103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB3334

 

Introduced 2/7/2024, by Sen. Sue Rezin

 

SYNOPSIS AS INTRODUCED:
 
New Act
30 ILCS 105/5.1015 new

    Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately.


LRB103 38209 SPS 68343 b

 

 

A BILL FOR

 

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the
Illinois Age-Appropriate Design Code Act.

    Section 5. Intent. It is the intent of the General
Assembly that nothing in this Act shall be construed to
infringe on the existing rights and freedoms of children.

    Section 10. Definitions. As used in this Act:
    "Affiliate" means a legal entity that controls, is
controlled by, or is under common control with, another legal
entity. For the purposes of this definition, "control" or
"controlled" means: (i) ownership of, or the power to vote,
more than 50% of the outstanding shares of any class of voting
security of a covered entity; (ii) control in any manner over
the election of a majority of the directors or of individuals
exercising similar functions; or (iii) the power to exercise a
controlling influence over the management of a covered entity.
    "Age-appropriate" means a recognition of the distinct
needs and diversities of children at different age ranges. In
order to help support the design of online services, products,
and features, covered entities should take into account the
unique needs and diversities of different age ranges,
including the following developmental stages: 0 to 5 years of
age or preliterate and early literacy; 6-9 years of age or core
primary school years; 10 to 12 years of age or transition
years; 13 to 15 years of age or early teens; and 16 to 17 years
of age or approaching adulthood.
    "Best interests of children" means the use, by a covered
entity, of the personal data of a child or the design of an
online service, product, or feature in a way that:
        (1) will not benefit the covered entity to the
    detriment of the child; and
        (2) will not result in:
            (A) reasonably foreseeable and material physical
        or financial harm to the child;
            (B) reasonably foreseeable and severe
        psychological, or emotional harm to the child;
            (C) a highly offensive intrusion on the reasonable
        privacy expectations of the child; or
            (D) discrimination against the child based upon
        race, color, religion, national origin, disability,
        sex, or sexual orientation.
    "Child" means a consumer who is under 18 years of age.
    "Collect" means buying, renting, gathering, obtaining,
receiving, or accessing any personal data pertaining to a
consumer by any means. "Collect" includes receiving data from
the consumer, either actively or passively, or by observing
the consumer's behavior.
    "Covered entity" means:
        (1) a sole proprietorship, partnership, limited
    liability company, corporation, association, or other
    legal entity that is organized or operated for the profit
    or financial benefit of its shareholders or other owners;
    and
        (2) an affiliate of a covered entity that shares
    common branding with the covered entity. For the purposes
    of this definition, "common branding" means a shared name,
    service mark, or trademark that the average consumer would
    understand that 2 or more entities are commonly owned.
    For purposes of this Act, for a joint venture or
partnership composed of covered entities in which each covered
entity has at least a 40% interest, the joint venture or
partnership and each covered entity that composes the joint
venture or partnership shall separately be considered a single
covered entity, except that personal data in the possession of
each covered entity and disclosed to the joint venture or
partnership shall not be shared with the other covered entity.
    "Consumer" means a natural person who is an Illinois
resident, however identified, including by any unique
identifier.
    "Dark pattern" means a user interface designed or
manipulated with the purpose of subverting or impairing user
autonomy, decision making, or choice.
    "Data protection impact assessment" means a systematic
survey to assess compliance with the duty to act in the best
interests of children and shall include a plan to ensure that
all online products, services, or features provided by the
covered entity are designed and offered in a manner consistent
with the best interests of children reasonably likely to
access the online product, service, or feature and a
description of steps the covered entity has taken and will
take to comply with the duty to act in the best interests of
children.
    "Default" means a preselected option adopted by the
covered entity for the online service, product, or feature.
    "Deidentified" means data that cannot reasonably be used
to infer information about, or otherwise be linked to, an
identified or identifiable natural person, or a device linked
to such person, provided that the covered entity that
possesses the data:
        (1) takes reasonable measures to ensure that the data
    cannot be associated with a natural person;
        (2) publicly commits to maintain and use the data only
    in a deidentified fashion and not attempt to re-identify
    the data; and
        (3) contractually obligates any recipients of the data
    to comply with all provisions of this Act.
