103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB3334   Introduced 2/7/2024, by Sen. Sue Rezin   SYNOPSIS AS INTRODUCED:   New Act 30 ILCS 105/5.1015 new     Creates the Illinois Age-Appropriate Design Code Act. Provides that all covered entities that operate in the State and process children's data in any capacity shall do so in a manner consistent with the best interests of children. Provides that a covered entity subject to the Act shall take specified actions to protect children's privacy in connection with online services, products, or features, including completing a data protection impact assessment for an online service, product, or feature that is reasonably likely to be accessed by children; and maintain documentation of the data protection impact assessment. Contains provisions concerning additional requirements for covered entities; prohibited acts by covered entities; data practices; enforcement by the Attorney General; limitations of the Act; data protection impact assessment dates; and severability. Amends the State Finance Act to create the Age-Appropriate Design Code Enforcement Fund. Effective immediately. LRB103 38209 SPS 68343 b     A BILL FOR
SB3334 LRB103 38209 SPS 68343 b
1		AN ACT concerning business.
2		Be it enacted by the People of the State of Illinois,
3		represented in the General Assembly:
4		Section 1. Short title. This Act may be cited as the
5		Illinois Age-Appropriate Design Code Act.
6		Section 5. Intent. It is the intent of the General
7		Assembly that nothing in this Act shall be construed to
8		infringe on the existing rights and freedoms of children.
9		Section 10. Definitions. As used in this Act:
10		"Affiliate" means a legal entity that controls, is
11		controlled by, or is under common control with, another legal
12		entity. For the purposes of this definition, "control" or
13		"controlled" means: (i) ownership of, or the power to vote,
14		more than 50% of the outstanding shares of any class of voting
15		security of a covered entity; (ii) control in any manner over
16		the election of a majority of the directors or of individuals
17		exercising similar functions; or (iii) the power to exercise a
18		controlling influence over the management of a covered entity.
19		"Age-appropriate" means a recognition of the distinct
20		needs and diversities of children at different age ranges. In
21		order to help support the design of online services, products,
22		and features, covered entities should take into account the

SB3334 - 2 - LRB103 38209 SPS 68343 b
1		unique needs and diversities of different age ranges,
2		including the following developmental stages: 0 to 5 years of
3		age or preliterate and early literacy; 6-9 years of age or core
4		primary school years; 10 to 12 years of age or transition
5		years; 13 to 15 years of age or early teens; and 16 to 17 years
6		or age or approaching adulthood.
7		"Best interests of children" means the use, by a covered
8		entity, of the personal data of a child or the design of an
9		online service, product, or feature in a way that:
10		(1) will not benefit the covered entity to the
11		detriment of the child; and
12		(2) will not result in:
13		(A) reasonably foreseeable and material physical
14		or financial harm to the child;
15		(B) reasonably foreseeable and severe
16		psychological, or emotional harm to the child;
17		(C) a highly offensive intrusion on the reasonable
18		privacy expectations of the child; or
19		(D) discrimination against the child based upon
20		race, color, religion, national origin, disability,
21		sex, or sexual orientation.
22		"Child" means a consumer who is under 18 years of age.
23		"Collect" means buying, renting, gathering, obtaining,
24		receiving, or accessing any personal data pertaining to a
25		consumer by any means. "Collect" includes receiving data from
26		the consumer, either actively or passively, or by observing

SB3334 - 3 - LRB103 38209 SPS 68343 b
1		the consumer's behavior.
2		"Covered entity" means:
3		(1) a sole proprietorship, partnership, limited
4		liability company, corporation, association, or other
5		legal entity that is organized or operated for the profit
6		or financial benefit of its shareholders or other owners;
7		and
8		(2) an affiliate of a covered entity that shares
9		common branding with the covered entity. For the purposes
10		of this definition, "common branding" means a shared name,
11		service mark, or trademark that the average consumer would
12		understand that 2 or more entities are commonly owned.
13		For purposes of this Act, for a joint venture or
14		partnership composed of covered entities in which each covered
15		entity has at least a 40% interest, the joint venture or
16		partnership and each covered entity that composes the joint
17		venture or partnership shall separately be considered a single
18		covered entity, except that personal data in the possession of
19		each covered entity and disclosed to the joint venture or
20		partnership shall not be shared with the other covered entity.
21		"Consumer" means a natural person who is an Illinois
22		resident, however identified, including by any unique
23		identifier.
24		"Dark pattern" means a user interface designed or
25		manipulated with the purpose of subverting or impairing user
26		autonomy, decision making, or choice.

