103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB3880
 
Introduced 2/17/2023, by Rep. Anna Moeller
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Creates the Children's Privacy Protection and Parental Empowerment Act. Provides that a business that provides an online service, product, or feature likely to be accessed by children shall take specified actions, including completing a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children. Provides that a business shall complete a Data Protection Impact Assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2024. Provides that any business that violates the Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation. Creates the Children's Data Protection Working Group to deliver a report to the General Assembly regarding best practices for the implementation of the Act. Effective immediately.
  


LRB103 29834 SPS 56242 b

 
 
A BILL FOR
 

  
HB3880LRB103 29834 SPS 56242 b


  
1    AN ACT concerning business.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the 
5Children's Privacy Protection and Parental Empowerment Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Child" or "children", unless otherwise specified, means a 
8consumer or consumers who are under 18 years of age.
9    "Data Protection Impact Assessment" means a systematic 
10survey to assess and mitigate risks that arise from the data 
11management practices of the business to children who are 
12reasonably likely to access the online service, product, or 
13feature at issue that arises from the provision of that online 
14service, product, or feature.
15    "Default" means a preselected option adopted by the 
16business for the online service, product, or feature.

17    "Likely to be accessed by children" means it is reasonable 
18to expect, based on the following indicators, that the online 
19service, product, or feature would be accessed by children:
20        (1) the online service, product, or feature is 
21    directed to children as defined by the Children's Online 
22    Privacy Protection Act (15 U.S.C. 6501 et seq.);
23        (2) the online service, product, or feature is 
 
 
HB3880- 2 -LRB103 29834 SPS 56242 b

1    determined, based on competent and reliable evidence 
2    regarding audience composition, to be routinely accessed 
3    by a significant number of children;
4        (3) an online service, product, or feature with 
5    advertisements marketed to children;
6        (4) an online service, product, or feature that is 
7    substantially similar or the same as an online service, 
8    product, or feature subject to subparagraph (2);
9        (5) an online service, product, or feature that has 
10    design elements that are known to be of interest to 
11    children, including, but not limited to, games, cartoons, 
12    music, and celebrities who appeal to children; and
13        (6) a significant amount of the audience of the online 
14    service, product, or feature is determined, based on 
15    internal company research, to be children.
16    "Online service, product, or feature" does not mean any of 
17the following:
18        (1) a broadband Internet access service;
19        (2) a telecommunications service; or
20        (3) the delivery or use of a physical product.
21    "Profiling" means any form of automated processing of 
22personal information that uses personal information to 
23evaluate certain aspects relating to a natural person, 
24including analyzing or predicting aspects concerning a natural 
25person's performance at work, economic situation, health, 
26personal preferences, interests, reliability, behavior, 
 
 
HB3880- 3 -LRB103 29834 SPS 56242 b

1location, or movements.
 
2    Section 10. Requirements for businesses that provide an 
3online service to children. 
4    (a) A business that provides an online service, product, 
5or feature likely to be accessed by children shall take all of 
6the following actions:
7        (1)  Before any new online services, products, or 
8    features are offered to the public, complete a Data 
9    Protection Impact Assessment for any online service, 
10    product, or feature likely to be accessed by children and 
11    maintain documentation of this assessment as long as the 
12    online service, product, or feature is likely to be 
13    accessed by children. A business shall biennially review 
14    all Data Protection Impact Assessments. The Data 
15    Protection Impact Assessment required by this paragraph 
16    shall identify the purpose of the online service, product, 
17    or feature, how it uses children's personal information, 
18    and the risks of material detriment to children that arise 
19    from the data management practices of the business. The 
20    Data Protection Impact Assessment shall address, to the 
21    extent applicable, all of the following:
22            (A) whether the design of the online product, 
23        service, or feature could harm children, including by 
24        exposing children to harmful, or potentially harmful, 
25        content on the online product, service, or feature;
 
 
HB3880- 4 -LRB103 29834 SPS 56242 b

1            (B) whether the design of the online product, 
2        service, or feature could lead to children 
3        experiencing or being targeted by harmful, or 
4        potentially harmful, contacts on the online product, 
5        service, or feature;
6            (C) whether the design of the online product, 
7        service, or feature could permit children to witness, 
8        participate in, or be subject to harmful, or 
9        potentially harmful, conduct on the online product, 
10        service, or feature;
11            (D) whether the design of the online product, 
12        service, or feature could allow children to be party 
13        to or exploited by a harmful, or potentially harmful, 
14        contact on the online product, service, or feature;
15            (E) whether algorithms used by the online product, 
16        service, or feature could harm children;
17            (F) whether targeted advertising systems used by 
18        the online product, service, or feature could harm 
19        children;
20            (G) whether and how the online product, service, 
21        or feature uses system design features to increase, 
22        sustain, or extend use of the online product, service, 
23        or feature by children, including the automatic 
24        playing of media, rewards for time spent, and 
25        notifications; and
26            (H) whether, how, and for what purpose the online 
 
