SB0340 Engrossed LRB104 06459 JRC 16495 b

    AN ACT concerning civil law.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 10. Short title. This Act may be cited as the
Illinois Consumer Data Privacy Act.

    Section 11. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is
controlled by, or is under common control with another legal
entity. As used in this definition, "control" or "controlled"
means: ownership of or the power to vote more than 50% of the
outstanding shares of any class of voting security of a
company; control in any manner over the election of a majority
of the directors or of individuals exercising similar
functions; or the power to exercise a controlling influence
over the management of a company.
    "Authenticate" means to use reasonable means to determine
that a request to exercise any of the rights under subsection
(b) of Section 14 is being made by or rightfully on behalf of
the consumer who is entitled to exercise the rights with
respect to the personal data at issue.
    "Biometric identifier" has the same meaning given to that
term in the Biometric Information Privacy Act.
    "Biometric information" has the same meaning given to that
term in the Biometric Information Privacy Act.
    "Child" has the meaning given in United States Code, Title
15, Section 6501.
    "Collect" means to buy, rent, obtain, lease, access,
receive, or otherwise acquire personal data in any manner.
    "Consent" means any freely given, specific, informed, and
unambiguous indication of the consumer's wishes by which the
consumer signifies agreement to the processing of personal
data relating to the consumer. Acceptance of general or broad
terms of use or similar document that contains descriptions of
personal data processing along with other, unrelated
information does not constitute consent. Hovering over,
muting, pausing, or closing a given piece of content does not
constitute consent. A consent is not valid when the consumer's
indication has been obtained by a dark pattern. A consumer may
revoke consent previously given consistent with this Act.
    "Consumer" means a natural person who is an Illinois
resident acting only in an individual or household context.
Consumer does not include a natural person acting in a
commercial or employment context.
    "Controller" means the natural or legal person who, alone
or jointly with others, determines the purposes and means of
the processing of personal data.
    "Decisions that produce legal or similarly significant
effects concerning the consumer" means decisions made by the
controller that result in the provision or denial by the
controller of financial or lending services, housing,
insurance, education enrollment or opportunity, criminal
justice, employment opportunities, health care services, or
access to essential goods or services.
    "Dark pattern" means a user interface designed or
manipulated with the substantial effect of subverting or
impairing user autonomy, decision making, or choice.
    "Deidentified data" means data that cannot reasonably be
used to infer information about or otherwise be linked to an
identified or identifiable natural person or a device linked
to an identified or identifiable natural person, provided that
the controller that possesses the data:
        (1) takes reasonable measures to ensure that the data
    cannot be associated with a natural person;
        (2) publicly commits to process the data only in a
    deidentified fashion and not attempt to reidentify the
    data; and
        (3) contractually obligates any recipients of the
    information to comply with all provisions of this
    definition.
    "Delete" means to remove or destroy information so that it
is not maintained in human- or machine-readable form and
cannot be retrieved or used in the ordinary course of
business.
    "Genetic information" has the meaning ascribed to the term
under the Health Insurance Portability and Accountability Act
of 1996 as specified in 45 CFR 160.103.
    "Identified or identifiable natural person" means a person
who can be readily identified, directly or indirectly.
    "Known child" means a person under circumstances in which
a controller has actual knowledge of, or willfully disregards,
that the person is under 13 years of age.
    "Personal data" means any information that is linked or
reasonably linkable to an identified or identifiable natural
person. Personal data does not include deidentified data,
pseudonymous data, or publicly available information. As used
in this definition, "publicly available information" means
information that (1) is lawfully made available from federal,
state, or local government records; or (2) a controller has a
reasonable basis to believe has lawfully been made available
to the general public.
    "Process" or "processing" means any operation or set of
operations that are performed on personal data or on sets of
personal data, whether or not by automated means, including,
but not limited to, the collection, use, storage, disclosure,
analysis, deletion, monetization, sharing, retention,
organizing, structuring, licensing, or modification of
personal data.
    "Processor" means a natural or legal person who processes
personal data on behalf of a controller.
    "Profiling" means any form of automated processing of
personal data to evaluate, analyze, or predict personal
aspects related to an identified or identifiable natural
person's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements.
Profiling does not include automated processing used solely
for independent measurement.
    "Pseudonymous data" means personal data that cannot be
attributed to a specific natural person without the use of
additional information, provided that the additional
information is kept separately and is subject to appropriate
technical and organizational measures to ensure that the
personal data are not attributed to an identified or
identifiable natural person.
    "Sale", "sell", or "sold" means the exchange of personal
data for monetary or other valuable consideration by the
controller, processor, or an affiliate of the controller or
processor to a third party. "Sale" does not include the
following:
        (1) the disclosure of personal data to a processor who
    processes the personal data on behalf of the controller if
    limited to the purposes of processing;
        (2) the disclosure of personal data to a third party
    for purposes of providing a product or service requested
    by the consumer;
        (3) the disclosure or transfer of personal data to an
    affiliate of the controller;
        (4) the disclosure of information that the consumer
    intentionally made available to the general public via a
    channel of mass media and did not restrict to a specific
    audience;
        (5) the disclosure or transfer of personal data to a
    third party as an asset that is part of a completed or
    proposed merger, acquisition, bankruptcy, or other
    transaction in which the third party assumes control of
    all or part of the controller's assets; or
        (6) the exchange of personal data between the producer
    of a good or service and authorized agents of the producer
    who sell and service the goods and services to enable the
    cooperative provisioning of goods and services by both the
    producer and the producer's agents.
    "Sensitive data" is a form of personal data. "Sensitive
data" means:
        (1) personal data revealing racial or ethnic origin,
    religious beliefs, mental or physical health condition or
    diagnosis, sexual orientation, or citizenship or
    immigration status;
        (2) the processing of biometric identifiers or
    information or genetic information for the purpose of
    uniquely identifying an individual;
        (3) the personal data of a known child;
        (4) specific geolocation data;
        (5) information that reveals the status of
    identifiable natural person as a victim of a crime; or
        (6) a government-issued identifier, including a social
    security number, passport number, or a driver's license
    number, that is not required by law to be displayed in
    public.
    "Specific geolocation data" means information derived from
technology, including, but not limited to, global positioning
system level latitude and longitude coordinates or other
mechanisms that can precisely and accurately identify the
specific location of a consumer or a device linked with a
consumer within a radius of 1,750 feet. Specific geolocation
data does not include the content of communications, the
contents of databases containing street address information
that are accessible to the public as authorized by law, or any
data generated by or connected to advanced utility metering
infrastructure systems or other equipment for use by a public
utility.
    "Targeted advertising" means displaying advertisements to
a consumer or to a device linked to a consumer in which the
advertisement is selected based on personal data obtained or
inferred from the consumer's activities over time and across
nonaffiliated websites or online applications to predict the
consumer's preferences or interests. Targeted advertising does
not include:
        (1) advertising based on activities within a
    controller's own websites or online applications;
        (2) advertising based on the context of a consumer's
    current search query or visit to a website or online
    application;
        (3) advertising to a consumer in response to the
    consumer's request for information or feedback; or
        (4) processing personal data solely for measuring or
    reporting content and advertising performance, reach, or
    frequency, including independent measurement.
    (z) "Third party" means a natural or legal person, public
authority, agency, or body other than the consumer,
controller, processor, or an affiliate of the processor or the
controller.
    (aa) "Trade secret" has the same meaning given to the term
in the Illinois Trade Secrets Act.

