Sen. Laura M. Murphy

Filed: 5/11/2026

10400SB0340sam001

LRB104 06459 JRC 37578 a

1 AMENDMENT TO SENATE BILL 340

2 AMENDMENT NO. ______. Amend Senate Bill 340 by replacing

3 everything after the enacting clause with the following:

4 "Section 10. Short title. This Act may be cited as the

5 Illinois Consumer Data Privacy Act.

6 Section 11. Definitions. As used in this Act:

7 "Affiliate" means a legal entity that controls, is

8 controlled by, or is under common control with another legal

9 entity. As used in this definition, "control" or "controlled"

10 means: ownership of or the power to vote more than 50% of the

11 outstanding shares of any class of voting security of a

12 company; control in any manner over the election of a majority

13 of the directors or of individuals exercising similar

14 functions; or the power to exercise a controlling influence

15 over the management of a company.

16 "Authenticate" means to use reasonable means to determine

10400SB0340sam001

- 2 -

LRB104 06459 JRC 37578 a

1 that a request to exercise any of the rights under subsection

2 (b) of Section 14 is being made by or rightfully on behalf of

3 the consumer who is entitled to exercise the rights with

4 respect to the personal data at issue.

5 "Biometric identifier" has the same meaning given to that

6 term in the Biometric Information Privacy Act.

7 "Biometric information" has the same meaning given to that

8 term in the Biometric Information Privacy Act.

9 "Child" has the meaning given in United States Code, Title

10 15, Section 6501.

11 "Collect" means to buy, rent, obtain, lease, access,

12 receive, or otherwise acquire personal data in any manner.

13 "Consent" means any freely given, specific, informed, and

14 unambiguous indication of the consumer's wishes by which the

15 consumer signifies agreement to the processing of personal

16 data relating to the consumer. Acceptance of general or broad

17 terms of use or similar document that contains descriptions of

18 personal data processing along with other, unrelated

19 information does not constitute consent. Hovering over,

20 muting, pausing, or closing a given piece of content does not

21 constitute consent. A consent is not valid when the consumer's

22 indication has been obtained by a dark pattern. A consumer may

23 revoke consent previously given consistent with this Act.

24 "Consumer" means a natural person who is an Illinois

25 resident acting only in an individual or household context.

26 Consumer does not include a natural person acting in a

10400SB0340sam001

- 3 -

LRB104 06459 JRC 37578 a

1 commercial or employment context.

2 "Controller" means the natural or legal person who, alone

3 or jointly with others, determines the purposes and means of

4 the processing of personal data.

5 "Decisions that produce legal or similarly significant

6 effects concerning the consumer" means decisions made by the

7 controller that result in the provision or denial by the

8 controller of financial or lending services, housing,

9 insurance, education enrollment or opportunity, criminal

10 justice, employment opportunities, health care services, or

11 access to essential goods or services.

12 "Dark pattern" means a user interface designed or

13 manipulated with the substantial effect of subverting or

14 impairing user autonomy, decision making, or choice.

15 "Deidentified data" means data that cannot reasonably be

16 used to infer information about or otherwise be linked to an

17 identified or identifiable natural person or a device linked

18 to an identified or identifiable natural person, provided that

19 the controller that possesses the data:

20 (1) takes reasonable measures to ensure that the data

21 cannot be associated with a natural person;

22 (2) publicly commits to process the data only in a

23 deidentified fashion and not attempt to reidentify the

24 data; and

25 (3) contractually obligates any recipients of the

26 information to comply with all provisions of this

10400SB0340sam001

- 4 -

LRB104 06459 JRC 37578 a

1 definition.

2 "Delete" means to remove or destroy information so that it

3 is not maintained in human- or machine-readable form and

4 cannot be retrieved or used in the ordinary course of

5 business.

6 "Genetic information" has the meaning ascribed to the term

7 under the Health Insurance Portability and Accountability Act

8 of 1996 as specified in 45 CFR 160.103.

9 "Identified or identifiable natural person" means a person

10 who can be readily identified, directly or indirectly.

11 "Known child" means a person under circumstances in which

12 a controller has actual knowledge of, or willfully disregards,

13 that the person is under 13 years of age.

14 "Personal data" means any information that is linked or

15 reasonably linkable to an identified or identifiable natural

16 person. Personal data does not include deidentified data,

17 pseudonymous data, or publicly available information. As used

18 in this definition, "publicly available information" means

19 information that (1) is lawfully made available from federal,

20 state, or local government records; or (2) a controller has a

21 reasonable basis to believe has lawfully been made available

22 to the general public.

23 "Process" or "processing" means any operation or set of

24 operations that are performed on personal data or on sets of

25 personal data, whether or not by automated means, including,

26 but not limited to, the collection, use, storage, disclosure,

10400SB0340sam001

- 5 -

LRB104 06459 JRC 37578 a

1 analysis, deletion, monetization, sharing, retention,

2 organizing, structuring, licensing, or modification of

3 personal data.

4 "Processor" means a natural or legal person who processes

5 personal data on behalf of a controller.

6 "Profiling" means any form of automated processing of

7 personal data to evaluate, analyze, or predict personal

8 aspects related to an identified or identifiable natural

9 person's economic situation, health, personal preferences,

10 interests, reliability, behavior, location, or movements.

11 Profiling does not include automated processing used solely

12 for independent measurement.

13 "Pseudonymous data" means personal data that cannot be

14 attributed to a specific natural person without the use of

15 additional information, provided that the additional

16 information is kept separately and is subject to appropriate

17 technical and organizational measures to ensure that the

18 personal data are not attributed to an identified or

19 identifiable natural person.

20 "Sale", "sell", or "sold" means the exchange of personal

21 data for monetary or other valuable consideration by the

22 controller, processor, or an affiliate of the controller or

23 processor to a third party. "Sale" does not include the

24 following:

25 (1) the disclosure of personal data to a processor who

26 processes the personal data on behalf of the controller if

10400SB0340sam001

- 6 -

LRB104 06459 JRC 37578 a

1 limited to the purposes of processing;

2 (2) the disclosure of personal data to a third party

3 for purposes of providing a product or service requested

4 by the consumer;

5 (3) the disclosure or transfer of personal data to an

6 affiliate of the controller;

7 (4) the disclosure of information that the consumer

8 intentionally made available to the general public via a

9 channel of mass media and did not restrict to a specific

10 audience;

11 (5) the disclosure or transfer of personal data to a

12 third party as an asset that is part of a completed or

13 proposed merger, acquisition, bankruptcy, or other

14 transaction in which the third party assumes control of

15 all or part of the controller's assets; or

16 (6) the exchange of personal data between the producer

17 of a good or service and authorized agents of the producer

18 who sell and service the goods and services to enable the

19 cooperative provisioning of goods and services by both the

20 producer and the producer's agents.

21 "Sensitive data" is a form of personal data. "Sensitive

22 data" means:

23 (1) personal data revealing racial or ethnic origin,

24 religious beliefs, mental or physical health condition or

25 diagnosis, sexual orientation, or citizenship or

26 immigration status;

10400SB0340sam001

- 7 -

LRB104 06459 JRC 37578 a

1 (2) the processing of biometric identifiers or

2 information or genetic information for the purpose of

3 uniquely identifying an individual;

4 (3) the personal data of a known child;

5 (4) specific geolocation data;

6 (5) information that reveals the status of

7 identifiable natural person as a victim of a crime; or

8 (6) a government-issued identifier, including a social

9 security number, passport number, or a driver's license

10 number, that is not required by law to be displayed in

11 public.

12 "Specific geolocation data" means information derived from

13 technology, including, but not limited to, global positioning

14 system level latitude and longitude coordinates or other

15 mechanisms that can precisely and accurately identify the

16 specific location of a consumer or a device linked with a

17 consumer within a radius of 1,750 feet. Specific geolocation

18 data does not include the content of communications, the

19 contents of databases containing street address information

20 that are accessible to the public as authorized by law, or any

21 data generated by or connected to advanced utility metering

22 infrastructure systems or other equipment for use by a public

23 utility.

24 "Targeted advertising" means displaying advertisements to

25 a consumer or to a device linked to a consumer in which the

26 advertisement is selected based on personal data obtained or

10400SB0340sam001

- 8 -

LRB104 06459 JRC 37578 a

1 inferred from the consumer's activities over time and across

2 nonaffiliated websites or online applications to predict the

3 consumer's preferences or interests. Targeted advertising does

4 not include:

5 (1) advertising based on activities within a

6 controller's own websites or online applications;

7 (2) advertising based on the context of a consumer's

8 current search query or visit to a website or online

9 application;

10 (3) advertising to a consumer in response to the

11 consumer's request for information or feedback; or

12 (4) processing personal data solely for measuring or

13 reporting content and advertising performance, reach, or

14 frequency, including independent measurement.

15 (z) "Third party" means a natural or legal person, public

16 authority, agency, or body other than the consumer,

17 controller, processor, or an affiliate of the processor or the

18 controller.

19 (aa) "Trade secret" has the same meaning given to the term

20 in the Illinois Trade Secrets Act.

21 Section 12. Scope; exclusions.

22 (a)(1) Scope. This Act applies to legal entities that

23 conduct business in Illinois or produce products or services

24 that are targeted to Illinois residents, and that satisfy one

25 or more of the following thresholds:

10400SB0340sam001

- 9 -

LRB104 06459 JRC 37578 a

1 (A) during a calendar year, collects or processes

2 personal data of 100,000 consumers or more, excluding

3 personal data controlled or processed solely for the

4 purpose of completing a payment transaction; or

5 (B) derives over 25% of gross revenue from the sale of

6 personal data and processes or collects personal data of

7 25,000 consumers or more.

8 (2) A controller or processor shall comply with the

9 Student Online Personal Protection Act, except that if the

10 provisions of that Act conflict with this Act, the Student

11 Online Personal Protection Act prevails.

12 (3) All legal entities shall comply with the Biometric

13 Information Privacy Act and the Genetic Information Privacy

14 Act.

15 (b) Exclusions. The provisions of this Act do not apply to

16 the following entities, activities, or types of information:

17 (1) the State, a political subdivision of the State,

18 and units of local government;

19 (2) a federally recognized Indian tribe;

20 (3) information that meets the definition of:

21 (A) protected health information, as defined by

22 and for purposes of the Health Insurance Portability

23 and Accountability Act of 1996, Public Law 104-191,

24 and related regulations;

25 (B) health records, that includes, but is not

26 limited to, any information, whether oral or recorded

10400SB0340sam001

- 10 -

LRB104 06459 JRC 37578 a

1 in any form or medium, that relates to the past,

2 present, or future physical or mental health or

3 condition of a patient; the provision of health care

4 to a patient; or the past, present, or future payment

5 for the provision of health care to a patient;

6 (C) patient identifying information for purposes

7 of Code of Federal Regulations, Title 42, Part 2,

8 established pursuant to the United States Code, Title

9 42, Section 290dd-2;

10 (D) identifiable private information for purposes

11 of the federal policy for the protection of human

12 subjects, the Code of Federal Regulations, Title 45,

13 Part 46; identifiable private information that is

14 otherwise information collected as part of human

15 subjects research under the good clinical practice

16 guidelines issued by the International Council for

17 Harmonisation; the protection of human subjects under

18 the Code of Federal Regulations, Title 21, Parts 50

19 and 56; or personal data used or shared in research

20 conducted in accordance with one or more of the

21 requirements set forth in this paragraph;

22 (E) information and documents created for purposes

23 of the federal Health Care Quality Improvement Act of

24 1986, Public Law 99-660, and related regulations; or

25 (F) patient safety work product for purposes of

26 Code of Federal Regulations, Title 42, Part 3,

10400SB0340sam001

- 11 -

LRB104 06459 JRC 37578 a

1 established under the United States Code, Title 42,

2 Sections 299b-21 to 299b-26;

3 (4) information that is derived from any of the health

4 care-related information listed in clause (3), but that

5 has been deidentified in accordance with the requirements

6 for deidentification set forth in the Code of Federal

7 Regulations, Title 45, Part 164;

8 (5) information originating from, and intermingled to

9 be indistinguishable with, any of the health care-related

10 information listed in clause (3) that is maintained by:

11 (A) a covered entity or business associate, as

12 defined by the Health Insurance Portability and

13 Accountability Act of 1996, Public Law 104-191, and

14 related regulations to the extent the entity is acting

15 as a covered entity or business associate under the

16 Privacy and Security rules issued by the United States

17 Department of Health and Human Services, Parts 160 and

18 164 of Title 45 of the Code of Federal Regulations;

19 (B) a health care provider, to include, but not be

20 limited to, any public or private facility that

21 provides, on an inpatient or outpatient basis,

22 preventive, diagnostic, therapeutic, convalescent,

23 rehabilitation, mental health, or intellectual

24 disability services, including general or special

25 hospitals, skilled nursing homes, extended care

26 facilities, intermediate care facilities and mental

10400SB0340sam001

- 12 -

LRB104 06459 JRC 37578 a

1 health centers; or

2 (C) a program or a qualified service organization,

3 as defined by Code of Federal Regulations, Title 42,

4 Part 2, established pursuant to United States Code,

5 Title 42, Section 290dd-2;

6 (6) information that is:

7 (A) maintained by an entity that meets the

8 definition of health care provider under the Code of

9 Federal Regulations, Title 45, Section 160.103, to the

10 extent that the entity maintains the information in

11 the manner required of covered entities with respect

12 to protected health information for purposes of the

13 Health Insurance Portability and Accountability Act of

14 1996, Public Law 104-191, and related regulations;

15 (B) included in a limited data set, as described

16 under the Code of Federal Regulations, Title 45, Part

17 164.514(e), to the extent that the information is

18 used, disclosed, and maintained in the manner

19 specified by that part;

20 (C) maintained by, or maintained to comply with

21 the rules or orders of, a self-regulatory organization

22 as defined by the United States Code, Title 15,

23 Section 78c(a)(26) or of a registered futures

24 association as designated under the United States

25 Code, Title 7, Section 21;

26 (D) originated from, or intermingled with,

10400SB0340sam001

- 13 -

LRB104 06459 JRC 37578 a

1 information described in clause (9) and that a

2 residential mortgage originator or residential

3 mortgage servicer regulated under the Residential

4 Mortgage License Act of 1987 collects, processes,

5 uses, or maintains in the same manner as required

6 under the laws and regulations specified in clause

7 (9); or

8 (E) originated from, or intermingled with,

9 information described in clause (9) and that a nonbank

10 financial institution collects, processes, uses, or

11 maintains in the same manner as required under the

12 laws and regulations specified in clause (9);

13 (7) information used only for public health activities

14 and purposes, as described under the Code of Federal

15 Regulations, Title 45, Part 164.512;

16 (8) an activity involving the collection, maintenance,

17 disclosure, sale, communication, or use of any personal

18 data bearing on a consumer's credit worthiness, credit

19 standing, credit capacity, character, general reputation,

20 personal characteristics, or mode of living by a consumer

21 reporting agency, as defined in the United States Code,

22 Title 15, Section 1681a(f), by a furnisher of information,

23 as set forth in the United States Code, Title 15, Section

24 1681s-2, who provides information for use in a consumer

25 report, as defined in the United States Code, Title 15,

26 Section 1681a(d), and by a user of a consumer report, as

10400SB0340sam001

- 14 -

LRB104 06459 JRC 37578 a

1 set forth in the United States Code, Title 15, Section

2 1681b, except that information is only excluded under this

3 paragraph to the extent that the activity involving the

4 collection, maintenance, disclosure, sale, communication,

5 or use of the information by the agency, furnisher, or

6 user is subject to regulation under the federal Fair

7 Credit Reporting Act, United States Code, Title 15,

8 Sections 1681 to 1681x, and the information is not

9 collected, maintained, used, communicated, disclosed, or

10 sold except as authorized by the Fair Credit Reporting

11 Act;

12 (9) financial institutions, their affiliates, and

13 personal data subject to the federal Gramm-Leach-Bliley

14 Act, Public Law 106-102, and implementing regulations;

15 (10) personal data collected, processed, sold, or

16 disclosed pursuant to the federal Driver's Privacy

17 Protection Act of 1994, United States Code, Title 18,

18 Sections 2721 to 2725, if the collection, processing,

19 sale, or disclosure is in compliance with that law;

20 (11) personal data regulated by the federal Family

21 Educational Rights and Privacy Act, United States Code,

22 Title 20, Section 1232g, and implementing regulations;

23 (12) personal data collected, processed, sold, or

24 disclosed pursuant to the federal Farm Credit Act of 1971,

25 as amended, United States Code, Title 12, Sections 2001 to

26 2279cc, and implementing regulations, Code of Federal

10400SB0340sam001

- 15 -

LRB104 06459 JRC 37578 a

1 Regulations, Title 12, Part 600, if the collection,

2 processing, sale, or disclosure is in compliance with that

3 law;

4 (13) data collected or maintained:

5 (A) in the course of an individual acting as a job

6 applicant to or an employee, owner, director, officer,

7 medical staff member, or contractor of a business if

8 the data is collected and used solely within the

9 context of the role;

10 (B) as the emergency contact information of an

11 individual under item (A) if used solely for emergency

12 contact purposes; or

13 (C) that is necessary for the business to retain

14 to administer benefits for another individual relating

15 to the individual under item (1) if used solely for the

16 purposes of administering those benefits;

17 (14) personal data collected, processed, sold, or

18 disclosed under the Illinois Insurance Code;

19 (15) data collected, processed, sold, or disclosed as

20 part of a payment-only credit, check, or cash transaction

21 where no data about consumers, as defined in Section 11,

22 are retained;

23 (16) a State or federally chartered bank or credit

24 union, or an affiliate or subsidiary that is principally

25 engaged in financial activities, as described in the

26 United States Code, Title 12, Section 1843(k);

10400SB0340sam001

- 16 -

LRB104 06459 JRC 37578 a

1 (17) information that originates from, or is

2 intermingled so as to be indistinguishable from,

3 information described in clause (8) and that a person

4 collects, processes, uses, or maintains in the same manner

5 as is required under the laws and regulations specified in

6 clause (8);

7 (18) an insurance company and an insurance producer

8 that are regulated by the State under the Illinois

9 Insurance Code, a third-party administrator of

10 self-insurance, or an affiliate or subsidiary of any

11 entity identified in this clause that is principally

12 engaged in financial activities, as described in the

13 United States Code, Title 12, Section 1843(k), except that

14 this clause does not apply to a person that, alone or in

15 combination with another person, establishes and maintains

16 a self-insurance program that does not otherwise engage in

17 the business of entering into policies of insurance;

18 (19) a small business, as defined by the United States

19 Small Business Administration under the Code of Federal

20 Regulations, Title 13, Part 121, except that a small

21 business identified in this clause is subject to Section

22 17;

23 (20) a nonprofit organization that is established to

24 detect and prevent fraudulent acts in connection with

25 insurance; and

26 (21) an air carrier subject to the federal Airline

10400SB0340sam001

- 17 -

LRB104 06459 JRC 37578 a

1 Deregulation Act, Public Law 95-504, only to the extent

2 that an air carrier collects personal data related to

3 prices, routes, or services and only to the extent that

4 the provisions of the Airline Deregulation Act preempt the

5 requirements of this Act.

6 Controllers that are in compliance with the Children's

7 Online Privacy Protection Act, United States Code, Title 15,

8 Sections 6501 to 6506, and implementing regulations, are

9 deemed compliant with any obligation to obtain parental

10 consent under this Act.

11 Section 13. Responsibility according to role.

12 (a) Controllers and processors are responsible for meeting

13 the respective obligations established under this Act.

14 (b) Processors are responsible under this Act for adhering

15 to the instructions of the controller and assisting the

16 controller to meet the controller's obligations under this

17 Act. Assistance under this subsection shall include the

18 following:

19 (1) taking into account the nature of the processing,

20 the processor shall assist the controller by appropriate

21 technical and organizational measures, insofar as this is

22 possible, for the fulfillment of the controller's

23 obligation to respond to consumer requests to exercise

24 their rights under Section 14; and

25 (2) taking into account the nature of processing and

10400SB0340sam001

- 18 -

LRB104 06459 JRC 37578 a

1 the information available to the processor, the processor

2 shall assist the controller in meeting the controller's

3 obligations in relation to the security of processing the

4 personal data and in relation to the notification of a

5 breach of the security of the system under the Illinois

6 Personal Information Protection Act and provide

7 information to the controller necessary to enable the

8 controller to conduct and document any data privacy and

9 protection assessments required by Section 18.

10 (c) A contract between a controller and a processor shall

11 govern the processor's data processing procedures with respect

12 to processing performed on behalf of the controller. The

13 contract shall be binding on both parties and clearly set

14 forth instructions for processing data, the nature and purpose

15 of processing, the type of data subject to processing, the

16 duration of processing, and the rights and obligations of both

17 parties. The contract shall also require that the processor:

18 (1) ensure that each person processing the personal

19 data is subject to a duty of confidentiality with respect

20 to the data;

21 (2) engage a subcontractor only under a written

22 contract in accordance with this subsection (c) that

23 requires the subcontractor to meet the obligations of the

24 processor with respect to the personal data;

25 (3) at the choice of the controller, delete or return

26 all personal data to the controller as requested at the

10400SB0340sam001

- 19 -

LRB104 06459 JRC 37578 a

1 end of the provision of services, unless retention of the

2 personal data is required by law;

3 (4) upon a reasonable request from the controller,

4 make available to the controller all information necessary

5 to demonstrate compliance with the obligations in this

6 Act; and

7 (5) allow for, and contribute to, reasonable

8 assessments and inspections by the controller or the

9 controller's designated assessor. Alternatively, the

10 processor may arrange for a qualified and independent

11 assessor to conduct, at least annually and at the

12 processor's expense, an assessment of the processor's

13 policies and technical and organizational measures in

14 support of the obligations under this Act. The assessor

15 must use an appropriate and accepted control standard or

16 framework and assessment procedure for assessments as

17 applicable and provide a report of an assessment to the

18 controller upon request.

19 (d) Taking into account the context of processing, the

20 controller and the processor shall implement appropriate

21 technical and organizational measures to ensure a level of

22 security appropriate to the risk and establish a clear

23 allocation of the responsibilities between the controller and

24 the processor to implement the technical and organizational

25 measures.

26 (e) In no event shall any contract relieve a controller or

10400SB0340sam001

- 20 -

LRB104 06459 JRC 37578 a

1 a processor from the liabilities imposed on a controller or

2 processor by virtue of the controller's or processor's roles

3 in the processing relationship under this Act.

4 (f) Determining whether a person is acting as a controller

5 or processor with respect to a specific processing of data is a

6 fact-based determination that depends upon the context in

7 which personal data are to be processed. A person that is not

8 limited in the person's processing of personal data pursuant

9 to a controller's instructions, or that fails to adhere to a

10 controller's instructions, is a controller and not a processor

11 with respect to a specific processing of data. A processor

12 that continues to adhere to a controller's instructions with

13 respect to a specific processing of personal data remains a

14 processor. If a processor begins, alone or jointly with

15 others, determining the purposes and means of the processing

16 of personal data, the processor is a controller with respect

17 to the processing.

18 Section 14. Consumer personal data rights.

19 (a)(1) Consumer rights provided. Except as provided in

20 this Act, a controller must comply with a request to exercise

21 the consumer rights provided in this subsection (a).

22 (2) A consumer has the right to confirm whether or not a

23 controller is processing personal data concerning the consumer

24 and access the personal data the controller is processing.

25 (3) A consumer has the right to correct inaccurate

10400SB0340sam001

- 21 -

LRB104 06459 JRC 37578 a

1 personal data concerning the consumer taking into account the

2 nature of the personal data and the purposes of the processing

3 of the personal data.

4 (4) A consumer has the right to delete personal data

5 concerning the consumer.

6 (5) A consumer has the right to obtain personal data

7 concerning the consumer, which the consumer previously

8 provided to the controller, in a portable and, to the extent

9 technically feasible, readily usable format that allows the

10 consumer to transmit the data to another controller without

11 hindrance, where the processing is carried out by automated

12 means.

13 (6) A consumer has the right to opt out of the processing

14 of personal data concerning the consumer for purposes of: (i)

15 targeted advertising, (ii) the sale of personal data, or (iii)

16 profiling in furtherance of automated decisions that produce

17 legal effects concerning a consumer or similarly significant

18 effects concerning a consumer.

