Sen. Sue Rezin

Filed: 3/13/2023

 

 

 

10300SB1126sam001 LRB103 05565 SPS 58495 a
1		AMENDMENT TO SENATE BILL 1126
2		AMENDMENT NO. ______. Amend Senate Bill 1126 by replacing
3		everything after the enacting clause with the following:
4		"Section 1. Short title. This Act may be cited as the
5		Illinois Age-Appropriate Design Code Act.
6		Section 5. Definitions. As used in this Act:
7		"Child" or "children", unless otherwise specified, means a
8		consumer or consumers who are under 18 years of age.
9		"Data protection impact assessment" means a systematic
10		survey to assess and mitigate risks that arise from the data
11		management practices of the business to children who are
12		reasonably likely to access the online service, product, or
13		feature at issue that arises from the provision of that online
14		service, product, or feature.
15		"Default" means a preselected option adopted by the
16		business for the online service, product, or feature.

10300SB1126sam001 - 2 - LRB103 05565 SPS 58495 a
1		"Likely to be accessed by children" means it is reasonable
2		to expect, based on the following indicators, that the online
3		service, product, or feature would be accessed by children:
4		(1) the online service, product, or feature is
5		directed to children as defined by the Children's Online
6		Privacy Protection Act (15 U.S.C. 6501 et seq.);
7		(2) the online service, product, or feature is
8		determined, based on competent and reliable evidence
9		regarding audience composition, to be routinely accessed
10		by a significant number of children;
11		(3) an online service, product, or feature with
12		advertisements marketed to children;
13		(4) an online service, product, or feature that is
14		substantially similar or the same as an online service,
15		product, or feature subject to paragraph (2);
16		(5) an online service, product, or feature that has
17		design elements that are known to be of interest to
18		children, including, but not limited to, games, cartoons,
19		music, and celebrities who appeal to children; and
20		(6) a significant amount of the audience of the online
21		service, product, or feature is determined, based on
22		internal company research, to be children.
23		"Online service, product, or feature" does not mean any of
24		the following:
25		(1) a broadband Internet access service;
26		(2) a telecommunications service; or

10300SB1126sam001 - 3 - LRB103 05565 SPS 58495 a
1		(3) the delivery or use of a physical product.
2		"Profiling" means any form of automated processing of
3		personal information that uses personal information to
4		evaluate certain aspects relating to a natural person,
5		including analyzing or predicting aspects concerning a natural
6		person's performance at work, economic situation, health,
7		personal preferences, interests, reliability, behavior,
8		location, or movements.
9		Section 10. Requirements for businesses that provide an
10		online service to children.
11		(a) A business that provides an online service, product,
12		or feature likely to be accessed by children shall take all of
13		the following actions:
14		(1) Before any new online services, products, or
15		features are offered to the public, complete a data
16		protection impact assessment for any online service,
17		product, or feature likely to be accessed by children and
18		maintain documentation of this assessment as long as the
19		online service, product, or feature is likely to be
20		accessed by children. A business shall biennially review
21		all data protection impact assessments. The data
22		protection impact assessment required by this paragraph
23		shall identify the purpose of the online service, product,
24		or feature, how it uses children's personal information,
25		and the risks of material detriment to children that arise

10300SB1126sam001 - 4 - LRB103 05565 SPS 58495 a
1		from the data management practices of the business. The
2		data protection impact assessment shall address, to the
3		extent applicable, all of the following:
4		(A) whether the design of the online product,
5		service, or feature could harm children, including by
6		exposing children to harmful, or potentially harmful,
7		content on the online product, service, or feature;
8		(B) whether the design of the online product,
9		service, or feature could lead to children
10		experiencing or being targeted by harmful, or
11		potentially harmful, contacts on the online product,
12		service, or feature;
13		(C) whether the design of the online product,
14		service, or feature could permit children to witness,
15		participate in, or be subject to harmful, or
16		potentially harmful, conduct on the online product,
17		service, or feature;
18		(D) whether the design of the online product,
19		service, or feature could allow children to be party
20		to or exploited by a harmful, or potentially harmful,
21		contact on the online product, service, or feature;
22		(E) whether algorithms used by the online product,
23		service, or feature could harm children;
24		(F) whether targeted advertising systems used by
25		the online product, service, or feature could harm
26		children;