    Section 12. Scope; exclusions.
    (a)(1) Scope. This Act applies to legal entities that
conduct business in Illinois or produce products or services
that are targeted to Illinois residents, and that satisfy one
or more of the following thresholds:
        (A) during a calendar year, collects or processes
    personal data of 100,000 consumers or more, excluding
    personal data controlled or processed solely for the
    purpose of completing a payment transaction; or
        (B) derives over 25% of gross revenue from the sale of
    personal data and processes or collects personal data of
    25,000 consumers or more.
    (2) A controller or processor shall comply with the
Student Online Personal Protection Act, except that if the
provisions of that Act conflict with this Act, the Student
Online Personal Protection Act prevails.
    (3) All legal entities shall comply with the Biometric
Information Privacy Act and the Genetic Information Privacy
Act.
    (b) Exclusions. The provisions of this Act do not apply to
the following entities, activities, or types of information:
        (1) the State, a political subdivision of the State,
    and units of local government;
        (2) a federally recognized Indian tribe;
        (3) information that meets the definition of:
            (A) protected health information, as defined by
        and for purposes of the Health Insurance Portability
        and Accountability Act of 1996, Public Law 104-191,
        and related regulations;
            (B) health records, that includes, but is not
        limited to, any information, whether oral or recorded
        in any form or medium, that relates to the past,
        present, or future physical or mental health or
        condition of a patient; the provision of health care
        to a patient; or the past, present, or future payment
        for the provision of health care to a patient;
            (C) patient identifying information for purposes
        of Code of Federal Regulations, Title 42, Part 2,
        established pursuant to the United States Code, Title
        42, Section 290dd-2;
            (D) identifiable private information for purposes
        of the federal policy for the protection of human
        subjects, the Code of Federal Regulations, Title 45,
        Part 46; identifiable private information that is
        otherwise information collected as part of human
        subjects research under the good clinical practice
        guidelines issued by the International Council for
        Harmonisation; the protection of human subjects under
        the Code of Federal Regulations, Title 21, Parts 50
        and 56; or personal data used or shared in research
        conducted in accordance with one or more of the
        requirements set forth in this paragraph;
            (E) information and documents created for purposes
        of the federal Health Care Quality Improvement Act of
        1986, Public Law 99-660, and related regulations; or
            (F) patient safety work product for purposes of
        Code of Federal Regulations, Title 42, Part 3,
        established under the United States Code, Title 42,
        Sections 299b-21 to 299b-26;
        (4) information that is derived from any of the health
    care-related information listed in clause (3), but that
    has been deidentified in accordance with the requirements
    for deidentification set forth in the Code of Federal
    Regulations, Title 45, Part 164;
        (5) information originating from, and intermingled to
    be indistinguishable with, any of the health care-related
    information listed in clause (3) that is maintained by:
            (A) a covered entity or business associate, as
        defined by the Health Insurance Portability and
        Accountability Act of 1996, Public Law 104-191, and
        related regulations to the extent the entity is acting
        as a covered entity or business associate under the
        Privacy and Security rules issued by the United States
        Department of Health and Human Services, Parts 160 and
        164 of Title 45 of the Code of Federal Regulations;
            (B) a health care provider, to include, but not be
        limited to, any public or private facility that
        provides, on an inpatient or outpatient basis,
        preventive, diagnostic, therapeutic, convalescent,
        rehabilitation, mental health, or intellectual
        disability services, including general or special
        hospitals, skilled nursing homes, extended care
        facilities, intermediate care facilities and mental
        health centers; or
            (C) a program or a qualified service organization,
        as defined by Code of Federal Regulations, Title 42,
        Part 2, established pursuant to United States Code,
        Title 42, Section 290dd-2;
        (6) information that is:
            (A) maintained by an entity that meets the
        definition of health care provider under the Code of
        Federal Regulations, Title 45, Section 160.103, to the
        extent that the entity maintains the information in
        the manner required of covered entities with respect
        to protected health information for purposes of the
        Health Insurance Portability and Accountability Act of
        1996, Public Law 104-191, and related regulations;
            (B) included in a limited data set, as described
        under the Code of Federal Regulations, Title 45, Part
        164.514(e), to the extent that the information is
        used, disclosed, and maintained in the manner
        specified by that part;
            (C) maintained by, or maintained to comply with
        the rules or orders of, a self-regulatory organization
        as defined by the United States Code, Title 15,
        Section 78c(a)(26) or of a registered futures
        association as designated under the United States
        Code, Title 7, Section 21;
            (D) originated from, or intermingled with,
        information described in clause (9) and that a
        residential mortgage originator or residential
        mortgage servicer regulated under the Residential
        Mortgage License Act of 1987 collects, processes,
        uses, or maintains in the same manner as required
        under the laws and regulations specified in clause
        (9); or
            (E) originated from, or intermingled with,
        information described in clause (9) and that a nonbank
        financial institution collects, processes, uses, or
        maintains in the same manner as required under the
        laws and regulations specified in clause (9);
        (7) information used only for public health activities
    and purposes, as described under the Code of Federal
    Regulations, Title 45, Part 164.512;
        (8) an activity involving the collection, maintenance,
    disclosure, sale, communication, or use of any personal
    data bearing on a consumer's credit worthiness, credit
    standing, credit capacity, character, general reputation,
    personal characteristics, or mode of living by a consumer
    reporting agency, as defined in the United States Code,
    Title 15, Section 1681a(f), by a furnisher of information,
    as set forth in the United States Code, Title 15, Section
    1681s-2, who provides information for use in a consumer
    report, as defined in the United States Code, Title 15,
    Section 1681a(d), and by a user of a consumer report, as
    set forth in the United States Code, Title 15, Section
    1681b, except that information is only excluded under this
    paragraph to the extent that the activity involving the
    collection, maintenance, disclosure, sale, communication,
    or use of the information by the agency, furnisher, or
    user is subject to regulation under the federal Fair
    Credit Reporting Act, United States Code, Title 15,
    Sections 1681 to 1681x, and the information is not
    collected, maintained, used, communicated, disclosed, or
    sold except as authorized by the Fair Credit Reporting
    Act;
        (9) financial institutions, their affiliates, and
    personal data subject to the federal Gramm-Leach-Bliley
    Act, Public Law 106-102, and implementing regulations;
        (10) personal data collected, processed, sold, or
    disclosed pursuant to the federal Driver's Privacy
    Protection Act of 1994, United States Code, Title 18,
    Sections 2721 to 2725, if the collection, processing,
    sale, or disclosure is in compliance with that law;
        (11) personal data regulated by the federal Family
    Educational Rights and Privacy Act, United States Code,
    Title 20, Section 1232g, and implementing regulations;
        (12) personal data collected, processed, sold, or
    disclosed pursuant to the federal Farm Credit Act of 1971,
    as amended, United States Code, Title 12, Sections 2001 to
    2279cc, and implementing regulations, Code of Federal
    Regulations, Title 12, Part 600, if the collection,
    processing, sale, or disclosure is in compliance with that
    law;
        (13) data collected or maintained:
            (A) in the course of an individual acting as a job
        applicant to or an employee, owner, director, officer,
        medical staff member, or contractor of a business if
        the data is collected and used solely within the
        context of the role;
            (B) as the emergency contact information of an
        individual under item (A) if used solely for emergency
        contact purposes; or
            (C) that is necessary for the business to retain
        to administer benefits for another individual relating
        to the individual under item (1) if used solely for the
        purposes of administering those benefits;
        (14) personal data collected, processed, sold, or
    disclosed under the Illinois Insurance Code;
        (15) data collected, processed, sold, or disclosed as
    part of a payment-only credit, check, or cash transaction
    where no data about consumers, as defined in Section 11,
    are retained;
        (16) a State or federally chartered bank or credit
    union, or an affiliate or subsidiary that is principally
    engaged in financial activities, as described in the
    United States Code, Title 12, Section 1843(k);
        (17) information that originates from, or is
    intermingled so as to be indistinguishable from,
    information described in clause (8) and that a person
    collects, processes, uses, or maintains in the same manner
    as is required under the laws and regulations specified in
    clause (8);
        (18) an insurance company and an insurance producer
    that are regulated by the State under the Illinois
    Insurance Code, a third-party administrator of
    self-insurance, or an affiliate or subsidiary of any
    entity identified in this clause that is principally
    engaged in financial activities, as described in the
    United States Code, Title 12, Section 1843(k), except that
    this clause does not apply to a person that, alone or in
    combination with another person, establishes and maintains
    a self-insurance program that does not otherwise engage in
    the business of entering into policies of insurance;
        (19) a small business, as defined by the United States
    Small Business Administration under the Code of Federal
    Regulations, Title 13, Part 121, except that a small
    business identified in this clause is subject to Section
    17;
        (20) a nonprofit organization that is established to
    detect and prevent fraudulent acts in connection with
    insurance; and
        (21) an air carrier subject to the federal Airline
    Deregulation Act, Public Law 95-504, only to the extent
    that an air carrier collects personal data related to
    prices, routes, or services and only to the extent that
    the provisions of the Airline Deregulation Act preempt the
    requirements of this Act.
    Controllers that are in compliance with the Children's
Online Privacy Protection Act, United States Code, Title 15,
Sections 6501 to 6506, and implementing regulations, are
deemed compliant with any obligation to obtain parental
consent under this Act.

    Section 13. Responsibility according to role.
    (a) Controllers and processors are responsible for meeting
the respective obligations established under this Act.
    (b) Processors are responsible under this Act for adhering
to the instructions of the controller and assisting the
controller to meet the controller's obligations under this
Act. Assistance under this subsection shall include the
following:
        (1) taking into account the nature of the processing,
    the processor shall assist the controller by appropriate
    technical and organizational measures, insofar as this is
    possible, for the fulfillment of the controller's
    obligation to respond to consumer requests to exercise
    their rights under Section 14; and
        (2) taking into account the nature of processing and
    the information available to the processor, the processor
    shall assist the controller in meeting the controller's
    obligations in relation to the security of processing the
    personal data and in relation to the notification of a
    breach of the security of the system under the Illinois
    Personal Information Protection Act and provide
    information to the controller necessary to enable the
    controller to conduct and document any data privacy and
    protection assessments required by Section 18.
    (c) A contract between a controller and a processor shall
govern the processor's data processing procedures with respect
to processing performed on behalf of the controller. The
contract shall be binding on both parties and clearly set
forth instructions for processing data, the nature and purpose
of processing, the type of data subject to processing, the
duration of processing, and the rights and obligations of both
parties. The contract shall also require that the processor:
        (1) ensure that each person processing the personal
    data is subject to a duty of confidentiality with respect
    to the data;
        (2) engage a subcontractor only under a written
    contract in accordance with this subsection (c) that
    requires the subcontractor to meet the obligations of the
    processor with respect to the personal data;
        (3) at the choice of the controller, delete or return
    all personal data to the controller as requested at the
    end of the provision of services, unless retention of the
    personal data is required by law;
        (4) upon a reasonable request from the controller,
    make available to the controller all information necessary
    to demonstrate compliance with the obligations in this
    Act; and
        (5) allow for, and contribute to, reasonable
    assessments and inspections by the controller or the
    controller's designated assessor. Alternatively, the
    processor may arrange for a qualified and independent
    assessor to conduct, at least annually and at the
    processor's expense, an assessment of the processor's
    policies and technical and organizational measures in
    support of the obligations under this Act. The assessor
    must use an appropriate and accepted control standard or
    framework and assessment procedure for assessments as
    applicable and provide a report of an assessment to the
    controller upon request.
    (d) Taking into account the context of processing, the
controller and the processor shall implement appropriate
technical and organizational measures to ensure a level of
security appropriate to the risk and establish a clear
allocation of the responsibilities between the controller and
the processor to implement the technical and organizational
measures.
    (e) In no event shall any contract relieve a controller or
a processor from the liabilities imposed on a controller or
processor by virtue of the controller's or processor's roles
in the processing relationship under this Act. Notwithstanding
any other provision of this Act, if a processor processes data
under a binding contract that sets forth the processing
instructions and limits the actions the processor may take
with respect to the data it processes on behalf of the
controller, the processor is not liable for the controller's
actions that led to a violation of this Act.
    (f) Determining whether a person is acting as a controller
or processor with respect to a specific processing of data is a
fact-based determination that depends upon the context in
which personal data are to be processed. A person that is not
limited in the person's processing of personal data pursuant
to a controller's instructions, or that fails to adhere to a
controller's instructions, is a controller and not a processor
with respect to a specific processing of data. A processor
that continues to adhere to a controller's instructions with
respect to a specific processing of personal data remains a
processor. If a processor begins, alone or jointly with
others, determining the purposes and means of the processing
of personal data, the processor is a controller with respect
to the processing.