19 (7) If a consumer's personal data is profiled in

20 furtherance of decisions that produce legal effects concerning

21 a consumer or similarly significant effects concerning a

22 consumer, the consumer has the right to question the result of

23 the profiling, only if the profiling produces legal or

24 similarly significant effects concerning the consumer. The

25 consumer has the right to review the consumer's personal data

26 used in the profiling. If the decision is determined to have

10400SB0340sam001

- 22 -

LRB104 06459 JRC 37578 a

1 been based upon inaccurate personal data taking into account

2 the nature of the personal data and the purposes of the

3 processing of the personal data, the consumer has the right to

4 have the data corrected and the profiling decision reevaluated

5 based upon the corrected data.

6 (8) A consumer has a right to obtain general descriptions

7 of categories of third parties to which the controller has

8 disclosed the consumer's personal data, unless such a list of

9 specific third parties is readily available to the controller.

10 (b)(1) Exercising consumer rights. A consumer may exercise

11 the rights set forth in subsection (a) by submitting a

12 request, at any time, to a controller specifying which rights

13 the consumer wishes to exercise.

14 (2) In the case of processing personal data concerning a

15 known child, the parent or legal guardian of the known child

16 may exercise the rights under this Act on the child's behalf.

17 (3) In the case of processing personal data concerning a

18 consumer legally subject to guardianship under the Probate Act

19 of 1975, the guardian of the consumer may exercise the rights

20 under this Act on the consumer's behalf.

21 (4) A consumer may designate another person as the

22 consumer's authorized agent to exercise the consumer's right

23 to opt out of the processing of the consumer's personal data

24 for purposes of targeted advertising and sale under subsection

25 (c)(1) on the consumer's behalf. A consumer may designate an

26 authorized agent by way of, among other things, a technology,

10400SB0340sam001

- 23 -

LRB104 06459 JRC 37578 a

1 including, but not limited to, an Internet link or a browser

2 setting, browser extension, or global device setting,

3 indicating the consumer's intent to opt out of the processing.

4 A controller shall comply with an opt-out request received

5 from an authorized agent if the controller is able to verify,

6 with commercially reasonable effort, the identity of the

7 consumer and the authorized agent's authority to act on the

8 consumer's behalf.

9 (c)(1) Universal opt-out mechanisms. A controller must

10 allow a consumer to opt out of any processing of the consumer's

11 personal data for the purposes of targeted advertising,

12 profiling in furtherance of automated decisions that produce

13 legal effects concerning the consumer or any sale of the

14 consumer's personal data through an opt-out preference signal

15 sent, with the consumer's consent, by a platform, technology,

16 or mechanism to the controller indicating the consumer's

17 intent to opt out of the processing, profiling, or sale. The

18 platform, technology, or mechanism must:

19 (A) not unfairly disadvantage another controller;

20 (B) not make use of a default setting but require the

21 consumer to make an affirmative, freely given, and

22 unambiguous choice to opt out of the processing of the

23 consumer's personal data;

24 (C) be consumer-friendly and easy to use by the

25 average consumer;

26 (D) be as consistent as possible with any other

10400SB0340sam001

- 24 -

LRB104 06459 JRC 37578 a

1 similar platform, technology, or mechanism required by any

2 federal or State law or regulation; and

3 (E) enable the controller to accurately determine

4 whether the consumer is an Illinois resident and whether

5 the consumer has made a legitimate request to opt out of

6 any sale of the consumer's personal data profiling in

7 furtherance of automated decisions that produce legal

8 effects concerning the consumer, or targeted advertising.

9 For purposes of this paragraph, the use of an Internet

10 protocol address to estimate the consumer's location is

11 sufficient to determine the consumer's residence.

12 (2) If a consumer's opt-out request is exercised through

13 the platform, technology, or mechanism required under

14 subsection (c)(1), and the request conflicts with the

15 consumer's existing controller-specific privacy setting or

16 voluntary participation in a controller's bona fide loyalty,

17 rewards, premium features, discounts, or club card program,

18 the controller must comply with the consumer's opt-out

19 preference signal but may also notify the consumer of the

20 conflict and provide the consumer a choice to confirm the

21 controller-specific privacy setting or participation in the

22 controller's program.

23 (3) A controller that recognizes opt-out preference

24 signals that have been approved by other state laws or

25 regulations is in compliance with this subdivision.

26 (d)(1) Controller response to consumer requests. Except as

10400SB0340sam001

- 25 -

LRB104 06459 JRC 37578 a

1 provided in this Act, a controller must comply with a request

2 to exercise the rights pursuant to subsection (a).

3 (2) A controller must provide one or more secure and

4 reliable means for consumers to submit a request to exercise

5 the consumer's rights under this Section. The means made

6 available must take into account the ways in which consumers

7 interact with the controller and the need for secure and

8 reliable communication of the requests.

9 (3) A controller may not require a consumer to create a new

10 account to exercise a right, but a controller may require a

11 consumer to use an existing account to exercise the consumer's

12 rights under this Section.

13 (4) A controller must comply with a request to exercise

14 the rights under this Section as soon as feasibly possible,

15 but no later than 45 days after the receipt of the request,

16 unless the controller extends the time.

17 (5) A controller must inform a consumer of any action

18 taken on a request under subsection (b) without undue delay

19 and in any event within 45 days after the receipt of the

20 request. That period may be extended once by 45 additional

21 days where reasonably necessary taking into account the

22 complexity and number of the requests. The controller must

23 inform the consumer of any extension within the original

24 45-day window, together with the reasons for the delay.

25 (6) If a controller does not take action on a consumer's

26 request, the controller must inform the consumer without undue

10400SB0340sam001

- 26 -

LRB104 06459 JRC 37578 a

1 delay and at the latest within 45 days after the receipt of the

2 request of the reasons for not taking action and instructions

3 for how to appeal the decision with the controller as

4 described in subsection (e).

5 (7) Information provided under this Section must be

6 provided by the controller free of charge up to twice annually

7 to the consumer. If requests from a consumer are manifestly

8 unfounded or excessive, in particular because of the

9 repetitive character of the requests, the controller may

10 either charge a reasonable fee to cover the administrative

11 costs of complying with the request or refuse to act on the

12 request. The controller bears the burden of demonstrating the

13 manifestly unfounded or excessive character of the request.

14 (8) A controller is not required to comply with a request

15 to exercise any of the rights under subsection (a), paragraphs

16 (2) to (5) and (8), if the controller is unable to authenticate

17 the request using commercially reasonable efforts. In such

18 cases, the controller may request the provision of additional

19 information reasonably necessary to authenticate the request.

20 A controller is not required to authenticate an opt-out

21 request, but a controller may deny an opt-out request if the

22 controller has a good faith, reasonable, and documented belief

23 that the request is fraudulent. If a controller denies an

24 opt-out request because the controller believes a request is

25 fraudulent, the controller must notify the person who made the

26 request that the request was denied because of the

10400SB0340sam001

- 27 -

LRB104 06459 JRC 37578 a

1 controller's belief that the request was fraudulent and state

2 the controller's basis for that belief.

3 (9) In response to a consumer request under subsection

4 (b), a controller must not disclose the following information

5 about a consumer but must instead inform the consumer with

6 sufficient particularity that the controller has collected

7 that type of information:

8 (A) Social Security number;

9 (B) driver's license number or other government-issued

10 identification number;

11 (C) financial account number;

12 (D) health insurance account number or medical

13 identification number;

14 (E) account password, security questions, or answers;

15 or

16 (F) biometric identifiers or information.

17 (10) In response to a consumer request under subsection

18 (b), a controller is not required to reveal any trade secret.

19 (11) A controller that has obtained personal data about a

20 consumer from a source other than the consumer may comply with

21 a consumer's request to delete the consumer's personal data

22 pursuant to subsection (a), paragraph (4), by either:

23 (A) retaining a record of the deletion request,

24 retaining the minimum data necessary for the purpose of

25 ensuring the consumer's personal data remains deleted from

26 the business's records and not using the retained data for

10400SB0340sam001

- 28 -

LRB104 06459 JRC 37578 a

1 any other purpose under the provisions of this Act; or

2 (B) opting the consumer out of the processing of

3 personal data for any purpose except for the purposes

4 exempted pursuant to the provisions of this Act.

5 (e)(1) Appeal process required. A controller must

6 establish an internal process in which a consumer may appeal a

7 refusal to take action on a request to exercise any of the

8 rights under subsection (a) within a reasonable period of time

9 after the consumer's receipt of the notice sent by the

10 controller under subsection (d), paragraph (6).

11 (2) The appeal process must be conspicuously available.

12 The process must include the ease of use provisions in

13 subsection (c)(1) applicable to submitting requests.

14 (3) Within 45 days after the receipt of an appeal, a

15 controller must inform the consumer of any action taken or not

16 taken in response to the appeal along with a written

17 explanation of the reasons in support thereof. That period may

18 be extended by 60 additional days if reasonably necessary,

19 taking into account the complexity and number of the requests

20 serving as the basis for the appeal. The controller must

21 inform the consumer of any extension within 45 days after the

22 receipt of the appeal together with the reasons for the delay.

23 (4) When informing a consumer of any action taken or not

24 taken in response to an appeal pursuant to paragraph (3), the

25 controller must provide a written explanation of the reasons

26 for the controller's decision and clearly and prominently

10400SB0340sam001

- 29 -

LRB104 06459 JRC 37578 a

1 provide the consumer with information about how to file a

2 complaint with the Attorney General. The controller must

3 maintain records of all appeals and the controller's responses

4 for at least 24 months and shall, upon written request by the

5 Attorney General as part of an investigation, compile and

6 provide a copy of the records to the Attorney General.

7 Section 15. Processing deidentified data or pseudonymous

8 data.

9 (a) This Act does not require a controller or processor to

10 do any of the following solely for purposes of complying with

11 this Act:

12 (1) reidentify deidentified data;

13 (2) maintain data in identifiable form, or collect,

14 obtain, retain, or access any data or technology, to be

15 capable of associating an authenticated consumer request

16 with personal data; or

17 (3) comply with an authenticated consumer request to

18 access, correct, delete, or port personal data under

19 Section 14, subsection (a), if all of the following are

20 true:

21 (A) the controller is not reasonably capable of

22 associating the request with the personal data, or it

23 would be unreasonably burdensome for the controller to

24 associate the request with the personal data;

25 (B) the controller does not use the personal data

10400SB0340sam001

- 30 -

LRB104 06459 JRC 37578 a

1 to recognize or respond to the specific consumer who

2 is the subject of the personal data or associate the

3 personal data with other personal data about the same

4 specific consumer; and

5 (C) the controller does not sell the personal data

6 to any third party or otherwise voluntarily disclose

7 the personal data to any third party other than a

8 processor, except as otherwise permitted in this

9 Section.

10 (b) The rights contained in paragraphs (2) to (5) and (8)

11 of subsection (a) of Section 14 do not apply to pseudonymous

12 data in cases in which the controller is able to demonstrate

13 any information necessary to identify the consumer is kept

14 separately and is subject to effective technical and

15 organizational controls that prevent the controller from

16 accessing the information.

17 (c) A controller that transfers, sells, or otherwise

18 discloses pseudonymous data or deidentified data must exercise

19 reasonable oversight to monitor compliance with any

20 contractual commitments to which the pseudonymous data or

21 deidentified data are subject, and must take appropriate steps

22 to address any breaches of contractual commitments.

23 (d) A processor or third party must not attempt to

24 identify the subjects of deidentified or pseudonymous data

25 without the express authority of the controller that caused

26 the data to be deidentified or pseudonymized.

10400SB0340sam001

- 31 -

LRB104 06459 JRC 37578 a

1 (e) A controller, processor, or third party must not

2 attempt to identify the subjects of data that has been

3 collected with only pseudonymous identifiers.