    "Derived data" means data that is created by the
derivation of information, data, assumptions, correlations,
inferences, predictions, or conclusions from facts, evidence,
or another source of information or data about a child or a
child's device.
    "Online service, product, or feature" does not mean any of
the following:
        (1) telecommunications service, as defined in 47
    U.S.C. 153;
        (2) a broadband service as defined in the Public
    Utilities Act; or
        (3) the sale, delivery, or use of a physical product.
    "Personal data" means any information, including derived
data, that is linked or reasonably linkable, alone or in
combination with other information, to an identified or
identifiable natural person. "Personal data" does not include
de-identified data or publicly available information. For the
purposes of this definition, "publicly available information"
means information (i) that is lawfully made available from
federal, State, or local government records or widely
distributed media; and (ii) that a controller has a reasonable
basis to believe a consumer has lawfully made available to the
general public.
    "Precise geolocation" means any data that is derived from
a device and that is used or intended to be used to locate a
consumer within a geographic area that is equal to or less than
the area of a circle with a radius of 1,850 feet, except as
prescribed by regulations.
    "Process" or "processing" means to conduct or direct any
operation or set of operations performed, whether by manual or
automated means, on personal data or on sets of personal data,
such as the collection, use, storage, disclosure, analysis,
deletion, modification, or otherwise handling of personal
data.
    "Product experimentation results" means the data that
companies collect to understand the experimental impact of
their products.
    "Profiling" means any form of automated processing of
personal data to evaluate, analyze, or predict personal
aspects concerning an identified or identifiable natural
person's economic situation, health, personal preferences,
interests, reliability, behavior, location, or movements.
"Profiling" does not include the processing of information
that does not result in an assessment or judgment about a
natural person.
    "Reasonably likely to be accessed" means an online
service, product, or feature that is accessed by children
based on any of the following indicators:
        (1) the online service, product, or feature is
    directed to children, as defined by the Children's Online
    Privacy Protection Act, 15 U.S.C. 6501 et seq., and the
    Federal Trade Commission rules implementing that Act;
        (2) the online service, product, or feature is
    determined, based on competent and reliable evidence
    regarding audience composition, to be routinely accessed
    by a significant number of children;
        (3) the online service, product, or feature contains
    advertisements marketed to children;
        (4) the online service, product, or feature is
    substantially similar or the same as an online service,
    product, or feature subject to paragraph (2) of this
    definition;
        (5) a significant amount of the audience of the online
    service, product, or feature is determined, based on
    internal company research, to be children; and
        (6) the covered entity knew or should have known that
    a significant number of users are children, provided that,
    in making this assessment, the covered entity shall not
    collect or process any personal data that is not
    reasonably necessary to provide an online service,
    product, or feature with which a child is actively and
    knowingly engaged.
    "Sale" or "sell" means the exchange of personal data for
monetary or other valuable consideration by a covered entity
to a third party. "Sale" or "sell" do not include the
following:
        (1) the disclosure of personal data to a third party
    who processes the personal data on behalf of the covered
    entity;
        (2) the disclosure of personal data to a third party
    with whom the consumer has a direct relationship for
    purposes of providing a product or service requested by
    the consumer;
        (3) the disclosure or transfer of personal data to an
    affiliate of the covered entity;
        (4) the disclosure of data that the consumer
    intentionally made available to the general public via a
    channel of mass media and did not restrict to a specific
    audience; or
        (5) the disclosure or transfer of personal data to a
    third party as an asset that is part of a completed or
    proposed merger, acquisition, bankruptcy, or other
    transaction in which the third party assumes control of
    all or part of the covered entity's assets.
    "Share" means sharing, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise
communicating orally, in writing, or by electronic or other
means a consumer's personal data by the covered entity to a
third party for cross-context behavioral advertising, whether
or not for monetary or other valuable consideration, including
transactions between a covered entity and a third party for
cross-context behavioral advertising for the benefit of a
covered entity in which no money is exchanged.
    "Third party" means a natural or legal person, public
authority, agency, or body other than the consumer or the
covered entity.

