103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3334

Introduced 2/7/2024, by Sen. Sue Rezin

SYNOPSIS AS INTRODUCED:
New Act
30 ILCS 105/5.1015 new

Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.

A BILL FOR

| | SB3334 | | LRB103 38209 SPS 68343 b |

1 | | AN ACT concerning business. |
2 | | Be it enacted by the People of the State of Illinois, |
3 | | represented in the General Assembly: |
4 | | Section 1. Short title. This Act may be cited as the |
5 | | Illinois Age-Appropriate Design Code Act. |
6 | | Section 5. Intent. It is the intent of the General |
7 | | Assembly that nothing in this Act shall be construed to |
8 | | infringe on the existing rights and freedoms of children. |
9 | | Section 10. Definitions. As used in this Act: |
10 | | "Affiliate" means a legal entity that controls, is |
11 | | controlled by, or is under common control with, another legal |
12 | | entity. For the purposes of this definition, "control" or |
13 | | "controlled" means: (i) ownership of, or the power to vote, |
14 | | more than 50% of the outstanding shares of any class of voting |
15 | | security of a covered entity; (ii) control in any manner over |
16 | | the election of a majority of the directors or of individuals |
17 | | exercising similar functions; or (iii) the power to exercise a |
18 | | controlling influence over the management of a covered entity. |
19 | | "Age-appropriate" means a recognition of the distinct |
20 | | needs and diversities of children at different age ranges. In |
21 | | order to help support the design of online services, products, |
22 | | and features, covered entities should take into account the |
1 | | unique needs and diversities of different age ranges, |
2 | | including the following developmental stages: 0 to 5 years of |
3 | | age or preliterate and early literacy; 6-9 years of age or core |
4 | | primary school years; 10 to 12 years of age or transition |
5 | | years; 13 to 15 years of age or early teens; and 16 to 17 years |
6 | | of age or approaching adulthood. |
7 | | "Best interests of children" means the use, by a covered |
8 | | entity, of the personal data of a child or the design of an |
9 | | online service, product, or feature in a way that: |
10 | | (1) will not benefit the covered entity to the |
11 | | detriment of the child; and |
12 | | (2) will not result in: |
13 | | (A) reasonably foreseeable and material physical |
14 | | or financial harm to the child; |
15 | | (B) reasonably foreseeable and severe |
16 | | psychological or emotional harm to the child; |
17 | | (C) a highly offensive intrusion on the reasonable |
18 | | privacy expectations of the child; or |
19 | | (D) discrimination against the child based upon |
20 | | race, color, religion, national origin, disability, |
21 | | sex, or sexual orientation. |
22 | | "Child" means a consumer who is under 18 years of age. |
23 | | "Collect" means buying, renting, gathering, obtaining, |
24 | | receiving, or accessing any personal data pertaining to a |
25 | | consumer by any means. "Collect" includes receiving data from |
26 | | the consumer, either actively or passively, or by observing |
1 | | the consumer's behavior. |
2 | | "Covered entity" means: |
3 | | (1) a sole proprietorship, partnership, limited |
4 | | liability company, corporation, association, or other |
5 | | legal entity that is organized or operated for the profit |
6 | | or financial benefit of its shareholders or other owners; |
7 | | and |
8 | | (2) an affiliate of a covered entity that shares |
9 | | common branding with the covered entity. For the purposes |
10 | | of this definition, "common branding" means a shared name, |
11 | | service mark, or trademark that the average consumer would |
12 | | understand that 2 or more entities are commonly owned. |
13 | | For purposes of this Act, for a joint venture or |
14 | | partnership composed of covered entities in which each covered |
15 | | entity has at least a 40% interest, the joint venture or |
16 | | partnership and each covered entity that composes the joint |
17 | | venture or partnership shall separately be considered a single |
18 | | covered entity, except that personal data in the possession of |
19 | | each covered entity and disclosed to the joint venture or |
20 | | partnership shall not be shared with the other covered entity. |
21 | | "Consumer" means a natural person who is an Illinois |