SB3334 - 4 - LRB103 38209 SPS 68343 b
1		"Data protection impact assessment" means a systematic
2		survey to assess compliance with the duty to act in the best
3		interests of children and shall include a plan to ensure that
4		all online products, services, or features provided by the
5		covered entity are designed and offered in a manner consistent
6		with the best interests of children reasonably likely to
7		access the online product, service, or feature and a
8		description of steps the covered entity has taken and will
9		take to comply with the duty to act in the best interests of
10		children.
11		"Default" means a preselected option adopted by the
12		covered entity for the online service, product, or feature.
13		"Deidentified" means data that cannot reasonably be used
14		to infer information about, or otherwise be linked to, an
15		identified or identifiable natural person, or a device linked
16		to such person, provided that the covered entity that
17		possesses the data:
18		(1) takes reasonable measures to ensure that the data
19		cannot be associated with a natural person;
20		(2) publicly commits to maintain and use the data only
21		in a deidentified fashion and not attempt to re-identify
22		the data; and
23		(3) contractually obligates any recipients of the data
24		to comply with all provisions of this Act.
25		"Derived data" means data that is created by the
26		derivation of information, data, assumptions, correlations,

SB3334 - 5 - LRB103 38209 SPS 68343 b
1		inferences, predictions, or conclusions from facts, evidence,
2		or another source of information or data about a child or a
3		child's device.
4		"Online service, product, or feature" does not mean any of
5		the following:
6		(1) telecommunications service, as defined in 47
7		U.S.C. 153;
8		(2) a broadband service as defined in the Public
9		Utilities Act; or
10		(3) the sale, delivery, or use of a physical product.
11		"Personal data" means any information, including derived
12		data, that is linked or reasonably linkable, alone or in
13		combination with other information, to an identified or
14		identifiable natural person. "Personal data" does not include
15		de-identified data or publicly available information. For the
16		purposes of this definition, "publicly available information"
17		means information (i) that is lawfully made available from
18		federal, State, or local government records or widely
19		distributed media; and (ii) that a controller has a reasonable
20		basis to believe a consumer has lawfully made available to the
21		general public.
22		"Precise geolocation" means any data that is derived from
23		a device and that is used or intended to be used to locate a
24		consumer within a geographic area that is equal to or less than
25		the area of a circle with a radius of 1,850 feet, except as
26		prescribed by regulations.

SB3334 - 6 - LRB103 38209 SPS 68343 b
1		"Process" or "processing" means to conduct or direct any
2		operation or set of operations performed, whether by manual or
3		automated means, on personal data or on sets of personal data,
4		such as the collection, use, storage, disclosure, analysis,
5		deletion, modification, or otherwise handling of personal
6		data.
7		"Product experimentation results" means the data that
8		companies collect to understand the experimental impact of
9		their products.
10		"Profiling" means any form of automated processing of
11		personal data to evaluate, analyze, or predict personal
12		aspects concerning an identified or identifiable natural
13		person's economic situation, health, personal preferences,
14		interests, reliability, behavior, location, or movements.
15		"Profiling" does not include the processing of information
16		that does not result in an assessment or judgment about a
17		natural person.
18		"Reasonably likely to be accessed" means an online
19		service, product, or feature that is accessed by children
20		based on any of the following indicators:
21		(1) the online service, product, or feature is
22		directed to children, as defined by the Children's Online
23		Privacy Protection Act, 15 U.S.C. 6501 et seq., and the
24		Federal Trade Commission rules implementing that Act;
25		(2) the online service, product, or feature is
26		determined, based on competent and reliable evidence

