Bill Text: IL HB3880 | 2023-2024 | 103rd General Assembly | Introduced
Bill Title: Creates the Children's Privacy Protection and Parental Empowerment Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a Data Protection Impact Assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2024. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act. Effective immediately.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Introduced) 2023-03-10 - Rule 19(a) / Re-referred to Rules Committee [HB3880 Detail]
Download: Illinois-2023-HB3880-Introduced.html
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| 1 | AN ACT concerning business.
| |||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
| 3 | represented in the General Assembly:
| |||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
| 5 | Children's Privacy Protection and Parental Empowerment Act.
| |||||||||||||||||||
| 6 | Section 5. Definitions. As used in this Act: | |||||||||||||||||||
| 7 | "Child" or "children", unless otherwise specified, means a | |||||||||||||||||||
| 8 | consumer or consumers who are under 18 years of age. | |||||||||||||||||||
| 9 | "Data Protection Impact Assessment" means a systematic | |||||||||||||||||||
| 10 | survey to assess and mitigate risks that arise from the data | |||||||||||||||||||
| 11 | management practices of the business to children who are | |||||||||||||||||||
| 12 | reasonably likely to access the online service, product, or | |||||||||||||||||||
| 13 | feature at issue that arises from the provision of that online | |||||||||||||||||||
| 14 | service, product, or feature. | |||||||||||||||||||
| 15 | "Default" means a preselected option adopted by the | |||||||||||||||||||
| 16 | business for the online service, product, or feature.
| |||||||||||||||||||
| 17 | "Likely to be accessed by children" means it is reasonable | |||||||||||||||||||
| 18 | to expect, based on the following indicators, that the online | |||||||||||||||||||
| 19 | service, product, or feature would be accessed by children: | |||||||||||||||||||
| 20 | (1) the online service, product, or feature is | |||||||||||||||||||
| 21 | directed to children as defined by the Children's Online | |||||||||||||||||||
| 22 | Privacy Protection Act (15 U.S.C. 6501 et seq.); | |||||||||||||||||||
| 23 | (2) the online service, product, or feature is | |||||||||||||||||||
| |||||||
| |||||||
| 1 | determined, based on competent and reliable evidence | ||||||
| 2 | regarding audience composition, to be routinely accessed | ||||||
| 3 | by a significant number of children; | ||||||
| 4 | (3) an online service, product, or feature with | ||||||
| 5 | advertisements marketed to children; | ||||||
| 6 | (4) an online service, product, or feature that is | ||||||
| 7 | substantially similar or the same as an online service, | ||||||
| 8 | product, or feature subject to subparagraph (2); | ||||||
| 9 | (5) an online service, product, or feature that has | ||||||
| 10 | design elements that are known to be of interest to | ||||||
| 11 | children, including, but not limited to, games, cartoons, | ||||||
| 12 | music, and celebrities who appeal to children; and | ||||||
| 13 | (6) a significant amount of the audience of the online | ||||||
| 14 | service, product, or feature is determined, based on | ||||||
| 15 | internal company research, to be children. | ||||||
| 16 | "Online service, product, or feature" does not mean any of | ||||||
| 17 | the following: | ||||||
| 18 | (1) a broadband Internet access service; | ||||||
| 19 | (2) a telecommunications service; or | ||||||
| 20 | (3) the delivery or use of a physical product. | ||||||
| 21 | "Profiling" means any form of automated processing of | ||||||
| 22 | personal information that uses personal information to | ||||||
| 23 | evaluate certain aspects relating to a natural person, | ||||||
| 24 | including analyzing or predicting aspects concerning a natural | ||||||
| 25 | person's performance at work, economic situation, health, | ||||||
| 26 | personal preferences, interests, reliability, behavior, | ||||||
| |||||||
| |||||||
| 1 | location, or movements.