22 | | resident, however identified, including by any unique |
23 | | identifier. |
24 | | "Dark pattern" means a user interface designed or |
25 | | manipulated with the purpose of subverting or impairing user |
26 | | autonomy, decision making, or choice. |
1 | | "Data protection impact assessment" means a systematic |
2 | | survey to assess compliance with the duty to act in the best |
3 | | interests of children and shall include a plan to ensure that |
4 | | all online products, services, or features provided by the |
5 | | covered entity are designed and offered in a manner consistent |
6 | | with the best interests of children reasonably likely to |
7 | | access the online product, service, or feature and a |
8 | | description of steps the covered entity has taken and will |
9 | | take to comply with the duty to act in the best interests of |
10 | | children. |
11 | | "Default" means a preselected option adopted by the |
12 | | covered entity for the online service, product, or feature. |
13 | | "Deidentified" means data that cannot reasonably be used |
14 | | to infer information about, or otherwise be linked to, an |
15 | | identified or identifiable natural person, or a device linked |
16 | | to such person, provided that the covered entity that |
17 | | possesses the data: |
18 | | (1) takes reasonable measures to ensure that the data |
19 | | cannot be associated with a natural person; |
20 | | (2) publicly commits to maintain and use the data only |
21 | | in a deidentified fashion and not attempt to re-identify |
22 | | the data; and |
23 | | (3) contractually obligates any recipients of the data |
24 | | to comply with all provisions of this Act. |
25 | | "Derived data" means data that is created by the |
26 | | derivation of information, data, assumptions, correlations, |
1 | | inferences, predictions, or conclusions from facts, evidence, |
2 | | or another source of information or data about a child or a |
3 | | child's device. |
4 | | "Online service, product, or feature" does not mean any of |
5 | | the following: |
6 | | (1) telecommunications service, as defined in 47 |
7 | | U.S.C. 153; |
8 | | (2) a broadband service as defined in the Public |
9 | | Utilities Act; or |
10 | | (3) the sale, delivery, or use of a physical product. |
11 | | "Personal data" means any information, including derived |
12 | | data, that is linked or reasonably linkable, alone or in |
13 | | combination with other information, to an identified or |
14 | | identifiable natural person. "Personal data" does not include |
15 | | de-identified data or publicly available information. For the |
16 | | purposes of this definition, "publicly available information" |
17 | | means information (i) that is lawfully made available from |
18 | | federal, State, or local government records or widely |
19 | | distributed media; and (ii) that a controller has a reasonable |
20 | | basis to believe a consumer has lawfully made available to the |
21 | | general public. |
22 | | "Precise geolocation" means any data that is derived from |
23 | | a device and that is used or intended to be used to locate a |
24 | | consumer within a geographic area that is equal to or less than |
25 | | the area of a circle with a radius of 1,850 feet, except as |
26 | | prescribed by regulations. |
1 | | "Process" or "processing" means to conduct or direct any |
2 | | operation or set of operations performed, whether by manual or |
3 | | automated means, on personal data or on sets of personal data, |
4 | | such as the collection, use, storage, disclosure, analysis, |
5 | | deletion, modification, or otherwise handling of personal |
6 | | data. |
7 | | "Product experimentation results" means the data that |
8 | | companies collect to understand the experimental impact of |
9 | | their products. |
10 | | "Profiling" means any form of automated processing of |
11 | | personal data to evaluate, analyze, or predict personal |
12 | | aspects concerning an identified or identifiable natural |
13 | | person's economic situation, health, personal preferences, |
14 | | interests, reliability, behavior, location, or movements. |
15 | | "Profiling" does not include the processing of information |
16 | | that does not result in an assessment or judgment about a |
17 | | natural person. |
18 | | "Reasonably likely to be accessed" means an online |
19 | | service, product, or feature that is accessed by children |