 
HB3880- 5 -LRB103 29834 SPS 56242 b

1        product, service, or feature collects or processes 
2        sensitive personal information of children.
3        (2) Document any risk of material detriment to 
4    children that arises from the data management practices of 
5    the business identified in the Data Protection Impact 
6    Assessment required by paragraph (1) and create a timed 
7    plan to mitigate or eliminate the risk before the online 
8    service, product, or feature is accessed by children.
9        (3) Within 3 business days of a written request by the 
10    Attorney General, provide to the Attorney General a list 
11    of all Data Protection Impact Assessments the business has 
12    completed.
13        (4) For any Data Protection Impact Assessment 
14    completed as required by paragraph (1), make the Data 
15    Protection Impact Assessment available, within 5 business 
16    days, to the Attorney General pursuant to a written 
17    request. To the extent any information contained in a Data 
18    Protection Impact Assessment disclosed to the Attorney 
19    General includes information subject to attorney-client 
20    privilege or work product protection, disclosure required 
21    by this paragraph shall not constitute a waiver of that 
22    privilege or protection.
23        (5) Estimate the age of child users with a reasonable 
24    level of certainty appropriate to the risks that arise 
25    from the data management practices of the business or 
26    apply the privacy and data protections afforded to 
 
 
HB3880- 6 -LRB103 29834 SPS 56242 b

1    children to all consumers.
2        (6) Configure all default privacy settings provided to 
3    children by the online service, product, or feature to 
4    settings that offer a high level of privacy, unless the 
5    business can demonstrate a compelling reason that a 
6    different setting is in the best interests of children.
7        (7) Provide any privacy information, terms of service, 
8    policies, and community standards concisely, prominently, 
9    and using clear language suited to the age of children 
10    likely to access that online service, product, or feature.
11        (8) If the online service, product, or feature allows 
12    the child's parent, guardian, or any other consumer to 
13    monitor the child's online activity or track the child's 
14    location, provide an obvious signal to the child when the 
15    child is being monitored or tracked.
16        (9) Enforce published terms, policies, and community 
17    standards established by the business, including, but not 
18    limited to, privacy policies and those concerning 
19    children.
20        (10) Provide prominent, accessible, and responsive 
21    tools to help children, or if applicable their parents or 
22    guardians, exercise their privacy rights and report 
23    concerns.
24    (b) A business that provides an online service, product, 
25or feature likely to be accessed by children shall not take any 
26of the following actions:
 
 
HB3880- 7 -LRB103 29834 SPS 56242 b

1        (1) Use the personal information of any child in a way 
2    that the business knows, or has reason to know, is 
3    materially detrimental to the physical health, mental 
4    health, or well-being of a child.
5        (2) Profile a child by default unless the following 
6    criteria are met:
7            (A) the business can demonstrate it has 
8        appropriate safeguards in place to protect children; 
9        and
10            (B) either of the following is true:
11                (i) profiling is necessary to provide the 
12            online service, product, or feature requested and 
13            only with respect to the aspects of the online 
14            service, product, or feature with which the child 
15            is actively and knowingly engaged; or
16                (ii) the business can demonstrate a compelling 
17            reason that profiling is in the best interests of 
18            children.
19        (3) Collect, sell, share, or retain any personal 
20    information that is not necessary to provide an online 
21    service, product, or feature with which a child is 
22    actively and knowingly engaged unless the business can 
23    demonstrate a compelling reason that the collecting, 
24    selling, sharing, or retaining of the personal information 
25    is in the best interests of children likely to access the 
26    online service, product, or feature.
 
 
HB3880- 8 -LRB103 29834 SPS 56242 b

1        (4) If the end user is a child, use personal 
2    information for any reason other than a reason for which 
3    that personal information was collected, unless the 
4    business can demonstrate a compelling reason that use of 
5    the personal information is in the best interests of 
6    children.
7        (5) Collect, sell, or share any precise geolocation 
8    information of children by default unless the collection 
9    of that precise geolocation information is strictly 
10    necessary for the business to provide the service, 
11    product, or feature requested and then only for the 
12    limited time that the collection of precise geolocation 
13    information is necessary to provide the service, product, 
14    or feature.
15        (6) Collect any precise geolocation information of a 
16    child without providing an obvious sign to the child for 
17    the duration of that collection that precise geolocation 
18    information is being collected.
19        (7) Use dark patterns to lead or encourage children to 
20    provide personal information beyond what is reasonably 
21    expected to provide that online service, product, or 
22    feature to bypass privacy protections, or to take any 
23    action that the business knows, or has reason to know, is 
24    materially detrimental to the child's physical health, 
25    mental health, or well-being.
26        (8) Use any personal information collected to estimate 
 
 
HB3880- 9 -LRB103 29834 SPS 56242 b

1    age or age range for any other purpose or retain that 
2    personal information longer than necessary to estimate 
3    age. Age assurance shall be proportionate to the risks and 
4    data practice of an online service, product, or feature.
5    (c) A Data Protection Impact Assessment conducted by a 
6business for the purpose of compliance with any other law 
7complies with this Section if the Data Protection Impact 
8Assessment meets the requirements of this Act. A single Data 
9Protection Impact Assessment may contain multiple similar 
10processing operations that present similar risks only if each 
11relevant online service, product, or feature is addressed.
 