| ||||||
| 2 | Section 10. Requirements for businesses that provide an | ||||||
| 3 | online service to children. | ||||||
| 4 | (a) A business that provides an online service, product, | ||||||
| 5 | or feature likely to be accessed by children shall take all of | ||||||
| 6 | the following actions: | ||||||
| 7 | (1) Before any new online services, products, or | ||||||
| 8 | features are offered to the public, complete a Data | ||||||
| 9 | Protection Impact Assessment for any online service, | ||||||
| 10 | product, or feature likely to be accessed by children and | ||||||
| 11 | maintain documentation of this assessment as long as the | ||||||
| 12 | online service, product, or feature is likely to be | ||||||
| 13 | accessed by children. A business shall biennially review | ||||||
| 14 | all Data Protection Impact Assessments. The Data | ||||||
| 15 | Protection Impact Assessment required by this paragraph | ||||||
| 16 | shall identify the purpose of the online service, product, | ||||||
| 17 | or feature, how it uses children's personal information, | ||||||
| 18 | and the risks of material detriment to children that arise | ||||||
| 19 | from the data management practices of the business. The | ||||||
| 20 | Data Protection Impact Assessment shall address, to the | ||||||
| 21 | extent applicable, all of the following: | ||||||
| 22 | (A) whether the design of the online product, | ||||||
| 23 | service, or feature could harm children, including by | ||||||
| 24 | exposing children to harmful, or potentially harmful, | ||||||
| 25 | content on the online product, service, or feature; | ||||||
| |||||||
| |||||||
| 1 | (B) whether the design of the online product, | ||||||
| 2 | service, or feature could lead to children | ||||||
| 3 | experiencing or being targeted by harmful, or | ||||||
| 4 | potentially harmful, contacts on the online product, | ||||||
| 5 | service, or feature; | ||||||
| 6 | (C) whether the design of the online product, | ||||||
| 7 | service, or feature could permit children to witness, | ||||||
| 8 | participate in, or be subject to harmful, or | ||||||
| 9 | potentially harmful, conduct on the online product, | ||||||
| 10 | service, or feature; | ||||||
| 11 | (D) whether the design of the online product, | ||||||
| 12 | service, or feature could allow children to be party | ||||||
| 13 | to or exploited by a harmful, or potentially harmful, | ||||||
| 14 | contact on the online product, service, or feature; | ||||||
| 15 | (E) whether algorithms used by the online product, | ||||||
| 16 | service, or feature could harm children; | ||||||
| 17 | (F) whether targeted advertising systems used by | ||||||
| 18 | the online product, service, or feature could harm | ||||||
| 19 | children; | ||||||
| 20 | (G) whether and how the online product, service, | ||||||
| 21 | or feature uses system design features to increase, | ||||||
| 22 | sustain, or extend use of the online product, service, | ||||||
| 23 | or feature by children, including the automatic | ||||||
| 24 | playing of media, rewards for time spent, and | ||||||
| 25 | notifications; and | ||||||
| 26 | (H) whether, how, and for what purpose the online | ||||||
| |||||||
| |||||||
| 1 | product, service, or feature collects or processes | ||||||
| 2 | sensitive personal information of children. | ||||||
| 3 | (2) Document any risk of material detriment to | ||||||
| 4 | children that arises from the data management practices of | ||||||
| 5 | the business identified in the Data Protection Impact | ||||||
| 6 | Assessment required by paragraph (1) and create a timed | ||||||
| 7 | plan to mitigate or eliminate the risk before the online | ||||||
| 8 | service, product, or feature is accessed by children. | ||||||
| 9 | (3) Within 3 business days of a written request by the | ||||||
| 10 | Attorney General, provide to the Attorney General a list | ||||||
| 11 | of all Data Protection Impact Assessments the business has | ||||||
| 12 | completed. | ||||||
| 13 | (4) For any Data Protection Impact Assessment | ||||||
| 14 | completed as required by paragraph (1), make the Data | ||||||
| 15 | Protection Impact Assessment available, within 5 business | ||||||