4 Section 16. Responsibilities of controllers.

5 (a)(1) Transparency obligations. Controllers must provide

6 consumers with a reasonably accessible, clear, and meaningful

7 privacy notice, at or before collection, that includes:

8 (A) the categories of personal data processed by the

9 controller;

10 (B) the purposes for which the categories of personal

11 data are processed;

12 (C) an explanation of the rights contained in Section

13 14 and how and where consumers may exercise those rights,

14 including how a consumer may appeal a controller's action

15 with regard to the consumer's request;

16 (D) the categories of personal data that the

17 controller sells to or shares with third parties, if any;

18 (E) the categories of third parties, if any, with whom

19 the controller sells or shares personal data;

20 (F) the controller's contact information, including an

21 active email address or other online mechanism that the

22 consumer may use to contact the controller;

23 (G) a description of the controller's retention

24 policies for personal data; and

25 (H) the date the privacy notice was last updated.

10400SB0340sam001

- 32 -

LRB104 06459 JRC 37578 a

1 (2) If a controller sells personal data to third parties,

2 processes personal data for targeted advertising, or engages

3 in profiling in furtherance of decisions that produce legal

4 effects concerning a consumer or similarly significant effects

5 concerning a consumer, the controller must disclose the

6 processing in the privacy notice and provide access to a clear

7 and conspicuous method outside the privacy notice for a

8 consumer to opt out of the sale, processing, or profiling in

9 furtherance of decisions that produce legal effects concerning

10 a consumer or similarly significant effects concerning a

11 consumer. This method may include but is not limited to an

12 Internet hyperlink clearly labeled "Your Opt-Out Rights" or

13 "Your Privacy Rights" that directly effectuates the opt-out

14 request or takes consumers to a web page where the consumer can

15 make the opt-out request.

16 (3) The privacy notice must be made available to the

17 public in each language in which the controller provides a

18 product or service that is subject to the privacy notice or

19 carries out activities related to the product or service.

20 (4) The controller must provide the privacy notice in a

21 manner that is reasonably accessible to and usable by

22 individuals with disabilities.

23 (5) Whenever a controller makes a material change to the

24 controller's privacy notice or practices, the controller must

25 notify consumers affected by the material change with respect

26 to any prospectively collected personal data and provide a

10400SB0340sam001

- 33 -

LRB104 06459 JRC 37578 a

1 reasonable opportunity for consumers to withdraw consent to

2 any further materially different collection, processing, or

3 transfer of previously collected personal data under the

4 changed policy. The controller shall take all reasonable

5 electronic measures to provide notification regarding material

6 changes to affected consumers, taking into account available

7 technology and the nature of the relationship.

8 (6) A controller is not required to provide a separate

9 Illinois-specific privacy notice or section of a privacy

10 notice if the controller's general privacy notice contains all

11 the information required by this Section.

12 (7) The privacy notice must be posted online through a

13 conspicuous hyperlink using the word "privacy" on the

14 controller's website home page or on a mobile application's

15 app store page or download page. A controller that maintains

16 an application on a mobile or other device shall also include a

17 hyperlink to the privacy notice in the application's settings

18 menu or in a similarly conspicuous and accessible location. A

19 controller that does not operate a website shall make the

20 privacy notice conspicuously available to consumers through a

21 medium regularly used by the controller to interact with

22 consumers, including, but not limited to, mail.

23 (b)(1) Use of data. A controller shall:

24 (A) limit the collection of personal data to what is

25 adequate, relevant, and reasonably necessary in relation

26 to the purposes for which the data are processed, which

10400SB0340sam001

- 34 -

LRB104 06459 JRC 37578 a

1 must be disclosed to the consumer;

2 (B) not collect, process, or share sensitive data

3 concerning a consumer except when such collection,

4 processing, or transfer is strictly necessary to provide

5 or maintain a specific product or service requested by the

6 consumer to whom the sensitive data pertains. For purposes

7 of this Act, the collection, processing, and sharing of

8 biometric identifiers and information must be done in

9 accordance with the requirements of the Biometric

10 Information Privacy Act. For purposes of this Act, the

11 collection, processing, and sharing of genetic information

12 must be done in accordance with the Genetic Information

13 Privacy Act. For purposes of this Act, the collection,

14 processing, and sharing of students' covered information

15 must be done in accordance with the Student Online

16 Personal Protection Act; and

17 (C) not sell sensitive data.

18 (2) Except as provided in this Act, a controller may not

19 process personal data for purposes that are not reasonably

20 necessary to, or compatible with, the purposes for which the

21 personal data are processed, as disclosed to the consumer,

22 unless the controller obtains the consumer's consent.

23 (3) A controller shall establish, implement, and maintain

24 reasonable administrative, technical, and physical data

25 security practices to protect the confidentiality, integrity,

26 and accessibility of personal data, including the maintenance

10400SB0340sam001

- 35 -

LRB104 06459 JRC 37578 a

1 of an inventory of the data that must be managed to exercise

2 these responsibilities. The data security practices shall be

3 appropriate to the volume and nature of the personal data at

4 issue.

5 (4) Except as otherwise provided in this Act, a controller

6 may not process sensitive data concerning a consumer without

7 obtaining the consumer's consent, or, in the case of the

8 processing of personal data concerning a known child, without

9 obtaining consent from the child's parent or lawful guardian,

10 in accordance with the requirement of the Children's Online

11 Privacy Protection Act, United States Code, Title 15, Sections

12 6501 to 6506, and its implementing regulations. A controller

13 must follow the requirements of the Biometric Information

14 Privacy Act and the Genetic Information Privacy Act for

15 information covered by those Acts.

16 (5) A controller shall provide an effective mechanism for

17 a consumer, or, in the case of the processing of personal data

18 concerning a known child, the child's parent or lawful

19 guardian, to withdraw previously given consent under this

20 subsection. The mechanism provided shall be at least as easy

21 as the mechanism by which the consent was previously given.

22 Upon revocation of consent, a controller shall cease to

23 process the applicable data as soon as practicable, but no

24 later than 15 days after the receipt of the request.

25 (6) A controller may not process the personal data of a

26 consumer for purposes of targeted advertising, or sell the

10400SB0340sam001

- 36 -

LRB104 06459 JRC 37578 a

1 consumer's personal data, without the consumer's consent,

2 under circumstances in which the controller knows that the

3 consumer is between the ages of 13 and 16.

4 (7) A controller may not retain personal data that is no

5 longer relevant and reasonably necessary in relation to the

6 purposes for which the data were collected and processed,

7 unless retention of the data is otherwise required by law or

8 permitted under Section 19 and in accordance with the

9 Biometric Information Privacy Act.

10 (c)(1) Nondiscrimination. A controller shall not process

11 personal data on the basis of a consumer's or a class of

12 consumers' actual or perceived race, color, ethnicity,

13 religion, national origin, sex, gender, gender identity,

14 sexual orientation, familial status, lawful source of income,

15 or disability in a manner that unlawfully discriminates

16 against the consumer or class of consumers.

17 (2) A controller may not discriminate against a consumer

18 for exercising any of the rights contained in this Act,

19 including denying goods or services to the consumer, charging

20 different prices or rates for goods or services, and providing

21 a different level of quality of goods and services to the

22 consumer. This subsection does not: (i) require a controller

23 to provide a good or service that requires the consumer's

24 personal data that the controller does not collect or

25 maintain; or (ii) prohibit a controller from offering a

26 different price, rate, level, quality, or selection of goods

10400SB0340sam001

- 37 -

LRB104 06459 JRC 37578 a

1 or services to a consumer, including offering goods or

2 services for no fee, if the offering is in connection with a

3 consumer's voluntary participation in a bona fide loyalty,

4 rewards, premium features, discounts, or club card program.

5 (d) Waiver of rights unenforceable. Any provision of a

6 contract or agreement of any kind that purports to waive or

7 limit in any way a consumer's rights under this Act is contrary

8 to public policy and is void and unenforceable.

9 Section 17. Requirements for small businesses.

10 (a) A small business, as defined by the United States

11 Small Business Administration under the Code of Federal

12 Regulations, Title 13, Part 121, that conducts business in

13 Illinois or produces products or services that are targeted to

14 Illinois residents must not sell a consumer's sensitive data.

15 (b) Penalties and enforcement procedures under Section 20

16 apply to a small business that violates this Section.

17 Section 18. Data privacy policies; data privacy and

18 protection assessments.

19 (a) A controller must document and maintain a description

20 of the policies and procedures the controller has adopted to

21 comply with this Act. The description must include, where

22 applicable:

23 (1) the name and contact information for the

24 controller's chief privacy officer or other individual

10400SB0340sam001

- 38 -

LRB104 06459 JRC 37578 a

1 with primary responsibility for directing the policies and

2 procedures implemented to comply with the provisions of

3 this Act; and

4 (2) a description of the controller's data privacy

5 policies and procedures that reflect the requirements in

6 Section 16, and any policies and procedures designed to:

7 (i) reflect the requirements of this Act in the

8 design of the controller's systems;

9 (ii) identify and provide personal data to a

10 consumer as required by this Act;

11 (iii) establish, implement, and maintain

12 reasonable administrative, technical, and physical

13 data security practices to protect the

14 confidentiality, integrity, and accessibility of

15 personal data, including the maintenance of an

16 inventory of the data that must be managed to exercise

17 the responsibilities under this item;

18 (iv) limit the collection of personal data to what

19 is adequate, relevant, and reasonably necessary in

20 relation to the purposes for which the data are

21 processed;

22 (v) prevent the retention of personal data that is

23 no longer relevant and reasonably necessary in

24 relation to the purposes for which the data were

25 collected and processed, unless retention of the data

26 is otherwise required by law or permitted under

10400SB0340sam001

- 39 -

LRB104 06459 JRC 37578 a

1 Section 19 and in accordance with the Biometric

2 Information Privacy Act; and

3 (vi) identify and remediate violations of this

4 Act.

5 (b) A controller must conduct and document a data privacy

6 and protection assessment for each of the following processing

7 activities involving personal data:

8 (1) the processing of personal data for purposes of

9 targeted advertising;

10 (2) the sale of personal data;

11 (3) the processing of sensitive data;

12 (4) any processing activities involving personal data

13 that present a heightened risk of harm to consumers; and

14 (5) the processing of personal data for purposes of

15 profiling, where the profiling presents a reasonably

16 foreseeable risk of:

17 (i) unfair or deceptive treatment of, or disparate

18 impact on, consumers;

19 (ii) financial, physical, or reputational injury

20 to consumers;

21 (iii) a physical or other intrusion upon the

22 solitude or seclusion, or the private affairs or

23 concerns, of consumers, where the intrusion would be

24 offensive to a reasonable person; or

25 (iv) other substantial injury to consumers.

26 (c) A data privacy and protection assessment must take

10400SB0340sam001

- 40 -

LRB104 06459 JRC 37578 a

1 into account the type of personal data to be processed by the

2 controller, including the extent to which the personal data

3 are sensitive data, and the context in which the personal data

4 are to be processed.

5 (d) A data privacy and protection assessment must identify

6 and weigh the benefits that may flow directly and indirectly

7 from the processing to the controller, consumer, other

8 stakeholders, and the public against the potential risks to

9 the rights of the consumer associated with the processing, as

10 mitigated by safeguards that can be employed by the controller

11 to reduce the potential risks. The use of deidentified data

12 and the reasonable expectations of consumers, as well as the

13 context of the processing and the relationship between the

14 controller and the consumer whose personal data will be

15 processed, must be factored into this assessment by the

16 controller.

17 (e) A data privacy and protection assessment must include

18 the description of policies and procedures required by

19 subsection (a).

20 (f) As part of a civil investigative demand, the Attorney

21 General or State's Attorneys may request, in writing, that a

22 controller disclose any data privacy and protection assessment

23 that is relevant to an investigation conducted by the Attorney

24 General or State's Attorneys. The controller must make a data

25 privacy and protection assessment available to the Attorney

26 General or State's Attorneys upon a request made under this

10400SB0340sam001

- 41 -

LRB104 06459 JRC 37578 a

1 subsection. The Attorney General or State's Attorneys may

2 evaluate the data privacy and protection assessments for

3 compliance with this Act. Data privacy and protection

4 assessments are nonpublic data that is required by State or

5 federal law that is: (1) not about an individual; (2) not

6 accessible by the general public; and (3) accessible by the

7 subject of the data. The disclosure of a data privacy and

8 protection assessment under a request from the Attorney

9 General or State's Attorneys under this subsection does not

10 constitute a waiver of the attorney-client privilege or work

11 product protection with respect to the assessment and any

12 information contained in the assessment.

