Full Text of SB1126 103rd General Assembly
SB1126sam001 103RD GENERAL ASSEMBLY | Sen. Sue Rezin Filed: 3/13/2023
10300SB1126sam001 LRB103 05565 SPS 58495 a
AMENDMENT TO SENATE BILL 1126
AMENDMENT NO. ______. Amend Senate Bill 1126 by replacing everything after the enacting clause with the following:
"Section 1. Short title. This Act may be cited as the Illinois Age-Appropriate Design Code Act.
Section 5. Definitions. As used in this Act:
"Child" or "children", unless otherwise specified, means a consumer or consumers who are under 18 years of age.
"Data protection impact assessment" means a systematic survey to assess and mitigate risks that arise from the data management practices of the business to children who are reasonably likely to access the online service, product, or feature at issue that arises from the provision of that online service, product, or feature.
"Default" means a preselected option adopted by the business for the online service, product, or feature.
"Likely to be accessed by children" means it is reasonable to expect, based on the following indicators, that the online service, product, or feature would be accessed by children:
(1) the online service, product, or feature is directed to children as defined by the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.);
(2) the online service, product, or feature is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children;
(3) an online service, product, or feature with advertisements marketed to children;
(4) an online service, product, or feature that is substantially similar or the same as an online service, product, or feature subject to paragraph (2);
(5) an online service, product, or feature that has design elements that are known to be of interest to children, including, but not limited to, games, cartoons, music, and celebrities who appeal to children; and
(6) a significant amount of the audience of the online service, product, or feature is determined, based on internal company research, to be children.
"Online service, product, or feature" does not mean any of the following:
(1) a broadband Internet access service;
(2) a telecommunications service; or
(3) the delivery or use of a physical product.
"Profiling" means any form of automated processing of personal information that uses personal information to evaluate certain aspects relating to a natural person, including analyzing or predicting aspects concerning a natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Section 10. Requirements for businesses that provide an online service to children.
(a) A business that provides an online service, product, or feature likely to be accessed by children shall take all of the following actions:
(1) Before any new online services, products, or features are offered to the public, complete a data protection impact assessment for any online service, product, or feature likely to be accessed by children and maintain documentation of this assessment as long as the online service, product, or feature is likely to be accessed by children. A business shall biennially review all data protection impact assessments. The data protection impact assessment required by this paragraph shall identify the purpose of the online service, product, or feature, how it uses children's personal information, and the risks of material detriment to children that arise from the data management practices of the business. The data protection impact assessment shall address, to the extent applicable, all of the following:
(A) whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature;
(B) whether the design of the online product, service, or feature could lead to children experiencing or being targeted by harmful, or potentially harmful, contacts on the online product, service, or feature;
(C) whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature;
(D) whether the design of the online product, service, or feature could allow children to be party to or exploited by a harmful, or potentially harmful, contact on the online product, service, or feature;
(E) whether algorithms used by the online product, service, or feature could harm children;
(F) whether targeted advertising systems used by the online product, service, or feature could harm children;
(G) whether and how the online product, service, or feature uses system design features to increase, sustain, or extend use of the online product, service, or feature by children, including the automatic playing of media, rewards for time spent, and notifications; and
(H) whether, how, and for what purpose the online product, service, or feature collects or processes sensitive personal information of children.
(2) Document any risk of material detriment to children that arises from the data management practices of the business identified in the data protection impact assessment required by paragraph (1) and create a timed plan to mitigate or eliminate the risk before the online service, product, or feature is accessed by children.
(3) Within 3 business days of a written request by the Attorney General, provide to the Attorney General a list of all data protection impact assessments the business has completed.
(4) For any data protection impact assessment completed as required by paragraph (1), make the data protection impact assessment available, within 5 business days, to the Attorney General pursuant to a written request. To the extent any information contained in a data protection impact assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, disclosure required by this paragraph shall not constitute a waiver of that privilege or protection.
(5) Estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers.
(6) Configure all default privacy settings provided to children by the online service, product, or feature to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children.
(7) Provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.
(8) If the online service, product, or feature allows the child's parent, guardian, or any other consumer to monitor the child's online activity or track the child's location, provide an obvious signal to the child when the child is being monitored or tracked.
(9) Enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children.
(10) Provide prominent, accessible, and responsive tools to help children, or if applicable their parents or guardians, exercise their privacy rights and report concerns.
(b) A business that provides an online service, product, or feature likely to be accessed by children shall not take any of the following actions:
(1) Use the personal information of any child in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.