    Section 15. Information fiduciary. All covered entities
that operate in this State and process children's data in any
capacity shall do so in a manner consistent with the best
interests of children.

    Section 20. Scope; exclusions.
    (a) A covered entity operating in this State is subject to
the requirements of this Act if it:
        (1) collects consumers' personal data or has
    consumers' personal data collected on its behalf by a
    third party;
        (2) alone or jointly with others, determines the
    purposes and means of the processing of consumers'
    personal data; and
        (3) satisfies one or more of the following thresholds:
            (i) has annual gross revenues in excess of
        $25,000,000, as adjusted every odd numbered year to
        reflect the Consumer Price Index;
            (ii) alone or in combination, annually buys,
        receives for the covered entity's commercial purposes,
        sells, or shares for commercial purposes, alone or in
        combination, the personal data of 50,000 or more
        consumers, households, or devices; or
            (iii) derives 50% or more of its annual revenues
        from selling consumers' personal data.
    (b) This Act does not apply to:
        (1) protected health information that is collected by
    a covered entity or covered entity associate governed by
    the privacy, security, and breach notification rules
    issued by the United States Department of Health and Human
    Services, 45 CFR 160 and 164, established pursuant to the
    Health Insurance Portability and Accountability Act of
    1996, Public Law 104-191, and the Health Information
    Technology for Economic and Clinical Health Act, Public
    Law 111-5;
        (2) a covered entity governed by the privacy,
    security, and breach notification rules issued by the
    United States Department of Health and Human Services, 45
    CFR 160 and 164, established pursuant to the Health
    Insurance Portability and Accountability Act of 1996,
    Public Law 104-191, to the extent the provider or covered
    entity maintains patient information in the same manner as
    medical information or protected health information as
    described in paragraph (1); or
        (3) information collected as part of a clinical trial
    subject to the federal policy for the protection of human
    subjects, also known as the common rule, pursuant to good
    clinical practice guidelines issued by the International
    Council for Harmonisation of Technical Requirements for
    Pharmaceuticals for Human Use or human subject protection
    requirements issued by the United States Food and Drug
    Administration.

    Section 25. Requirements for covered entities.
    (a) A covered entity subject to this Act shall:
        (1) complete a data protection impact assessment for
    an online service, product, or feature or any new online
    service, product, or feature that is reasonably likely to
    be accessed by children; and maintain documentation of the
    data protection impact assessment for as long as the
    online service, product, or feature is reasonably likely
    to be accessed by children;
        (2) review and modify all data protection impact
    assessments as necessary to account for material changes
    to processing pertaining to the online service, product,
    or feature within 90 days after such material changes;
        (3) within 5 business days after a written request by
    the Attorney General, provide to the Attorney General a
    list of all data protection impact assessments the covered
    entity has completed;
        (4) within 7 business days after a written request by
    the Attorney General, provide the Attorney General with a
    copy of any data protection impact assessment, unless the
    Attorney General, in its discretion, extends the time
    period for a covered entity to respond;
        (5) configure all default privacy settings provided to
    children by the online service, product, or feature to

1    settings that offer a high level of privacy, unless the
2    covered entity can demonstrate a compelling reason that a
3    different setting is in the best interests of children;
4        (6) provide any privacy information, terms of service,
5    policies, and community standards concisely, prominently,
6    and using clear language suited to the age of children
7    reasonably likely to access that online service, product,
8    or feature; and
9        (7) provide prominent, accessible, and responsive
10    tools to help children, or if applicable their parents or
11    guardians, exercise their privacy rights and report
12    concerns.
13    (b) A data protection, impact assessment required by this
14Section shall identify the purpose of the online service,
15product, or feature; how it uses children's personal data; and
16determine whether the online service, product, or feature is
17designed and offered in a age-appropriate manner consistent
18with the best interests of children that are reasonably likely
19to access the online product by examining, at a minimum, the
20following:
21        (1) whether the design of the online service, product,
22    or feature could lead to children experiencing or being
23    targeted by contacts on the online service, product, or
24    feature that would result in: reasonably foreseeable and
25    material physical or financial harm to the child;
26    reasonably foreseeable and severe psychological or

 

 

SB3334- 13 -LRB103 38209 SPS 68343 b

1    emotional harm to the child; a highly offensive intrusion
2    on the reasonable privacy expectations of the child; or
3    discrimination against the child based upon race, color,
4    religion, national origin, disability, sex, or sexual
5    orientation;
6        (2) whether the design of the online service, product,
7    or feature could permit children to witness, participate
8    in, or be subject to conduct on the online service,
9    product, or feature that would result in: reasonably
10    foreseeable and material physical or financial harm to the
11    child; reasonably foreseeable and severe psychological or
12    emotional harm to the child; a highly offensive intrusion
13    on the reasonable privacy expectations of the child; or
14    discrimination against the child based upon race, color,
15    religion, national origin, disability, sex, or sexual
16    orientation;
17        (3) whether the design of the online service, product,
18    or feature are reasonably expected to allow children to be
19    party to or exploited by a contract on the online service,
20    product, or feature that would result in: reasonably
21    foreseeable and material physical or financial harm to the
22    child; reasonably foreseeable and severe psychological or
23    emotional harm to the child; a highly offensive intrusion
24    on the reasonable privacy expectations of the child; or
25    discrimination against the child based upon race, color,
26    religion, national origin, disability, sex, or sexual