13 (g) Data privacy and protection assessments or risk

14 assessments conducted by a controller for the purpose of

15 compliance with other laws or regulations may qualify under

16 this Section if the assessments have a similar scope and

17 effect.

18 (h) A single data protection assessment may address

19 multiple sets of comparable processing operations that include

20 similar activities.

21 Section 19. Limitations and applicability.

22 (a) The obligations imposed on controllers or processors

23 under this Act do not restrict a controller's or a processor's

24 ability to:

25 (1) comply with federal, State, or local laws, rules,

10400SB0340sam001

- 42 -

LRB104 06459 JRC 37578 a

1 or regulations, including, but not limited to, data

2 retention requirements in State or federal law

3 notwithstanding a consumer's request to delete personal

4 data;

5 (2) comply with a civil, criminal, or regulatory

6 inquiry, investigation, subpoena, or summons by federal,

7 State, local, or other governmental authorities;

8 (3) cooperate with law enforcement agencies concerning

9 conduct or activity that the controller or processor

10 reasonably and in good faith believes may violate federal,

11 State, or local laws, rules, or regulations;

12 (4) investigate, establish, exercise, prepare for, or

13 defend legal claims;

14 (5) provide a product or service specifically

15 requested by a consumer; perform a contract to which the

16 consumer is a party, including fulfilling the terms of a

17 written warranty; or take steps at the request of the

18 consumer prior to entering into a contract;

19 (6) take immediate steps to protect an interest that

20 is essential for the life or physical safety of the

21 consumer or of another natural person, and if the

22 processing cannot be manifestly based on another legal

23 basis;

24 (7) prevent, detect, protect against, or respond to

25 security incidents, identity theft, fraud, harassment,

26 malicious or deceptive activities, or any illegal

10400SB0340sam001

- 43 -

LRB104 06459 JRC 37578 a

1 activity; preserve the integrity or security of systems;

2 or investigate, report, or prosecute those responsible for

3 any such action;

4 (8) assist another controller, processor, or third

5 party with any of the obligations under this subsection;

6 (9) engage in public or peer-reviewed scientific,

7 historical, or statistical research in the public interest

8 that adheres to all other applicable ethics and privacy

9 laws and is approved, monitored, and governed by an

10 institutional review board, human subjects research ethics

11 review board, or a similar independent oversight entity

12 that has determined:

13 (A) the research is likely to provide substantial

14 benefits that do not exclusively accrue to the

15 controller;

16 (B) the expected benefits of the research outweigh

17 the privacy risks; and

18 (C) the controller has implemented reasonable

19 safeguards to mitigate privacy risks associated with

20 research, including any risks associated with

21 reidentification; or

22 (10) process personal data for the benefit of the

23 public in the areas of public health, community health, or

24 population health, but only to the extent that the

25 processing is:

26 (A) subject to suitable and specific measures to

10400SB0340sam001

- 44 -

LRB104 06459 JRC 37578 a

1 safeguard the rights of the consumer whose personal

2 data is being processed; and

3 (B) under the responsibility of a professional

4 individual who is subject to confidentiality

5 obligations under federal, State, or local law.

6 (b) The obligations imposed on controllers or processors

7 under this Act do not restrict a controller's or processor's

8 ability to collect, use, or retain data to:

9 (1) effectuate a product recall or identify and repair

10 technical errors that impair existing or intended

11 functionality;

12 (2) perform internal operations that are reasonably

13 aligned with the expectations of the consumer based on the

14 consumer's existing relationship with the controller, or

15 are otherwise compatible with processing in furtherance of

16 the provision of a product or service specifically

17 requested by a consumer or the performance of a contract

18 to which the consumer is a party; or

19 (3) conduct internal research to develop, improve, or

20 repair products, services, or technology.

21 (c) The obligations imposed on controllers or processors

22 under this Act do not apply if compliance by the controller or

23 processor with this Act would violate an evidentiary privilege

24 under Illinois law and do not prevent a controller or

25 processor from providing personal data concerning a consumer

26 to a person covered by an evidentiary privilege under Illinois

10400SB0340sam001

- 45 -

LRB104 06459 JRC 37578 a

1 law as part of a privileged communication.

2 (d) A controller or processor that discloses personal data

3 to a third-party controller or processor in compliance with

4 the requirements of this Act is not in violation of this Act if

5 the recipient processes the personal data in violation of this

6 Act, provided that at the time of disclosing the personal

7 data, the disclosing controller or processor did not have

8 actual knowledge that the recipient intended to commit a

9 violation. A third-party controller or processor receiving

10 personal data from a controller or processor in compliance

11 with the requirements of this Act is not in violation of this

12 Act for the obligations of the controller or processor from

13 which the third-party controller or processor receives the

14 personal data.

15 (e) Obligations imposed on controllers and processors

16 under this Act shall not:

17 (1) adversely affect the rights or freedoms of any

18 persons, including exercising the right of free speech

19 pursuant to the First Amendment of the United States

20 Constitution; or

21 (2) apply to the processing of personal data by a

22 natural person in the course of a purely personal or

23 household activity.

24 (f) Personal data that are processed by a controller

25 pursuant to this Section may be processed solely to the extent

26 that the processing is:

10400SB0340sam001

- 46 -

LRB104 06459 JRC 37578 a

1 (1) necessary, reasonable, and proportionate to the

2 purposes listed in this Section;

3 (2) adequate, relevant, and limited to what is

4 necessary in relation to the specific purpose or purposes

5 listed in this Section; and

6 (3) insofar as possible, taking into account the

7 nature and purpose of processing the personal data,

8 subjected to reasonable administrative, technical, and

9 physical measures to protect the confidentiality,

10 integrity, and accessibility of the personal data, and to

11 reduce reasonably foreseeable risks of harm to consumers.

12 (g) If a controller processes personal data pursuant to an

13 exemption in this Section, the controller bears the burden of

14 demonstrating that the processing qualifies for the exemption

15 and complies with the requirements in subsection (f).

16 (h) Processing personal data solely for the purposes

17 expressly identified in subsection (a), clauses (1) to (7),

18 does not, by itself, make an entity a controller with respect

19 to the processing.

20 Section 20. Enforcement.

21 (a) If a controller or processor violates this Act, the

22 Attorney General or the State's Attorney of any county in this

23 State, before filing an enforcement action under subsection

24 (b), must provide the controller or processor with a warning

25 letter identifying the specific provisions of this Act the

10400SB0340sam001

- 47 -

LRB104 06459 JRC 37578 a

1 Attorney General or State's Attorney alleges have been or are

2 being violated. If, after 30 days of issuance of the warning

3 letter, the Attorney General or State's Attorney believes the

4 controller or processor has failed to cure any alleged

5 violation, the Attorney General or State's Attorney may bring

6 an enforcement action under subsection (b). This subsection

7 becomes inoperative January 1, 2028.

8 (b) The Attorney General or the State's Attorney of any

9 county in this State may bring an action in the name of the

10 People of this State against any person to restrain and

11 prevent any pattern or practice in violation of this Act.

12 (c) A violation of this Act constitutes an unlawful

13 practice under the Consumer Fraud and Deceptive Business

14 Practices Act. All remedies, penalties, and authority granted

15 to the Attorney General or the State's Attorney by the

16 Consumer Fraud and Deceptive Business Practices Act are

17 available to the Attorney General or the State's Attorney for

18 the enforcement of this Act.

19 (d) Any civil penalties collected from the enforcement of

20 this Act shall be deposited into the Attorney General Court

21 Ordered and Voluntary Compliance Payment Projects Fund if the

22 Attorney General commenced the action or distributed to the

23 county in which the State's Attorney commenced the action and

24 deposited into a special fund in the county treasury and

25 appropriated to the State's Attorney for use in accordance

26 with law. Moneys in the Attorney General Court Ordered and

10400SB0340sam001

- 48 -

LRB104 06459 JRC 37578 a

1 Voluntary Compliance Payment Projects Fund shall be used,

2 subject to appropriation, for the performance of any function

3 pertaining to the exercise of the duties of the Attorney

4 General, including, but not limited to, enforcement of any law

5 of this State and conducting public education programs.

6 However, any moneys in the Fund that are required by the court

7 or by an agreement to be used for a particular purpose shall be

8 used for that purpose.

9 (e) Beginning January 1, 2028, any person who suffers

10 actual damage as a result of a violation of this Act may bring

11 an action under Section 10a of the Consumer Fraud and

12 Deceptive Business Practices Act.

13 (f) Nothing in this Act shall be construed to preempt the

14 enforcement provisions in the Biometric Information Privacy

15 Act or the Genetic Information Privacy Act.

16 Section 95. Home rule. A unit of local government,

17 including a home rule unit, may not regulate consumer data

18 privacy. This Section is a denial and limitation of home rule

19 powers and functions under subsection (g) of Section 6 of

20 Article VII of the Illinois Constitution.

21 Section 97. Severability. If any provision of this Act or

22 its application to any person or circumstance is held invalid,

23 the invalidity of that provision or application does not

24 affect other provisions or applications of this Act that can

10400SB0340sam001

- 49 -

LRB104 06459 JRC 37578 a

1 be given effect without the invalid provision or application.

2 Section 900. The Freedom of Information Act is amended by

3 changing Section 7.5 as follows:

4 (5 ILCS 140/7.5)

5 (Text of Section before amendment by P.A. 104-441 and

6 104-457)

7 Sec. 7.5. Statutory exemptions. To the extent provided for

8 by the statutes referenced below, the following shall be

9 exempt from inspection and copying:

10 (a) All information determined to be confidential

11 under Section 4002 of the Technology Advancement and

12 Development Act.

13 (b) Library circulation and order records identifying

14 library users with specific materials under the Library

15 Records Confidentiality Act.

16 (c) Applications, related documents, and medical

17 records received by the Experimental Organ Transplantation

18 Procedures Board and any and all documents or other

19 records prepared by the Experimental Organ Transplantation

20 Procedures Board or its staff relating to applications it

21 has received.

22 (d) Information and records held by the Department of

23 Public Health and its authorized representatives relating

24 to known or suspected cases of sexually transmitted

10400SB0340sam001

- 50 -

LRB104 06459 JRC 37578 a

1 infection or any information the disclosure of which is

2 restricted under the Illinois Sexually Transmitted

3 Infection Control Act.

4 (e) Information the disclosure of which is exempted

5 under Section 30 of the Radon Industry Licensing Act.

6 (f) Firm performance evaluations under Section 55 of

7 the Architectural, Engineering, and Land Surveying

8 Qualifications Based Selection Act.

9 (g) Information the disclosure of which is restricted

10 and exempted under Section 50 of the Illinois Prepaid

11 Tuition Act.

12 (h) Information the disclosure of which is exempted

13 under the State Officials and Employees Ethics Act, and

14 records of any lawfully created State or local inspector

15 general's office that would be exempt if created or

16 obtained by an Executive Inspector General's office under

17 that Act.

18 (i) Information contained in a local emergency energy

19 plan submitted to a municipality in accordance with a

20 local emergency energy plan ordinance that is adopted

21 under Section 11-21.5-5 of the Illinois Municipal Code.

22 (j) Information and data concerning the distribution

23 of surcharge moneys collected and remitted by carriers

24 under the Emergency Telephone System Act.

25 (k) Law enforcement officer identification information

26 or driver identification information compiled by a law

10400SB0340sam001

- 51 -

LRB104 06459 JRC 37578 a

1 enforcement agency or the Department of Transportation

2 under Section 11-212 of the Illinois Vehicle Code.

3 (l) Records and information provided to a residential

4 health care facility resident sexual assault and death

5 review team or the Executive Council under the Abuse

6 Prevention Review Team Act.

7 (m) Information provided to the predatory lending

8 database created pursuant to Article 3 of the Residential

9 Real Property Disclosure Act, except to the extent

10 authorized under that Article.

11 (n) Defense budgets and petitions for certification of

12 compensation and expenses for court appointed trial

13 counsel as provided under Sections 10 and 15 of the

14 Capital Crimes Litigation Act (repealed). This subsection

15 (n) shall apply until the conclusion of the trial of the

16 case, even if the prosecution chooses not to pursue the

17 death penalty prior to trial or sentencing.

