|
Sen. Sue Rezin
Filed: 3/13/2023
| | 10300SB1126sam001 | | LRB103 05565 SPS 58495 a |
|
|
| 1 | | AMENDMENT TO SENATE BILL 1126
|
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 1126 by replacing |
| 3 | | everything after the enacting clause with the following:
|
| 4 | | "Section 1. Short title. This Act may be cited as the |
| 5 | | Illinois Age-Appropriate Design Code Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Child" or "children", unless otherwise specified, means a |
| 8 | | consumer or consumers who are under 18 years of age. |
| 9 | | "Data protection impact assessment" means a systematic |
| 10 | | survey to assess and mitigate risks that arise from the data |
| 11 | | management practices of the business to children who are |
| 12 | | reasonably likely to access the online service, product, or |
| 13 | | feature at issue that arises from the provision of that online |
| 14 | | service, product, or feature. |
| 15 | | "Default" means a preselected option adopted by the |
| 16 | | business for the online service, product, or feature.
|
|
| | 10300SB1126sam001 | - 2 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | "Likely to be accessed by children" means it is reasonable |
| 2 | | to expect, based on the following indicators, that the online |
| 3 | | service, product, or feature would be accessed by children: |
| 4 | | (1) the online service, product, or feature is |
| 5 | | directed to children as defined by the Children's Online |
| 6 | | Privacy Protection Act (15 U.S.C. 6501 et seq.); |
| 7 | | (2) the online service, product, or feature is |
| 8 | | determined, based on competent and reliable evidence |
| 9 | | regarding audience composition, to be routinely accessed |
| 10 | | by a significant number of children; |
| 11 | | (3) an online service, product, or feature with |
| 12 | | advertisements marketed to children; |
| 13 | | (4) an online service, product, or feature that is |
| 14 | | substantially similar or the same as an online service, |
| 15 | | product, or feature subject to paragraph (2); |
| 16 | | (5) an online service, product, or feature that has |
| 17 | | design elements that are known to be of interest to |
| 18 | | children, including, but not limited to, games, cartoons, |
| 19 | | music, and celebrities who appeal to children; and |
| 20 | | (6) a significant amount of the audience of the online |
| 21 | | service, product, or feature is determined, based on |
| 22 | | internal company research, to be children. |
| 23 | | "Online service, product, or feature" does not mean any of |
| 24 | | the following: |
| 25 | | (1) a broadband Internet access service; |
| 26 | | (2) a telecommunications service; or |
|
| | 10300SB1126sam001 | - 3 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | (3) the delivery or use of a physical product. |
| 2 | | "Profiling" means any form of automated processing of |
| 3 | | personal information that uses personal information to |
| 4 | | evaluate certain aspects relating to a natural person, |
| 5 | | including analyzing or predicting aspects concerning a natural |
| 6 | | person's performance at work, economic situation, health, |
| 7 | | personal preferences, interests, reliability, behavior, |
| 8 | | location, or movements.
|
| 9 | | Section 10. Requirements for businesses that provide an |
| 10 | | online service to children. |
| 11 | | (a) A business that provides an online service, product, |
| 12 | | or feature likely to be accessed by children shall take all of |
| 13 | | the following actions: |
| 14 | | (1) Before any new online services, products, or |
| 15 | | features are offered to the public, complete a data |
| 16 | | protection impact assessment for any online service, |
| 17 | | product, or feature likely to be accessed by children and |
| 18 | | maintain documentation of this assessment as long as the |
| 19 | | online service, product, or feature is likely to be |
| 20 | | accessed by children. A business shall biennially review |
| 21 | | all data protection impact assessments. The data |
| 22 | | protection impact assessment required by this paragraph |
| 23 | | shall identify the purpose of the online service, product, |
| 24 | | or feature, how it uses children's personal information, |
| 25 | | and the risks of material detriment to children that arise |
|
| | 10300SB1126sam001 | - 4 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | from the data management practices of the business. The |