 

 

SB3334- 14 -LRB103 38209 SPS 68343 b

1    orientation;
2        (4) whether algorithms used by the product, service,
3    or feature would result in: reasonably foreseeable and
4    material physical or financial harm to the child;
5    reasonably foreseeable and severe psychological or
6    emotional harm to the child; a highly offensive intrusion
7    on the reasonable privacy expectations of the child; or
8    discrimination against the child based upon race, color,
9    religion, national origin, disability, sex, or sexual
10    orientation;
11        (5) whether targeted advertising systems used by the
12    online service, product, or feature would result in:
13    reasonably foreseeable and material physical or financial
14    harm to the child; reasonably foreseeable and severe
15    psychological or emotional harm to the child; a highly
16    offensive intrusion on the reasonable privacy expectations
17    of the child; or discrimination against the child based
18    upon race, color, religion, national origin, disability,
19    sex, or sexual orientation;
20        (6) whether the online service, product, or feature
21    uses system design features to increase, sustain, or
22    extend use of the online service, product, or feature by
23    children, including the automatic playing of media,
24    rewards for time spent, and notifications, that would
25    result in: reasonably foreseeable and material physical or
26    financial harm to the child; reasonably foreseeable and

 

 

SB3334- 15 -LRB103 38209 SPS 68343 b

1    severe psychological or emotional harm to the child; a
2    highly offensive intrusion on the reasonable privacy
3    expectations of the child; or discrimination against the
4    child based upon race, color, religion, national origin,
5    disability, sex, or sexual orientation; and
6        (7) whether, how, and for what purpose the online
7    product, service, or feature collects or processes
8    personal data of children, and whether those practices
9    would result in: reasonably foreseeable and material
10    physical or financial harm to the child; reasonably
11    foreseeable and severe psychological or emotional harm to
12    the child; a highly offensive intrusion on the reasonable
13    privacy expectations of the child; or discrimination
14    against the child based upon race, color, religion,
15    national origin, disability, sex, or sexual orientation;
16    and
17        (8) whether and how product experimentation results
18    for the online product, service, or feature reveal data
19    management or design practices that would result in:
20    reasonably foreseeable and material physical or financial
21    harm to the child; reasonably foreseeable and extreme
22    psychological or emotional harm to the child; a highly
23    offensive intrusion on the reasonable privacy expectations
24    of the child; or discrimination against the child based
25    upon race, color, religion, national origin, disability,
26    sex, or sexual orientation.

 

 

SB3334- 16 -LRB103 38209 SPS 68343 b

1    (c) A data protection impact assessment conducted by a
2covered entity for the purpose of compliance with any other
3law complies with this Section if the data protection impact
4assessment meets the requirement of this Act.
5    (d) A single data protection impact assessment may contain
6multiple similar processing operations that present similar
7risk only if each relevant online service, product, or feature
8is addressed.
9    (e) A company may process only the personal data
10reasonably necessary to provide an online service, product, or
11feature with which a child is actively and knowingly engaged
12to estimate age.
 
13    Section 30. Prohibited acts by covered entities. A covered
14entity that provides an online service, product, or feature
15reasonably likely to be accessed by children shall not:
16        (1) process the personal data of any child in a way
17    that is inconsistent with the best interests of children
18    reasonably likely to access the online service, product,
19    or feature;
20        (2) profile a child by default unless:
21            (A) the covered entity can demonstrate it has
22        appropriate safeguards in place to ensure that
23        profiling is consistent with the best interests of
24        children reasonably likely to access the online
25        service, product, or feature; and

 

 

SB3334- 17 -LRB103 38209 SPS 68343 b

1            (B) either of the following is true:
2                (i) profiling is necessary to provide the
3            online service, product, or feature requested and
4            only with respect to the aspects of the online
5            service, product, or feature with which a child is
6            actively and knowingly engaged;
7                (ii) the covered entity can demonstrate a
8            compelling reason that profiling is in the best
9            interests of children;
10        (3) process any personal data that is not reasonably
11    necessary to provide an online service, product, or
12    feature with which a child is actively and knowingly
13    engaged;
14        (4) if the end user is a child, process personal data
15    for any reason other than a reason for which that personal
16    data was collected;
17        (5) process any precise geolocation information of
18    children by default, unless the collection of that precise
19    geolocation information is strictly necessary for the
20    covered entity to provide the service, product, or feature
21    requested and then only for the limited time that the
22    collection of precise geolocation information is necessary
23    to provide the service, product, or feature;
24        (6) process any precise geolocation information of a
25    child without providing an obvious sign to the child for
26    the duration of that collection that precise geolocation