18 (o) Information that is prohibited from being

19 disclosed under Section 4 of the Illinois Health and

20 Hazardous Substances Registry Act.

21 (p) Security portions of system safety program plans,

22 investigation reports, surveys, schedules, lists, data, or

23 information compiled, collected, or prepared by or for the

24 Department of Transportation under Sections 2705-300 and

25 2705-616 of the Department of Transportation Law of the

26 Civil Administrative Code of Illinois, the Regional

10400SB0340sam001

- 52 -

LRB104 06459 JRC 37578 a

1 Transportation Authority under Section 2.11 of the

2 Regional Transportation Authority Act, or the St. Clair

3 County Transit District under the Bi-State Transit Safety

4 Act (repealed).

5 (q) Information prohibited from being disclosed by the

6 Personnel Record Review Act.

7 (r) Information prohibited from being disclosed by the

8 Illinois School Student Records Act.

9 (s) Information the disclosure of which is restricted

10 under Section 5-108 of the Public Utilities Act.

11 (t) (Blank).

12 (u) Records and information provided to an independent

13 team of experts under the Developmental Disability and

14 Mental Health Safety Act (also known as Brian's Law).

15 (v) Names and information of people who have applied

16 for or received Firearm Owner's Identification Cards under

17 the Firearm Owners Identification Card Act or applied for

18 or received a concealed carry license under the Firearm

19 Concealed Carry Act, unless otherwise authorized by the

20 Firearm Concealed Carry Act; and databases under the

21 Firearm Concealed Carry Act, records of the Concealed

22 Carry Licensing Review Board under the Firearm Concealed

23 Carry Act, and law enforcement agency objections under the

24 Firearm Concealed Carry Act.

25 (v-5) Records of the Firearm Owner's Identification

26 Card Review Board that are exempted from disclosure under

10400SB0340sam001

- 53 -

LRB104 06459 JRC 37578 a

1 Section 10 of the Firearm Owners Identification Card Act.

2 (w) Personally identifiable information which is

3 exempted from disclosure under subsection (g) of Section

4 19.1 of the Toll Highway Act.

5 (x) Information which is exempted from disclosure

6 under Section 5-1014.3 of the Counties Code or Section

7 8-11-21 of the Illinois Municipal Code.

8 (y) Confidential information under the Adult

9 Protective Services Act and its predecessor enabling

10 statute, the Elder Abuse and Neglect Act, including

11 information about the identity and administrative finding

12 against any caregiver of a verified and substantiated

13 decision of abuse, neglect, or financial exploitation of

14 an eligible adult maintained in the Registry established

15 under Section 7.5 of the Adult Protective Services Act.

16 (z) Records and information provided to a fatality

17 review team or the Illinois Fatality Review Team Advisory

18 Council under Section 15 of the Adult Protective Services

19 Act.

20 (aa) Information which is exempted from disclosure

21 under Section 2.37 of the Wildlife Code.

22 (bb) Information which is or was prohibited from

23 disclosure by the Juvenile Court Act of 1987.

24 (cc) Recordings made under the Law Enforcement

25 Officer-Worn Body Camera Act, except to the extent

26 authorized under that Act.

10400SB0340sam001

- 54 -

LRB104 06459 JRC 37578 a

1 (dd) Information that is prohibited from being

2 disclosed under Section 45 of the Condominium and Common

3 Interest Community Ombudsperson Act.

4 (ee) Information that is exempted from disclosure

5 under Section 30.1 of the Pharmacy Practice Act.

6 (ff) Information that is exempted from disclosure

7 under the Revised Uniform Unclaimed Property Act.

8 (gg) Information that is prohibited from being

9 disclosed under Section 7-603.5 of the Illinois Vehicle

10 Code.

11 (hh) Records that are exempt from disclosure under

12 Section 1A-16.7 of the Election Code.

13 (ii) Information which is exempted from disclosure

14 under Section 2505-800 of the Department of Revenue Law of

15 the Civil Administrative Code of Illinois.

16 (jj) Information and reports that are required to be

17 submitted to the Department of Labor by registering day

18 and temporary labor service agencies but are exempt from

19 disclosure under subsection (a-1) of Section 45 of the Day

20 and Temporary Labor Services Act.

21 (kk) Information prohibited from disclosure under the

22 Seizure and Forfeiture Reporting Act.

23 (ll) Information the disclosure of which is restricted

24 and exempted under Section 5-30.8 of the Illinois Public

25 Aid Code.

26 (mm) Records that are exempt from disclosure under

10400SB0340sam001

- 55 -

LRB104 06459 JRC 37578 a

1 Section 4.2 of the Crime Victims Compensation Act.

2 (nn) Information that is exempt from disclosure under

3 Section 70 of the Higher Education Student Assistance Act.

4 (oo) Communications, notes, records, and reports

5 arising out of a peer support counseling session

6 prohibited from disclosure under the First Responders

7 Suicide Prevention Act.

8 (pp) Names and all identifying information relating to

9 an employee of an emergency services provider or law

10 enforcement agency under the First Responders Suicide

11 Prevention Act.

12 (qq) Information and records held by the Department of

13 Public Health and its authorized representatives collected

14 under the Reproductive Health Act.

15 (rr) Information that is exempt from disclosure under

16 the Cannabis Regulation and Tax Act.

17 (ss) Data reported by an employer to the Department of

18 Human Rights pursuant to Section 2-108 of the Illinois

19 Human Rights Act.

20 (tt) Recordings made under the Children's Advocacy

21 Center Act, except to the extent authorized under that

22 Act.

23 (uu) Information that is exempt from disclosure under

24 Section 50 of the Sexual Assault Evidence Submission Act.

25 (vv) Information that is exempt from disclosure under

26 subsections (f) and (j) of Section 5-36 of the Illinois

10400SB0340sam001

- 56 -

LRB104 06459 JRC 37578 a

1 Public Aid Code.

2 (ww) Information that is exempt from disclosure under

3 Section 16.8 of the State Treasurer Act.

4 (xx) Information that is exempt from disclosure or

5 information that shall not be made public under the

6 Illinois Insurance Code.

7 (yy) Information prohibited from being disclosed under

8 the Illinois Educational Labor Relations Act.

9 (zz) Information prohibited from being disclosed under

10 the Illinois Public Labor Relations Act.

11 (aaa) Information prohibited from being disclosed

12 under Section 1-167 of the Illinois Pension Code.

13 (bbb) Information that is prohibited from disclosure

14 by the Illinois Police Training Act and the Illinois State

15 Police Act.

16 (ccc) Records exempt from disclosure under Section

17 2605-304 of the Illinois State Police Law of the Civil

18 Administrative Code of Illinois.

19 (ddd) Information prohibited from being disclosed

20 under Section 35 of the Address Confidentiality for

21 Victims of Domestic Violence, Sexual Assault, Human

22 Trafficking, or Stalking Act.

23 (eee) Information prohibited from being disclosed

24 under subsection (b) of Section 75 of the Domestic

25 Violence Fatality Review Act.

26 (fff) Images from cameras under the Expressway Camera

10400SB0340sam001

- 57 -

LRB104 06459 JRC 37578 a

1 Act and all automated license plate reader (ALPR)

2 information used and collected by the Illinois State

3 Police. "ALPR information" means information gathered by

4 an ALPR or created from the analysis of data generated by

5 an ALPR. This subsection (fff) is inoperative on and after

6 July 1, 2028.

7 (ggg) Information prohibited from disclosure under

8 paragraph (3) of subsection (a) of Section 14 of the Nurse

9 Agency Licensing Act.

10 (hhh) Information submitted to the Illinois State

11 Police in an affidavit or application for an assault

12 weapon endorsement, assault weapon attachment endorsement,

13 .50 caliber rifle endorsement, or .50 caliber cartridge

14 endorsement under the Firearm Owners Identification Card

15 Act.

16 (iii) Data exempt from disclosure under Section 50 of

17 the School Safety Drill Act.

18 (jjj) Information exempt from disclosure under Section

19 30 of the Insurance Data Security Law.

20 (kkk) Confidential business information prohibited

21 from disclosure under Section 45 of the Paint Stewardship

22 Act.

23 (lll) Data exempt from disclosure under Section

24 2-3.196 of the School Code.

25 (mmm) Information prohibited from being disclosed

26 under subsection (e) of Section 1-129 of the Illinois

10400SB0340sam001

- 58 -

LRB104 06459 JRC 37578 a

1 Power Agency Act.

2 (nnn) Materials received by the Department of Commerce

3 and Economic Opportunity that are confidential under the

4 Music and Musicians Tax Credit and Jobs Act.

5 (ooo) Data or information provided pursuant to Section

6 20 of the Statewide Recycling Needs and Assessment Act.

7 (ppp) Information that is exempt from disclosure under

8 Section 28-11 of the Lawful Health Care Activity Act.

9 (qqq) Information that is exempt from disclosure under

10 Section 7-101 of the Illinois Human Rights Act.

11 (rrr) Information prohibited from being disclosed

12 under Section 4-2 of the Uniform Money Transmission

13 Modernization Act.

14 (sss) Information exempt from disclosure under Section

15 40 of the Student-Athlete Endorsement Rights Act.

16 (ttt) Audio recordings made under Section 30 of the

17 Illinois State Police Act, except to the extent authorized

18 under that Section.

19 (uuu) Information prohibited from being disclosed

20 under Section 30-5 of the Digital Assets Regulation Act.

21 (www) Data privacy and protection assessments made

22 available to the Attorney General under Section 18 of the

23 Illinois Consumer Data Privacy Act.

24 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

25 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

26 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

10400SB0340sam001

- 59 -

LRB104 06459 JRC 37578 a

1 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

2 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

3 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

4 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

5 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; revised

6 9-10-25.)

7 (Text of Section after amendment by P.A. 104-457 but

8 before 104-441)

9 Sec. 7.5. Statutory exemptions. To the extent provided for

10 by the statutes referenced below, the following shall be

11 exempt from inspection and copying:

12 (a) All information determined to be confidential

13 under Section 4002 of the Technology Advancement and

14 Development Act.

15 (b) Library circulation and order records identifying

16 library users with specific materials under the Library

17 Records Confidentiality Act.

18 (c) Applications, related documents, and medical

19 records received by the Experimental Organ Transplantation

20 Procedures Board and any and all documents or other

21 records prepared by the Experimental Organ Transplantation

22 Procedures Board or its staff relating to applications it

23 has received.

24 (d) Information and records held by the Department of

25 Public Health and its authorized representatives relating

10400SB0340sam001

- 60 -

LRB104 06459 JRC 37578 a

1 to known or suspected cases of sexually transmitted

2 infection or any information the disclosure of which is

3 restricted under the Illinois Sexually Transmitted

4 Infection Control Act.

5 (e) Information the disclosure of which is exempted

6 under Section 30 of the Radon Industry Licensing Act.

7 (f) Firm performance evaluations under Section 55 of

8 the Architectural, Engineering, and Land Surveying

9 Qualifications Based Selection Act.

10 (g) Information the disclosure of which is restricted

11 and exempted under Section 50 of the Illinois Prepaid

12 Tuition Act.

13 (h) Information the disclosure of which is exempted

14 under the State Officials and Employees Ethics Act, and

15 records of any lawfully created State or local inspector

16 general's office that would be exempt if created or

17 obtained by an Executive Inspector General's office under

18 that Act.

19 (i) Information contained in a local emergency energy

20 plan submitted to a municipality in accordance with a

21 local emergency energy plan ordinance that is adopted

22 under Section 11-21.5-5 of the Illinois Municipal Code.

23 (j) Information and data concerning the distribution

24 of surcharge moneys collected and remitted by carriers

25 under the Emergency Telephone System Act.

26 (k) Law enforcement officer identification information

10400SB0340sam001

- 61 -

LRB104 06459 JRC 37578 a

1 or driver identification information compiled by a law

2 enforcement agency or the Department of Transportation

3 under Section 11-212 of the Illinois Vehicle Code.

4 (l) Records and information provided to a residential

5 health care facility resident sexual assault and death

6 review team or the Executive Council under the Abuse

7 Prevention Review Team Act.

8 (m) Information provided to the predatory lending

9 database created pursuant to Article 3 of the Residential

10 Real Property Disclosure Act, except to the extent

11 authorized under that Article.