| 16 | days, to the Attorney General pursuant to a written | ||||||
| 17 | request. To the extent any information contained in a Data | ||||||
| 18 | Protection Impact Assessment disclosed to the Attorney | ||||||
| 19 | General includes information subject to attorney-client | ||||||
| 20 | privilege or work product protection, disclosure required | ||||||
| 21 | by this paragraph shall not constitute a waiver of that | ||||||
| 22 | privilege or protection. | ||||||
| 23 | (5) Estimate the age of child users with a reasonable | ||||||
| 24 | level of certainty appropriate to the risks that arise | ||||||
| 25 | from the data management practices of the business or | ||||||
| 26 | apply the privacy and data protections afforded to | ||||||
| |||||||
| |||||||
| 1 | children to all consumers. | ||||||
| 2 | (6) Configure all default privacy settings provided to | ||||||
| 3 | children by the online service, product, or feature to | ||||||
| 4 | settings that offer a high level of privacy, unless the | ||||||
| 5 | business can demonstrate a compelling reason that a | ||||||
| 6 | different setting is in the best interests of children. | ||||||
| 7 | (7) Provide any privacy information, terms of service, | ||||||
| 8 | policies, and community standards concisely, prominently, | ||||||
| 9 | and using clear language suited to the age of children | ||||||
| 10 | likely to access that online service, product, or feature. | ||||||
| 11 | (8) If the online service, product, or feature allows | ||||||
| 12 | the child's parent, guardian, or any other consumer to | ||||||
| 13 | monitor the child's online activity or track the child's | ||||||
| 14 | location, provide an obvious signal to the child when the | ||||||
| 15 | child is being monitored or tracked. | ||||||
| 16 | (9) Enforce published terms, policies, and community | ||||||
| 17 | standards established by the business, including, but not | ||||||
| 18 | limited to, privacy policies and those concerning | ||||||
| 19 | children. | ||||||
| 20 | (10) Provide prominent, accessible, and responsive | ||||||
| 21 | tools to help children, or if applicable their parents or | ||||||
| 22 | guardians, exercise their privacy rights and report | ||||||
| 23 | concerns. | ||||||
| 24 | (b) A business that provides an online service, product, | ||||||
| 25 | or feature likely to be accessed by children shall not take any | ||||||
| 26 | of the following actions: | ||||||
| |||||||
| |||||||
| 1 | (1) Use the personal information of any child in a way | ||||||
| 2 | that the business knows, or has reason to know, is | ||||||
| 3 | materially detrimental to the physical health, mental | ||||||
| 4 | health, or well-being of a child. | ||||||
| 5 | (2) Profile a child by default unless the following | ||||||
| 6 | criteria are met: | ||||||
| 7 | (A) the business can demonstrate it has | ||||||
| 8 | appropriate safeguards in place to protect children; | ||||||
| 9 | and | ||||||
| 10 | (B) either of the following is true: | ||||||
| 11 | (i) profiling is necessary to provide the | ||||||
| 12 | online service, product, or feature requested and | ||||||
| 13 | only with respect to the aspects of the online | ||||||
| 14 | service, product, or feature with which the child | ||||||
| 15 | is actively and knowingly engaged; or | ||||||
| 16 | (ii) the business can demonstrate a compelling | ||||||
| 17 | reason that profiling is in the best interests of | ||||||
| 18 | children. | ||||||
| 19 | (3) Collect, sell, share, or retain any personal | ||||||
| 20 | information that is not necessary to provide an online | ||||||
| 21 | service, product, or feature with which a child is | ||||||
| 22 | actively and knowingly engaged unless the business can | ||||||
| 23 | demonstrate a compelling reason that the collecting, | ||||||
| 24 | selling, sharing, or retaining of the personal information | ||||||
| 25 | is in the best interests of children likely to access the | ||||||
| 26 | online service, product, or feature. | ||||||
| |||||||
| |||||||
| 1 | (4) If the end user is a child, use personal | ||||||
| 2 | information for any reason other than a reason for which | ||||||