| 2 | | data protection impact assessment shall address, to the |
| 3 | | extent applicable, all of the following: |
| 4 | | (A) whether the design of the online product, |
| 5 | | service, or feature could harm children, including by |
| 6 | | exposing children to harmful, or potentially harmful, |
| 7 | | content on the online product, service, or feature; |
| 8 | | (B) whether the design of the online product, |
| 9 | | service, or feature could lead to children |
| 10 | | experiencing or being targeted by harmful, or |
| 11 | | potentially harmful, contacts on the online product, |
| 12 | | service, or feature; |
| 13 | | (C) whether the design of the online product, |
| 14 | | service, or feature could permit children to witness, |
| 15 | | participate in, or be subject to harmful, or |
| 16 | | potentially harmful, conduct on the online product, |
| 17 | | service, or feature; |
| 18 | | (D) whether the design of the online product, |
| 19 | | service, or feature could allow children to be party |
| 20 | | to or exploited by a harmful, or potentially harmful, |
| 21 | | contact on the online product, service, or feature; |
| 22 | | (E) whether algorithms used by the online product, |
| 23 | | service, or feature could harm children; |
| 24 | | (F) whether targeted advertising systems used by |
| 25 | | the online product, service, or feature could harm |
| 26 | | children; |
|
| | 10300SB1126sam001 | - 5 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | (G) whether and how the online product, service, |
| 2 | | or feature uses system design features to increase, |
| 3 | | sustain, or extend use of the online product, service, |
| 4 | | or feature by children, including the automatic |
| 5 | | playing of media, rewards for time spent, and |
| 6 | | notifications; and |
| 7 | | (H) whether, how, and for what purpose the online |
| 8 | | product, service, or feature collects or processes |
| 9 | | sensitive personal information of children. |
| 10 | | (2) Document any risk of material detriment to |
| 11 | | children that arises from the data management practices of |
| 12 | | the business identified in the data protection impact |
| 13 | | assessment required by paragraph (1) and create a timed |
| 14 | | plan to mitigate or eliminate the risk before the online |
| 15 | | service, product, or feature is accessed by children. |
| 16 | | (3) Within 3 business days of a written request by the |
| 17 | | Attorney General, provide to the Attorney General a list |
| 18 | | of all data protection impact assessments the business has |
| 19 | | completed. |
| 20 | | (4) For any data protection impact assessment |
| 21 | | completed as required by paragraph (1), make the data |
| 22 | | protection impact assessment available, within 5 business |
| 23 | | days, to the Attorney General pursuant to a written |
| 24 | | request. To the extent any information contained in a data |
| 25 | | protection impact assessment disclosed to the Attorney |
| 26 | | General includes information subject to attorney-client |
|
| | 10300SB1126sam001 | - 6 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | privilege or work product protection, disclosure required |
| 2 | | by this paragraph shall not constitute a waiver of that |
| 3 | | privilege or protection. |
| 4 | | (5) Estimate the age of child users with a reasonable |
| 5 | | level of certainty appropriate to the risks that arise |
| 6 | | from the data management practices of the business or |
| 7 | | apply the privacy and data protections afforded to |
| 8 | | children to all consumers. |
| 9 | | (6) Configure all default privacy settings provided to |
| 10 | | children by the online service, product, or feature to |
| 11 | | settings that offer a high level of privacy, unless the |
| 12 | | business can demonstrate a compelling reason that a |
| 13 | | different setting is in the best interests of children. |
| 14 | | (7) Provide any privacy information, terms of service, |
| 15 | | policies, and community standards concisely, prominently, |
| 16 | | and using clear language suited to the age of children |
| 17 | | likely to access that online service, product, or feature. |
| 18 | | (8) If the online service, product, or feature allows |
| 19 | | the child's parent, guardian, or any other consumer to |
| 20 | | monitor the child's online activity or track the child's |
| 21 | | location, provide an obvious signal to the child when the |
| 22 | | child is being monitored or tracked. |
| 23 | | (9) Enforce published terms, policies, and community |
