) The service of the probable cause hearing notice
17 upon the person alleged to have violated this Act shall
18 constitute the commencement of the administrative action.
19 (2) If the person alleged to have violated this Act
20 engages in the fraudulent concealment of the person's acts
21 or identity, the 5-year period shall be tolled for the
22 period of the concealment.
23 (3) If, upon being ordered by a court to produce any
24 documents sought by a subpoena in any administrative

SB3517- 101 -LRB103 35732 LNS 65813 b
1 proceeding under this Act and the person alleged to have
2 violated this Act fails to produce documents in response
3 to the order by the date ordered to comply therewith, the
4 5-year period shall be tolled for the period of the delay
5 from the date of filing of the motion to compel until the
6 date the documents are produced.
7 Section 15-70. Collection of administrative fines.
8 (a) In addition to any other available remedies, the
9Agency may bring a civil action and obtain a judgment in court
10for the purpose of collecting any unpaid administrative fines
11imposed under this Act after exhaustion of judicial review of
12the Agency's action. The venue for this action shall be in the
13county where the administrative fines were imposed by the
14Agency. In order to obtain a judgment in a proceeding under
15this Section, the Agency shall show, following the procedures
16and rules of evidence as applied in ordinary civil actions:
17 (1) that the administrative fines were imposed
18 following the procedures set forth in this Act and
19 implementing rules;
20 (2) that the defendant or defendants in the action
21 were notified, by actual or constructive notice, of the
22 imposition of the administrative fines; and
23 (3) that a demand for payment has been made by the
24 Agency and full payment has not been received.
25 (b) A civil action brought under subsection (a) shall be

SB3517- 102 -LRB103 35732 LNS 65813 b
1commenced within 4 years after the date on which the
2administrative fines were imposed.
3 Section 15-75. Judgment.
4 (a) If the time for judicial review of a final Agency order
5or decision has lapsed, or if all means of judicial review of
6the order or decision have been exhausted, the Agency may
7apply to the clerk of the court for a judgment to collect the
8administrative fines imposed by the order or decision, or the
9order as modified in accordance with a decision on judicial
10review.
11 (b) The application, which shall include a certified copy
12of the order or decision, or the order as modified in
13accordance with a decision on judicial review, and proof of
14service of the order or decision, constitutes a sufficient
15showing to warrant issuance of the judgment to collect the
16administrative fines. The clerk of the court shall enter the
17judgment immediately in conformity with the application.
18 (c) An application made under this Section shall be made
19to the clerk of the court in the county where the
20administrative fines were imposed by the Agency.
21 (d) A judgment entered in accordance with this Section has
22the same force and effect as, and is subject to all the
23provisions of law relating to, a judgment in a civil action and
24may be enforced in the same manner as any other judgment of the
25court in which it is entered.

SB3517- 103 -LRB103 35732 LNS 65813 b
1 (e) The Agency may bring an application under this Section
2only within 4 years after the date on which all means of
3judicial review of the order or decision have been exhausted.
4 (f) The remedies available under this Section are in
5addition to those available under any other law.
6 Section 15-80. Judicial review. Any decision of the Agency
7with respect to a complaint or administrative fine shall be
8subject to judicial review in an action brought by an
9interested party to the complaint or administrative fine and
10shall be subject to an abuse of discretion standard.
11
Article 20. Miscellaneous
12 Section 20-5. Conflicting provisions. This Act is intended
13to further the constitutional right of privacy and to
14supplement existing laws relating to personal information. The
15provisions of this Act are not limited to information
16collected electronically or over the Internet, but apply to
17the collection and sale of all personal information collected
18by a business from consumers. Wherever possible, law relating
19to personal information should be construed to harmonize with
20the provisions of this Act, but if a conflict between other
21laws and the provisions of this Act, the provisions of the law
22that afford the greatest protection for the right of privacy
23for consumers shall control.

SB3517- 104 -LRB103 35732 LNS 65813 b
1 Section 20-10. Preemption. This Act is a matter of
2statewide concern and supersedes and preempts all rules,
3regulations, codes, ordinances, and other laws adopted by a
4city, county, municipality, or local agency regarding the
5collection and sale of consumers' personal information by a
6business.
7 Section 20-15. Severability. The provisions of this Act
8are severable under Section 1.31 of the Statute on Statutes.
9 Section 20-20. Standing. Notwithstanding any other
10provision of law, if the State or any of its officials fail to
11defend the constitutionality of this Act, any other
12governmental agency of this State shall have the authority to
13intervene in any court action challenging the
14constitutionality of this Act for the purpose of defending its
15constitutionality, whether that action is in State or federal
16trial court, on appeal, or on discretionary review by the
17Illinois Supreme Court or the Supreme Court of the United
18States. The reasonable fees and costs of defending the action
19shall be a charge on funds appropriated to the Office of the
20Attorney General, which shall be satisfied promptly.
21 Section 20-25. Construction. This Act shall be liberally
22construed to effectuate its purposes.

SB3517- 105 -LRB103 35732 LNS 65813 b
1 Section 20-30. Saving clause. This Act is intended to
2supplement federal and State law, where permissible, but shall
3not apply if that application is preempted by, or in conflict
4with, federal law or the Illinois Constitution. The provisions
5of this Act relating to children under 16 years of age shall
6only apply to the extent not in conflict with the federal
7Children's Online Privacy Protection Act.
8
Article 25. Amendatory Provisions
9 Section 25-5. The State Finance Act is amended by adding
10Section 5.1015 as follows:
feedback