| 3 | that personal information was collected, unless the | ||||||
| 4 | business can demonstrate a compelling reason that use of | ||||||
| 5 | the personal information is in the best interests of | ||||||
| 6 | children. | ||||||
| 7 | (5) Collect, sell, or share any precise geolocation | ||||||
| 8 | information of children by default unless the collection | ||||||
| 9 | of that precise geolocation information is strictly | ||||||
| 10 | necessary for the business to provide the service, | ||||||
| 11 | product, or feature requested and then only for the | ||||||
| 12 | limited time that the collection of precise geolocation | ||||||
| 13 | information is necessary to provide the service, product, | ||||||
| 14 | or feature. | ||||||
| 15 | (6) Collect any precise geolocation information of a | ||||||
| 16 | child without providing an obvious sign to the child for | ||||||
| 17 | the duration of that collection that precise geolocation | ||||||
| 18 | information is being collected. | ||||||
| 19 | (7) Use dark patterns to lead or encourage children to | ||||||
| 20 | provide personal information beyond what is reasonably | ||||||
| 21 | expected to provide that online service, product, or | ||||||
| 22 | feature to bypass privacy protections, or to take any | ||||||
| 23 | action that the business knows, or has reason to know, is | ||||||
| 24 | materially detrimental to the child's physical health, | ||||||
| 25 | mental health, or well-being. | ||||||
| 26 | (8) Use any personal information collected to estimate | ||||||
| |||||||
| |||||||
| 1 | age or age range for any other purpose or retain that | ||||||
| 2 | personal information longer than necessary to estimate | ||||||
| 3 | age. Age assurance shall be proportionate to the risks and | ||||||
| 4 | data practice of an online service, product, or feature. | ||||||
| 5 | (c) A Data Protection Impact Assessment conducted by a | ||||||
| 6 | business for the purpose of compliance with any other law | ||||||
| 7 | complies with this Section if the Data Protection Impact | ||||||
| 8 | Assessment meets the requirements of this Act. A single Data | ||||||
| 9 | Protection Impact Assessment may contain multiple similar | ||||||
| 10 | processing operations that present similar risks only if each | ||||||
| 11 | relevant online service, product, or feature is addressed.
| ||||||
| 12 | Section 15. Children's Data Protection Working Group. | ||||||
| 13 | (a) The Children's Data Protection Working Group is hereby | ||||||
| 14 | created to deliver a report to the General Assembly, as | ||||||
| 15 | described in subsection (e), regarding best practices for the | ||||||
| 16 | implementation of this Act. | ||||||
| 17 | (b) Working group members shall consist of residents of | ||||||
| 18 | this State with expertise in at least 2 of the following areas: | ||||||
| 19 | (1) children's data privacy; | ||||||
| 20 | (2) physical health; | ||||||
| 21 | (3) mental health and well-being; | ||||||
| 22 | (4) computer science; and | ||||||
| 23 | (5) children's rights. | ||||||
| 24 | (c) The working group shall select a chairperson and a | ||||||
| 25 | vice chairperson from among its members and shall consist of | ||||||
| |||||||
| |||||||
| 1 | the following 8 members: | ||||||
| 2 | (1) two members appointed by the Governor; | ||||||
| 3 | (2) two members appointed by the President of the | ||||||
| 4 | Senate; | ||||||
| 5 | (3) two members appointed by the Speaker of the House | ||||||
| 6 | of Representatives; and | ||||||
| 7 | (4) two members appointed by the Attorney General. | ||||||
| 8 | (d) The working group shall take input from a broad range | ||||||
| 9 | of stakeholders, including from academia, consumer advocacy | ||||||
| 10 | groups, and small, medium, and large businesses affected by | ||||||
| 11 | data privacy policies and shall make recommendations to the | ||||||
| 12 | General Assembly on best practices regarding, at minimum, all | ||||||
| 13 | of the following: | ||||||
| 14 | (1) identifying online services, products, or features | ||||||
| 15 | likely to be accessed by children; | ||||||
| 16 | (2) evaluating and prioritizing the best interests of | ||||||