10300SB1126sam001 - 5 - LRB103 05565 SPS 58495 a
1		(G) whether and how the online product, service,
2		or feature uses system design features to increase,
3		sustain, or extend use of the online product, service,
4		or feature by children, including the automatic
5		playing of media, rewards for time spent, and
6		notifications; and
7		(H) whether, how, and for what purpose the online
8		product, service, or feature collects or processes
9		sensitive personal information of children.
10		(2) Document any risk of material detriment to
11		children that arises from the data management practices of
12		the business identified in the data protection impact
13		assessment required by paragraph (1) and create a timed
14		plan to mitigate or eliminate the risk before the online
15		service, product, or feature is accessed by children.
16		(3) Within 3 business days of a written request by the
17		Attorney General, provide to the Attorney General a list
18		of all data protection impact assessments the business has
19		completed.
20		(4) For any data protection impact assessment
21		completed as required by paragraph (1), make the data
22		protection impact assessment available, within 5 business
23		days, to the Attorney General pursuant to a written
24		request. To the extent any information contained in a data
25		protection impact assessment disclosed to the Attorney
26		General includes information subject to attorney-client

10300SB1126sam001 - 6 - LRB103 05565 SPS 58495 a
1		privilege or work product protection, disclosure required
2		by this paragraph shall not constitute a waiver of that
3		privilege or protection.
4		(5) Estimate the age of child users with a reasonable
5		level of certainty appropriate to the risks that arise
6		from the data management practices of the business or
7		apply the privacy and data protections afforded to
8		children to all consumers.
9		(6) Configure all default privacy settings provided to
10		children by the online service, product, or feature to
11		settings that offer a high level of privacy, unless the
12		business can demonstrate a compelling reason that a
13		different setting is in the best interests of children.
14		(7) Provide any privacy information, terms of service,
15		policies, and community standards concisely, prominently,
16		and using clear language suited to the age of children
17		likely to access that online service, product, or feature.
18		(8) If the online service, product, or feature allows
19		the child's parent, guardian, or any other consumer to
20		monitor the child's online activity or track the child's
21		location, provide an obvious signal to the child when the
22		child is being monitored or tracked.
23		(9) Enforce published terms, policies, and community
24		standards established by the business, including, but not
25		limited to, privacy policies and those concerning
26		children.

10300SB1126sam001 - 7 - LRB103 05565 SPS 58495 a
1		(10) Provide prominent, accessible, and responsive
2		tools to help children, or if applicable their parents or
3		guardians, exercise their privacy rights and report
4		concerns.
5		(b) A business that provides an online service, product,
6		or feature likely to be accessed by children shall not take any
7		of the following actions:
8		(1) Use the personal information of any child in a way
9		that the business knows, or has reason to know, is
10		materially detrimental to the physical health, mental
11		health, or well-being of a child.
12		(2) Profile a child by default unless the following
13		criteria are met:
14		(A) the business can demonstrate it has
15		appropriate safeguards in place to protect children;
16		and
17		(B) either of the following is true:
18		(i) profiling is necessary to provide the
19		online service, product, or feature requested and
20		only with respect to the aspects of the online
21		service, product, or feature with which the child
22		is actively and knowingly engaged; or
23		(ii) the business can demonstrate a compelling
24		reason that profiling is in the best interests of
25		children.
26		(3) Collect, sell, share, or retain any personal

10300SB1126sam001 - 8 - LRB103 05565 SPS 58495 a
1		information that is not necessary to provide an online
2		service, product, or feature with which a child is
3		actively and knowingly engaged unless the business can
4		demonstrate a compelling reason that the collecting,
5		selling, sharing, or retaining of the personal information
6		is in the best interests of children likely to access the
7		online service, product, or feature.
8		(4) If the end user is a child, use personal
9		information for any reason other than a reason for which
10		that personal information was collected, unless the
11		business can demonstrate a compelling reason that use of
12		the personal information is in the best interests of
13		children.
14		(5) Collect, sell, or share any precise geolocation
15		information of children by default unless the collection
16		of that precise geolocation information is strictly
17		necessary for the business to provide the service,
18		product, or feature requested and then only for the
19		limited time that the collection of precise geolocation
20		information is necessary to provide the service, product,
21		or feature.
22		(6) Collect any precise geolocation information of a
23		child without providing an obvious sign to the child for
24		the duration of that collection that precise geolocation
25		information is being collected.
26		(7) Use dark patterns to lead or encourage children to