20 | | based on any of the following indicators: |
21 | | (1) the online service, product, or feature is |
22 | | directed to children, as defined by the Children's Online |
23 | | Privacy Protection Act, 15 U.S.C. 6501 et seq., and the |
24 | | Federal Trade Commission rules implementing that Act; |
25 | | (2) the online service, product, or feature is |
26 | | determined, based on competent and reliable evidence |
1 | | regarding audience composition, to be routinely accessed |
2 | | by a significant number of children; |
3 | | (3) the online service, product, or feature contains |
4 | | advertisements marketed to children; |
5 | | (4) the online service, product, or feature is |
6 | | substantially similar or the same as an online service, |
7 | | product, or feature subject to paragraph (2) of this |
8 | | definition; |
9 | | (5) a significant amount of the audience of the online |
10 | | service, product, or feature is determined, based on |
11 | | internal company research, to be children; and |
12 | | (6) the covered entity knew or should have known that |
13 | | a significant number of users are children, provided that, |
14 | | in making this assessment, the covered entity shall not |
15 | | collect or process any personal data that is not |
16 | | reasonably necessary to provide an online service, |
17 | | product, or feature with which a child is actively and |
18 | | knowingly engaged. |
19 | | "Sale" or "sell" means the exchange of personal data for |
20 | | monetary or other valuable consideration by a covered entity |
21 | | to a third party. "Sale" or "sell" do not include the |
22 | | following: |
23 | | (1) the disclosure of personal data to a third party |
24 | | who processes the personal data on behalf of the covered |
25 | | entity; |
26 | | (2) the disclosure of personal data to a third party |
1 | | with whom the consumer has a direct relationship for |
2 | | purposes of providing a product or service requested by |
3 | | the consumer; |
4 | | (3) the disclosure or transfer of personal data to an |
5 | | affiliate of the covered entity; |
6 | | (4) the disclosure of data that the consumer |
7 | | intentionally made available to the general public via a |
8 | | channel of mass media and did not restrict to a specific |
9 | | audience; or |
10 | | (5) the disclosure or transfer of personal data to a |
11 | | third party as an asset that is part of a completed or |
12 | | proposed merger, acquisition, bankruptcy, or other |
13 | | transaction in which the third party assumes control of |
14 | | all or part of the covered entity's assets. |
15 | | "Share" means sharing, renting, releasing, disclosing, |
16 | | disseminating, making available, transferring, or otherwise |
17 | | communicating orally, in writing, or by electronic or other |
18 | | means a consumer's personal data by the covered entity to a |
19 | | third party for cross-context behavioral advertising, whether |
20 | | or not for monetary or other valuable consideration, including |
21 | | transactions between a covered entity and a third party for |
22 | | cross-context behavioral advertising for the benefit of a |
23 | | covered entity in which no money is exchanged. |
24 | | "Third party" means a natural or legal person, public |
25 | | authority, agency, or body other than the consumer or the |
26 | | covered entity. |
1 | | Section 15. Information fiduciary. All covered entities |
2 | | that operate in this State and process children's data in any |
3 | | capacity shall do so in a manner consistent with the best |
4 | | interests of children. |
5 | | Section 20. Scope; exclusions. |
6 | | (a) A covered entity operating in this State is subject to |
7 | | the requirements of this Act if it: |
8 | | (1) collects consumers' personal data or has |
9 | | consumers' personal data collected on its behalf by a |
10 | | third party; |
11 | | (2) alone or jointly with others, determines the |
12 | | purposes and means of the processing of consumers' |
13 | | personal data; and |
14 | | (3) satisfies one or more of the following thresholds: |
15 | | (i) has annual gross revenues in excess of |
16 | | $25,000,000, as adjusted every odd numbered year to |
17 | | reflect the Consumer Price Index; |
18 | | (ii) alone or in combination, annually buys, |
19 | | receives for the covered entity's commercial purposes, |