    Section 14. Consumer personal data rights.
    (a)(1) Consumer rights provided. Except as provided in
this Act, a controller must comply with a request to exercise
the consumer rights provided in this subsection (a).
    (2) A consumer has the right to confirm whether or not a
controller is processing personal data concerning the consumer
and access the personal data the controller is processing.
    (3) A consumer has the right to correct inaccurate
personal data concerning the consumer taking into account the
nature of the personal data and the purposes of the processing
of the personal data.
    (4) A consumer has the right to delete personal data
concerning the consumer.
    (5) A consumer has the right to obtain personal data
concerning the consumer, which the consumer previously
provided to the controller, in a portable and, to the extent
technically feasible, readily usable format that allows the
consumer to transmit the data to another controller without
hindrance, where the processing is carried out by automated
means.
    (6) A consumer has the right to opt out of the processing
of personal data concerning the consumer for purposes of: (i)
targeted advertising, (ii) the sale of personal data, or (iii)
profiling in furtherance of automated decisions that produce
legal effects concerning a consumer or similarly significant
effects concerning a consumer.
    (7) If a consumer's personal data is profiled in
furtherance of decisions that produce legal effects concerning
a consumer or similarly significant effects concerning a
consumer, the consumer has the right to question the result of
the profiling, only if the profiling produces legal or
similarly significant effects concerning the consumer. The
consumer has the right to review the consumer's personal data
used in the profiling. If the decision is determined to have
been based upon inaccurate personal data taking into account
1the nature of the personal data and the purposes of the
2processing of the personal data, the consumer has the right to
3have the data corrected and the profiling decision reevaluated
4based upon the corrected data.
5    (8) A consumer has a right to obtain general descriptions
6of categories of third parties to which the controller has
7disclosed the consumer's personal data, unless such a list of
8specific third parties is readily available to the controller.
9    (b)(1) Exercising consumer rights. A consumer may exercise
10the rights set forth in subsection (a) by submitting a
11request, at any time, to a controller specifying which rights
12the consumer wishes to exercise.
13    (2) In the case of processing personal data concerning a
14known child, the parent or legal guardian of the known child
15may exercise the rights under this Act on the child's behalf.
16    (3) In the case of processing personal data concerning a
17consumer legally subject to guardianship under the Probate Act
18of 1975, the guardian of the consumer may exercise the rights
19under this Act on the consumer's behalf.
20    (4) A consumer may designate another person as the
21consumer's authorized agent to exercise the consumer's right
22to opt out of the processing of the consumer's personal data
23for purposes of targeted advertising and sale under subsection
24(c)(1) on the consumer's behalf. A consumer may designate an
25authorized agent by way of, among other things, a technology,
26including, but not limited to, an Internet link or a browser
1setting, browser extension, or global device setting,
2indicating the consumer's intent to opt out of the processing.
3A controller shall comply with an opt-out request received
4from an authorized agent if the controller is able to verify,
5with commercially reasonable effort, the identity of the
6consumer and the authorized agent's authority to act on the
7consumer's behalf.
8    (c)(1) Universal opt-out mechanisms. A controller must
9allow a consumer to opt out of any processing of the consumer's
10personal data for the purposes of targeted advertising,
11profiling in furtherance of automated decisions that produce
12legal effects concerning the consumer or any sale of the
13consumer's personal data through an opt-out preference signal
14sent, with the consumer's consent, by a platform, technology,
15or mechanism to the controller indicating the consumer's
16intent to opt out of the processing, profiling, or sale. The
17platform, technology, or mechanism must:
18        (A) not unfairly disadvantage another controller;
19        (B) not make use of a default setting but require the
20    consumer to make an affirmative, freely given, and
21    unambiguous choice to opt out of the processing of the
22    consumer's personal data;
23        (C) be consumer-friendly and easy to use by the
24    average consumer;
25        (D) be as consistent as possible with any other
26    similar platform, technology, or mechanism required by any
1    federal or State law or regulation; and
2        (E) enable the controller to accurately determine
3    whether the consumer is an Illinois resident and whether
4    the consumer has made a legitimate request to opt out of
5    any sale of the consumer's personal data profiling in
6    furtherance of automated decisions that produce legal
7    effects concerning the consumer, or targeted advertising.
8    For purposes of this paragraph, the use of an Internet
9    protocol address to estimate the consumer's location is
10    sufficient to determine the consumer's residence.
11    (2) If a consumer's opt-out request is exercised through
12the platform, technology, or mechanism required under
13subsection (c)(1), and the request conflicts with the
14consumer's existing controller-specific privacy setting or
15voluntary participation in a controller's bona fide loyalty,
16rewards, premium features, discounts, or club card program,
17the controller must comply with the consumer's opt-out
18preference signal but may also notify the consumer of the
19conflict and provide the consumer a choice to confirm the
20controller-specific privacy setting or participation in the
21controller's program.
22    (3) A controller that recognizes opt-out preference
23signals that have been approved by other state laws or
24regulations is in compliance with this subdivision.
25    (d)(1) Controller response to consumer requests. Except as
26provided in this Act, a controller must comply with a request
1to exercise the rights pursuant to subsection (a).
2    (2) A controller must provide one or more secure and
3reliable means for consumers to submit a request to exercise
4the consumer's rights under this Section. The means made
5available must take into account the ways in which consumers
6interact with the controller and the need for secure and
7reliable communication of the requests.
8    (3) A controller may not require a consumer to create a new
9account to exercise a right, but a controller may require a
10consumer to use an existing account to exercise the consumer's
11rights under this Section.
12    (4) A controller must comply with a request to exercise
13the rights under this Section as soon as feasibly possible,
14but no later than 45 days after the receipt of the request,
15unless the controller extends the time.
16    (5) A controller must inform a consumer of any action
17taken on a request under subsection (b) without undue delay
18and in any event within 45 days after the receipt of the
19request. That period may be extended once by 45 additional
20days where reasonably necessary taking into account the
21complexity and number of the requests. The controller must
22inform the consumer of any extension within the original
23 45-day window, together with the reasons for the delay.
24    (6) If a controller does not take action on a consumer's
25request, the controller must inform the consumer without undue
26delay and at the latest within 45 days after the receipt of the
1request of the reasons for not taking action and instructions
2for how to appeal the decision with the controller as
3described in subsection (e).
4    (7) Information provided under this Section must be
5provided by the controller free of charge up to twice annually
6to the consumer. If requests from a consumer are manifestly
7unfounded or excessive, in particular because of the
8repetitive character of the requests, the controller may
9either charge a reasonable fee to cover the administrative
10costs of complying with the request or refuse to act on the
11request. The controller bears the burden of demonstrating the
12manifestly unfounded or excessive character of the request.
13    (8) A controller is not required to comply with a request
14to exercise any of the rights under subsection (a), paragraphs
15(2) to (5) and (8), if the controller is unable to authenticate
16the request using commercially reasonable efforts. In such
17cases, the controller may request the provision of additional
18information reasonably necessary to authenticate the request.
19A controller is not required to authenticate an opt-out
20request, but a controller may deny an opt-out request if the
21controller has a good faith, reasonable, and documented belief
22that the request is fraudulent. If a controller denies an
23opt-out request because the controller believes a request is
24fraudulent, the controller must notify the person who made the
25request that the request was denied because of the
26controller's belief that the request was fraudulent and state
1the controller's basis for that belief.
2    (9) In response to a consumer request under subsection
3(b), a controller must not disclose the following information
4about a consumer but must instead inform the consumer with
5sufficient particularity that the controller has collected
6that type of information:
7        (A) Social Security number;
8        (B) driver's license number or other government-issued
9    identification number;
10        (C) financial account number;
11        (D) health insurance account number or medical
12    identification number;
13        (E) account password, security questions, or answers;
14    or
15        (F) biometric identifiers or information.
16    (10) In response to a consumer request under subsection
17(b), a controller is not required to reveal any trade secret.
18    (11) A controller that has obtained personal data about a
19consumer from a source other than the consumer may comply with
20a consumer's request to delete the consumer's personal data
21pursuant to subsection (a), paragraph (4), by either:
22        (A) retaining a record of the deletion request,
23    retaining the minimum data necessary for the purpose of
24    ensuring the consumer's personal data remains deleted from
25    the business's records and not using the retained data for
26    any other purpose under the provisions of this Act; or
1        (B) opting the consumer out of the processing of
2    personal data for any purpose except for the purposes
3    exempted pursuant to the provisions of this Act.
4    (e)(1) Appeal process required. A controller must
5establish an internal process in which a consumer may appeal a
6refusal to take action on a request to exercise any of the
7rights under subsection (a) within a reasonable period of time
8after the consumer's receipt of the notice sent by the
9controller under subsection (d), paragraph (6).
10    (2) The appeal process must be conspicuously available.
11The process must include the ease of use provisions in
12subsection (c)(1) applicable to submitting requests.
13    (3) Within 45 days after the receipt of an appeal, a
14controller must inform the consumer of any action taken or not
15taken in response to the appeal along with a written
16explanation of the reasons in support thereof. That period may
17be extended by 60 additional days if reasonably necessary,
18taking into account the complexity and number of the requests
19serving as the basis for the appeal. The controller must
20inform the consumer of any extension within 45 days after the
21receipt of the appeal together with the reasons for the delay.
22    (4) When informing a consumer of any action taken or not
23taken in response to an appeal pursuant to paragraph (3), the
24controller must provide a written explanation of the reasons
25for the controller's decision and clearly and prominently
26provide the consumer with information about how to file a
1complaint with the Attorney General. The controller must
2maintain records of all appeals and the controller's responses
3for at least 24 months and shall, upon written request by the
4Attorney General as part of an investigation, compile and
5provide a copy of the records to the Attorney General.
 
6    Section 15. Processing deidentified data or pseudonymous
7data.
8    (a) This Act does not require a controller or processor to
9do any of the following solely for purposes of complying with
10this Act:
11        (1) reidentify deidentified data;
12        (2) maintain data in identifiable form, or collect,
13    obtain, retain, or access any data or technology, to be
14    capable of associating an authenticated consumer request
15    with personal data; or
16        (3) comply with an authenticated consumer request to
17    access, correct, delete, or port personal data under
18    Section 14, subsection (a), if all of the following are
19    true:
20            (A) the controller is not reasonably capable of
21        associating the request with the personal data, or it
22        would be unreasonably burdensome for the controller to
23        associate the request with the personal data;
24            (B) the controller does not use the personal data
25        to recognize or respond to the specific consumer who
1        is the subject of the personal data or associate the
2        personal data with other personal data about the same
3        specific consumer; and
4            (C) the controller does not sell the personal data
5        to any third party or otherwise voluntarily disclose
6        the personal data to any third party other than a
7        processor, except as otherwise permitted in this
8        Section.
9    (b) The rights contained in paragraphs (2) to (5) and (8)
10of subsection (a) of Section 14 do not apply to pseudonymous
11data in cases in which the controller is able to demonstrate
12any information necessary to identify the consumer is kept
13separately and is subject to effective technical and
14organizational controls that prevent the controller from
15accessing the information.
16    (c) A controller that transfers, sells, or otherwise
17discloses pseudonymous data or deidentified data must exercise
18reasonable oversight to monitor compliance with any
19contractual commitments to which the pseudonymous data or
20deidentified data are subject, and must take appropriate steps
21to address any breaches of contractual commitments.
22    (d) A processor or third party must not attempt to
23identify the subjects of deidentified or pseudonymous data
24without the express authority of the controller that caused
25the data to be deidentified or pseudonymized.
26    (e) A controller, processor, or third party must not
1attempt to identify the subjects of data that has been
2collected with only pseudonymous identifiers.
 