 

 

SB3334- 18 -LRB103 38209 SPS 68343 b

1    information is being collected;
2        (7) use dark patterns to cause children to provide
3    personal data beyond what is reasonably expected to
4    provide that online service, product, or feature to forgo
5    privacy protections, or to take any action that the
6    covered entity knows, or has reason to know, is not in the
7    best interests of children reasonably likely to access the
8    online service, product, or feature; and
9        (8) allow a child's parent, guardian, or any other
10    consumer to monitor the child's online activity or track
11    the child's location, without providing an obvious signal
12    to the child when the child is being monitored or tracked.
 
13    Section 35. Data practices.
14    (a) A data protection impact assessment collected or
15maintained by the Attorney General under Section 25 is
16classified as nonpublic data.
17    (b) To the extent any information contained in a data
18protection impact assessment disclosed to the Attorney General
19includes information subject to attorney-client privilege or
20work product protection, disclosure does not constitute a
21waiver of that privilege or protection.
 
22    Section 40. Attorney General enforcement.
23    (a) A covered entity that violates this Act may be subject
24to an injunction and liable for a civil penalty of not more

 

 

SB3334- 19 -LRB103 38209 SPS 68343 b

1than $2,500 per affected child for each negligent violation,
2or not more than $7,500 per affected child for each
3intentional violation, which may be assessed or recovered only
4in a civil action brought by the Attorney General. If the State
5prevails in an action to enforce this Act, the State may, in
6addition to civil penalties provided by this subsection or
7other remedies provided by the law, be allowed an amount
8determined by the court to be the reasonable value of all or
9part of the State's litigation expenses incurred.
10    (b) All moneys received by the Attorney General as civil
11penalties, fees, or other amounts under subsection (a) shall
12be deposited into the Age-Appropriate Design Code Enforcement
13Fund, a special fund created in the State treasury, and shall
14be used, subject to appropriation and as directed by the
15Attorney General, to offset costs incurred by the Attorney
16General in connection with the enforcement of this Act.
17    (c) If a covered entity is in substantial compliance with
18the requirements of Section 25, the Attorney General shall,
19before initiating a civil action under this Section, provide
20written notice to the covered entity identifying the specific
21provisions of this Act that the Attorney General alleges have
22been or are being violated. If, for a covered entity that
23satisfied Section 50 or subsection (a) of Section 25 before
24offering any new online product, service, or feature
25reasonably likely to be accessed by children to the public,
26within 90 days after the notice required by this subsection,

 

 

SB3334- 20 -LRB103 38209 SPS 68343 b

1the covered entity cures any noticed violation and provides
2the Attorney General a written statement that the alleged
3violations have been cured, and sufficient measures have been
4taken to prevent future violations, the covered entity is not
5liable for a civil penalty for any violation cured pursuant to
6this Act.
7    (d) Nothing in this Act shall be construed to create a
8private right of action.
 
9    Section 45. Limitations. Nothing in this Act shall be
10interpreted or construed to:
11        (1) impose liability in a manner that is inconsistent
12    with 47 U.S.C. 230;
13        (2) prevent or preclude any child from deliberately or
14    independently searching for, or specifically requesting,
15    content; or
16        (3) require a covered entity to implement an age
17    gating requirement.
 
18    Section 50. Data protection impact assessment date.
19    (a) By January 1, 2025 a covered entity shall complete a
20data protection impact assessment for any online service,
21product, or feature reasonably likely to be accessed by
22children offered to the public before January 1, 2025, unless
23that online service, product, or feature is exempt under
24paragraph (b).

 

 

SB3334- 21 -LRB103 38209 SPS 68343 b

1    (b) This Act does not apply to an online service, product,
2or feature that is not offered to the public on or after
3January 1, 2025.
 
4    Section 55. Severability. If any provision of this Act, or
5an amendment made by this Act, is determined to be
6unenforceable or invalid, the remaining provisions of this Act
7and the amendments made by this Act shall not be affected.
 
8    Section 90. The State Finance Act is amended by adding
9Section 5.1015 as follows:
 
10    (30 ILCS 105/5.1015 new)
11    Sec. 5.1015. The Age-Appropriate Design Code Enforcement
12Fund.
 
13    Section 99. Effective date. This Act takes effect upon
14becoming law.