20 | | sells, or shares for commercial purposes, alone or in |
21 | | combination, the personal data of 50,000 or more |
22 | | consumers, households, or devices; or |
23 | | (iii) derives 50% or more of its annual revenues |
24 | | from selling consumers' personal data. |
1 | | (b) This Act does not apply to: |
2 | | (1) protected health information that is collected by |
3 | | a covered entity or covered entity associate governed by |
4 | | the privacy, security, and breach notification rules |
5 | | issued by the United States Department of Health and Human |
6 | | Services, 45 CFR 160 and 164, established pursuant to the |
7 | | Health Insurance Portability and Accountability Act of |
8 | | 1996, Public Law 104-191, and the Health Information |
9 | | Technology for Economic and Clinical Health Act, Public |
10 | | Law 111-5; |
11 | | (2) a covered entity governed by the privacy, |
12 | | security, and breach notification rules issued by the |
13 | | United States Department of Health and Human Services, 45 |
14 | | CFR 160 and 164, established pursuant to the Health |
15 | | Insurance Portability and Accountability Act of 1996, |
16 | | Public Law 104-191, to the extent the provider or covered |
17 | | entity maintains patient information in the same manner as |
18 | | medical information or protected health information as |
19 | | described in paragraph (1); or |
20 | | (3) information collected as part of a clinical trial |
21 | | subject to the federal policy for the protection of human |
22 | | subjects, also known as the common rule, pursuant to good |
23 | | clinical practice guidelines issued by the International |
24 | | Council for Harmonisation of Technical Requirements for |
25 | | Pharmaceuticals for Human Use or human subject protection |
26 | | requirements issued by the United States Food and Drug |
1 | | Administration. |
2 | | Section 25. Requirements for covered entities. |
3 | | (a) A covered entity subject to this Act shall: |
4 | | (1) complete a data protection impact assessment for |
5 | | an online service, product, or feature or any new online |
6 | | service, product, or feature that is reasonably likely to |
7 | | be accessed by children; and maintain documentation of the |
8 | | data protection impact assessment for as long as the |
9 | | online service, product, or feature is reasonably likely |
10 | | to be accessed by children; |
11 | | (2) review and modify all data protection impact |
12 | | assessments as necessary to account for material changes |
13 | | to processing pertaining to the online service, product, |
14 | | or feature within 90 days after such material changes; |
15 | | (3) within 5 business days after a written request by |
16 | | the Attorney General, provide to the Attorney General a |
17 | | list of all data protection impact assessments the covered |
18 | | entity has completed; |
19 | | (4) within 7 business days after a written request by |
20 | | the Attorney General, provide the Attorney General with a |
21 | | copy of any data protection impact assessment, unless the |
22 | | Attorney General, in its discretion, extends the time |
23 | | period for a covered entity to respond; |
24 | | (5) configure all default privacy settings provided to |
25 | | children by the online service, product, or feature to |
1 | | settings that offer a high level of privacy, unless the |
2 | | covered entity can demonstrate a compelling reason that a |
3 | | different setting is in the best interests of children; |
4 | | (6) provide any privacy information, terms of service, |
5 | | policies, and community standards concisely, prominently, |
6 | | and using clear language suited to the age of children |
7 | | reasonably likely to access that online service, product, |
8 | | or feature; and |
9 | | (7) provide prominent, accessible, and responsive |
10 | | tools to help children, or if applicable their parents or |
11 | | guardians, exercise their privacy rights and report |
12 | | concerns. |
13 | | (b) A data protection impact assessment required by this |
14 | | Section shall identify the purpose of the online service, |
15 | | product, or feature; how it uses children's personal data; and |
16 | | determine whether the online service, product, or feature is |
17 | | designed and offered in an age-appropriate manner consistent |
18 | | with the best interests of children that are reasonably likely |