3    Section 16. Responsibilities of controllers.
4    (a)(1) Transparency obligations. Controllers must provide
5consumers with a reasonably accessible, clear, and meaningful
6privacy notice, at or before collection, that includes:
7        (A) the categories of personal data processed by the
8    controller;
9        (B) the purposes for which the categories of personal
10    data are processed;
11        (C) an explanation of the rights contained in Section
12    14 and how and where consumers may exercise those rights,
13    including how a consumer may appeal a controller's action
14    with regard to the consumer's request;
15        (D) the categories of personal data that the
16    controller sells to or shares with third parties, if any;
17        (E) the categories of third parties, if any, with whom
18    the controller sells or shares personal data;
19        (F) the controller's contact information, including an
20    active email address or other online mechanism that the
21    consumer may use to contact the controller;
22        (G) a description of the controller's retention
23    policies for personal data; and
24        (H) the date the privacy notice was last updated.
25    (2) If a controller sells personal data to third parties,
1processes personal data for targeted advertising, or engages
2in profiling in furtherance of decisions that produce legal
3effects concerning a consumer or similarly significant effects
4concerning a consumer, the controller must disclose the
5processing in the privacy notice and provide access to a clear
6and conspicuous method outside the privacy notice for a
7consumer to opt out of the sale, processing, or profiling in
8furtherance of decisions that produce legal effects concerning
9a consumer or similarly significant effects concerning a
10consumer. This method may include but is not limited to an
11Internet hyperlink clearly labeled "Your Opt-Out Rights" or
12"Your Privacy Rights" that directly effectuates the opt-out
13request or takes consumers to a web page where the consumer can
14make the opt-out request.
15    (3) The privacy notice must be made available to the
16public in each language in which the controller provides a
17product or service that is subject to the privacy notice or
18carries out activities related to the product or service.
19    (4) The controller must provide the privacy notice in a
20manner that is reasonably accessible to and usable by
21individuals with disabilities.
22    (5) Whenever a controller makes a material change to the
23controller's privacy notice or practices, the controller must
24notify consumers affected by the material change with respect
25to any prospectively collected personal data and provide a
26reasonable opportunity for consumers to withdraw consent to
1any further materially different collection, processing, or
2transfer of previously collected personal data under the
3changed policy. The controller shall take all reasonable
4electronic measures to provide notification regarding material
5changes to affected consumers, taking into account available
6technology and the nature of the relationship.
7    (6) A controller is not required to provide a separate
8Illinois-specific privacy notice or section of a privacy
9notice if the controller's general privacy notice contains all
10the information required by this Section.
11    (7) The privacy notice must be posted online through a
12conspicuous hyperlink using the word "privacy" on the
13controller's website home page or on a mobile application's
14app store page or download page. A controller that maintains
15an application on a mobile or other device shall also include a
16hyperlink to the privacy notice in the application's settings
17menu or in a similarly conspicuous and accessible location. A
18controller that does not operate a website shall make the
19privacy notice conspicuously available to consumers through a
20medium regularly used by the controller to interact with
21consumers, including, but not limited to, mail.
22    (b)(1) Use of data. A controller shall:
23        (A) limit the collection of personal data to what is
24    adequate, relevant, and reasonably necessary in relation
25    to the purposes for which the data are processed, which
26    must be disclosed to the consumer;
1        (B) not collect, process, or share sensitive data
2    concerning a consumer except when such collection,
3    processing, or transfer is strictly necessary to provide
4    or maintain a specific product or service requested by the
5    consumer to whom the sensitive data pertains. For purposes
6    of this Act, the collection, processing, and sharing of
7    biometric identifiers and information must be done in
8    accordance with the requirements of the Biometric
9    Information Privacy Act. For purposes of this Act, the
10    collection, processing, and sharing of genetic information
11    must be done in accordance with the Genetic Information
12    Privacy Act. For purposes of this Act, the collection,
13    processing, and sharing of students' covered information
14    must be done in accordance with the Student Online
15    Personal Protection Act; and
16        (C) not sell sensitive data.
17    (2) Except as provided in this Act, a controller may not
18process personal data for purposes that are not reasonably
19necessary to, or compatible with, the purposes for which the
20personal data are processed, as disclosed to the consumer,
21unless the controller obtains the consumer's consent.
22    (3) A controller shall establish, implement, and maintain
23reasonable administrative, technical, and physical data
24security practices to protect the confidentiality, integrity,
25and accessibility of personal data, including the maintenance
26of an inventory of the data that must be managed to exercise
1these responsibilities. The data security practices shall be
2appropriate to the volume and nature of the personal data at
3issue.
4    (4) Except as otherwise provided in this Act, a controller
5may not process sensitive data concerning a consumer without
6obtaining the consumer's consent, or, in the case of the
7processing of personal data concerning a known child, without
8obtaining consent from the child's parent or lawful guardian,
9in accordance with the requirement of the Children's Online
10Privacy Protection Act, United States Code, Title 15, Sections
11 6501 to 6506, and its implementing regulations. A controller
12must follow the requirements of the Biometric Information
13Privacy Act and the Genetic Information Privacy Act for
14information covered by those Acts.
15    (5) A controller shall provide an effective mechanism for
16a consumer, or, in the case of the processing of personal data
17concerning a known child, the child's parent or lawful
18guardian, to withdraw previously given consent under this
19subsection. The mechanism provided shall be at least as easy
20as the mechanism by which the consent was previously given.
21Upon revocation of consent, a controller shall cease to
22process the applicable data as soon as practicable, but no
23later than 15 days after the receipt of the request.
24    (6) A controller may not process the personal data of a
25consumer for purposes of targeted advertising, or sell the
26consumer's personal data, without the consumer's consent,
1under circumstances in which the controller knows that the
2consumer is between the ages of 13 and 16.
3    (7) A controller may not retain personal data that is no
4longer relevant and reasonably necessary in relation to the
5purposes for which the data were collected and processed,
6unless retention of the data is otherwise required by law or
7permitted under Section 19 and in accordance with the
8Biometric Information Privacy Act.
9    (c)(1) Nondiscrimination. A controller shall not process
10personal data on the basis of a consumer's or a class of
11consumers' actual or perceived race, color, ethnicity,
12religion, national origin, sex, gender, gender identity,
13sexual orientation, familial status, lawful source of income,
14or disability in a manner that unlawfully discriminates
15against the consumer or class of consumers.
16    (2) A controller may not discriminate against a consumer
17for exercising any of the rights contained in this Act,
18including denying goods or services to the consumer, charging
19different prices or rates for goods or services, and providing
20a different level of quality of goods and services to the
21consumer. This subsection does not: (i) require a controller
22to provide a good or service that requires the consumer's
23personal data that the controller does not collect or
24maintain; or (ii) prohibit a controller from offering a
25different price, rate, level, quality, or selection of goods
26or services to a consumer, including offering goods or
1services for no fee, if the offering is in connection with a
2consumer's voluntary participation in a bona fide loyalty,
3rewards, premium features, discounts, or club card program.
4    (d) Waiver of rights unenforceable. Any provision of a
5contract or agreement of any kind that purports to waive or
6limit in any way a consumer's rights under this Act is contrary
7to public policy and is void and unenforceable.
 
8    Section 17. Requirements for small businesses.
9    (a) A small business, as defined by the United States
10Small Business Administration under the Code of Federal
11Regulations, Title 13, Part 121, that conducts business in
12Illinois or produces products or services that are targeted to
13Illinois residents must not sell a consumer's sensitive data.
14    (b) Penalties and enforcement procedures under Section 20
15apply to a small business that violates this Section.
 
16    Section 18. Data privacy policies; data privacy and
17protection assessments.
18    (a) A controller must document and maintain a description
19of the policies and procedures the controller has adopted to
20comply with this Act. The description must include, where
21applicable:
22        (1) the name and contact information for the
23    controller's chief privacy officer or other individual
24    with primary responsibility for directing the policies and
1    procedures implemented to comply with the provisions of
2    this Act; and
3        (2) a description of the controller's data privacy
4    policies and procedures that reflect the requirements in
5    Section 16, and any policies and procedures designed to:
6            (i) reflect the requirements of this Act in the
7        design of the controller's systems;
8            (ii) identify and provide personal data to a
9        consumer as required by this Act;
10            (iii) establish, implement, and maintain
11        reasonable administrative, technical, and physical
12        data security practices to protect the
13        confidentiality, integrity, and accessibility of
14        personal data, including the maintenance of an
15        inventory of the data that must be managed to exercise
16        the responsibilities under this item;
17            (iv) limit the collection of personal data to what
18        is adequate, relevant, and reasonably necessary in
19        relation to the purposes for which the data are
20        processed;
21            (v) prevent the retention of personal data that is
22        no longer relevant and reasonably necessary in
23        relation to the purposes for which the data were
24        collected and processed, unless retention of the data
25        is otherwise required by law or permitted under
26        Section 19 and in accordance with the Biometric
1        Information Privacy Act; and
2            (vi) identify and remediate violations of this
3        Act.
4    (b) A controller must conduct and document a data privacy
5and protection assessment for each of the following processing
6activities involving personal data:
7        (1) the processing of personal data for purposes of
8    targeted advertising;
9        (2) the sale of personal data;
10        (3) the processing of sensitive data;
11        (4) any processing activities involving personal data
12    that present a heightened risk of harm to consumers; and
13        (5) the processing of personal data for purposes of
14    profiling, where the profiling presents a reasonably
15    foreseeable risk of:
16            (i) unfair or deceptive treatment of, or disparate
17        impact on, consumers;
18            (ii) financial, physical, or reputational injury
19        to consumers;
20            (iii) a physical or other intrusion upon the
21        solitude or seclusion, or the private affairs or
22        concerns, of consumers, where the intrusion would be
23        offensive to a reasonable person; or
24            (iv) other substantial injury to consumers.
25    (c) A data privacy and protection assessment must take
26into account the type of personal data to be processed by the
1controller, including the extent to which the personal data
2are sensitive data, and the context in which the personal data
3are to be processed.
4    (d) A data privacy and protection assessment must identify
5and weigh the benefits that may flow directly and indirectly
6from the processing to the controller, consumer, other
7stakeholders, and the public against the potential risks to
8the rights of the consumer associated with the processing, as
9mitigated by safeguards that can be employed by the controller
10to reduce the potential risks. The use of deidentified data
11and the reasonable expectations of consumers, as well as the
12context of the processing and the relationship between the
13controller and the consumer whose personal data will be
14processed, must be factored into this assessment by the
15controller.
16    (e) A data privacy and protection assessment must include
17the description of policies and procedures required by
18subsection (a).
19    (f) As part of a civil investigative demand, the Attorney
20General or State's Attorneys may request, in writing, that a
21controller disclose any data privacy and protection assessment
22that is relevant to an investigation conducted by the Attorney
23General or State's Attorneys. The controller must make a data
24privacy and protection assessment available to the Attorney
25General or State's Attorneys upon a request made under this
26subsection. The Attorney General or State's Attorneys may
1evaluate the data privacy and protection assessments for
2compliance with this Act. Data privacy and protection
3assessments are nonpublic data that is required by State or
4federal law that is: (1) not about an individual; (2) not
5accessible by the general public; and (3) accessible by the
6subject of the data. The disclosure of a data privacy and
7protection assessment under a request from the Attorney
8General or State's Attorneys under this subsection does not
9constitute a waiver of the attorney-client privilege or work
10product protection with respect to the assessment and any
11information contained in the assessment.
12    (g) Data privacy and protection assessments or risk
13assessments conducted by a controller for the purpose of
14compliance with other laws or regulations may qualify under
15this Section if the assessments have a similar scope and
16effect.
17    (h) A single data protection assessment may address
18multiple sets of comparable processing operations that include
19similar activities.
 