(2) Profile a child by default unless the following criteria are met:
(A) the business can demonstrate it has appropriate safeguards in place to protect children; and
(B) either of the following is true:
(i) profiling is necessary to provide the online service, product, or feature requested and only with respect to the aspects of the online service, product, or feature with which the child is actively and knowingly engaged; or
(ii) the business can demonstrate a compelling reason that profiling is in the best interests of children.
(3) Collect, sell, share, or retain any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged unless the business can demonstrate a compelling reason that the collecting, selling, sharing, or retaining of the personal information is in the best interests of children likely to access the online service, product, or feature.
(4) If the end user is a child, use personal information for any reason other than a reason for which that personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children.
(5) Collect, sell, or share any precise geolocation information of children by default unless the collection of that precise geolocation information is strictly necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature.
(6) Collect any precise geolocation information of a child without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.
(7) Use dark patterns to lead or encourage children to provide personal information beyond what is reasonably expected to provide that online service, product, or feature to bypass privacy protections, or to take any action that the business knows, or has reason to know, is materially detrimental to the child's physical health, mental health, or well-being.
(8) Use any personal information collected to estimate age or age range for any other purpose or retain that personal information longer than necessary to estimate age. Age assurance shall be proportionate to the risks and data practice of an online service, product, or feature.
(c) A data protection impact assessment conducted by a business for the purpose of compliance with any other law complies with this Section if the data protection impact assessment meets the requirements of this Act. A single data protection impact assessment may contain multiple similar processing operations that present similar risks only if each relevant online service, product, or feature is addressed.
Section 15. Children's Data Protection Working Group.
(a) The Children's Data Protection Working Group is hereby created to deliver a report to the General Assembly, as described in subsection (e), regarding best practices for the implementation of this Act.
(b) Working Group members shall consist of residents of this State with expertise in at least 2 of the following areas:
(1) children's data privacy;
(2) physical health;
(3) mental health and well-being;
(4) computer science; and
(5) children's rights.
(c) The Working Group shall select a chairperson and a vice chairperson from among its members and shall consist of the following 8 members:
(1) two members appointed by the Governor;
(2) two members appointed by the President of the Senate;
(3) two members appointed by the Speaker of the House of Representatives; and
(4) two members appointed by the Attorney General.
(d) The Working Group shall take input from a broad range of stakeholders, including from academia, consumer advocacy groups, and small, medium, and large businesses affected by data privacy policies and shall make recommendations to the General Assembly on best practices regarding, at minimum, all of the following:
(1) identifying online services, products, or features likely to be accessed by children;
(2) evaluating and prioritizing the best interests of children with respect to their privacy, physical health, and mental health and well-being and evaluating how those interests may be furthered by the design, development, and implementation of an online service, product, or feature;
(3) ensuring that age assurance methods used by businesses that provide online services, products, or features likely to be accessed by children are proportionate to the risks that arise from the data management practices of the business, privacy protective, and minimally invasive;
(4) assessing and mitigating risks to children that arise from the use of an online service, product, or feature; and
(5) publishing privacy information, policies, and standards in concise, clear language suited for the age of children likely to access an online service, product, or feature.
(e) On or before January 1, 2024, and every 2 years thereafter, the Working Group shall submit a report to the General Assembly regarding the recommendations described in subsection (d).
(f) The members of the Working Group shall serve without compensation but shall be reimbursed for all necessary expenses actually incurred in the performance of their duties.
(g) The Working Group is dissolved, and this Section is repealed, on January 1, 2030.
Section 20. Data protection impact assessment.
(a) A business shall complete a data protection impact assessment on or before July 1, 2024, for any online service, product, or feature likely to be accessed by children offered to the public before July 1, 2024.
(b) This Section does not apply to an online service, product, or feature that is not offered to the public on or after July 1, 2024.
Section 25. Violations; civil penalties
(a) Any business that violates this Act shall be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation or not more than $7,500 per affected child for each intentional violation, that shall be assessed and recovered only in a civil action brought by the Attorney General.
(b) If a business is in substantial compliance with the requirements of paragraphs (1) through (4) of subsection (a) of Section 10, the Attorney General shall provide written notice to the business, before initiating an action under this Act, identifying the specific provisions of this Act that the Attorney General alleges have been or are being violated.
(c) If, within 90 days after the notice required by subsection (b), the business cures any noticed violation and provides the Attorney General a written statement that the alleged violations have been cured, and sufficient measures have been taken to prevent future violations, the business shall not be liable for a civil penalty for any violation cured under this subsection.
(d) Any penalties, fees, and expenses recovered in an action brought under this Act shall be deposited into the General Revenue Fund.
(e) Nothing in this Act shall be interpreted to serve as the basis for a private right of action under this Act or any other law.
(f) The Attorney General may solicit broad public participation and adopt regulations to clarify the requirements of this Act.".