| 24 | | standards established by the business, including, but not |
| 25 | | limited to, privacy policies and those concerning |
| 26 | | children. |
|
| | 10300SB1126sam001 | - 7 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | (10) Provide prominent, accessible, and responsive |
| 2 | | tools to help children, or if applicable their parents or |
| 3 | | guardians, exercise their privacy rights and report |
| 4 | | concerns. |
| 5 | | (b) A business that provides an online service, product, |
| 6 | | or feature likely to be accessed by children shall not take any |
| 7 | | of the following actions: |
| 8 | | (1) Use the personal information of any child in a way |
| 9 | | that the business knows, or has reason to know, is |
| 10 | | materially detrimental to the physical health, mental |
| 11 | | health, or well-being of a child. |
| 12 | | (2) Profile a child by default unless the following |
| 13 | | criteria are met: |
| 14 | | (A) the business can demonstrate it has |
| 15 | | appropriate safeguards in place to protect children; |
| 16 | | and |
| 17 | | (B) either of the following is true: |
| 18 | | (i) profiling is necessary to provide the |
| 19 | | online service, product, or feature requested and |
| 20 | | only with respect to the aspects of the online |
| 21 | | service, product, or feature with which the child |
| 22 | | is actively and knowingly engaged; or |
| 23 | | (ii) the business can demonstrate a compelling |
| 24 | | reason that profiling is in the best interests of |
| 25 | | children. |
| 26 | | (3) Collect, sell, share, or retain any personal |
|
| | 10300SB1126sam001 | - 8 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | information that is not necessary to provide an online |
| 2 | | service, product, or feature with which a child is |
| 3 | | actively and knowingly engaged unless the business can |
| 4 | | demonstrate a compelling reason that the collecting, |
| 5 | | selling, sharing, or retaining of the personal information |
| 6 | | is in the best interests of children likely to access the |
| 7 | | online service, product, or feature. |
| 8 | | (4) If the end user is a child, use personal |
| 9 | | information for any reason other than a reason for which |
| 10 | | that personal information was collected, unless the |
| 11 | | business can demonstrate a compelling reason that use of |
| 12 | | the personal information is in the best interests of |
| 13 | | children. |
| 14 | | (5) Collect, sell, or share any precise geolocation |
| 15 | | information of children by default unless the collection |
| 16 | | of that precise geolocation information is strictly |
| 17 | | necessary for the business to provide the service, |
| 18 | | product, or feature requested and then only for the |
| 19 | | limited time that the collection of precise geolocation |
| 20 | | information is necessary to provide the service, product, |
| 21 | | or feature. |
| 22 | | (6) Collect any precise geolocation information of a |
| 23 | | child without providing an obvious sign to the child for |
| 24 | | the duration of that collection that precise geolocation |
| 25 | | information is being collected. |
| 26 | | (7) Use dark patterns to lead or encourage children to |
|
| | 10300SB1126sam001 | - 9 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | provide personal information beyond what is reasonably |
| 2 | | expected to provide that online service, product, or |
| 3 | | feature to bypass privacy protections, or to take any |
| 4 | | action that the business knows, or has reason to know, is |
| 5 | | materially detrimental to the child's physical health, |
| 6 | | mental health, or well-being. |
| 7 | | (8) Use any personal information collected to estimate |
| 8 | | age or age range for any other purpose or retain that |
| 9 | | personal information longer than necessary to estimate |
| 10 | | age. Age assurance shall be proportionate to the risks and |
| 11 | | data practice of an online service, product, or feature. |
| 12 | | (c) A data protection impact assessment conducted by a |
| 13 | | business for the purpose of compliance with any other law |
| 14 | | complies with this Section if the data protection impact |
| 15 | | assessment meets the requirements of this Act. A single data |
| 16 | | protection impact assessment may contain multiple similar |
| 17 | | processing operations that present similar risks only if each |
| 18 | | relevant online service, product, or feature is addressed.