19 | | to access the online product by examining, at a minimum, the |
20 | | following: |
21 | | (1) whether the design of the online service, product, |
22 | | or feature could lead to children experiencing or being |
23 | | targeted by contacts on the online service, product, or |
24 | | feature that would result in: reasonably foreseeable and |
25 | | material physical or financial harm to the child; |
26 | | reasonably foreseeable and severe psychological or |
1 | | emotional harm to the child; a highly offensive intrusion |
2 | | on the reasonable privacy expectations of the child; or |
3 | | discrimination against the child based upon race, color, |
4 | | religion, national origin, disability, sex, or sexual |
5 | | orientation; |
6 | | (2) whether the design of the online service, product, |
7 | | or feature could permit children to witness, participate |
8 | | in, or be subject to conduct on the online service, |
9 | | product, or feature that would result in: reasonably |
10 | | foreseeable and material physical or financial harm to the |
11 | | child; reasonably foreseeable and severe psychological or |
12 | | emotional harm to the child; a highly offensive intrusion |
13 | | on the reasonable privacy expectations of the child; or |
14 | | discrimination against the child based upon race, color, |
15 | | religion, national origin, disability, sex, or sexual |
16 | | orientation; |
17 | | (3) whether the design of the online service, product, |
18 | | or feature is reasonably expected to allow children to be |
19 | | party to or exploited by a contract on the online service, |
20 | | product, or feature that would result in: reasonably |
21 | | foreseeable and material physical or financial harm to the |
22 | | child; reasonably foreseeable and severe psychological or |
23 | | emotional harm to the child; a highly offensive intrusion |
24 | | on the reasonable privacy expectations of the child; or |
25 | | discrimination against the child based upon race, color, |
26 | | religion, national origin, disability, sex, or sexual |
1 | | orientation; |
2 | | (4) whether algorithms used by the product, service, |
3 | | or feature would result in: reasonably foreseeable and |
4 | | material physical or financial harm to the child; |
5 | | reasonably foreseeable and severe psychological or |
6 | | emotional harm to the child; a highly offensive intrusion |
7 | | on the reasonable privacy expectations of the child; or |
8 | | discrimination against the child based upon race, color, |
9 | | religion, national origin, disability, sex, or sexual |
10 | | orientation; |
11 | | (5) whether targeted advertising systems used by the |
12 | | online service, product, or feature would result in: |
13 | | reasonably foreseeable and material physical or financial |
14 | | harm to the child; reasonably foreseeable and severe |
15 | | psychological or emotional harm to the child; a highly |
16 | | offensive intrusion on the reasonable privacy expectations |
17 | | of the child; or discrimination against the child based |
18 | | upon race, color, religion, national origin, disability, |
19 | | sex, or sexual orientation; |
20 | | (6) whether the online service, product, or feature |
21 | | uses system design features to increase, sustain, or |
22 | | extend use of the online service, product, or feature by |
23 | | children, including the automatic playing of media, |
24 | | rewards for time spent, and notifications, that would |
25 | | result in: reasonably foreseeable and material physical or |
26 | | financial harm to the child; reasonably foreseeable and |
1 | | severe psychological or emotional harm to the child; a |
2 | | highly offensive intrusion on the reasonable privacy |
3 | | expectations of the child; or discrimination against the |
4 | | child based upon race, color, religion, national origin, |
5 | | disability, sex, or sexual orientation; and |
6 | | (7) whether, how, and for what purpose the online |
7 | | product, service, or feature collects or processes |
8 | | personal data of children, and whether those practices |
9 | | would result in: reasonably foreseeable and material |
10 | | physical or financial harm to the child; reasonably |
11 | | foreseeable and severe psychological or emotional harm to |
12 | | the child; a highly offensive intrusion on the reasonable |
13 | | privacy expectations of the child; or discrimination |
14 | | against the child based upon race, color, religion, |
