Sen. Sue Rezin

Filed: 3/13/2023

10300SB1126sam001 LRB103 05565 SPS 58495 a

AMENDMENT TO SENATE BILL 1126

    AMENDMENT NO. ______. Amend Senate Bill 1126 by replacing
everything after the enacting clause with the following:

    "Section 1. Short title. This Act may be cited as the
Illinois Age-Appropriate Design Code Act.

    Section 5. Definitions. As used in this Act:
    "Child" or "children", unless otherwise specified, means a
consumer or consumers who are under 18 years of age.
    "Data protection impact assessment" means a systematic
survey to assess and mitigate risks that arise from the data
management practices of the business to children who are
reasonably likely to access the online service, product, or
feature at issue that arises from the provision of that online
service, product, or feature.
    "Default" means a preselected option adopted by the
business for the online service, product, or feature.
    "Likely to be accessed by children" means it is reasonable
to expect, based on the following indicators, that the online
service, product, or feature would be accessed by children:
        (1) the online service, product, or feature is
    directed to children as defined by the Children's Online
    Privacy Protection Act (15 U.S.C. 6501 et seq.);
        (2) the online service, product, or feature is
    determined, based on competent and reliable evidence
    regarding audience composition, to be routinely accessed
    by a significant number of children;
        (3) an online service, product, or feature with
    advertisements marketed to children;
        (4) an online service, product, or feature that is
    substantially similar or the same as an online service,
    product, or feature subject to paragraph (2);
        (5) an online service, product, or feature that has
    design elements that are known to be of interest to
    children, including, but not limited to, games, cartoons,
    music, and celebrities who appeal to children; and
        (6) a significant amount of the audience of the online
    service, product, or feature is determined, based on
    internal company research, to be children.
    "Online service, product, or feature" does not mean any of
the following:
        (1) a broadband Internet access service;
        (2) a telecommunications service; or
        (3) the delivery or use of a physical product.
    "Profiling" means any form of automated processing of
personal information that uses personal information to
evaluate certain aspects relating to a natural person,
including analyzing or predicting aspects concerning a natural
person's performance at work, economic situation, health,
personal preferences, interests, reliability, behavior,
location, or movements.