20    Section 19. Limitations and applicability.
21    (a) The obligations imposed on controllers or processors
22under this Act do not restrict a controller's or a processor's
23ability to:
24        (1) comply with federal, State, or local laws, rules,
25    or regulations, including, but not limited to, data
1    retention requirements in State or federal law
2    notwithstanding a consumer's request to delete personal
3    data;
4        (2) comply with a civil, criminal, or regulatory
5    inquiry, investigation, subpoena, or summons by federal,
6    State, local, or other governmental authorities;
7        (3) cooperate with law enforcement agencies concerning
8    conduct or activity that the controller or processor
9    reasonably and in good faith believes may violate federal,
10    State, or local laws, rules, or regulations;
11        (4) investigate, establish, exercise, prepare for, or
12    defend legal claims;
13        (5) provide a product or service specifically
14    requested by a consumer; perform a contract to which the
15    consumer is a party, including fulfilling the terms of a
16    written warranty; or take steps at the request of the
17    consumer prior to entering into a contract;
18        (6) take immediate steps to protect an interest that
19    is essential for the life or physical safety of the
20    consumer or of another natural person, and if the
21    processing cannot be manifestly based on another legal
22    basis;
23        (7) prevent, detect, protect against, or respond to
24    security incidents, identity theft, fraud, harassment,
25    malicious or deceptive activities, or any illegal
26    activity; preserve the integrity or security of systems;
1    or investigate, report, or prosecute those responsible for
2    any such action;
3        (8) assist another controller, processor, or third
4    party with any of the obligations under this subsection;
5        (9) engage in public or peer-reviewed scientific,
6    historical, or statistical research in the public interest
7    that adheres to all other applicable ethics and privacy
8    laws and is approved, monitored, and governed by an
9    institutional review board, human subjects research ethics
10    review board, or a similar independent oversight entity
11    that has determined:
12            (A) the research is likely to provide substantial
13        benefits that do not exclusively accrue to the
14        controller;
15            (B) the expected benefits of the research outweigh
16        the privacy risks; and
17            (C) the controller has implemented reasonable
18        safeguards to mitigate privacy risks associated with
19        research, including any risks associated with
20        reidentification; or
21        (10) process personal data for the benefit of the
22    public in the areas of public health, community health, or
23    population health, but only to the extent that the
24    processing is:
25            (A) subject to suitable and specific measures to
26        safeguard the rights of the consumer whose personal
1        data is being processed; and
2            (B) under the responsibility of a professional
3        individual who is subject to confidentiality
4        obligations under federal, State, or local law.
5    (b) The obligations imposed on controllers or processors
6under this Act do not restrict a controller's or processor's
7ability to collect, use, or retain data to:
8        (1) effectuate a product recall or identify and repair
9    technical errors that impair existing or intended
10    functionality;
11        (2) perform internal operations that are reasonably
12    aligned with the expectations of the consumer based on the
13    consumer's existing relationship with the controller, or
14    are otherwise compatible with processing in furtherance of
15    the provision of a product or service specifically
16    requested by a consumer or the performance of a contract
17    to which the consumer is a party; or
18        (3) conduct internal research to develop, improve, or
19    repair products, services, or technology.
20    (c) The obligations imposed on controllers or processors
21under this Act do not apply if compliance by the controller or
22processor with this Act would violate an evidentiary privilege
23under Illinois law and do not prevent a controller or
24processor from providing personal data concerning a consumer
25to a person covered by an evidentiary privilege under Illinois
26law as part of a privileged communication.
1    (d) A controller or processor that discloses personal data
2to a third-party controller or processor in compliance with
3the requirements of this Act is not in violation of this Act if
4the recipient processes the personal data in violation of this
5Act, provided that at the time of disclosing the personal
6data, the disclosing controller or processor did not have
7actual knowledge that the recipient intended to commit a
8violation. A third-party controller or processor receiving
9personal data from a controller or processor in compliance
10with the requirements of this Act is not in violation of this
11Act for the obligations of the controller or processor from
12which the third-party controller or processor receives the
13personal data.
14    (e) Obligations imposed on controllers and processors
15under this Act shall not:
16        (1) adversely affect the rights or freedoms of any
17    persons, including exercising the right of free speech
18    pursuant to the First Amendment of the United States
19    Constitution; or
20        (2) apply to the processing of personal data by a
21    natural person in the course of a purely personal or
22    household activity.
23    (f) Personal data that are processed by a controller
24pursuant to this Section may be processed solely to the extent
25that the processing is:
26        (1) necessary, reasonable, and proportionate to the
1    purposes listed in this Section;
2        (2) adequate, relevant, and limited to what is
3    necessary in relation to the specific purpose or purposes
4    listed in this Section; and
5        (3) insofar as possible, taking into account the
6    nature and purpose of processing the personal data,
7    subjected to reasonable administrative, technical, and
8    physical measures to protect the confidentiality,
9    integrity, and accessibility of the personal data, and to
10    reduce reasonably foreseeable risks of harm to consumers.
11    (g) If a controller processes personal data pursuant to an
12exemption in this Section, the controller bears the burden of
13demonstrating that the processing qualifies for the exemption
14and complies with the requirements in subsection (f).
15    (h) Processing personal data solely for the purposes
16expressly identified in subsection (a), clauses (1) to (7),
17does not, by itself, make an entity a controller with respect
18to the processing.
 
19    Section 20. Enforcement.
20    (a) If a controller or processor violates this Act, the
21Attorney General or the State's Attorney of any county in this
22State, before filing an enforcement action under subsection
23(b), must provide the controller or processor with a warning
24letter identifying the specific provisions of this Act the
25Attorney General or State's Attorney alleges have been or are
1being violated. If, after 30 days of issuance of the warning
2letter, the Attorney General or State's Attorney believes the
3controller or processor has failed to cure any alleged
4violation, the Attorney General or State's Attorney may bring
5an enforcement action under subsection (b). This subsection
6becomes inoperative January 1, 2028.
7    (b) The Attorney General or the State's Attorney of any
8county in this State may bring an action in the name of the
9People of this State against any person to restrain and
10prevent any pattern or practice in violation of this Act.
11    (c) A violation of this Act constitutes an unlawful
12practice under the Consumer Fraud and Deceptive Business
13Practices Act. All remedies, penalties, and authority granted
14to the Attorney General or the State's Attorney by the
15Consumer Fraud and Deceptive Business Practices Act are
16available to the Attorney General or the State's Attorney for
17the enforcement of this Act.
18    (d) Any civil penalties collected from the enforcement of
19this Act shall be deposited into the Attorney General Court
20Ordered and Voluntary Compliance Payment Projects Fund if the
21Attorney General commenced the action or distributed to the
22county in which the State's Attorney commenced the action and
23deposited into a special fund in the county treasury and
24appropriated to the State's Attorney for use in accordance
25with law. Moneys in the Attorney General Court Ordered and
26Voluntary Compliance Payment Projects Fund shall be used,
1subject to appropriation, for the performance of any function
2pertaining to the exercise of the duties of the Attorney
3General, including, but not limited to, enforcement of any law
4of this State and conducting public education programs.
5However, any moneys in the Fund that are required by the court
6or by an agreement to be used for a particular purpose shall be
7used for that purpose.
8    (e) Beginning January 1, 2028, any person who suffers
9actual damage as a result of a violation of this Act may bring
10an action under Section 10a of the Consumer Fraud and
11Deceptive Business Practices Act.
12    (f) Nothing in this Act shall be construed to preempt the
13enforcement provisions in the Biometric Information Privacy
14Act or the Genetic Information Privacy Act.
 
15    Section 95. Home rule. A unit of local government,
16including a home rule unit, may not regulate consumer data
17privacy. This Section is a denial and limitation of home rule
18powers and functions under subsection (g) of Section 6 of
19Article VII of the Illinois Constitution.
 
20    Section 97. Severability. If any provision of this Act or
21its application to any person or circumstance is held invalid,
22the invalidity of that provision or application does not
23affect other provisions or applications of this Act that can
24be given effect without the invalid provision or application.
 