| 17 | children with respect to their privacy, physical health, | ||||||
| 18 | and mental health and well-being and evaluating how those | ||||||
| 19 | interests may be furthered by the design, development, and | ||||||
| 20 | implementation of an online service, product, or feature; | ||||||
| 21 | (3) ensuring that age assurance methods used by | ||||||
| 22 | businesses that provide online services, products, or | ||||||
| 23 | features likely to be accessed by children are | ||||||
| 24 | proportionate to the risks that arise from the data | ||||||
| 25 | management practices of the business, privacy protective, | ||||||
| 26 | and minimally invasive; | ||||||
| |||||||
| |||||||
| 1 | (4) assessing and mitigating risks to children that | ||||||
| 2 | arise from the use of an online service, product, or | ||||||
| 3 | feature; and | ||||||
| 4 | (5) publishing privacy information, policies, and | ||||||
| 5 | standards in concise, clear language suited for the age of | ||||||
| 6 | children likely to access an online service, product, or | ||||||
| 7 | feature. | ||||||
| 8 | (e) On or before January 1, 2024, and every 2 years | ||||||
| 9 | thereafter, the working group shall submit a report to the | ||||||
| 10 | General Assembly regarding the recommendations described in | ||||||
| 11 | subsection (d). | ||||||
| 12 | (f) The members of the working group shall serve without | ||||||
| 13 | compensation but shall be reimbursed for all necessary | ||||||
| 14 | expenses actually incurred in the performance of their duties. | ||||||
| 15 | (g) This Section is repealed January 1, 2030.
| ||||||
| 16 | Section 20. Data Protection Impact Assessment. | ||||||
| 17 | (a) A business shall complete a Data Protection Impact | ||||||
| 18 | Assessment on or before July 1, 2024, for any online service, | ||||||
| 19 | product, or feature likely to be accessed by children offered | ||||||
| 20 | to the public before July 1, 2024. | ||||||
| 21 | (b) This Section does not apply to an online service, | ||||||
| 22 | product, or feature that is not offered to the public on or | ||||||
| 23 | after July 1, 2024.
| ||||||
| 24 | Section 25. Violations; civil penalties | ||||||
| |||||||
| |||||||
| 1 | (a) Any business that violates this Act shall be subject | ||||||
| 2 | to an injunction and liable for a civil penalty of not more | ||||||
| 3 | than $2,500 per affected child for each negligent violation or | ||||||
| 4 | not more than $7,500 per affected child for each intentional | ||||||
| 5 | violation, that shall be assessed and recovered only in a | ||||||
| 6 | civil action brought by the Attorney General. | ||||||
| 7 | (b) If a business is in substantial compliance with the | ||||||
| 8 | requirements of paragraphs (1) through (4) of subsection (a) | ||||||
| 9 | of Section 10, the Attorney General shall provide written | ||||||
| 10 | notice to the business, before initiating an action under this | ||||||
| 11 | Act, identifying the specific provisions of this Act that the | ||||||
| 12 | Attorney General alleges have been or are being violated. | ||||||
| 13 | (c) If, within 90 days after the notice required by | ||||||
| 14 | subsection (b), the business cures any noticed violation and | ||||||
| 15 | provides the Attorney General a written statement that the | ||||||
| 16 | alleged violations have been cured, and sufficient measures | ||||||
| 17 | have been taken to prevent future violations, the business | ||||||
| 18 | shall not be liable for a civil penalty for any violation cured | ||||||
| 19 | under this subsection. | ||||||
| 20 | (d) Any penalties, fees, and expenses recovered in an | ||||||
| 21 | action brought under this Act shall be deposited in the | ||||||
| 22 | General Revenue Fund. | ||||||
| 23 | (e) Nothing in this Act shall be interpreted to serve as | ||||||
| 24 | the basis for a private right of action under this Act or any | ||||||
| 25 | other law. | ||||||
| 26 | (f) The Attorney General may solicit broad public | ||||||
| |||||||
| |||||||
| 1 | participation and adopt regulations to clarify the | ||||||
| 2 | requirements of this Act.
| ||||||
| 3 | Section 99. Effective date. This Act takes effect upon | ||||||
| 4 | becoming law.
| ||||||