SB3334 - 7 - LRB103 38209 SPS 68343 b
1		regarding audience composition, to be routinely accessed
2		by a significant number of children;
3		(3) the online service, product, or feature contains
4		advertisements marketed to children;
5		(4) the online service, product, or feature is
6		substantially similar or the same as an online service,
7		product, or feature subject to paragraph (2) of this
8		definition;
9		(5) a significant amount of the audience of the online
10		service, product, or feature is determined, based on
11		internal company research, to be children; and
12		(6) the covered entity knew or should have known that
13		a significant number of users are children, provided that,
14		in making this assessment, the covered entity shall not
15		collect or process any personal data that is not
16		reasonably necessary to provide an online service,
17		product, or feature with which a child is actively and
18		knowingly engaged.
19		"Sale" or "sell" means the exchange of personal data for
20		monetary or other valuable consideration by a covered entity
21		to a third party. "Sale" or "sell" do not include the
22		following:
23		(1) the disclosure of personal data to a third party
24		who processes the personal data on behalf of the covered
25		entity;
26		(2) the disclosure of personal data to a third party

SB3334 - 8 - LRB103 38209 SPS 68343 b
1		with whom the consumer has a direct relationship for
2		purposes of providing a product or service requested by
3		the consumer;
4		(3) the disclosure or transfer of personal data to an
5		affiliate of the covered entity;
6		(4) the disclosure of data that the consumer
7		intentionally made available to the general public via a
8		channel of mass media and did not restrict to a specific
9		audience; or
10		(5) the disclosure or transfer of personal data to a
11		third party as an asset that is part of a completed or
12		proposed merger, acquisition, bankruptcy, or other
13		transaction in which the third party assumes control of
14		all or part of the covered entity's assets.
15		"Share" means sharing, renting, releasing, disclosing,
16		disseminating, making available, transferring, or otherwise
17		communicating orally, in writing, or by electronic or other
18		means a consumer's personal data by the covered entity to a
19		third party for cross-context behavioral advertising, whether
20		or not for monetary or other valuable consideration, including
21		transactions between a covered entity and a third party for
22		cross-context behavioral advertising for the benefit of a
23		covered entity in which no money is exchanged.
24		"Third party" means a natural or legal person, public
25		authority, agency, or body other than the consumer or the
26		covered entity.

SB3334 - 9 - LRB103 38209 SPS 68343 b
1		Section 15. Information fiduciary. All covered entities
2		that operate in this State and process children's data in any
3		capacity shall do so in a manner consistent with the best
4		interests of children.
5		Section 20. Scope; exclusions.
6		(a) A covered entity operating in this State is subject to
7		the requirements of this Act if it:
8		(1) collects consumers' personal data or has
9		consumers' personal data collected on its behalf by a
10		third party;
11		(2) alone or jointly with others, determines the
12		purposes and means of the processing of consumers'
13		personal data; and
14		(3) satisfies one or more of the following thresholds:
15		(i) has annual gross revenues in excess of
16		$25,000,000, as adjusted every odd numbered year to
17		reflect the Consumer Price Index;
18		(ii) alone or in combination, annually buys,
19		receives for the covered entity's commercial purposes,
20		sells, or shares for commercial purposes, alone or in
21		combination, the personal data of 50,000 or more
22		consumers, households, or devices; or
23		(iii) derives 50% or more of its annual revenues
24		from selling consumers' personal data.

SB3334 - 10 - LRB103 38209 SPS 68343 b
1		(b) This Act does not apply to:
2		(1) protected health information that is collected by
3		a covered entity or covered entity associate governed by
4		the privacy, security, and breach notification rules
5		issued by the United States Department of Health and Human
6		Services, 45 CFR 160 and 164, established pursuant to the
7		Health Insurance Portability and Accountability Act of
8		1996, Public Law 104-191, and the Health Information
9		Technology for Economic and Clinical Health Act, Public
10		Law 111-5;
11		(2) a covered entity governed by the privacy,
12		security, and breach notification rules issued by the
13		United States Department of Health and Human Services, 45
14		CFR 160 and 164, established pursuant to the Health
15		Insurance Portability and Accountability Act of 1996,
16		Public Law 104-191, to the extent the provider or covered
17		entity maintains patient information in the same manner as
18		medical information or protected health information as
19		described in paragraph (1); or
20		(3) information collected as part of a clinical trial
21		subject to the federal policy for the protection of human
22		subjects, also known as the common rule, pursuant to good
23		clinical practice guidelines issued by the International
24		Council for Harmonisation of Technical Requirements for
25		Pharmaceuticals for Human Use or human subject protection
26		requirements issued by the United States Food and Drug