1    Section 900. The Freedom of Information Act is amended by
2changing Section 7.5 as follows:
 
3    (5 ILCS 140/7.5)
4    (Text of Section before amendment by P.A. 104-441 and
5104-457)
6    Sec. 7.5. Statutory exemptions. To the extent provided for
7by the statutes referenced below, the following shall be
8exempt from inspection and copying:
9        (a) All information determined to be confidential
10    under Section 4002 of the Technology Advancement and
11    Development Act.
12        (b) Library circulation and order records identifying
13    library users with specific materials under the Library
14    Records Confidentiality Act.
15        (c) Applications, related documents, and medical
16    records received by the Experimental Organ Transplantation
17    Procedures Board and any and all documents or other
18    records prepared by the Experimental Organ Transplantation
19    Procedures Board or its staff relating to applications it
20    has received.
21        (d) Information and records held by the Department of
22    Public Health and its authorized representatives relating
23    to known or suspected cases of sexually transmitted
24    infection or any information the disclosure of which is
1    restricted under the Illinois Sexually Transmitted
2    Infection Control Act.
3        (e) Information the disclosure of which is exempted
4    under Section 30 of the Radon Industry Licensing Act.
5        (f) Firm performance evaluations under Section 55 of
6    the Architectural, Engineering, and Land Surveying
7    Qualifications Based Selection Act.
8        (g) Information the disclosure of which is restricted
9    and exempted under Section 50 of the Illinois Prepaid
10    Tuition Act.
11        (h) Information the disclosure of which is exempted
12    under the State Officials and Employees Ethics Act, and
13    records of any lawfully created State or local inspector
14    general's office that would be exempt if created or
15    obtained by an Executive Inspector General's office under
16    that Act.
17        (i) Information contained in a local emergency energy
18    plan submitted to a municipality in accordance with a
19    local emergency energy plan ordinance that is adopted
20    under Section 11-21.5-5 of the Illinois Municipal Code.
21        (j) Information and data concerning the distribution
22    of surcharge moneys collected and remitted by carriers
23    under the Emergency Telephone System Act.
24        (k) Law enforcement officer identification information
25    or driver identification information compiled by a law
26    enforcement agency or the Department of Transportation
1    under Section 11-212 of the Illinois Vehicle Code.
2        (l) Records and information provided to a residential
3    health care facility resident sexual assault and death
4    review team or the Executive Council under the Abuse
5    Prevention Review Team Act.
6        (m) Information provided to the predatory lending
7    database created pursuant to Article 3 of the Residential
8    Real Property Disclosure Act, except to the extent
9    authorized under that Article.
10        (n) Defense budgets and petitions for certification of
11    compensation and expenses for court appointed trial
12    counsel as provided under Sections 10 and 15 of the
13    Capital Crimes Litigation Act (repealed). This subsection
14    (n) shall apply until the conclusion of the trial of the
15    case, even if the prosecution chooses not to pursue the
16    death penalty prior to trial or sentencing.
17        (o) Information that is prohibited from being
18    disclosed under Section 4 of the Illinois Health and
19    Hazardous Substances Registry Act.
20        (p) Security portions of system safety program plans,
21    investigation reports, surveys, schedules, lists, data, or
22    information compiled, collected, or prepared by or for the
23    Department of Transportation under Sections 2705-300 and
24    2705-616 of the Department of Transportation Law of the
25    Civil Administrative Code of Illinois, the Regional
26    Transportation Authority under Section 2.11 of the
1    Regional Transportation Authority Act, or the St. Clair
2    County Transit District under the Bi-State Transit Safety
3    Act (repealed).
4        (q) Information prohibited from being disclosed by the
5    Personnel Record Review Act.
6        (r) Information prohibited from being disclosed by the
7    Illinois School Student Records Act.
8        (s) Information the disclosure of which is restricted
9    under Section 5-108 of the Public Utilities Act.
10        (t) (Blank).
11        (u) Records and information provided to an independent
12    team of experts under the Developmental Disability and
13    Mental Health Safety Act (also known as Brian's Law).
14        (v) Names and information of people who have applied
15    for or received Firearm Owner's Identification Cards under
16    the Firearm Owners Identification Card Act or applied for
17    or received a concealed carry license under the Firearm
18    Concealed Carry Act, unless otherwise authorized by the
19    Firearm Concealed Carry Act; and databases under the
20    Firearm Concealed Carry Act, records of the Concealed
21    Carry Licensing Review Board under the Firearm Concealed
22    Carry Act, and law enforcement agency objections under the
23    Firearm Concealed Carry Act.
24        (v-5) Records of the Firearm Owner's Identification
25    Card Review Board that are exempted from disclosure under
26    Section 10 of the Firearm Owners Identification Card Act.
1        (w) Personally identifiable information which is
2    exempted from disclosure under subsection (g) of Section
3    19.1 of the Toll Highway Act.
4        (x) Information which is exempted from disclosure
5    under Section 5-1014.3 of the Counties Code or Section
6    8-11-21 of the Illinois Municipal Code.
7        (y) Confidential information under the Adult
8    Protective Services Act and its predecessor enabling
9    statute, the Elder Abuse and Neglect Act, including
10    information about the identity and administrative finding
11    against any caregiver of a verified and substantiated
12    decision of abuse, neglect, or financial exploitation of
13    an eligible adult maintained in the Registry established
14    under Section 7.5 of the Adult Protective Services Act.
15        (z) Records and information provided to a fatality
16    review team or the Illinois Fatality Review Team Advisory
17    Council under Section 15 of the Adult Protective Services
18    Act.
19        (aa) Information which is exempted from disclosure
20    under Section 2.37 of the Wildlife Code.
21        (bb) Information which is or was prohibited from
22    disclosure by the Juvenile Court Act of 1987.
23        (cc) Recordings made under the Law Enforcement
24    Officer-Worn Body Camera Act, except to the extent
25    authorized under that Act.
26        (dd) Information that is prohibited from being
1    disclosed under Section 45 of the Condominium and Common
2    Interest Community Ombudsperson Act.
3        (ee) Information that is exempted from disclosure
4    under Section 30.1 of the Pharmacy Practice Act.
5        (ff) Information that is exempted from disclosure
6    under the Revised Uniform Unclaimed Property Act.
7        (gg) Information that is prohibited from being
8    disclosed under Section 7-603.5 of the Illinois Vehicle
9    Code.
10        (hh) Records that are exempt from disclosure under
11    Section 1A-16.7 of the Election Code.
12        (ii) Information which is exempted from disclosure
13    under Section 2505-800 of the Department of Revenue Law of
14    the Civil Administrative Code of Illinois.
15        (jj) Information and reports that are required to be
16    submitted to the Department of Labor by registering day
17    and temporary labor service agencies but are exempt from
18    disclosure under subsection (a-1) of Section 45 of the Day
19    and Temporary Labor Services Act.
20        (kk) Information prohibited from disclosure under the
21    Seizure and Forfeiture Reporting Act.
22        (ll) Information the disclosure of which is restricted
23    and exempted under Section 5-30.8 of the Illinois Public
24    Aid Code.
25        (mm) Records that are exempt from disclosure under
26    Section 4.2 of the Crime Victims Compensation Act.
1        (nn) Information that is exempt from disclosure under
2    Section 70 of the Higher Education Student Assistance Act.
3        (oo) Communications, notes, records, and reports
4    arising out of a peer support counseling session
5    prohibited from disclosure under the First Responders
6    Suicide Prevention Act.
7        (pp) Names and all identifying information relating to
8    an employee of an emergency services provider or law
9    enforcement agency under the First Responders Suicide
10    Prevention Act.
11        (qq) Information and records held by the Department of
12    Public Health and its authorized representatives collected
13    under the Reproductive Health Act.
14        (rr) Information that is exempt from disclosure under
15    the Cannabis Regulation and Tax Act.
16        (ss) Data reported by an employer to the Department of
17    Human Rights pursuant to Section 2-108 of the Illinois
18    Human Rights Act.
19        (tt) Recordings made under the Children's Advocacy
20    Center Act, except to the extent authorized under that
21    Act.
22        (uu) Information that is exempt from disclosure under
23    Section 50 of the Sexual Assault Evidence Submission Act.
24        (vv) Information that is exempt from disclosure under
25    subsections (f) and (j) of Section 5-36 of the Illinois
26    Public Aid Code.
1        (ww) Information that is exempt from disclosure under
2    Section 16.8 of the State Treasurer Act.
3        (xx) Information that is exempt from disclosure or
4    information that shall not be made public under the
5    Illinois Insurance Code.
6        (yy) Information prohibited from being disclosed under
7    the Illinois Educational Labor Relations Act.
8        (zz) Information prohibited from being disclosed under
9    the Illinois Public Labor Relations Act.
10        (aaa) Information prohibited from being disclosed
11    under Section 1-167 of the Illinois Pension Code.
12        (bbb) Information that is prohibited from disclosure
13    by the Illinois Police Training Act and the Illinois State
14    Police Act.
15        (ccc) Records exempt from disclosure under Section
16    2605-304 of the Illinois State Police Law of the Civil
17    Administrative Code of Illinois.
18        (ddd) Information prohibited from being disclosed
19    under Section 35 of the Address Confidentiality for
20    Victims of Domestic Violence, Sexual Assault, Human
21    Trafficking, or Stalking Act.
22        (eee) Information prohibited from being disclosed
23    under subsection (b) of Section 75 of the Domestic
24    Violence Fatality Review Act.
25        (fff) Images from cameras under the Expressway Camera
26    Act and all automated license plate reader (ALPR)
1    information used and collected by the Illinois State
2    Police. "ALPR information" means information gathered by
3    an ALPR or created from the analysis of data generated by
4    an ALPR. This subsection (fff) is inoperative on and after
5    July 1, 2028.
6        (ggg) Information prohibited from disclosure under
7    paragraph (3) of subsection (a) of Section 14 of the Nurse
8    Agency Licensing Act.
9        (hhh) Information submitted to the Illinois State
10    Police in an affidavit or application for an assault
11    weapon endorsement, assault weapon attachment endorsement,
12    .50 caliber rifle endorsement, or .50 caliber cartridge
13    endorsement under the Firearm Owners Identification Card
14    Act.
15        (iii) Data exempt from disclosure under Section 50 of
16    the School Safety Drill Act.
17        (jjj) Information exempt from disclosure under Section
18    30 of the Insurance Data Security Law.
19        (kkk) Confidential business information prohibited
20    from disclosure under Section 45 of the Paint Stewardship
21    Act.
22        (lll) Data exempt from disclosure under Section
23    2-3.196 of the School Code.
24        (mmm) Information prohibited from being disclosed
25    under subsection (e) of Section 1-129 of the Illinois
26    Power Agency Act.
1        (nnn) Materials received by the Department of Commerce
2    and Economic Opportunity that are confidential under the
3    Music and Musicians Tax Credit and Jobs Act.
4        (ooo) Data or information provided pursuant to Section
5    20 of the Statewide Recycling Needs and Assessment Act.
6        (ppp) Information that is exempt from disclosure under
7    Section 28-11 of the Lawful Health Care Activity Act.
8        (qqq) Information that is exempt from disclosure under
9    Section 7-101 of the Illinois Human Rights Act.
10        (rrr) Information prohibited from being disclosed
11    under Section 4-2 of the Uniform Money Transmission
12    Modernization Act.
13        (sss) Information exempt from disclosure under Section
14    40 of the Student-Athlete Endorsement Rights Act.
15        (ttt) Audio recordings made under Section 30 of the
16    Illinois State Police Act, except to the extent authorized
17    under that Section.
18        (uuu) Information prohibited from being disclosed
19    under Section 30-5 of the Digital Assets Regulation Act.
20        (www) Data privacy and protection assessments made
21    available to the Attorney General under Section 18 of the
22    Illinois Consumer Data Privacy Act.    
23(Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
24103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
258-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
26eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
1103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
28-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
3eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
4104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised
59-10-25.)
 
