WeVote

Bill

Bill

SB 3603

CONSUMERS–DATA PROCESSING

104th Regular Session Introduced by Steve Stadelman

Illinois entities handling targeted ads must provide clear opt-out rights and accessible mechanisms for consumers to stop processing or selling their data starting Jan 1, 2028.

Rule 2-10 Committee/3rd Reading Deadline Established As May 15, 2026
0
WeVote Research Nonpartisan
Bill Summary · SB 3603

Summary of SB 3603 (104th Illinois General Assembly)

Purpose and Intent

SB 3603 proposes to regulate data processing by requiring consumer opt-out rights for targeted advertising. It amends the Illinois Consumer Fraud and Deceptive Business Practices Act to ensure consumers can opt out of processing or selling their personal data for targeted ads. The bill also requires clear disclosure of data processing/sales for targeted advertising in a privacy notice and creates an accessible opt-out mechanism outside of that privacy notice. The act would take effect January 1, 2028.

Key Provisions

  • Definitions (Section 2MMMM)

    • Establishes terms for “controller,” “processor,” “personal data,” “deidentified data,” and “targeted advertising.”
    • Clarifies what counts as “personal data” (excluding deidentified data and publicly available information) and what constitutes targeted advertising (with several exceptions).
  • Opt-Out Rights (Subsections b, c, d, e)

    • Consumer Opt-Out: A consumer may opt out of processing personal data for targeted advertising by submitting a request via methods specified in the controller’s privacy notice, at any time.
    • Conspicuous Opt-Out Mechanism: Controllers must provide a clear and conspicuous method to opt out of targeted advertising processing, including secure and reliable means to submit requests and identity verification considerations.
    • Authorization by Third Parties: A consumer may authorize another person to opt out on their behalf; controllers must authenticate the consumer and the agent’s authority.
  • Protection for Minors and Protected Adults (Subsection e)

    • Parents/guardians may opt out a child’s data from targeted advertising; guardians or conservators may opt out for adults under protective arrangements.
  • Universal Opt-Out Mechanism (Subsection f)

    • Requires support for a user-selected, universal opt-out mechanism, such as opt-out preference signals (with consent) or other mechanisms indicating opt-out intent.
  • Disclosure and Accessibility (Subsection g)

    • If a controller processes or sells personal data for targeted advertising, it must disclose this in a privacy notice and provide a direct, conspicuous opt-out method outside the privacy notice (e.g., a clearly labeled hyperlink like “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out).
    • The privacy notice must be accessible via conspicuous hyperlinks on the controller’s homepage or mobile app store page; for apps, a link should also appear in the app’s settings or equivalent location; if no website is operated, the notice must be reasonably accessible to consumers through other means.
  • Scope and Applicability (Subsection h)

    • Applies to legal entities operating in Illinois or targeting Illinois residents that meet either: 1) 100,000 or more Illinois consumers processed in a calendar year (excluding data solely for completing a payment transaction), or 2) derive over 25% of gross revenue from selling personal data and process or control personal data of 25,000+ Illinois consumers.
  • Enforcement (Subsection i)

    • Violations constitute unlawful practices under the Consumer Fraud Act.

Who and What Is Affected

  • Covered Entities: Legal entities doing business in Illinois or targeting Illinois residents that meet the thresholds in (h). These entities would be subject to the opt-out requirements for targeted advertising processing and sales.
  • Individuals: Illinois consumers and, specifically, minors or protected adults whose data is processed for targeted advertising would gain opt-out rights.
  • Controllers and Processors: Entities determining purposes/means of processing personal data (controllers) and those processing data on behalf of controllers (processors) must implement opt-out mechanisms and privacy notices as described.

Procedural and Timeline Aspects

  • Effective Date: January 1, 2028.
  • Legislative Timeline: Introduced February 5, 2026; assigned to committees with standard Illinois process timelines (Rule 2-10 deadlines noted in action history). Final enactment and publication would follow legislative approval and any required governor action.

Practical Implications

  • Enhances consumer control over targeted advertising and data sales.
  • Requires visible privacy notices and accessible opt-out pathways beyond privacy notices themselves.
  • Establishes thresholds that determine which entities must comply, focusing on larger data processors and data-driven revenue models.
  • Adds enforcement under the Illinois Consumer Fraud Act, creating potential legal exposure for noncompliance.

If you’d like, I can provide a side-by-side comparison with existing Illinois privacy provisions or draft a plain-language explainer for public posting.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.