12    Section 15. Children's Data Protection Working Group.
13    (a) The Children's Data Protection Working Group is hereby 
14created to deliver a report to the General Assembly, as 
15described in subsection (e), regarding best practices for the 
16implementation of this Act.
17    (b) Working group members shall consist of residents of 
18this State with expertise in at least 2 of the following areas:
19        (1) children's data privacy;
20        (2) physical health;
21        (3) mental health and well-being;
22        (4) computer science; and
23        (5) children's rights.
24    (c) The working group shall select a chairperson and a 
25vice chairperson from among its members and shall consist of 
 
 
HB3880- 10 -LRB103 29834 SPS 56242 b

1the following 8 members:
2        (1) two members appointed  by the Governor;
3        (2) two members appointed by the President of the 
4    Senate;
5        (3) two members appointed by the Speaker of the House 
6    of Representatives; and
7        (4) two members appointed by the Attorney General.
8    (d) The working group shall take input from a broad range 
9of stakeholders, including from academia, consumer advocacy 
10groups, and small, medium, and large businesses affected by 
11data privacy policies and shall make recommendations to the 
12General Assembly on best practices regarding, at minimum, all 
13of the following:
14        (1) identifying online services, products, or features 
15    likely to be accessed by children;
16        (2) evaluating and prioritizing the best interests of 
17    children with respect to their privacy, physical health, 
18    and mental health and well-being and evaluating how those 
19    interests may be furthered by the design, development, and 
20    implementation of an online service, product, or feature;
21        (3) ensuring that age assurance methods used by 
22    businesses that provide online services, products, or 
23    features likely to be accessed by children are 
24    proportionate to the risks that arise from the data 
25    management practices of the business, privacy protective, 
26    and minimally invasive;
 
 
HB3880- 11 -LRB103 29834 SPS 56242 b

1        (4) assessing and mitigating risks to children that 
2    arise from the use of an online service, product, or 
3    feature; and
4        (5) publishing privacy information, policies, and 
5    standards in concise, clear language suited for the age of 
6    children likely to access an online service, product, or 
7    feature.
8    (e) On or before January 1, 2024, and every 2 years 
9thereafter, the working group shall submit a report to the 
10General Assembly regarding the recommendations described in 
11subsection (d).
12    (f) The members of the working group shall serve without 
13compensation but shall be reimbursed for all necessary 
14expenses actually incurred in the performance of their duties.
15    (g) This Section is repealed January 1, 2030.
 
16    Section 20. Data Protection Impact Assessment.
17    (a) A business shall complete a Data Protection Impact 
18Assessment on or before July 1, 2024, for any online service, 
19product, or feature likely to be accessed by children offered 
20to the public before July 1, 2024.
21    (b) This Section does not apply to an online service, 
22product, or feature that is not offered to the public on or 
23after July 1, 2024.

 
24    Section 25. Violations; civil penalties
 
 
HB3880- 12 -LRB103 29834 SPS 56242 b

1    (a) Any business that violates this Act shall be subject 
2to an injunction and liable for a civil penalty of not more 
3than $2,500 per affected child for each negligent violation or 
4not more than $7,500 per affected child for each intentional 
5violation, that shall be assessed and recovered only in a 
6civil action brought by the Attorney General.
7    (b) If a business is in substantial compliance with the 
8requirements of paragraphs (1) through (4) of subsection (a) 
9of Section 10, the Attorney General shall provide written 
10notice to the business, before initiating an action under this 
11Act, identifying the specific provisions of this Act that the 
12Attorney General alleges have been or are being violated.
13    (c) If, within 90 days after the notice required by 
14subsection (b), the business cures any noticed violation and 
15provides the Attorney General a written statement that the 
16alleged violations have been cured, and sufficient measures 
17have been taken to prevent future violations, the business 
18shall not be liable for a civil penalty for any violation cured 
19under this subsection.
20    (d) Any penalties, fees, and expenses recovered in an 
21action brought under this Act shall be deposited in the 
22General Revenue Fund.
23    (e) Nothing in this Act shall be interpreted to serve as 
24the basis for a private right of action under this Act or any 
25other law.
26    (f) The Attorney General may solicit broad public 
 
 
HB3880- 13 -LRB103 29834 SPS 56242 b

1participation and adopt regulations to clarify the 
2requirements of this Act.

  
 
 
3    Section 99. Effective date. This Act takes effect upon 
4becoming law.