6    (Text of Section after amendment by P.A. 104-457 but
7before 104-441)
8    Sec. 7.5. Statutory exemptions. To the extent provided for
9by the statutes referenced below, the following shall be
10exempt from inspection and copying:
11        (a) All information determined to be confidential
12    under Section 4002 of the Technology Advancement and
13    Development Act.
14        (b) Library circulation and order records identifying
15    library users with specific materials under the Library
16    Records Confidentiality Act.
17        (c) Applications, related documents, and medical
18    records received by the Experimental Organ Transplantation
19    Procedures Board and any and all documents or other
20    records prepared by the Experimental Organ Transplantation
21    Procedures Board or its staff relating to applications it
22    has received.
23        (d) Information and records held by the Department of
24    Public Health and its authorized representatives relating
25    to known or suspected cases of sexually transmitted
1    infection or any information the disclosure of which is
2    restricted under the Illinois Sexually Transmitted
3    Infection Control Act.
4        (e) Information the disclosure of which is exempted
5    under Section 30 of the Radon Industry Licensing Act.
6        (f) Firm performance evaluations under Section 55 of
7    the Architectural, Engineering, and Land Surveying
8    Qualifications Based Selection Act.
9        (g) Information the disclosure of which is restricted
10    and exempted under Section 50 of the Illinois Prepaid
11    Tuition Act.
12        (h) Information the disclosure of which is exempted
13    under the State Officials and Employees Ethics Act, and
14    records of any lawfully created State or local inspector
15    general's office that would be exempt if created or
16    obtained by an Executive Inspector General's office under
17    that Act.
18        (i) Information contained in a local emergency energy
19    plan submitted to a municipality in accordance with a
20    local emergency energy plan ordinance that is adopted
21    under Section 11-21.5-5 of the Illinois Municipal Code.
22        (j) Information and data concerning the distribution
23    of surcharge moneys collected and remitted by carriers
24    under the Emergency Telephone System Act.
25        (k) Law enforcement officer identification information
26    or driver identification information compiled by a law
1    enforcement agency or the Department of Transportation
2    under Section 11-212 of the Illinois Vehicle Code.
3        (l) Records and information provided to a residential
4    health care facility resident sexual assault and death
5    review team or the Executive Council under the Abuse
6    Prevention Review Team Act.
7        (m) Information provided to the predatory lending
8    database created pursuant to Article 3 of the Residential
9    Real Property Disclosure Act, except to the extent
10    authorized under that Article.
11        (n) Defense budgets and petitions for certification of
12    compensation and expenses for court appointed trial
13    counsel as provided under Sections 10 and 15 of the
14    Capital Crimes Litigation Act (repealed). This subsection
15    (n) shall apply until the conclusion of the trial of the
16    case, even if the prosecution chooses not to pursue the
17    death penalty prior to trial or sentencing.
18        (o) Information that is prohibited from being
19    disclosed under Section 4 of the Illinois Health and
20    Hazardous Substances Registry Act.
21        (p) Security portions of system safety program plans,
22    investigation reports, surveys, schedules, lists, data, or
23    information compiled, collected, or prepared by or for the
24    Department of Transportation under Sections 2705-300 and
25    2705-616 of the Department of Transportation Law of the
26    Civil Administrative Code of Illinois, the Northern
1    Illinois Transit Authority under Section 2.11 of the
2    Northern Illinois Transit Authority Act, or the St. Clair
3    County Transit District under the Bi-State Transit Safety
4    Act (repealed).
5        (q) Information prohibited from being disclosed by the
6    Personnel Record Review Act.
7        (r) Information prohibited from being disclosed by the
8    Illinois School Student Records Act.
9        (s) Information the disclosure of which is restricted
10    under Section 5-108 of the Public Utilities Act.
11        (t) (Blank).
12        (u) Records and information provided to an independent
13    team of experts under the Developmental Disability and
14    Mental Health Safety Act (also known as Brian's Law).
15        (v) Names and information of people who have applied
16    for or received Firearm Owner's Identification Cards under
17    the Firearm Owners Identification Card Act or applied for
18    or received a concealed carry license under the Firearm
19    Concealed Carry Act, unless otherwise authorized by the
20    Firearm Concealed Carry Act; and databases under the
21    Firearm Concealed Carry Act, records of the Concealed
22    Carry Licensing Review Board under the Firearm Concealed
23    Carry Act, and law enforcement agency objections under the
24    Firearm Concealed Carry Act.
25        (v-5) Records of the Firearm Owner's Identification
26    Card Review Board that are exempted from disclosure under
1    Section 10 of the Firearm Owners Identification Card Act.
2        (w) Personally identifiable information which is
3    exempted from disclosure under subsection (g) of Section
4    19.1 of the Toll Highway Act.
5        (x) Information which is exempted from disclosure
6    under Section 5-1014.3 of the Counties Code or Section
7    8-11-21 of the Illinois Municipal Code.
8        (y) Confidential information under the Adult
9    Protective Services Act and its predecessor enabling
10    statute, the Elder Abuse and Neglect Act, including
11    information about the identity and administrative finding
12    against any caregiver of a verified and substantiated
13    decision of abuse, neglect, or financial exploitation of
14    an eligible adult maintained in the Registry established
15    under Section 7.5 of the Adult Protective Services Act.
16        (z) Records and information provided to a fatality
17    review team or the Illinois Fatality Review Team Advisory
18    Council under Section 15 of the Adult Protective Services
19    Act.
20        (aa) Information which is exempted from disclosure
21    under Section 2.37 of the Wildlife Code.
22        (bb) Information which is or was prohibited from
23    disclosure by the Juvenile Court Act of 1987.
24        (cc) Recordings made under the Law Enforcement
25    Officer-Worn Body Camera Act, except to the extent
26    authorized under that Act.
1        (dd) Information that is prohibited from being
2    disclosed under Section 45 of the Condominium and Common
3    Interest Community Ombudsperson Act.
4        (ee) Information that is exempted from disclosure
5    under Section 30.1 of the Pharmacy Practice Act.
6        (ff) Information that is exempted from disclosure
7    under the Revised Uniform Unclaimed Property Act.
8        (gg) Information that is prohibited from being
9    disclosed under Section 7-603.5 of the Illinois Vehicle
10    Code.
11        (hh) Records that are exempt from disclosure under
12    Section 1A-16.7 of the Election Code.
13        (ii) Information which is exempted from disclosure
14    under Section 2505-800 of the Department of Revenue Law of
15    the Civil Administrative Code of Illinois.
16        (jj) Information and reports that are required to be
17    submitted to the Department of Labor by registering day
18    and temporary labor service agencies but are exempt from
19    disclosure under subsection (a-1) of Section 45 of the Day
20    and Temporary Labor Services Act.
21        (kk) Information prohibited from disclosure under the
22    Seizure and Forfeiture Reporting Act.
23        (ll) Information the disclosure of which is restricted
24    and exempted under Section 5-30.8 of the Illinois Public
25    Aid Code.
26        (mm) Records that are exempt from disclosure under
1    Section 4.2 of the Crime Victims Compensation Act.
2        (nn) Information that is exempt from disclosure under
3    Section 70 of the Higher Education Student Assistance Act.
4        (oo) Communications, notes, records, and reports
5    arising out of a peer support counseling session
6    prohibited from disclosure under the First Responders
7    Suicide Prevention Act.
8        (pp) Names and all identifying information relating to
9    an employee of an emergency services provider or law
10    enforcement agency under the First Responders Suicide
11    Prevention Act.
12        (qq) Information and records held by the Department of
13    Public Health and its authorized representatives collected
14    under the Reproductive Health Act.
15        (rr) Information that is exempt from disclosure under
16    the Cannabis Regulation and Tax Act.
17        (ss) Data reported by an employer to the Department of
18    Human Rights pursuant to Section 2-108 of the Illinois
19    Human Rights Act.
20        (tt) Recordings made under the Children's Advocacy
21    Center Act, except to the extent authorized under that
22    Act.
23        (uu) Information that is exempt from disclosure under
24    Section 50 of the Sexual Assault Evidence Submission Act.
25        (vv) Information that is exempt from disclosure under
26    subsections (f) and (j) of Section 5-36 of the Illinois

 

 

1    Public Aid Code.
2        (ww) Information that is exempt from disclosure under
3    Section 16.8 of the State Treasurer Act.
4        (xx) Information that is exempt from disclosure or
5    information that shall not be made public under the
6    Illinois Insurance Code.
7        (yy) Information prohibited from being disclosed under
8    the Illinois Educational Labor Relations Act.
9        (zz) Information prohibited from being disclosed under
10    the Illinois Public Labor Relations Act.
11        (aaa) Information prohibited from being disclosed
12    under Section 1-167 of the Illinois Pension Code.
13        (bbb) Information that is prohibited from disclosure
14    by the Illinois Police Training Act and the Illinois State
15    Police Act.
16        (ccc) Records exempt from disclosure under Section
17    2605-304 of the Illinois State Police Law of the Civil
18    Administrative Code of Illinois.
19        (ddd) Information prohibited from being disclosed
20    under Section 35 of the Address Confidentiality for
21    Victims of Domestic Violence, Sexual Assault, Human
22    Trafficking, or Stalking Act.
23        (eee) Information prohibited from being disclosed
24    under subsection (b) of Section 75 of the Domestic
25    Violence Fatality Review Act.
26        (fff) Images from cameras under the Expressway Camera

 

 

1    Act and all automated license plate reader (ALPR)
2    information used and collected by the Illinois State
3    Police. "ALPR information" means information gathered by
4    an ALPR or created from the analysis of data generated by
5    an ALPR. This subsection (fff) is inoperative on and after
6    July 1, 2028.
7        (ggg) Information prohibited from disclosure under
8    paragraph (3) of subsection (a) of Section 14 of the Nurse
9    Agency Licensing Act.
10        (hhh) Information submitted to the Illinois State
11    Police in an affidavit or application for an assault
12    weapon endorsement, assault weapon attachment endorsement,
13    .50 caliber rifle endorsement, or .50 caliber cartridge
14    endorsement under the Firearm Owners Identification Card
15    Act.
16        (iii) Data exempt from disclosure under Section 50 of
17    the School Safety Drill Act.
18        (jjj) Information exempt from disclosure under Section
19    30 of the Insurance Data Security Law.
20        (kkk) Confidential business information prohibited
21    from disclosure under Section 45 of the Paint Stewardship
22    Act.
23        (lll) Data exempt from disclosure under Section
24    2-3.196 of the School Code.
25        (mmm) Information prohibited from being disclosed
26    under subsection (e) of Section 1-129 of the Illinois

 

 

1    Power Agency Act.
2        (nnn) Materials received by the Department of Commerce
3    and Economic Opportunity that are confidential under the
4    Music and Musicians Tax Credit and Jobs Act.
5        (ooo) Data or information provided pursuant to Section
6    20 of the Statewide Recycling Needs and Assessment Act.
7        (ppp) Information that is exempt from disclosure under
8    Section 28-11 of the Lawful Health Care Activity Act.
9        (qqq) Information that is exempt from disclosure under
10    Section 7-101 of the Illinois Human Rights Act.
11        (rrr) Information prohibited from being disclosed
12    under Section 4-2 of the Uniform Money Transmission
13    Modernization Act.
14        (sss) Information exempt from disclosure under Section
15    40 of the Student-Athlete Endorsement Rights Act.
16        (ttt) Audio recordings made under Section 30 of the
17    Illinois State Police Act, except to the extent authorized
18    under that Section.
19        (uuu) Information prohibited from being disclosed
20    under Section 30-5 of the Digital Assets Regulation Act.
21        (www) Data privacy and protection assessments made
22    available to the Attorney General under Section 18 of the
23    Illinois Consumer Data Privacy Act.    
24 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
25 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
26 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

 

 

1 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
2 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
3 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
4 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
5 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.
6 6-1-26; revised 1-7-26.)
 
7    (Text of Section after amendment by P.A. 104-441)
8    Sec. 7.5. Statutory exemptions. To the extent provided for
9 by the statutes referenced below, the following shall be
10 exempt from inspection and copying:
11        (a) All information determined to be confidential
12    under Section 4002 of the Technology Advancement and
13    Development Act.
14        (b) Library circulation and order records identifying
15    library users with specific materials under the Library
16    Records Confidentiality Act.
17        (c) Applications, related documents, and medical
18    records received by the Experimental Organ Transplantation
19    Procedures Board and any and all documents or other
20    records prepared by the Experimental Organ Transplantation
21    Procedures Board or its staff relating to applications it
22    has received.
23        (d) Information and records held by the Department of
24    Public Health and its authorized representatives relating
25    to known or suspected cases of sexually transmitted

 

 

1    infection or any information the disclosure of which is
2    restricted under the Illinois Sexually Transmitted
3    Infection Control Act.
4        (e) Information the disclosure of which is exempted
5    under Section 30 of the Radon Industry Licensing Act.
6        (f) Firm performance evaluations under Section 55 of
7    the Architectural, Engineering, and Land Surveying
8    Qualifications Based Selection Act.
9        (g) Information the disclosure of which is restricted
10    and exempted under Section 50 of the Illinois Prepaid
11    Tuition Act.
12        (h) Information the disclosure of which is exempted
13    under the State Officials and Employees Ethics Act, and
14    records of any lawfully created State or local inspector
15    general's office that would be exempt if created or
16    obtained by an Executive Inspector General's office under
17    that Act.
18        (i) Information contained in a local emergency energy
19    plan submitted to a municipality in accordance with a
20    local emergency energy plan ordinance that is adopted
21    under Section 11-21.5-5 of the Illinois Municipal Code.
22        (j) Information and data concerning the distribution
23    of surcharge moneys collected and remitted by carriers
24    under the Emergency Telephone System Act.
25        (k) Law enforcement officer identification information
26    or driver identification information compiled by a law

