102ND GENERAL ASSEMBLY State of Illinois 2021 and 2022 SB3081   Introduced 1/11/2022, by Sen. Thomas Cullerton   SYNOPSIS AS INTRODUCED:   New Act     Creates the Do Not Track Act. Prohibits a party to a user action from tracking another user whenever the party receives a do-not-track signal indicating a user preference not to be tracked, with some exceptions. Provides that data that has been sufficiently de-identified such that it is rendered anonymous data may be processed for any purpose. Provides that a party may disregard a user's do-not-track signal when the user has given express affirmative consent to track. Provides that an organization may process data for specified uses if the organization: (i) limits the amount of identifiable data collected; (ii) limits the retention of identifiable data to no longer than what is reasonably needed for the permitted uses; (iii) uses anonymous data; (iv) processes the data separately from systems that are used for purposes other than the permitted uses; and (v) does not process the data beyond the permitted uses. Requires an organization that engages in tracking to describe, in understandable language and syntax such that an ordinary user can comprehend, its practices with respect to do-not-track signals in its privacy statement or similar notice, available through a clear and prominent link on the home page of its website. Prohibits a party from blocking a user's do-not-track signal. Provides that the Attorney General shall enforce the Act. Permits a user whose identifiable information has been processed in violation of the Act to bring a civil action in any court of competent jurisdiction. Preempts home rule powers. Effective January 1, 2023. LRB102 23767 SPS 32958 b     A BILL FOR
SB3081 LRB102 23767 SPS 32958 b
1		AN ACT concerning business.
2		Be it enacted by the People of the State of Illinois,
3		represented in the General Assembly:
4		Section 1. Short title. This Act may be cited as the Do Not
5		Track Act.
6		Section 5. Definitions. As used in this Act:
7		"Anonymous data" means data which does not relate to an
8		identified or identifiable user. Identifiable data may be
9		rendered anonymous data if it has become de-identified to an
10		extent that no user can be singled out or identified, either
11		directly or indirectly, by that data alone or in combination
12		with other data. To determine whether a user can be identified
13		from the data, account should be taken of all means reasonably
14		likely to be used by any party to identify the user. Data that
15		has been re-identified, is shown to be capable of
16		re-identification, or that is capable of being used for
17		personalization or profiling a user or a device used by a user
18		is not anonymous data.
19		"Collect" means to receive identifiable data in a network
20		interaction and to retain that data after the network
21		interaction is complete.
22		"Commission" means the Federal Trade Commission.
23		"Context" means a website or similar online resource, or a

SB3081 - 2 - LRB102 23767 SPS 32958 b
1		connected set of such resources. A connected set of resources
2		that are controlled by the same party or jointly controlled by
3		a set of parties can constitute a single context if a user
4		would reasonably expect them to form a single context. Factors
5		relevant to determining whether such a reasonable expectation
6		exists include, but are not limited to, whether they share
7		prominent branding, provide connected and integrated
8		user-facing features, are offered under the same domain name
9		or through a single app, use the same sign-in credentials, and
10		are marketed or sold as a single product or service.
11		"De-identify" means to alter data such that the likelihood
12		of identifying a user from the data is reduced.
13		De-identification includes a range of techniques and differing
14		levels or re-identification risk. Data that is fully
15		de-identified such that it becomes anonymous data is no longer
16		identifiable data. Data that is de-identified to a lesser
17		extent remains identifiable data.
18		"Do-not-track signal" means a signal sent by a web browser
19		or similar user agent that conveys a user's choice regarding
20		online tracking, reflects a deliberate choice by the user, and
21		otherwise complies with the latest Tracking Preference
22		Expression (DNT) specifications published by the World Wide
23		Web Consortium.
24		"First party" means, with respect to a given user action,
25		a party with which the user intends to interact, via one or
26		more network interactions, as a result of that action.