SB3334 - 11 - LRB103 38209 SPS 68343 b
1		Administration.
2		Section 25. Requirements for covered entities.
3		(a) A covered entity subject to this Act shall:
4		(1) complete a data protection impact assessment for
5		an online service, product, or feature or any new online
6		service, product, or feature that is reasonably likely to
7		be accessed by children; and maintain documentation of the
8		data protection impact assessment for as long as the
9		online service, product, or feature is reasonably likely
10		to be accessed by children;
11		(2) review and modify all data protection impact
12		assessments as necessary to account for material changes
13		to processing pertaining to the online service, product,
14		or feature within 90 days after such material changes;
15		(3) within 5 business days after a written request by
16		the Attorney General, provide to the Attorney General a
17		list of all data protection impact assessments the covered
18		entity has completed;
19		(4) within 7 business days after a written request by
20		the Attorney General, provide the Attorney General with a
21		copy of any data protection impact assessment, unless the
22		Attorney General, in its discretion, extends the time
23		period for a covered entity to respond;
24		(5) configure all default privacy settings provided to
25		children by the online service, product, or feature to

SB3334 - 12 - LRB103 38209 SPS 68343 b
1		settings that offer a high level of privacy, unless the
2		covered entity can demonstrate a compelling reason that a
3		different setting is in the best interests of children;
4		(6) provide any privacy information, terms of service,
5		policies, and community standards concisely, prominently,
6		and using clear language suited to the age of children
7		reasonably likely to access that online service, product,
8		or feature; and
9		(7) provide prominent, accessible, and responsive
10		tools to help children, or if applicable their parents or
11		guardians, exercise their privacy rights and report
12		concerns.
13		(b) A data protection, impact assessment required by this
14		Section shall identify the purpose of the online service,
15		product, or feature; how it uses children's personal data; and
16		determine whether the online service, product, or feature is
17		designed and offered in a age-appropriate manner consistent
18		with the best interests of children that are reasonably likely
19		to access the online product by examining, at a minimum, the
20		following:
21		(1) whether the design of the online service, product,
22		or feature could lead to children experiencing or being
23		targeted by contacts on the online service, product, or
24		feature that would result in: reasonably foreseeable and
25		material physical or financial harm to the child;
26		reasonably foreseeable and severe psychological or

SB3334 - 13 - LRB103 38209 SPS 68343 b
1		emotional harm to the child; a highly offensive intrusion
2		on the reasonable privacy expectations of the child; or
3		discrimination against the child based upon race, color,
4		religion, national origin, disability, sex, or sexual
5		orientation;
6		(2) whether the design of the online service, product,
7		or feature could permit children to witness, participate
8		in, or be subject to conduct on the online service,
9		product, or feature that would result in: reasonably
10		foreseeable and material physical or financial harm to the
11		child; reasonably foreseeable and severe psychological or
12		emotional harm to the child; a highly offensive intrusion
13		on the reasonable privacy expectations of the child; or
14		discrimination against the child based upon race, color,
15		religion, national origin, disability, sex, or sexual
16		orientation;
17		(3) whether the design of the online service, product,
18		or feature are reasonably expected to allow children to be
19		party to or exploited by a contract on the online service,
20		product, or feature that would result in: reasonably
21		foreseeable and material physical or financial harm to the
22		child; reasonably foreseeable and severe psychological or
23		emotional harm to the child; a highly offensive intrusion
24		on the reasonable privacy expectations of the child; or
25		discrimination against the child based upon race, color,
26		religion, national origin, disability, sex, or sexual

