CONSUMER DATA PRIVACY
Illinois enacts a comprehensive data privacy law granting residents broad rights over their data and imposing strict duties on controllers/processors, plus a data broker registry a
Illinois enacts a comprehensive data privacy law granting residents broad rights over their data and imposing strict duties on controllers/processors, plus a data broker registry a
Project overview
- Bill: SB 3890
- Session: 104th General Assembly, Illinois
- Introduced: February 6, 2026
- Primary sponsor: Sen. Rachel Ventura
- Purpose: Create a comprehensive Illinois Data Privacy Protection Act to regulate how personal data is collected, stored, processed, sold, and protected by entities doing business in Illinois or targeting Illinois residents. Establish robust consumer rights, data broker registration, and a dedicated enforcement framework.
Scope and thresholds
- Applies to legal entities that:
- Conduct business in Illinois or offer products/services targeted to Illinois residents, and
- Meet either of the thresholds:
- Process personal data of 100,000 or more Illinois consumers in a year (excluding data solely for payment transactions), or
- Derive more than 25% of gross revenue from the sale of personal data and process/collect data of 25,000 or more Illinois consumers.
Key rights and duties for consumers
- Rights conferred to Illinois residents (consumers), including:
- Access to personal data and disclosure of third parties with whom data has been shared
- Correction of inaccurate data
- Deletion of personal data
- Portability of data in a usable format
- Opt-out of targeted advertising, sales of data, and profiling decisions with legal or similarly significant effects
- Ability to question profiling results and access data used in profiling
- Right to non-discrimination for exercising privacy rights
- Secure, verifiable methods to submit requests
- Free access to privacy information at least twice per year; certain fees may apply for manifestly unfounded or excessive requests
- Provisions to protect sensitive data and data of known children, with parental consent where required
Controller/processor obligations
- Define roles: Controller (determines purposes/means of processing) and Processor (processes data on behalf of a controller)
- Contracts between controllers and processors must specify processing instructions, data types, duration, and rights/obligations; include confidentiality, subcontractor controls, and opportunities for audits or assessments
- Implement reasonable security measures proportional to risk
- Limit data collection to what is adequate, relevant, and necessary
- Maintain data inventories and conduct data privacy/protection assessments for certain processing activities (see Small Business section for specifics)
- De-identification/pseudonymization: allowed under certain conditions; limits on re-identification and responsibilities around deidentified data
Data rights administration and notices
- Transparency: require clear privacy notices detailing data categories, purposes, consumer rights, data sharing/sales, third-party recipients, retention, and contact information
- Notices must be accessible in languages used by the controller and with accessibility considerations
- Material changes to privacy notices require notifying affected consumers and offering an opportunity to withdraw consent for future changes
- Universal opt-out mechanisms for targeted advertising and data sales via cross-platform signals, with consumer-friendly design and Illinois-residency verification
Data brokers and enforcement
- Establishes a Data Broker Registry within the Illinois Attorney General (AG)
- Data brokers must register annually; the AG website will host registration and deletion mechanism information
- Creates a public data broker deletion mechanism allowing consumers to delete data across registered brokers via a single request
- Data brokers must report deletion request metrics and provide publicly accessible disclosures
- Civil penalties: up to $7,500 per violation; AG enforcement provisions include warning letters before suit (effective until January 1, 2028)
- Creates the Data Privacy Protection Fund to support enforcement
Exclusions and limitations
- Excludes States/local governments, federally recognized tribes, and certain health and education data governed by existing federal laws (e.g., HIPAA, FERPA)
- Small businesses receive tailored provisions under Section 17, with limitations on selling sensitive data without consent
- Home rule limits: local governments cannot regulate consumer data privacy
Effective dates and administration
- Key timelines for data broker registration, data broker deletion mechanism deployment, and privacy notices
- The bill includes severability, privacy protections, and provisions for non-private rights of action (no private right of action created)
Overall impact
- Creates a comprehensive state-level framework mirroring modern consumer privacy regimes
- Enhances consumer control over personal data and imposes stricter data governance on large data handlers and data brokers
- Establishes robust enforcement and a dedicated fund to support privacy protections in Illinois
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.