SB3081 - 3 - LRB102 23767 SPS 32958 b
1		(1) Typically, when a user visits a website, the first
2		party is the organization identified in the website URL or
3		whose branding is most prominent on the website.
4		(2) More than one party can be a first party with
5		regard to a given user action.
6		(3) The mere presence of a first party's website of
7		embedded content from another party does not make that
8		other party a first party, and merely hovering over,
9		muting, pausing, or closing a given piece of content does
10		not constitute a user's intent to interact with a party.
11		When a user visits an organization's website that displays
12		advertisements from a third-party ad network, the
13		organization is a first party and the ad network is a third
14		party. When a user signs into an organization's website
15		using a sign-in method provided by another party, the
16		organization is a first party and the sign-in provider is
17		a third party with respect to user actions in that
18		website.
19		"Identifiable data" means data from which the user can be
20		singled out or identified, directly or indirectly, by that
21		data alone or in combination with other data. Identifiable
22		data includes, but is not limited to, a user's contact
23		information, such as email addresses and phone numbers, unique
24		persistent identifiers, such as IP addresses, cross-session
25		cookie IDs, and device identifiers including derived through
26		device fingerprinting and probabilistic techniques), and any

SB3081 - 4 - LRB102 23767 SPS 32958 b
1		other data associated with such identifiers. Identifiable data
2		does not include anonymous data.
3		"Network interaction" means an online connection
4		consisting of an HTTP or HTTPS request and as many
5		corresponding responses as are necessary to respond to a
6		single user action. A user interaction or session with a
7		website or other resource frequently consists of many network
8		interactions.
9		"Organization" means a legal entity. Such term does not
10		include government agencies or users.
11		"Party" means a user, an organization, or a group of legal
12		entities that share common ownership and control, operate as
13		an integrated enterprise, and have a group identity that is
14		easily discoverable by a user. Common branding or publishing a
15		list of affiliates that is readily available online via a
16		prominent link from a resource where a party describes its
17		Tracking Preference Expression (DNT) practices are deemed
18		easily discoverable. With respect to a user action, a party is
19		either a first party or a third party, but not both.
20		"Personalize" means to use identifiable data to alter the
21		experience of a user, including, but not limited to, the
22		content or advertising displayed to the user.
23		"Process" means to collect, use, or share data.
24		"Resource" means a single online destination or
25		experience, such as a website, streaming service, online game,
26		digital assistant, or other online service, accessed by a user

SB3081 - 5 - LRB102 23767 SPS 32958 b
1		through the use of a user agent.
2		"Service provider" means an organization that processes
3		identifiable data on behalf of another organization. A service
4		provider has no right to use any identifiable data for its own
5		purposes.
6		"Share" means, with respect to collected data, to transfer
7		or provide a copy of such data to any third party.
8		"Third party" means, for any user action, any party other
9		than the user, a first party to that user action, or a service
10		provider action on behalf of either the user or a first party.
11		"Tracking" or "track" means to (i) collect data regarding
12		a user action of a particular user, (ii) process such data
13		outside the context in which the user action occurred, (iii)
14		facilitate the creation of a user profile, or (iv) personalize
15		that user's online experience. For the purposes of this
16		definition, processing data related to a device used by a user
17		or the user's household shall be considered processing data
18		related to the user.
19		"User" means a natural person residing in this State who
20		uses the Internet.
21		"User action" means a deliberate online action by the
22		user, via configuration, invocation, or selection, to initiate
23		a network interaction. Selection of a link, submission of a
24		form, and reloading a page are examples of user actions.
25		"User agent" means any of the various client programs
26		capable of initiating network interactions, including, but not