15 | | national origin, disability, sex, or sexual orientation; |
16 | | and |
17 | | (8) whether and how product experimentation results |
18 | | for the online product, service, or feature reveal data |
19 | | management or design practices that would result in: |
20 | | reasonably foreseeable and material physical or financial |
21 | | harm to the child; reasonably foreseeable and extreme |
22 | | psychological or emotional harm to the child; a highly |
23 | | offensive intrusion on the reasonable privacy expectations |
24 | | of the child; or discrimination against the child based |
25 | | upon race, color, religion, national origin, disability, |
26 | | sex, or sexual orientation. |
1 | | (c) A data protection impact assessment conducted by a |
2 | | covered entity for the purpose of compliance with any other |
3 | | law complies with this Section if the data protection impact |
4 | | assessment meets the requirement of this Act. |
5 | | (d) A single data protection impact assessment may contain |
6 | | multiple similar processing operations that present similar |
7 | | risk only if each relevant online service, product, or feature |
8 | | is addressed. |
9 | | (e) A company may process only the personal data |
10 | | reasonably necessary to provide an online service, product, or |
11 | | feature with which a child is actively and knowingly engaged |
12 | | to estimate age. |
13 | | Section 30. Prohibited acts by covered entities. A covered |
14 | | entity that provides an online service, product, or feature |
15 | | reasonably likely to be accessed by children shall not: |
16 | | (1) process the personal data of any child in a way |
17 | | that is inconsistent with the best interests of children |
18 | | reasonably likely to access the online service, product, |
19 | | or feature; |
20 | | (2) profile a child by default unless: |
21 | | (A) the covered entity can demonstrate it has |
22 | | appropriate safeguards in place to ensure that |
23 | | profiling is consistent with the best interests of |
24 | | children reasonably likely to access the online |
25 | | service, product, or feature; and |
1 | | (B) either of the following is true: |
2 | | (i) profiling is necessary to provide the |
3 | | online service, product, or feature requested and |
4 | | only with respect to the aspects of the online |
5 | | service, product, or feature with which a child is |
6 | | actively and knowingly engaged; |
7 | | (ii) the covered entity can demonstrate a |
8 | | compelling reason that profiling is in the best |
9 | | interests of children; |
10 | | (3) process any personal data that is not reasonably |
11 | | necessary to provide an online service, product, or |
12 | | feature with which a child is actively and knowingly |
13 | | engaged; |
14 | | (4) if the end user is a child, process personal data |
15 | | for any reason other than a reason for which that personal |
16 | | data was collected; |
17 | | (5) process any precise geolocation information of |
18 | | children by default, unless the collection of that precise |
19 | | geolocation information is strictly necessary for the |
20 | | covered entity to provide the service, product, or feature |
21 | | requested and then only for the limited time that the |
22 | | collection of precise geolocation information is necessary |
23 | | to provide the service, product, or feature; |
24 | | (6) process any precise geolocation information of a |
25 | | child without providing an obvious sign to the child for |
26 | | the duration of that collection that precise geolocation |
1 | | information is being collected; |
2 | | (7) use dark patterns to cause children to provide |
3 | | personal data beyond what is reasonably expected to |
4 | | provide that online service, product, or feature, to forgo |
5 | | privacy protections, or to take any action that the |
6 | | covered entity knows, or has reason to know, is not in the |
7 | | best interests of children reasonably likely to access the |
8 | | online service, product, or feature; and |
9 | | (8) allow a child's parent, guardian, or any other |
10 | | consumer to monitor the child's online activity or track |
11 | | the child's location, without providing an obvious signal |
12 | | to the child when the child is being monitored or tracked. |
13 | | Section 35. Data practices. |
14 | | (a) A data protection impact assessment collected or |