12 (n) Defense budgets and petitions for certification of

13 compensation and expenses for court appointed trial

14 counsel as provided under Sections 10 and 15 of the

15 Capital Crimes Litigation Act (repealed). This subsection

16 (n) shall apply until the conclusion of the trial of the

17 case, even if the prosecution chooses not to pursue the

18 death penalty prior to trial or sentencing.

19 (o) Information that is prohibited from being

20 disclosed under Section 4 of the Illinois Health and

21 Hazardous Substances Registry Act.

22 (p) Security portions of system safety program plans,

23 investigation reports, surveys, schedules, lists, data, or

24 information compiled, collected, or prepared by or for the

25 Department of Transportation under Sections 2705-300 and

26 2705-616 of the Department of Transportation Law of the

10400SB0340sam001

- 62 -

LRB104 06459 JRC 37578 a

1 Civil Administrative Code of Illinois, the Northern

2 Illinois Transit Authority under Section 2.11 of the

3 Northern Illinois Transit Authority Act, or the St. Clair

4 County Transit District under the Bi-State Transit Safety

5 Act (repealed).

6 (q) Information prohibited from being disclosed by the

7 Personnel Record Review Act.

8 (r) Information prohibited from being disclosed by the

9 Illinois School Student Records Act.

10 (s) Information the disclosure of which is restricted

11 under Section 5-108 of the Public Utilities Act.

12 (t) (Blank).

13 (u) Records and information provided to an independent

14 team of experts under the Developmental Disability and

15 Mental Health Safety Act (also known as Brian's Law).

16 (v) Names and information of people who have applied

17 for or received Firearm Owner's Identification Cards under

18 the Firearm Owners Identification Card Act or applied for

19 or received a concealed carry license under the Firearm

20 Concealed Carry Act, unless otherwise authorized by the

21 Firearm Concealed Carry Act; and databases under the

22 Firearm Concealed Carry Act, records of the Concealed

23 Carry Licensing Review Board under the Firearm Concealed

24 Carry Act, and law enforcement agency objections under the

25 Firearm Concealed Carry Act.

26 (v-5) Records of the Firearm Owner's Identification

10400SB0340sam001

- 63 -

LRB104 06459 JRC 37578 a

1 Card Review Board that are exempted from disclosure under

2 Section 10 of the Firearm Owners Identification Card Act.

3 (w) Personally identifiable information which is

4 exempted from disclosure under subsection (g) of Section

5 19.1 of the Toll Highway Act.

6 (x) Information which is exempted from disclosure

7 under Section 5-1014.3 of the Counties Code or Section

8 8-11-21 of the Illinois Municipal Code.

9 (y) Confidential information under the Adult

10 Protective Services Act and its predecessor enabling

11 statute, the Elder Abuse and Neglect Act, including

12 information about the identity and administrative finding

13 against any caregiver of a verified and substantiated

14 decision of abuse, neglect, or financial exploitation of

15 an eligible adult maintained in the Registry established

16 under Section 7.5 of the Adult Protective Services Act.

17 (z) Records and information provided to a fatality

18 review team or the Illinois Fatality Review Team Advisory

19 Council under Section 15 of the Adult Protective Services

20 Act.

21 (aa) Information which is exempted from disclosure

22 under Section 2.37 of the Wildlife Code.

23 (bb) Information which is or was prohibited from

24 disclosure by the Juvenile Court Act of 1987.

25 (cc) Recordings made under the Law Enforcement

26 Officer-Worn Body Camera Act, except to the extent

10400SB0340sam001

- 64 -

LRB104 06459 JRC 37578 a

1 authorized under that Act.

2 (dd) Information that is prohibited from being

3 disclosed under Section 45 of the Condominium and Common

4 Interest Community Ombudsperson Act.

5 (ee) Information that is exempted from disclosure

6 under Section 30.1 of the Pharmacy Practice Act.

7 (ff) Information that is exempted from disclosure

8 under the Revised Uniform Unclaimed Property Act.

9 (gg) Information that is prohibited from being

10 disclosed under Section 7-603.5 of the Illinois Vehicle

11 Code.

12 (hh) Records that are exempt from disclosure under

13 Section 1A-16.7 of the Election Code.

14 (ii) Information which is exempted from disclosure

15 under Section 2505-800 of the Department of Revenue Law of

16 the Civil Administrative Code of Illinois.

17 (jj) Information and reports that are required to be

18 submitted to the Department of Labor by registering day

19 and temporary labor service agencies but are exempt from

20 disclosure under subsection (a-1) of Section 45 of the Day

21 and Temporary Labor Services Act.

22 (kk) Information prohibited from disclosure under the

23 Seizure and Forfeiture Reporting Act.

24 (ll) Information the disclosure of which is restricted

25 and exempted under Section 5-30.8 of the Illinois Public

26 Aid Code.

10400SB0340sam001

- 65 -

LRB104 06459 JRC 37578 a

1 (mm) Records that are exempt from disclosure under

2 Section 4.2 of the Crime Victims Compensation Act.

3 (nn) Information that is exempt from disclosure under

4 Section 70 of the Higher Education Student Assistance Act.

5 (oo) Communications, notes, records, and reports

6 arising out of a peer support counseling session

7 prohibited from disclosure under the First Responders

8 Suicide Prevention Act.

9 (pp) Names and all identifying information relating to

10 an employee of an emergency services provider or law

11 enforcement agency under the First Responders Suicide

12 Prevention Act.

13 (qq) Information and records held by the Department of

14 Public Health and its authorized representatives collected

15 under the Reproductive Health Act.

16 (rr) Information that is exempt from disclosure under

17 the Cannabis Regulation and Tax Act.

18 (ss) Data reported by an employer to the Department of

19 Human Rights pursuant to Section 2-108 of the Illinois

20 Human Rights Act.

21 (tt) Recordings made under the Children's Advocacy

22 Center Act, except to the extent authorized under that

23 Act.

24 (uu) Information that is exempt from disclosure under

25 Section 50 of the Sexual Assault Evidence Submission Act.

26 (vv) Information that is exempt from disclosure under

10400SB0340sam001

- 66 -

LRB104 06459 JRC 37578 a

1 subsections (f) and (j) of Section 5-36 of the Illinois

2 Public Aid Code.

3 (ww) Information that is exempt from disclosure under

4 Section 16.8 of the State Treasurer Act.

5 (xx) Information that is exempt from disclosure or

6 information that shall not be made public under the

7 Illinois Insurance Code.

8 (yy) Information prohibited from being disclosed under

9 the Illinois Educational Labor Relations Act.

10 (zz) Information prohibited from being disclosed under

11 the Illinois Public Labor Relations Act.

12 (aaa) Information prohibited from being disclosed

13 under Section 1-167 of the Illinois Pension Code.

14 (bbb) Information that is prohibited from disclosure

15 by the Illinois Police Training Act and the Illinois State

16 Police Act.

17 (ccc) Records exempt from disclosure under Section

18 2605-304 of the Illinois State Police Law of the Civil

19 Administrative Code of Illinois.

20 (ddd) Information prohibited from being disclosed

21 under Section 35 of the Address Confidentiality for

22 Victims of Domestic Violence, Sexual Assault, Human

23 Trafficking, or Stalking Act.

24 (eee) Information prohibited from being disclosed

25 under subsection (b) of Section 75 of the Domestic

26 Violence Fatality Review Act.

10400SB0340sam001

- 67 -

LRB104 06459 JRC 37578 a

1 (fff) Images from cameras under the Expressway Camera

2 Act and all automated license plate reader (ALPR)

3 information used and collected by the Illinois State

4 Police. "ALPR information" means information gathered by

5 an ALPR or created from the analysis of data generated by

6 an ALPR. This subsection (fff) is inoperative on and after

7 July 1, 2028.

8 (ggg) Information prohibited from disclosure under

9 paragraph (3) of subsection (a) of Section 14 of the Nurse

10 Agency Licensing Act.

11 (hhh) Information submitted to the Illinois State

12 Police in an affidavit or application for an assault

13 weapon endorsement, assault weapon attachment endorsement,

14 .50 caliber rifle endorsement, or .50 caliber cartridge

15 endorsement under the Firearm Owners Identification Card

16 Act.

17 (iii) Data exempt from disclosure under Section 50 of

18 the School Safety Drill Act.

19 (jjj) Information exempt from disclosure under Section

20 30 of the Insurance Data Security Law.

21 (kkk) Confidential business information prohibited

22 from disclosure under Section 45 of the Paint Stewardship

23 Act.

24 (lll) Data exempt from disclosure under Section

25 2-3.196 of the School Code.

26 (mmm) Information prohibited from being disclosed

10400SB0340sam001

- 68 -

LRB104 06459 JRC 37578 a

1 under subsection (e) of Section 1-129 of the Illinois

2 Power Agency Act.

3 (nnn) Materials received by the Department of Commerce

4 and Economic Opportunity that are confidential under the

5 Music and Musicians Tax Credit and Jobs Act.

6 (ooo) Data or information provided pursuant to Section

7 20 of the Statewide Recycling Needs and Assessment Act.

8 (ppp) Information that is exempt from disclosure under

9 Section 28-11 of the Lawful Health Care Activity Act.

10 (qqq) Information that is exempt from disclosure under

11 Section 7-101 of the Illinois Human Rights Act.

12 (rrr) Information prohibited from being disclosed

13 under Section 4-2 of the Uniform Money Transmission

14 Modernization Act.

15 (sss) Information exempt from disclosure under Section

16 40 of the Student-Athlete Endorsement Rights Act.

17 (ttt) Audio recordings made under Section 30 of the

18 Illinois State Police Act, except to the extent authorized

19 under that Section.

20 (uuu) Information prohibited from being disclosed

21 under Section 30-5 of the Digital Assets Regulation Act.

22 (www) Data privacy and protection assessments made

23 available to the Attorney General under Section 18 of the

24 Illinois Consumer Data Privacy Act.

25 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

26 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

10400SB0340sam001

- 69 -

LRB104 06459 JRC 37578 a

1 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

2 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

3 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

4 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

5 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

6 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-457, eff.

7 6-1-26; revised 1-7-26.)

8 (Text of Section after amendment by P.A. 104-441)

9 Sec. 7.5. Statutory exemptions. To the extent provided for

10 by the statutes referenced below, the following shall be

11 exempt from inspection and copying:

12 (a) All information determined to be confidential

13 under Section 4002 of the Technology Advancement and

14 Development Act.

15 (b) Library circulation and order records identifying

16 library users with specific materials under the Library

17 Records Confidentiality Act.

18 (c) Applications, related documents, and medical

19 records received by the Experimental Organ Transplantation

20 Procedures Board and any and all documents or other

21 records prepared by the Experimental Organ Transplantation

22 Procedures Board or its staff relating to applications it

23 has received.

24 (d) Information and records held by the Department of

25 Public Health and its authorized representatives relating

10400SB0340sam001

- 70 -

LRB104 06459 JRC 37578 a

1 to known or suspected cases of sexually transmitted

2 infection or any information the disclosure of which is

3 restricted under the Illinois Sexually Transmitted

4 Infection Control Act.

5 (e) Information the disclosure of which is exempted

6 under Section 30 of the Radon Industry Licensing Act.

7 (f) Firm performance evaluations under Section 55 of

8 the Architectural, Engineering, and Land Surveying

9 Qualifications Based Selection Act.

10 (g) Information the disclosure of which is restricted

11 and exempted under Section 50 of the Illinois Prepaid

12 Tuition Act.

13 (h) Information the disclosure of which is exempted

14 under the State Officials and Employees Ethics Act, and

15 records of any lawfully created State or local inspector

16 general's office that would be exempt if created or

17 obtained by an Executive Inspector General's office under

18 that Act.

19 (i) Information contained in a local emergency energy

20 plan submitted to a municipality in accordance with a

21 local emergency energy plan ordinance that is adopted

22 under Section 11-21.5-5 of the Illinois Municipal Code.

23 (j) Information and data concerning the distribution

24 of surcharge moneys collected and remitted by carriers

25 under the Emergency Telephone System Act.

26 (k) Law enforcement officer identification information

10400SB0340sam001

- 71 -

LRB104 06459 JRC 37578 a

1 or driver identification information compiled by a law

2 enforcement agency or the Department of Transportation

3 under Section 11-212 of the Illinois Vehicle Code.