10300SB1126sam001 - 9 - LRB103 05565 SPS 58495 a
1		provide personal information beyond what is reasonably
2		expected to provide that online service, product, or
3		feature to bypass privacy protections, or to take any
4		action that the business knows, or has reason to know, is
5		materially detrimental to the child's physical health,
6		mental health, or well-being.
7		(8) Use any personal information collected to estimate
8		age or age range for any other purpose or retain that
9		personal information longer than necessary to estimate
10		age. Age assurance shall be proportionate to the risks and
11		data practice of an online service, product, or feature.
12		(c) A data protection impact assessment conducted by a
13		business for the purpose of compliance with any other law
14		complies with this Section if the data protection impact
15		assessment meets the requirements of this Act. A single data
16		protection impact assessment may contain multiple similar
17		processing operations that present similar risks only if each
18		relevant online service, product, or feature is addressed.
19		Section 15. Children's Data Protection Working Group.
20		(a) The Children's Data Protection Working Group is hereby
21		created to deliver a report to the General Assembly, as
22		described in subsection (e), regarding best practices for the
23		implementation of this Act.
24		(b) Working Group members shall consist of residents of
25		this State with expertise in at least 2 of the following areas:

10300SB1126sam001 - 10 - LRB103 05565 SPS 58495 a
1		(1) children's data privacy;
2		(2) physical health;
3		(3) mental health and well-being;
4		(4) computer science; and
5		(5) children's rights.
6		(c) The Working Group shall select a chairperson and a
7		vice chairperson from among its members and shall consist of
8		the following 8 members:
9		(1) two members appointed by the Governor;
10		(2) two members appointed by the President of the
11		Senate;
12		(3) two members appointed by the Speaker of the House
13		of Representatives; and
14		(4) two members appointed by the Attorney General.
15		(d) The Working Group shall take input from a broad range
16		of stakeholders, including from academia, consumer advocacy
17		groups, and small, medium, and large businesses affected by
18		data privacy policies and shall make recommendations to the
19		General Assembly on best practices regarding, at minimum, all
20		of the following:
21		(1) identifying online services, products, or features
22		likely to be accessed by children;
23		(2) evaluating and prioritizing the best interests of
24		children with respect to their privacy, physical health,
25		and mental health and well-being and evaluating how those
26		interests may be furthered by the design, development, and

10300SB1126sam001 - 11 - LRB103 05565 SPS 58495 a
1		implementation of an online service, product, or feature;
2		(3) ensuring that age assurance methods used by
3		businesses that provide online services, products, or
4		features likely to be accessed by children are
5		proportionate to the risks that arise from the data
6		management practices of the business, privacy protective,
7		and minimally invasive;
8		(4) assessing and mitigating risks to children that
9		arise from the use of an online service, product, or
10		feature; and
11		(5) publishing privacy information, policies, and
12		standards in concise, clear language suited for the age of
13		children likely to access an online service, product, or
14		feature.
15		(e) On or before January 1, 2024, and every 2 years
16		thereafter, the Working Group shall submit a report to the
17		General Assembly regarding the recommendations described in
18		subsection (d).
19		(f) The members of the Working Group shall serve without
20		compensation but shall be reimbursed for all necessary
21		expenses actually incurred in the performance of their duties.
22		(g) The Working Group is dissolved, and this Section is
23		repealed, on January 1, 2030.
24		Section 20. Data protection impact assessment.
25		(a) A business shall complete a data protection impact

10300SB1126sam001 - 12 - LRB103 05565 SPS 58495 a
1		assessment on or before July 1, 2024, for any online service,
2		product, or feature likely to be accessed by children offered
3		to the public before July 1, 2024.
4		(b) This Section does not apply to an online service,
5		product, or feature that is not offered to the public on or
6		after July 1, 2024.
7		Section 25. Violations; civil penalties
8		(a) Any business that violates this Act shall be subject
9		to an injunction and liable for a civil penalty of not more
10		than $2,500 per affected child for each negligent violation or
11		not more than $7,500 per affected child for each intentional
12		violation, that shall be assessed and recovered only in a
13		civil action brought by the Attorney General.
14		(b) If a business is in substantial compliance with the
15		requirements of paragraphs (1) through (4) of subsection (a)
16		of Section 10, the Attorney General shall provide written
17		notice to the business, before initiating an action under this
18		Act, identifying the specific provisions of this Act that the
19		Attorney General alleges have been or are being violated.
20		(c) If, within 90 days after the notice required by
21		subsection (b), the business cures any noticed violation and
22		provides the Attorney General a written statement that the
23		alleged violations have been cured, and sufficient measures
24		have been taken to prevent future violations, the business
25		shall not be liable for a civil penalty for any violation cured

10300SB1126sam001 - 13 - LRB103 05565 SPS 58495 a
1		under this subsection.
2		(d) Any penalties, fees, and expenses recovered in an
3		action brought under this Act shall be deposited into the
4		General Revenue Fund.
5		(e) Nothing in this Act shall be interpreted to serve as
6		the basis for a private right of action under this Act or any
7		other law.
8		(f) The Attorney General may solicit broad public
9		participation and adopt regulations to clarify the
10		requirements of this Act.".