 

 

1    enforcement agency or the Department of Transportation
2    under Section 11-212 of the Illinois Vehicle Code.
3        (l) Records and information provided to a residential
4    health care facility resident sexual assault and death
5    review team or the Executive Council under the Abuse
6    Prevention Review Team Act.
7        (m) Information provided to the predatory lending
8    database created pursuant to Article 3 of the Residential
9    Real Property Disclosure Act, except to the extent
10    authorized under that Article.
11        (n) Defense budgets and petitions for certification of
12    compensation and expenses for court appointed trial
13    counsel as provided under Sections 10 and 15 of the
14    Capital Crimes Litigation Act (repealed). This subsection
15    (n) shall apply until the conclusion of the trial of the
16    case, even if the prosecution chooses not to pursue the
17    death penalty prior to trial or sentencing.
18        (o) Information that is prohibited from being
19    disclosed under Section 4 of the Illinois Health and
20    Hazardous Substances Registry Act.
21        (p) Security portions of system safety program plans,
22    investigation reports, surveys, schedules, lists, data, or
23    information compiled, collected, or prepared by or for the
24    Department of Transportation under Sections 2705-300 and
25    2705-616 of the Department of Transportation Law of the
26    Civil Administrative Code of Illinois, the Northern

 

 

1    Illinois Transit Authority under Section 2.11 of the
2    Northern Illinois Transit Authority Act, or the St. Clair
3    County Transit District under the Bi-State Transit Safety
4    Act (repealed).
5        (q) Information prohibited from being disclosed by the
6    Personnel Record Review Act.
7        (r) Information prohibited from being disclosed by the
8    Illinois School Student Records Act.
9        (s) Information the disclosure of which is restricted
10    under Section 5-108 of the Public Utilities Act.
11        (t) (Blank).
12        (u) Records and information provided to an independent
13    team of experts under the Developmental Disability and
14    Mental Health Safety Act (also known as Brian's Law).
15        (v) Names and information of people who have applied
16    for or received Firearm Owner's Identification Cards under
17    the Firearm Owners Identification Card Act or applied for
18    or received a concealed carry license under the Firearm
19    Concealed Carry Act, unless otherwise authorized by the
20    Firearm Concealed Carry Act; and databases under the
21    Firearm Concealed Carry Act, records of the Concealed
22    Carry Licensing Review Board under the Firearm Concealed
23    Carry Act, and law enforcement agency objections under the
24    Firearm Concealed Carry Act.
25        (v-5) Records of the Firearm Owner's Identification
26    Card Review Board that are exempted from disclosure under

 

 

1    Section 10 of the Firearm Owners Identification Card Act.
2        (w) Personally identifiable information which is
3    exempted from disclosure under subsection (g) of Section
4    19.1 of the Toll Highway Act.
5        (x) Information which is exempted from disclosure
6    under Section 5-1014.3 of the Counties Code or Section
7    8-11-21 of the Illinois Municipal Code.
8        (y) Confidential information under the Adult
9    Protective Services Act and its predecessor enabling
10    statute, the Elder Abuse and Neglect Act, including
11    information about the identity and administrative finding
12    against any caregiver of a verified and substantiated
13    decision of abuse, neglect, or financial exploitation of
14    an eligible adult maintained in the Registry established
15    under Section 7.5 of the Adult Protective Services Act.
16        (z) Records and information provided to a fatality
17    review team or the Illinois Fatality Review Team Advisory
18    Council under Section 15 of the Adult Protective Services
19    Act.
20        (aa) Information which is exempted from disclosure
21    under Section 2.37 of the Wildlife Code.
22        (bb) Information which is or was prohibited from
23    disclosure by the Juvenile Court Act of 1987.
24        (cc) Recordings made under the Law Enforcement
25    Officer-Worn Body Camera Act, except to the extent
26    authorized under that Act.

 

 

1        (dd) Information that is prohibited from being
2    disclosed under Section 45 of the Condominium and Common
3    Interest Community Ombudsperson Act.
4        (ee) Information that is exempted from disclosure
5    under Section 30.1 of the Pharmacy Practice Act.
6        (ff) Information that is exempted from disclosure
7    under the Revised Uniform Unclaimed Property Act.
8        (gg) Information that is prohibited from being
9    disclosed under Section 7-603.5 of the Illinois Vehicle
10    Code.
11        (hh) Records that are exempt from disclosure under
12    Section 1A-16.7 of the Election Code.
13        (ii) Information which is exempted from disclosure
14    under Section 2505-800 of the Department of Revenue Law of
15    the Civil Administrative Code of Illinois.
16        (jj) Information and reports that are required to be
17    submitted to the Department of Labor by registering day
18    and temporary labor service agencies but are exempt from
19    disclosure under subsection (a-1) of Section 45 of the Day
20    and Temporary Labor Services Act.
21        (kk) Information prohibited from disclosure under the
22    Seizure and Forfeiture Reporting Act.
23        (ll) Information the disclosure of which is restricted
24    and exempted under Section 5-30.8 of the Illinois Public
25    Aid Code.
26        (mm) Records that are exempt from disclosure under

 

 

1    Section 4.2 of the Crime Victims Compensation Act.
2        (nn) Information that is exempt from disclosure under
3    Section 70 of the Higher Education Student Assistance Act.
4        (oo) Communications, notes, records, and reports
5    arising out of a peer support counseling session
6    prohibited from disclosure under the First Responders
7    Suicide Prevention Act.
8        (pp) Names and all identifying information relating to
9    an employee of an emergency services provider or law
10    enforcement agency under the First Responders Suicide
11    Prevention Act.
12        (qq) Information and records held by the Department of
13    Public Health and its authorized representatives collected
14    under the Reproductive Health Act.
15        (rr) Information that is exempt from disclosure under
16    the Cannabis Regulation and Tax Act.
17        (ss) Data reported by an employer to the Department of
18    Human Rights pursuant to Section 2-108 of the Illinois
19    Human Rights Act.
20        (tt) Recordings made under the Children's Advocacy
21    Center Act, except to the extent authorized under that
22    Act.
23        (uu) Information that is exempt from disclosure under
24    Section 50 of the Sexual Assault Evidence Submission Act.
25        (vv) Information that is exempt from disclosure under
26    subsections (f) and (j) of Section 5-36 of the Illinois

 

 

1    Public Aid Code.
2        (ww) Information that is exempt from disclosure under
3    Section 16.8 of the State Treasurer Act.
4        (xx) Information that is exempt from disclosure or
5    information that shall not be made public under the
6    Illinois Insurance Code.
7        (yy) Information prohibited from being disclosed under
8    the Illinois Educational Labor Relations Act.
9        (zz) Information prohibited from being disclosed under
10    the Illinois Public Labor Relations Act.
11        (aaa) Information prohibited from being disclosed
12    under Section 1-167 of the Illinois Pension Code.
13        (bbb) Information that is prohibited from disclosure
14    by the Illinois Police Training Act and the Illinois State
15    Police Act.
16        (ccc) Records exempt from disclosure under Section
17    2605-304 of the Illinois State Police Law of the Civil
18    Administrative Code of Illinois.
19        (ddd) Information prohibited from being disclosed
20    under Section 35 of the Address Confidentiality for
21    Victims of Domestic Violence, Sexual Assault, Human
22    Trafficking, or Stalking Act.
23        (eee) Information prohibited from being disclosed
24    under subsection (b) of Section 75 of the Domestic
25    Violence Fatality Review Act.
26        (fff) Images from cameras under the Expressway Camera

 

 

1    Act and all automated license plate reader (ALPR)
2    information used and collected by the Illinois State
3    Police. "ALPR information" means information gathered by
4    an ALPR or created from the analysis of data generated by
5    an ALPR. This subsection (fff) is inoperative on and after
6    July 1, 2028.
7        (ggg) Information prohibited from disclosure under
8    paragraph (3) of subsection (a) of Section 14 of the Nurse
9    Agency Licensing Act.
10        (hhh) Information submitted to the Illinois State
11    Police in an affidavit or application for an assault
12    weapon endorsement, assault weapon attachment endorsement,
13    .50 caliber rifle endorsement, or .50 caliber cartridge
14    endorsement under the Firearm Owners Identification Card
15    Act.
16        (iii) Data exempt from disclosure under Section 50 of
17    the School Safety Drill Act.
18        (jjj) Information exempt from disclosure under Section
19    30 of the Insurance Data Security Law.
20        (kkk) Confidential business information prohibited
21    from disclosure under Section 45 of the Paint Stewardship
22    Act.
23        (lll) Data exempt from disclosure under Section
24    2-3.196 of the School Code.
25        (mmm) Information prohibited from being disclosed
26    under subsection (e) of Section 1-129 of the Illinois

 

 

1    Power Agency Act.
2        (nnn) Materials received by the Department of Commerce
3    and Economic Opportunity that are confidential under the
4    Music and Musicians Tax Credit and Jobs Act.
5        (ooo) Data or information provided pursuant to Section
6    20 of the Statewide Recycling Needs and Assessment Act.
7        (ppp) Information that is exempt from disclosure under
8    Section 28-11 of the Lawful Health Care Activity Act.
9        (qqq) Information that is exempt from disclosure under
10    Section 7-101 of the Illinois Human Rights Act.
11        (rrr) Information prohibited from being disclosed
12    under Section 4-2 of the Uniform Money Transmission
13    Modernization Act.
14        (sss) Information exempt from disclosure under Section
15    40 of the Student-Athlete Endorsement Rights Act.
16        (ttt) Audio recordings made under Section 30 of the
17    Illinois State Police Act, except to the extent authorized
18    under that Section.
19        (uuu) Information prohibited from being disclosed
20    under Section 30-5 of the Digital Assets Regulation Act.
21        (vvv) (uuu) Information exempt from disclosure under
22    Section 70 of the End-of-Life Options for Terminally Ill
23    Patients Act.
24        (www) Data privacy and protection assessments made
25    available to the Attorney General under Section 18 of the
26    Illinois Consumer Data Privacy Act.    

 

 

1 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;
2 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.
3 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,
4 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;
5 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.
6 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,
7 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;
8 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.
9 9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)
 
10    Section 905. The Consumer Fraud and Deceptive Business
11 Practices Act is amended by adding Section 2MMMM as follows:

12    (815 ILCS 505/2MMMM new)
13    Sec. 2MMMM. Violations of the Illinois Consumer Data
14 Privacy Act.
15    (a) Any person who violates the Illinois Consumer Data
16 Privacy Act commits an unlawful practice within the meaning of
17 this Act.
18    (b) The provisions of Section 10a do not apply to a
19 violation of this Section.

20    Section 995. No acceleration or delay. Where this Act
21 makes changes in a statute that is represented in this Act by
22 text that is not yet or no longer in effect (for example, a
23 Section represented by multiple versions), the use of that

 

 

1 text does not accelerate or delay the taking effect of (i) the
2 changes made by this Act or (ii) provisions derived from any
3 other Public Act.
 
4    Section 999. Effective date. This Act takes effect January
5 1, 2027.