    Section 10. Requirements for businesses that provide an
online service to children.
    (a) A business that provides an online service, product,
or feature likely to be accessed by children shall take all of
the following actions:
        (1) Before any new online services, products, or
    features are offered to the public, complete a data
    protection impact assessment for any online service,
    product, or feature likely to be accessed by children and
    maintain documentation of this assessment as long as the
    online service, product, or feature is likely to be
    accessed by children. A business shall biennially review
    all data protection impact assessments. The data
    protection impact assessment required by this paragraph
    shall identify the purpose of the online service, product,
    or feature, how it uses children's personal information,
    and the risks of material detriment to children that arise
    from the data management practices of the business. The
    data protection impact assessment shall address, to the
    extent applicable, all of the following:
            (A) whether the design of the online product,
        service, or feature could harm children, including by
        exposing children to harmful, or potentially harmful,
        content on the online product, service, or feature;
            (B) whether the design of the online product,
        service, or feature could lead to children
        experiencing or being targeted by harmful, or
        potentially harmful, contacts on the online product,
        service, or feature;
            (C) whether the design of the online product,
        service, or feature could permit children to witness,
        participate in, or be subject to harmful, or
        potentially harmful, conduct on the online product,
        service, or feature;
            (D) whether the design of the online product,
        service, or feature could allow children to be party
        to or exploited by a harmful, or potentially harmful,
        contact on the online product, service, or feature;
            (E) whether algorithms used by the online product,
        service, or feature could harm children;
            (F) whether targeted advertising systems used by
        the online product, service, or feature could harm
        children;
            (G) whether and how the online product, service,
        or feature uses system design features to increase,
        sustain, or extend use of the online product, service,
        or feature by children, including the automatic
        playing of media, rewards for time spent, and
        notifications; and
            (H) whether, how, and for what purpose the online
        product, service, or feature collects or processes
        sensitive personal information of children.
        (2) Document any risk of material detriment to
    children that arises from the data management practices of
    the business identified in the data protection impact
    assessment required by paragraph (1) and create a timed
    plan to mitigate or eliminate the risk before the online
    service, product, or feature is accessed by children.
        (3) Within 3 business days of a written request by the
    Attorney General, provide to the Attorney General a list
    of all data protection impact assessments the business has
    completed.
        (4) For any data protection impact assessment
    completed as required by paragraph (1), make the data
    protection impact assessment available, within 5 business
    days, to the Attorney General pursuant to a written
    request. To the extent any information contained in a data
    protection impact assessment disclosed to the Attorney
    General includes information subject to attorney-client
    privilege or work product protection, disclosure required
    by this paragraph shall not constitute a waiver of that
    privilege or protection.
        (5) Estimate the age of child users with a reasonable
    level of certainty appropriate to the risks that arise
    from the data management practices of the business or
    apply the privacy and data protections afforded to
    children to all consumers.
        (6) Configure all default privacy settings provided to
    children by the online service, product, or feature to
    settings that offer a high level of privacy, unless the
    business can demonstrate a compelling reason that a
    different setting is in the best interests of children.
        (7) Provide any privacy information, terms of service,
    policies, and community standards concisely, prominently,
    and using clear language suited to the age of children
    likely to access that online service, product, or feature.
        (8) If the online service, product, or feature allows
    the child's parent, guardian, or any other consumer to
    monitor the child's online activity or track the child's
    location, provide an obvious signal to the child when the
    child is being monitored or tracked.
        (9) Enforce published terms, policies, and community
    standards established by the business, including, but not
    limited to, privacy policies and those concerning
    children.
        (10) Provide prominent, accessible, and responsive
    tools to help children, or if applicable their parents or
    guardians, exercise their privacy rights and report
    concerns.
    (b) A business that provides an online service, product,
or feature likely to be accessed by children shall not take any
of the following actions:
        (1) Use the personal information of any child in a way
    that the business knows, or has reason to know, is
    materially detrimental to the physical health, mental
    health, or well-being of a child.
        (2) Profile a child by default unless the following
    criteria are met:
            (A) the business can demonstrate it has
        appropriate safeguards in place to protect children;
        and
            (B) either of the following is true:
                (i) profiling is necessary to provide the
            online service, product, or feature requested and
            only with respect to the aspects of the online
            service, product, or feature with which the child
            is actively and knowingly engaged; or
                (ii) the business can demonstrate a compelling
            reason that profiling is in the best interests of
            children.
        (3) Collect, sell, share, or retain any personal
    information that is not necessary to provide an online
    service, product, or feature with which a child is
    actively and knowingly engaged unless the business can
    demonstrate a compelling reason that the collecting,
    selling, sharing, or retaining of the personal information
    is in the best interests of children likely to access the
    online service, product, or feature.
        (4) If the end user is a child, use personal
    information for any reason other than a reason for which
    that personal information was collected, unless the
    business can demonstrate a compelling reason that use of
    the personal information is in the best interests of
    children.
        (5) Collect, sell, or share any precise geolocation
    information of children by default unless the collection
    of that precise geolocation information is strictly
    necessary for the business to provide the service,
    product, or feature requested and then only for the
    limited time that the collection of precise geolocation
    information is necessary to provide the service, product,
    or feature.
        (6) Collect any precise geolocation information of a
    child without providing an obvious sign to the child for
    the duration of that collection that precise geolocation
    information is being collected.
        (7) Use dark patterns to lead or encourage children to
    provide personal information beyond what is reasonably
    expected to provide that online service, product, or
    feature to bypass privacy protections, or to take any
    action that the business knows, or has reason to know, is
    materially detrimental to the child's physical health,
    mental health, or well-being.
        (8) Use any personal information collected to estimate
    age or age range for any other purpose or retain that
    personal information longer than necessary to estimate
    age. Age assurance shall be proportionate to the risks and
    data practice of an online service, product, or feature.
    (c) A data protection impact assessment conducted by a
business for the purpose of compliance with any other law
complies with this Section if the data protection impact
assessment meets the requirements of this Act. A single data
protection impact assessment may contain multiple similar
processing operations that present similar risks only if each
relevant online service, product, or feature is addressed.