15 | | maintained by the Attorney General under Section 25 is |
16 | | classified as nonpublic data. |
17 | | (b) To the extent any information contained in a data |
18 | | protection impact assessment disclosed to the Attorney General |
19 | | includes information subject to attorney-client privilege or |
20 | | work product protection, disclosure does not constitute a |
21 | | waiver of that privilege or protection. |
22 | | Section 40. Attorney General enforcement. |
23 | | (a) A covered entity that violates this Act may be subject |
24 | | to an injunction and liable for a civil penalty of not more |
1 | | than $2,500 per affected child for each negligent violation, |
2 | | or not more than $7,500 per affected child for each |
3 | | intentional violation, which may be assessed or recovered only |
4 | | in a civil action brought by the Attorney General. If the State |
5 | | prevails in an action to enforce this Act, the State may, in |
6 | | addition to civil penalties provided by this subsection or |
7 | | other remedies provided by the law, be allowed an amount |
8 | | determined by the court to be the reasonable value of all or |
9 | | part of the State's litigation expenses incurred. |
10 | | (b) All moneys received by the Attorney General as civil |
11 | | penalties, fees, or other amounts under subsection (a) shall |
12 | | be deposited into the Age-Appropriate Design Code Enforcement |
13 | | Fund, a special fund created in the State treasury, and shall |
14 | | be used, subject to appropriation and as directed by the |
15 | | Attorney General, to offset costs incurred by the Attorney |
16 | | General in connection with the enforcement of this Act. |
17 | | (c) If a covered entity is in substantial compliance with |
18 | | the requirements of Section 25, the Attorney General shall, |
19 | | before initiating a civil action under this Section, provide |
20 | | written notice to the covered entity identifying the specific |
21 | | provisions of this Act that the Attorney General alleges have |
22 | | been or are being violated. If, for a covered entity that |
23 | | satisfied Section 50 or subsection (a) of Section 25 before |
24 | | offering any new online product, service, or feature |
25 | | reasonably likely to be accessed by children to the public, |
26 | | within 90 days after the notice required by this subsection, |
1 | | the covered entity cures any noticed violation and provides |
2 | | the Attorney General a written statement that the alleged |
3 | | violations have been cured, and sufficient measures have been |
4 | | taken to prevent future violations, the covered entity is not |
5 | | liable for a civil penalty for any violation cured pursuant to |
6 | | this Act. |
7 | | (d) Nothing in this Act shall be construed to create a |
8 | | private right of action. |
9 | | Section 45. Limitations. Nothing in this Act shall be |
10 | | interpreted or construed to: |
11 | | (1) impose liability in a manner that is inconsistent |
12 | | with 47 U.S.C. 230; |
13 | | (2) prevent or preclude any child from deliberately or |
14 | | independently searching for, or specifically requesting, |
15 | | content; or |
16 | | (3) require a covered entity to implement an age |
17 | | gating requirement. |
18 | | Section 50. Data protection impact assessment date. |
19 | | (a) By January 1, 2025 a covered entity shall complete a |
20 | | data protection impact assessment for any online service, |
21 | | product, or feature reasonably likely to be accessed by |
22 | | children offered to the public before January 1, 2025, unless |
23 | | that online service, product, or feature is exempt under |
24 | | paragraph (b). |
1 | | (b) This Act does not apply to an online service, product, |
2 | | or feature that is not offered to the public on or after |
3 | | January 1, 2025. |
4 | | Section 55. Severability. If any provision of this Act, or |
5 | | an amendment made by this Act, is determined to be |
6 | | unenforceable or invalid, the remaining provisions of this Act |
7 | | and the amendments made by this Act shall not be affected. |
8 | | Section 90. The State Finance Act is amended by adding |
9 | | Section 5.1015 as follows: |
10 | | (30 ILCS 105/5.1015 new) |
11 | | Sec. 5.1015. The Age-Appropriate Design Code Enforcement |
12 | | Fund. |
13 | | Section 99. Effective date. This Act takes effect upon |
14 | | becoming law. |