SB3081 - 6 - LRB102 23767 SPS 32958 b
1		limited to, browsers, web-based robots, command-line tools,
2		native applications, mobile apps, or Internet-connected
3		devices.
4		Section 10. Response to do-not-track signals.
5		(a) In general. Except as permitted in this Section, a
6		party to a user action that receives a do-not-track signal
7		indicating a user preference not to be tracked shall not
8		track.
9		(b) Exceptions.
10		(1) First party. A first party to a user action within
11		a context to which the user has affirmatively signed in
12		may process data received from such user action, including
13		for personalized content, services, and advertising,
14		within that context. However, a first party shall not
15		share such data with a third party. For the purposes of
16		this paragraph, a user is signed into a context when the
17		user has affirmatively authenticated and identified
18		oneself by entering a username and password, or similar
19		credentials.
20		(2) Anonymous data. Data that has been sufficiently
21		de-identified such that it is rendered anonymous data may
22		be processed for any purpose, including outside the
23		context of the user actions from which it originates, or
24		across multiple contexts.
25		(3) Consent. A party may disregard a user's

SB3081 - 7 - LRB102 23767 SPS 32958 b
1		do-not-track signal when the user has given express
2		affirmative consent to track. A user may give consent
3		through a technical means defined in the Tracking
4		Preference Expression (DNT) specification published by the
5		World Wide Web Consortium or through a separate mechanism
6		such as an online or offline consent form that
7		demonstrates a specific and voluntary choice of the user.
8		For instance, accepting a general or broad terms of use
9		document that contains a clause regarding tracing does not
10		constitute express affirmation consent for the purposes of
11		this Act. Likewise, agreement obtained through a user
12		interface designed or manipulated with the purpose of
13		substantial effect of subverting or impairing user
14		autonomy, decision-making, or choice does not constitute
15		consent for the purposes of this Act. When relying on
16		consent from a user given through a separate mechanism, a
17		party must provide notice in accordance with Section 20.
18		(4) Permitted uses.
19		(A) In general. An organization may process data
20		for the uses specified in subparagraphs (B), (C), (D),
21		(E), (F), and (G), provided the organization:
22		(i) limits the amount of identifiable data
23		collected to that which is strictly needed for the
24		permitted uses;
25		(ii) limits the retention of identifiable data
26		to no longer than what is reasonably needed for

SB3081 - 8 - LRB102 23767 SPS 32958 b
1		the permitted uses;
2		(iii) uses anonymous data to the extent the
3		permitted uses can be achieved with such data, or
4		otherwise de-identifies the identifiable data to
5		the greatest extent that is compatible with the
6		permitted uses;
7		(iv) processes the data separately from
8		systems that are used for purposes other than the
9		permitted uses specified in this Section; and
10		(v) does not process the data beyond the
11		permitted uses.
12		(B) Providing a service. An organization may
13		process data to the extent necessary to effectuate a
14		transaction with the user, or to provide a product or
15		service to a user, provided the user has consented to
16		or authorized the transaction or the provision of the
17		product or service and any tracking, including
18		personalization, that is a necessary or inherent part
19		of that transaction, product, or service would have
20		been clear to the user at the time of such consent or
21		authorization. If such processing requires sharing
22		data with a third party, such third party may not
23		process the data for any other purpose.
24		(C) Security. An organization may process data to
25		the extent reasonably necessary to detect security
26		incidents, protect the website or other resource

SB3081 - 9 - LRB102 23767 SPS 32958 b
1		accessed by the user against malicious, deceptive,
2		fraudulent, or illegal activity, and prosecute those
3		responsible for such activity.
4		(D) Debugging. An organization may process data
5		for debugging purposes to identify and repair errors
6		that impair the existing functionality of the website
7		or other resource accessed by the user.
8		(E) Financial logging. An organization may process
9		data for billing and auditing related to network
10		interactions and related transactions.
11		(F) Research. An organization may process data to
12		conduct security research.
13		(G) Journalism. An organization may process data
14		as necessary for news gathering purposes by
15		journalists or other purposes protected by the First
16		Amendment of the United States Constitution.
17		(5) Technical errors. Data that is processed by a
18		party due to a technical error does not violate this Act if
19		such error is unintentional and unexpected, and within 30
20		days of the party discovering or receiving a report of the
21		error: (i) the error is corrected, (ii) any processing by
22		the party that is otherwise prohibited is stopped, and
23		(iii) the party deletes any data that should not have been
24		collected.
25		Section 15. Contractual obligations and liability. A first