SB3334 - 14 - LRB103 38209 SPS 68343 b
1		orientation;
2		(4) whether algorithms used by the product, service,
3		or feature would result in: reasonably foreseeable and
4		material physical or financial harm to the child;
5		reasonably foreseeable and severe psychological or
6		emotional harm to the child; a highly offensive intrusion
7		on the reasonable privacy expectations of the child; or
8		discrimination against the child based upon race, color,
9		religion, national origin, disability, sex, or sexual
10		orientation;
11		(5) whether targeted advertising systems used by the
12		online service, product, or feature would result in:
13		reasonably foreseeable and material physical or financial
14		harm to the child; reasonably foreseeable and severe
15		psychological or emotional harm to the child; a highly
16		offensive intrusion on the reasonable privacy expectations
17		of the child; or discrimination against the child based
18		upon race, color, religion, national origin, disability,
19		sex, or sexual orientation;
20		(6) whether the online service, product, or feature
21		uses system design features to increase, sustain, or
22		extend use of the online service, product, or feature by
23		children, including the automatic playing of media,
24		rewards for time spent, and notifications, that would
25		result in: reasonably foreseeable and material physical or
26		financial harm to the child; reasonably foreseeable and

SB3334 - 15 - LRB103 38209 SPS 68343 b
1		severe psychological or emotional harm to the child; a
2		highly offensive intrusion on the reasonable privacy
3		expectations of the child; or discrimination against the
4		child based upon race, color, religion, national origin,
5		disability, sex, or sexual orientation; and
6		(7) whether, how, and for what purpose the online
7		product, service, or feature collects or processes
8		personal data of children, and whether those practices
9		would result in: reasonably foreseeable and material
10		physical or financial harm to the child; reasonably
11		foreseeable and severe psychological or emotional harm to
12		the child; a highly offensive intrusion on the reasonable
13		privacy expectations of the child; or discrimination
14		against the child based upon race, color, religion,
15		national origin, disability, sex, or sexual orientation;
16		and
17		(8) whether and how product experimentation results
18		for the online product, service, or feature reveal data
19		management or design practices that would result in:
20		reasonably foreseeable and material physical or financial
21		harm to the child; reasonably foreseeable and extreme
22		psychological or emotional harm to the child; a highly
23		offensive intrusion on the reasonable privacy expectations
24		of the child; or discrimination against the child based
25		upon race, color, religion, national origin, disability,
26		sex, or sexual orientation.

SB3334 - 16 - LRB103 38209 SPS 68343 b
1		(c) A data protection impact assessment conducted by a
2		covered entity for the purpose of compliance with any other
3		law complies with this Section if the data protection impact
4		assessment meets the requirement of this Act.
5		(d) A single data protection impact assessment may contain
6		multiple similar processing operations that present similar
7		risk only if each relevant online service, product, or feature
8		is addressed.
9		(e) A company may process only the personal data
10		reasonably necessary to provide an online service, product, or
11		feature with which a child is actively and knowingly engaged
12		to estimate age.
13		Section 30. Prohibited acts by covered entities. A covered
14		entity that provides an online service, product, or feature
15		reasonably likely to be accessed by children shall not:
16		(1) process the personal data of any child in a way
17		that is inconsistent with the best interests of children
18		reasonably likely to access the online service, product,
19		or feature;
20		(2) profile a child by default unless:
21		(A) the covered entity can demonstrate it has
22		appropriate safeguards in place to ensure that
23		profiling is consistent with the best interests of
24		children reasonably likely to access the online
25		service, product, or feature; and

SB3334 - 17 - LRB103 38209 SPS 68343 b
1		(B) either of the following is true:
2		(i) profiling is necessary to provide the
3		online service, product, or feature requested and
4		only with respect to the aspects of the online
5		service, product, or feature with which a child is
6		actively and knowingly engaged;
7		(ii) the covered entity can demonstrate a
8		compelling reason that profiling is in the best
9		interests of children;
10		(3) process any personal data that is not reasonably
11		necessary to provide an online service, product, or
12		feature with which a child is actively and knowingly
13		engaged;
14		(4) if the end user is a child, process personal data
15		for any reason other than a reason for which that personal
16		data was collected;
17		(5) process any precise geolocation information of
18		children by default, unless the collection of that precise
19		geolocation information is strictly necessary for the
20		covered entity to provide the service, product, or feature
21		requested and then only for the limited time that the
22		collection of precise geolocation information is necessary
23		to provide the service, product, or feature;
24		(6) process any precise geolocation information of a
25		child without providing an obvious sign to the child for
26		the duration of that collection that precise geolocation