4 (l) Records and information provided to a residential

5 health care facility resident sexual assault and death

6 review team or the Executive Council under the Abuse

7 Prevention Review Team Act.

8 (m) Information provided to the predatory lending

9 database created pursuant to Article 3 of the Residential

10 Real Property Disclosure Act, except to the extent

11 authorized under that Article.

12 (n) Defense budgets and petitions for certification of

13 compensation and expenses for court appointed trial

14 counsel as provided under Sections 10 and 15 of the

15 Capital Crimes Litigation Act (repealed). This subsection

16 (n) shall apply until the conclusion of the trial of the

17 case, even if the prosecution chooses not to pursue the

18 death penalty prior to trial or sentencing.

19 (o) Information that is prohibited from being

20 disclosed under Section 4 of the Illinois Health and

21 Hazardous Substances Registry Act.

22 (p) Security portions of system safety program plans,

23 investigation reports, surveys, schedules, lists, data, or

24 information compiled, collected, or prepared by or for the

25 Department of Transportation under Sections 2705-300 and

26 2705-616 of the Department of Transportation Law of the

10400SB0340sam001

- 72 -

LRB104 06459 JRC 37578 a

1 Civil Administrative Code of Illinois, the Northern

2 Illinois Transit Authority under Section 2.11 of the

3 Northern Illinois Transit Authority Act, or the St. Clair

4 County Transit District under the Bi-State Transit Safety

5 Act (repealed).

6 (q) Information prohibited from being disclosed by the

7 Personnel Record Review Act.

8 (r) Information prohibited from being disclosed by the

9 Illinois School Student Records Act.

10 (s) Information the disclosure of which is restricted

11 under Section 5-108 of the Public Utilities Act.

12 (t) (Blank).

13 (u) Records and information provided to an independent

14 team of experts under the Developmental Disability and

15 Mental Health Safety Act (also known as Brian's Law).

16 (v) Names and information of people who have applied

17 for or received Firearm Owner's Identification Cards under

18 the Firearm Owners Identification Card Act or applied for

19 or received a concealed carry license under the Firearm

20 Concealed Carry Act, unless otherwise authorized by the

21 Firearm Concealed Carry Act; and databases under the

22 Firearm Concealed Carry Act, records of the Concealed

23 Carry Licensing Review Board under the Firearm Concealed

24 Carry Act, and law enforcement agency objections under the

25 Firearm Concealed Carry Act.

26 (v-5) Records of the Firearm Owner's Identification

10400SB0340sam001

- 73 -

LRB104 06459 JRC 37578 a

1 Card Review Board that are exempted from disclosure under

2 Section 10 of the Firearm Owners Identification Card Act.

3 (w) Personally identifiable information which is

4 exempted from disclosure under subsection (g) of Section

5 19.1 of the Toll Highway Act.

6 (x) Information which is exempted from disclosure

7 under Section 5-1014.3 of the Counties Code or Section

8 8-11-21 of the Illinois Municipal Code.

9 (y) Confidential information under the Adult

10 Protective Services Act and its predecessor enabling

11 statute, the Elder Abuse and Neglect Act, including

12 information about the identity and administrative finding

13 against any caregiver of a verified and substantiated

14 decision of abuse, neglect, or financial exploitation of

15 an eligible adult maintained in the Registry established

16 under Section 7.5 of the Adult Protective Services Act.

17 (z) Records and information provided to a fatality

18 review team or the Illinois Fatality Review Team Advisory

19 Council under Section 15 of the Adult Protective Services

20 Act.

21 (aa) Information which is exempted from disclosure

22 under Section 2.37 of the Wildlife Code.

23 (bb) Information which is or was prohibited from

24 disclosure by the Juvenile Court Act of 1987.

25 (cc) Recordings made under the Law Enforcement

26 Officer-Worn Body Camera Act, except to the extent

10400SB0340sam001

- 74 -

LRB104 06459 JRC 37578 a

1 authorized under that Act.

2 (dd) Information that is prohibited from being

3 disclosed under Section 45 of the Condominium and Common

4 Interest Community Ombudsperson Act.

5 (ee) Information that is exempted from disclosure

6 under Section 30.1 of the Pharmacy Practice Act.

7 (ff) Information that is exempted from disclosure

8 under the Revised Uniform Unclaimed Property Act.

9 (gg) Information that is prohibited from being

10 disclosed under Section 7-603.5 of the Illinois Vehicle

11 Code.

12 (hh) Records that are exempt from disclosure under

13 Section 1A-16.7 of the Election Code.

14 (ii) Information which is exempted from disclosure

15 under Section 2505-800 of the Department of Revenue Law of

16 the Civil Administrative Code of Illinois.

17 (jj) Information and reports that are required to be

18 submitted to the Department of Labor by registering day

19 and temporary labor service agencies but are exempt from

20 disclosure under subsection (a-1) of Section 45 of the Day

21 and Temporary Labor Services Act.

22 (kk) Information prohibited from disclosure under the

23 Seizure and Forfeiture Reporting Act.

24 (ll) Information the disclosure of which is restricted

25 and exempted under Section 5-30.8 of the Illinois Public

26 Aid Code.

10400SB0340sam001

- 75 -

LRB104 06459 JRC 37578 a

1 (mm) Records that are exempt from disclosure under

2 Section 4.2 of the Crime Victims Compensation Act.

3 (nn) Information that is exempt from disclosure under

4 Section 70 of the Higher Education Student Assistance Act.

5 (oo) Communications, notes, records, and reports

6 arising out of a peer support counseling session

7 prohibited from disclosure under the First Responders

8 Suicide Prevention Act.

9 (pp) Names and all identifying information relating to

10 an employee of an emergency services provider or law

11 enforcement agency under the First Responders Suicide

12 Prevention Act.

13 (qq) Information and records held by the Department of

14 Public Health and its authorized representatives collected

15 under the Reproductive Health Act.

16 (rr) Information that is exempt from disclosure under

17 the Cannabis Regulation and Tax Act.

18 (ss) Data reported by an employer to the Department of

19 Human Rights pursuant to Section 2-108 of the Illinois

20 Human Rights Act.

21 (tt) Recordings made under the Children's Advocacy

22 Center Act, except to the extent authorized under that

23 Act.

24 (uu) Information that is exempt from disclosure under

25 Section 50 of the Sexual Assault Evidence Submission Act.

26 (vv) Information that is exempt from disclosure under

10400SB0340sam001

- 76 -

LRB104 06459 JRC 37578 a

1 subsections (f) and (j) of Section 5-36 of the Illinois

2 Public Aid Code.

3 (ww) Information that is exempt from disclosure under

4 Section 16.8 of the State Treasurer Act.

5 (xx) Information that is exempt from disclosure or

6 information that shall not be made public under the

7 Illinois Insurance Code.

8 (yy) Information prohibited from being disclosed under

9 the Illinois Educational Labor Relations Act.

10 (zz) Information prohibited from being disclosed under

11 the Illinois Public Labor Relations Act.

12 (aaa) Information prohibited from being disclosed

13 under Section 1-167 of the Illinois Pension Code.

14 (bbb) Information that is prohibited from disclosure

15 by the Illinois Police Training Act and the Illinois State

16 Police Act.

17 (ccc) Records exempt from disclosure under Section

18 2605-304 of the Illinois State Police Law of the Civil

19 Administrative Code of Illinois.

20 (ddd) Information prohibited from being disclosed

21 under Section 35 of the Address Confidentiality for

22 Victims of Domestic Violence, Sexual Assault, Human

23 Trafficking, or Stalking Act.

24 (eee) Information prohibited from being disclosed

25 under subsection (b) of Section 75 of the Domestic

26 Violence Fatality Review Act.

10400SB0340sam001

- 77 -

LRB104 06459 JRC 37578 a

1 (fff) Images from cameras under the Expressway Camera

2 Act and all automated license plate reader (ALPR)

3 information used and collected by the Illinois State

4 Police. "ALPR information" means information gathered by

5 an ALPR or created from the analysis of data generated by

6 an ALPR. This subsection (fff) is inoperative on and after

7 July 1, 2028.

8 (ggg) Information prohibited from disclosure under

9 paragraph (3) of subsection (a) of Section 14 of the Nurse

10 Agency Licensing Act.

11 (hhh) Information submitted to the Illinois State

12 Police in an affidavit or application for an assault

13 weapon endorsement, assault weapon attachment endorsement,

14 .50 caliber rifle endorsement, or .50 caliber cartridge

15 endorsement under the Firearm Owners Identification Card

16 Act.

17 (iii) Data exempt from disclosure under Section 50 of

18 the School Safety Drill Act.

19 (jjj) Information exempt from disclosure under Section

20 30 of the Insurance Data Security Law.

21 (kkk) Confidential business information prohibited

22 from disclosure under Section 45 of the Paint Stewardship

23 Act.

24 (lll) Data exempt from disclosure under Section

25 2-3.196 of the School Code.

26 (mmm) Information prohibited from being disclosed

10400SB0340sam001

- 78 -

LRB104 06459 JRC 37578 a

1 under subsection (e) of Section 1-129 of the Illinois

2 Power Agency Act.

3 (nnn) Materials received by the Department of Commerce

4 and Economic Opportunity that are confidential under the

5 Music and Musicians Tax Credit and Jobs Act.

6 (ooo) Data or information provided pursuant to Section

7 20 of the Statewide Recycling Needs and Assessment Act.

8 (ppp) Information that is exempt from disclosure under

9 Section 28-11 of the Lawful Health Care Activity Act.

10 (qqq) Information that is exempt from disclosure under

11 Section 7-101 of the Illinois Human Rights Act.

12 (rrr) Information prohibited from being disclosed

13 under Section 4-2 of the Uniform Money Transmission

14 Modernization Act.

15 (sss) Information exempt from disclosure under Section

16 40 of the Student-Athlete Endorsement Rights Act.

17 (ttt) Audio recordings made under Section 30 of the

18 Illinois State Police Act, except to the extent authorized

19 under that Section.

20 (uuu) Information prohibited from being disclosed

21 under Section 30-5 of the Digital Assets Regulation Act.

22 (vvv) ~~(uuu)~~ Information exempt from disclosure under

23 Section 70 of the End-of-Life Options for Terminally Ill

24 Patients Act.

25 (www) Data privacy and protection assessments made

26 available to the Attorney General under Section 18 of the

10400SB0340sam001

- 79 -

LRB104 06459 JRC 37578 a

1 Illinois Consumer Data Privacy Act.

2 (Source: P.A. 103-8, eff. 6-7-23; 103-34, eff. 6-9-23;

3 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff.

4 8-1-24; 103-508, eff. 8-4-23; 103-580, eff. 12-8-23; 103-592,

5 eff. 6-7-24; 103-605, eff. 7-1-24; 103-636, eff. 7-1-24;

6 103-724, eff. 1-1-25; 103-786, eff. 8-7-24; 103-859, eff.

7 8-9-24; 103-991, eff. 8-9-24; 103-1049, eff. 8-9-24; 103-1081,

8 eff. 3-21-25; 104-10, eff. 6-16-25; 104-18, eff. 6-30-25;

9 104-417, eff. 8-15-25; 104-428, eff. 8-18-25; 104-441, eff.

10 9-12-26; 104-457, eff. 6-1-26; revised 1-7-26.)

11 Section 905. The Consumer Fraud and Deceptive Business

12 Practices Act is amended by adding Section 2MMMM as follows:

13 (815 ILCS 505/2MMMM new)

14 Sec. 2MMMM. Violations of the Illinois Consumer Data

15 Privacy Act. Any person who violates the Illinois Consumer

16 Data Privacy Act commits an unlawful practice within the

17 meaning of this Act.

18 Section 995. No acceleration or delay. Where this Act

19 makes changes in a statute that is represented in this Act by

20 text that is not yet or no longer in effect (for example, a

21 Section represented by multiple versions), the use of that

22 text does not accelerate or delay the taking effect of (i) the

23 changes made by this Act or (ii) provisions derived from any

10400SB0340sam001

- 80 -

LRB104 06459 JRC 37578 a

1 other Public Act.

2 Section 999. Effective date. This Act takes effect January

3 1, 2027.".