    Section 15. Children's Data Protection Working Group.
    (a) The Children's Data Protection Working Group is hereby
created to deliver a report to the General Assembly, as
described in subsection (e), regarding best practices for the
implementation of this Act.
    (b) Working Group members shall consist of residents of
this State with expertise in at least 2 of the following areas:
        (1) children's data privacy;
        (2) physical health;
        (3) mental health and well-being;
        (4) computer science; and
        (5) children's rights.
    (c) The Working Group shall select a chairperson and a
vice chairperson from among its members and shall consist of
the following 8 members:
        (1) two members appointed by the Governor;
        (2) two members appointed by the President of the
    Senate;
        (3) two members appointed by the Speaker of the House
    of Representatives; and
        (4) two members appointed by the Attorney General.
    (d) The Working Group shall take input from a broad range
of stakeholders, including from academia, consumer advocacy
groups, and small, medium, and large businesses affected by
data privacy policies and shall make recommendations to the
General Assembly on best practices regarding, at minimum, all
of the following:
        (1) identifying online services, products, or features
    likely to be accessed by children;
        (2) evaluating and prioritizing the best interests of
    children with respect to their privacy, physical health,
    and mental health and well-being and evaluating how those
    interests may be furthered by the design, development, and
    implementation of an online service, product, or feature;
        (3) ensuring that age assurance methods used by
    businesses that provide online services, products, or
    features likely to be accessed by children are
    proportionate to the risks that arise from the data
    management practices of the business, privacy protective,
    and minimally invasive;
        (4) assessing and mitigating risks to children that
    arise from the use of an online service, product, or
    feature; and
        (5) publishing privacy information, policies, and
    standards in concise, clear language suited for the age of
    children likely to access an online service, product, or
    feature.
    (e) On or before January 1, 2024, and every 2 years
thereafter, the Working Group shall submit a report to the
General Assembly regarding the recommendations described in
subsection (d).
    (f) The members of the Working Group shall serve without
compensation but shall be reimbursed for all necessary
expenses actually incurred in the performance of their duties.
    (g) The Working Group is dissolved, and this Section is
repealed, on January 1, 2030.

    Section 20. Data protection impact assessment.
    (a) A business shall complete a data protection impact
assessment on or before July 1, 2024, for any online service,
product, or feature likely to be accessed by children offered
to the public before July 1, 2024.
    (b) This Section does not apply to an online service,
product, or feature that is not offered to the public on or
after July 1, 2024.

    Section 25. Violations; civil penalties
    (a) Any business that violates this Act shall be subject
to an injunction and liable for a civil penalty of not more
than $2,500 per affected child for each negligent violation or
not more than $7,500 per affected child for each intentional
violation, that shall be assessed and recovered only in a
civil action brought by the Attorney General.
    (b) If a business is in substantial compliance with the
requirements of paragraphs (1) through (4) of subsection (a)
of Section 10, the Attorney General shall provide written
notice to the business, before initiating an action under this
Act, identifying the specific provisions of this Act that the
Attorney General alleges have been or are being violated.
    (c) If, within 90 days after the notice required by
subsection (b), the business cures any noticed violation and
provides the Attorney General a written statement that the
alleged violations have been cured, and sufficient measures
have been taken to prevent future violations, the business
shall not be liable for a civil penalty for any violation cured
under this subsection.
    (d) Any penalties, fees, and expenses recovered in an
action brought under this Act shall be deposited into the
General Revenue Fund.
    (e) Nothing in this Act shall be interpreted to serve as
the basis for a private right of action under this Act or any
other law.
    (f) The Attorney General may solicit broad public
participation and adopt regulations to clarify the
requirements of this Act.".