|
| 19 | | Section 15. Children's Data Protection Working Group. |
| 20 | | (a) The Children's Data Protection Working Group is hereby |
| 21 | | created to deliver a report to the General Assembly, as |
| 22 | | described in subsection (e), regarding best practices for the |
| 23 | | implementation of this Act. |
| 24 | | (b) Working Group members shall consist of residents of |
| 25 | | this State with expertise in at least 2 of the following areas: |
|
| | 10300SB1126sam001 | - 10 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | (1) children's data privacy; |
| 2 | | (2) physical health; |
| 3 | | (3) mental health and well-being; |
| 4 | | (4) computer science; and |
| 5 | | (5) children's rights. |
| 6 | | (c) The Working Group shall select a chairperson and a |
| 7 | | vice chairperson from among its members and shall consist of |
| 8 | | the following 8 members: |
| 9 | | (1) two members appointed by the Governor; |
| 10 | | (2) two members appointed by the President of the |
| 11 | | Senate; |
| 12 | | (3) two members appointed by the Speaker of the House |
| 13 | | of Representatives; and |
| 14 | | (4) two members appointed by the Attorney General. |
| 15 | | (d) The Working Group shall take input from a broad range |
| 16 | | of stakeholders, including from academia, consumer advocacy |
| 17 | | groups, and small, medium, and large businesses affected by |
| 18 | | data privacy policies and shall make recommendations to the |
| 19 | | General Assembly on best practices regarding, at minimum, all |
| 20 | | of the following: |
| 21 | | (1) identifying online services, products, or features |
| 22 | | likely to be accessed by children; |
| 23 | | (2) evaluating and prioritizing the best interests of |
| 24 | | children with respect to their privacy, physical health, |
| 25 | | and mental health and well-being and evaluating how those |
| 26 | | interests may be furthered by the design, development, and |
|
| | 10300SB1126sam001 | - 11 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | implementation of an online service, product, or feature; |
| 2 | | (3) ensuring that age assurance methods used by |
| 3 | | businesses that provide online services, products, or |
| 4 | | features likely to be accessed by children are |
| 5 | | proportionate to the risks that arise from the data |
| 6 | | management practices of the business, privacy protective, |
| 7 | | and minimally invasive; |
| 8 | | (4) assessing and mitigating risks to children that |
| 9 | | arise from the use of an online service, product, or |
| 10 | | feature; and |
| 11 | | (5) publishing privacy information, policies, and |
| 12 | | standards in concise, clear language suited for the age of |
| 13 | | children likely to access an online service, product, or |
| 14 | | feature. |
| 15 | | (e) On or before January 1, 2024, and every 2 years |
| 16 | | thereafter, the Working Group shall submit a report to the |
| 17 | | General Assembly regarding the recommendations described in |
| 18 | | subsection (d). |
| 19 | | (f) The members of the Working Group shall serve without |
| 20 | | compensation but shall be reimbursed for all necessary |
| 21 | | expenses actually incurred in the performance of their duties. |
| 22 | | (g) The Working Group is dissolved, and this Section is |
| 23 | | repealed, on January 1, 2030.
|
| 24 | | Section 20. Data protection impact assessment. |
| 25 | | (a) A business shall complete a data protection impact |
|
| | 10300SB1126sam001 | - 12 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | assessment on or before July 1, 2024, for any online service, |
| 2 | | product, or feature likely to be accessed by children offered |
| 3 | | to the public before July 1, 2024. |
| 4 | | (b) This Section does not apply to an online service, |
| 5 | | product, or feature that is not offered to the public on or |
| 6 | | after July 1, 2024.
|
| 7 | | Section 25. Violations; civil penalties |
| 8 | | (a) Any business that violates this Act shall be subject |
| 9 | | to an injunction and liable for a civil penalty of not more |
| 10 | | than $2,500 per affected child for each negligent violation or |
| 11 | | not more than $7,500 per affected child for each intentional |
| 12 | | violation, that shall be assessed and recovered only in a |
| 13 | | civil action brought by the Attorney General. |
| 14 | | (b) If a business is in substantial compliance with the |
| 15 | | requirements of paragraphs (1) through (4) of subsection (a) |
| 16 | | of Section 10, the Attorney General shall provide written |
| 17 | | notice to the business, before initiating an action under this |
| 18 | | Act, identifying the specific provisions of this Act that the |
| 19 | | Attorney General alleges have been or are being violated. |
| 20 | | (c) If, within 90 days after the notice required by |
| 21 | | subsection (b), the business cures any noticed violation and |
| 22 | | provides the Attorney General a written statement that the |
| 23 | | alleged violations have been cured, and sufficient measures |
| 24 | | have been taken to prevent future violations, the business |
| 25 | | shall not be liable for a civil penalty for any violation cured |
|
| | 10300SB1126sam001 | - 13 - | LRB103 05565 SPS 58495 a |
|
|
| 1 | | under this subsection. |
| 2 | | (d) Any penalties, fees, and expenses recovered in an |
| 3 | | action brought under this Act shall be deposited into the |
| 4 | | General Revenue Fund. |
| 5 | | (e) Nothing in this Act shall be interpreted to serve as |
| 6 | | the basis for a private right of action under this Act or any |
| 7 | | other law. |
| 8 | | (f) The Attorney General may solicit broad public |
| 9 | | participation and adopt regulations to clarify the |
| 10 | | requirements of this Act.".
|