SB3334 - 18 - LRB103 38209 SPS 68343 b
1		information is being collected;
2		(7) use dark patterns to cause children to provide
3		personal data beyond what is reasonably expected to
4		provide that online service, product, or feature to forgo
5		privacy protections, or to take any action that the
6		covered entity knows, or has reason to know, is not in the
7		best interests of children reasonably likely to access the
8		online service, product, or feature; and
9		(8) allow a child's parent, guardian, or any other
10		consumer to monitor the child's online activity or track
11		the child's location, without providing an obvious signal
12		to the child when the child is being monitored or tracked.
13		Section 35. Data practices.
14		(a) A data protection impact assessment collected or
15		maintained by the Attorney General under Section 25 is
16		classified as nonpublic data.
17		(b) To the extent any information contained in a data
18		protection impact assessment disclosed to the Attorney General
19		includes information subject to attorney-client privilege or
20		work product protection, disclosure does not constitute a
21		waiver of that privilege or protection.
22		Section 40. Attorney General enforcement.
23		(a) A covered entity that violates this Act may be subject
24		to an injunction and liable for a civil penalty of not more

SB3334 - 19 - LRB103 38209 SPS 68343 b
1		than $2,500 per affected child for each negligent violation,
2		or not more than $7,500 per affected child for each
3		intentional violation, which may be assessed or recovered only
4		in a civil action brought by the Attorney General. If the State
5		prevails in an action to enforce this Act, the State may, in
6		addition to civil penalties provided by this subsection or
7		other remedies provided by the law, be allowed an amount
8		determined by the court to be the reasonable value of all or
9		part of the State's litigation expenses incurred.
10		(b) All moneys received by the Attorney General as civil
11		penalties, fees, or other amounts under subsection (a) shall
12		be deposited into the Age-Appropriate Design Code Enforcement
13		Fund, a special fund created in the State treasury, and shall
14		be used, subject to appropriation and as directed by the
15		Attorney General, to offset costs incurred by the Attorney
16		General in connection with the enforcement of this Act.
17		(c) If a covered entity is in substantial compliance with
18		the requirements of Section 25, the Attorney General shall,
19		before initiating a civil action under this Section, provide
20		written notice to the covered entity identifying the specific
21		provisions of this Act that the Attorney General alleges have
22		been or are being violated. If, for a covered entity that
23		satisfied Section 50 or subsection (a) of Section 25 before
24		offering any new online product, service, or feature
25		reasonably likely to be accessed by children to the public,
26		within 90 days after the notice required by this subsection,

SB3334 - 20 - LRB103 38209 SPS 68343 b
1		the covered entity cures any noticed violation and provides
2		the Attorney General a written statement that the alleged
3		violations have been cured, and sufficient measures have been
4		taken to prevent future violations, the covered entity is not
5		liable for a civil penalty for any violation cured pursuant to
6		this Act.
7		(d) Nothing in this Act shall be construed to create a
8		private right of action.
9		Section 45. Limitations. Nothing in this Act shall be
10		interpreted or construed to:
11		(1) impose liability in a manner that is inconsistent
12		with 47 U.S.C. 230;
13		(2) prevent or preclude any child from deliberately or
14		independently searching for, or specifically requesting,
15		content; or
16		(3) require a covered entity to implement an age
17		gating requirement.
18		Section 50. Data protection impact assessment date.
19		(a) By January 1, 2025 a covered entity shall complete a
20		data protection impact assessment for any online service,
21		product, or feature reasonably likely to be accessed by
22		children offered to the public before January 1, 2025, unless
23		that online service, product, or feature is exempt under
24		paragraph (b).

SB3334 - 21 - LRB103 38209 SPS 68343 b
1		(b) This Act does not apply to an online service, product,
2		or feature that is not offered to the public on or after
3		January 1, 2025.
4		Section 55. Severability. If any provision of this Act, or
5		an amendment made by this Act, is determined to be
6		unenforceable or invalid, the remaining provisions of this Act
7		and the amendments made by this Act shall not be affected.
8		Section 90. The State Finance Act is amended by adding
9		Section 5.1015 as follows:
10		(30 ILCS 105/5.1015 new)
11		Sec. 5.1015. The Age-Appropriate Design Code Enforcement
12		Fund.
13		Section 99. Effective date. This Act takes effect upon
14		becoming law.