DATA PRIVACY AND PROTECTION
Illinois limits data collection and requires explicit consent, including for algorithmic processing, with strong governance, accessibility, and child protection safeguards.
Illinois limits data collection and requires explicit consent, including for algorithmic processing, with strong governance, accessibility, and child protection safeguards.
Status & timeline
- Introduced: Feb 6, 2025 (Rep. Abdelnasser Rashid). Companion: SB 1716.
- Passed both chambers: May 2025. Signed by Governor: June 20, 2025.
- Final status in legislative record: signed 2025-06-20 and marked effective immediately. (The bill text as introduced stated “effective 180 days after becoming law”; the legislative actions indicate immediate effect upon signing.)
Purpose
- Establishes comprehensive privacy rules for how private-sector entities collect, process, and transfer personal data in Illinois. The Act emphasizes minimization, meaningful consent, transparency, protections for children, and governance requirements for algorithms and security.
Key definitions (selected)
- Covered entity: any non‑government entity or person (not an individual acting in a non‑commercial context) that determines the purposes and means of collecting, processing, or transferring covered data; includes related corporate control relationships.
- Covered data: information that identifies or is reasonably linkable to an individual or device (includes derived data and unique identifiers). Excludes: de‑identified data, employee data, and publicly available information (per the bill text).
- Affirmative express consent: an explicit, freely given, specific authorization obtained via a clear, standalone disclosure (in the primary medium), describing processing purpose and categories of data, accessible to people with disabilities, available in covered languages, with refusal as prominent as acceptance; consent may not be inferred from inaction or obtained via false statements or “dark pattern” UI design.
- Covered algorithm: computational processes (ML, NLP, AI, etc.) that make or assist decision‑making about covered data (e.g., ranking, recommending, amplifying).
Major requirements and prohibitions
- Data minimization: Covered entities may not collect, process, or transfer covered data unless the use is reasonably necessary and proportionate to the stated purpose.
- Governance: Covered entities and service providers must establish, implement, and maintain reasonable policies, practices, and procedures governing covered data handling.
- Consent rules: Detailed standards for what constitutes valid affirmative express consent; separate consent required for new processing purposes; protections against deceptive practices or manipulative UI.
- Accessibility & language: Consent notices and options must be accessible to individuals with disabilities and provided in each “covered language” used by the entity.
- Biometric data: Defines biometric information and narrows certain exclusions (photographs, recordings that cannot identify individuals are excluded).
- Algorithmic transparency/controls: The law explicitly addresses algorithms used to make decisions affecting individuals (definitions and implied oversight).
- Protections for children/minors, civil‑rights considerations, data security standards, executive responsibility, and small business accommodations are included (text references these topics; particulars may appear in full statute).
Scope & exemptions
- Applies broadly to private entities that determine purposes/means of processing. Excludes government entities and certain service providers acting on behalf of a government, and excludes de‑identified, employee, and publicly available data per text excerpt.
- Service providers and third parties are addressed separately (requirements for contracts, limits on onward transfers, etc., are included in the Act).
Enforcement, penalties, rulemaking
- The bill text indicates provisions on enforcement, civil rights remedies, severability, and rulemaking authority, but specifics (penalty amounts, private right of action, or enforcement agency) were not fully included in the excerpt provided.
Potential impacts
- Businesses (especially those using ML/AI and handling identifiable data) will face new compliance obligations: data inventories, updated consent flows, accessible language translations, algorithmic governance, security controls, and contractual changes with service providers.
- Consumers gain enhanced rights and clearer consent protections, particularly for children and in cases of algorithmic decision‑making.
- Small businesses are noted as receiving protections (details in the full statute).
For the definitive legal text, consult the enrolled bill and the final published statute.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.