SB3081 - 10 - LRB102 23767 SPS 32958 b
1		party that enables or permits a third party to engage in
2		tracking on or through the first party's website or other
3		resource:
4		(1) Must require the third party, through a contract,
5		terms of service, or similar binding and enforceable legal
6		agreement, to comply with this Act.
7		(2) Shall be liable for the third party's
8		non-compliance with this Act if the first party knew or
9		could have upon the exercise of due diligence known of the
10		third party's non-compliance and failed to take adequate
11		corrective action.
12		Section 20. Transparency. An organization that engages in
13		tracking shall describe, in understandable language and syntax
14		such that an ordinary user can comprehend, its practices with
15		respect to do-not-track signals in its privacy statement or
16		similar notice, available through a clear and prominent link
17		on the home page of its website. The description required
18		under this paragraph must include at least the following
19		information:
20		(1) the exceptions or permitted uses under this Act
21		under which the organization processes data;
22		(2) the effects on the user, if any, resulting from a
23		do-not-track signal, including if any webpages, features,
24		or services are not available or reduced in functionality;
25		(3) if the organization obtains out-of-band consent to

SB3081 - 11 - LRB102 23767 SPS 32958 b
1		disregard the do-not-track signal, a description of how a
2		user may give and revoke consent, and the scope of any such
3		consent, and the anticipated effect of the consent or
4		revocation on the user;
5		(4) the time period or periods for which identifiable
6		data collected by the organization is retained or the
7		criteria used to determine such time periods, and whether
8		such identifiable data is rendered anonymous data in lieu
9		of being deleted; and
10		(5) how a user may contact the organization with any
11		inquiries or complaints regarding the organization's
12		do-not-track practices.
13		Section 25. No circumvention. A party shall not block or
14		take similar actions to avoid receiving a user's do-not-track
15		signal. Nor shall any party take other actions to circumvent
16		the effectiveness of do-not-track signals.
17		Section 30. Enforcement.
18		(a) De facto and de jure harm. Users from whom
19		identifiable information has been processed in violation of
20		this Act shall be deemed to have been harmed by such
21		violations.
22		(b) Enforcement by the Attorney General. Whenever the
23		Attorney General has reasonable cause to believe that a party
24		or organization has engaged in a violation of this Act, the

SB3081 - 12 - LRB102 23767 SPS 32958 b
1		Attorney General shall enforce the provisions of this Act by
2		bringing a civil action on behalf of the people of this State
3		in a court of competent jurisdiction:
4		(1) to enjoin further violation of this Act by the
5		defendant; or
6		(2) to obtain damages on behalf of the people of this
7		State, in the amount authorized under State law or as
8		permitted under federal law, whichever is greater.
9		(c) A user from whom identifiable information has been
10		processed in violation of this Act may bring a civil action in
11		any court of competent jurisdiction:
12		(1) to enjoin further violation of this Act by the
13		defendant; or
14		(2) to obtain damages, in the amount of $1,000 or
15		actual damages shown, whichever is greater.
16		(d) Attorney fees. In the case of any successful action
17		under this Section, the court, in its discretion, may award
18		the costs of the action and reasonable attorney fees to the
19		State or the user.
20		Section 35. Home rule preemption. Except as otherwise
21		provided in this Act, the regulation of the activities
22		described in this Act are the exclusive powers and functions
23		of the State. Except as otherwise provided in this Act, a unit
24		of local government, including a home rule unit, may not
25		regulate the activities described in this Act. This Section is

SB3081 - 13 - LRB102 23767 SPS 32958 b
1		a denial and limitation of home rule powers and functions
2		under subsection (h) of Section 6 of Article VII of the
3		Illinois Constitution.
4		Section 97. Severability. The provisions of this Act are
5		severable under Section 1.31 of the Statute on Statutes.
6		Section 99. Effective date. This Act takes effect January
7		1, 2023.