WeVote

Bill

Bill

SB 3220

CONSUMER DATA PRIVACY

104th Regular Session Introduced by Sue Rezin

Illinois residents gain rights to access, correct, delete, and opt out of data processing; the AG enforces with penalties for noncompliance.

Rule 3-9(a) / Re-referred to Assignments
0
WeVote Research Nonpartisan
Bill Summary · SB 3220

Summary of SB 3220 (Illinois) – Illinois Consumer Data Privacy Act

Jurisdiction: Illinois | Session: 104th General Assembly | Introduced: Feb 2, 2026

Purpose
- Establishes a comprehensive state-level framework to protect the personal data of Illinois residents.
- Creates consumer rights related to personal data processing and sets standards for how controllers and processors handle data.
- Provides enforcement by the Illinois Attorney General and creates a dedicated Consumer Privacy Fund to support enforcement.

Key Provisions and Changes

1) Core Rights for Consumers
- Right to confirm whether a controller is processing their personal data and access that data.
- Right to correct inaccuracies in their personal data.
- Right to delete personal data provided by or about the consumer.
- Right to obtain a copy of their data in a portable, machine-readable format.
- Right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in ways that produce legal or similarly significant effects

2) Scope and Applicability
- Applies to entities that do business in Illinois or target Illinois residents and:
- Process personal data of at least 100,000 consumers in a calendar year, or
- Process data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
- Exemptions for:
- Local governments, financial institutions (and GLBA-regulated data), HIPAA-covered entities/business associates, nonprofit organizations, institutions of higher education, certain law enforcement and public utilities, among others.

3) Definitions (selected)
- Controller and Processor: Distinguishes roles and responsibilities; defines affiliations, authentication, and processing concepts.
- Personal Data, Sensitive Data, Deidentified Data, Pseudonymous Data: Sets boundaries for what is protected and how it can be used.
- Targeted Advertising, Sale of Personal Data, Profiling: Definitions to guide rights and prohibitions.
- Trade Secret and Confidential Information: Protections for businesses in disclosures.

4) Duties of Controllers and Processors
- Controller duties:
- Limit data collection to what is adequate, relevant, and necessary.
- Do not process data beyond disclosed purposes without consent (with exceptions).
- Implement reasonable data security measures.
- Prohibit discrimination against data subjects for exercising rights.
- Obtain consent for processing sensitive data; comply with COPPA parental consent if applicable.
- Provide a clear privacy notice detailing categories of data processed, purposes, rights, sharing, and third parties.
- Clearly disclose data selling or targeted advertising activities and opt-out mechanisms.
- Establish accessible mechanisms for exercising rights; authentication required for requests.
- Processor duties:
- Follow controller instructions and assist with rights requests and security.
- Maintain a contract with controllers outlining processing specifics and safeguards.
- Ensure confidentiality of processing personnel; allow audits/assessments.

5) Data Protection Impact Assessments (DPIAs)
- Controllers must conduct DPIAs for:
- Targeted advertising
- Selling data
- Profiling with significant risk
- Processing of sensitive data
- Any processing presenting heightened risk
- DPIAs assess benefits versus privacy risks and safeguards; may be requested by the Attorney General and are confidential under FOIA.

6) De-identified Data
- Special provisions to protect and oversee de-identified data; prohibits re-identification and requires contractual obligations on recipients.

7) Enforcement and Penalties
- Exclusive enforcement by the Illinois Attorney General.
- Initial cure period: 30 days’ notice to cure alleged violations; if cured, no damages action may be brought.
- If violations persist after cure, the AG may seek damages up to $7,500 per continued violation.
- No private right of action is created under the Act.
- Civil penalties and enforcement costs go to the Consumer Privacy Fund, administered by the AG.

8) Consumer Privacy Fund
- Establishes the Consumer Privacy Fund in the State treasury.
- All civil penalties collected under the Act go into the Fund.
- Funds used by the AG’s office to enforce the Act.

9) FOIA and Related Revisions
- Amends the Freedom of Information Act (FOIA) to exempt data protection impact assessments conducted under this Act from disclosure, reinforcing confidentiality of DPIAs.

10) Effective Dates and Related Impacts
- DPIA requirements generally apply to processing activities created or generated on or after June 1, 2028.
- Other provisions become effective per standard legislative timing (noted in the text as of introduction; final dates may depend on enactment).

Potential Impact

  • Businesses targeting Illinois residents or processing Illinois residents’ data may face new compliance costs, data governance requirements, and consumer-rights processes.
  • Stronger protections for consumers regarding access, correction, deletion, and opt-out rights, plus explicit DPIA requirements for high-risk processing.
  • A centralized enforcement mechanism via the Illinois Attorney General, with penalties designed to deter noncompliance.
  • Exemptions and safeguards tailored to align with existing federal laws and sector-specific privacy regimes (HIPAA, GLBA, FERPA, etc.).

Note: This summary reflects the introduced text and outlines key provisions, rights, obligations, and potential effects. Final provisions may change with amendments or legislative action.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.