Codify — Article

Illinois Data Privacy Protection Act: new consumer rights, controller duties, and a data-broker deletion portal

A comprehensive state privacy law that sets thresholds for covered businesses, creates broad consumer rights and controller obligations, mandates a public data-broker registry and centralized deletion mechanism, and empowers the Attorney General to enforce compliance.

The Brief

This bill establishes the Illinois Data Privacy Protection Act, a statewide privacy framework that gives Illinois residents a set of enforceable rights over personal data and imposes substantive obligations on entities that meet statutory coverage thresholds. It requires controllers and processors to adopt transparency, data-minimization, and security practices; to perform documented privacy and risk assessments for higher‑risk processing; and to honor requests to access, correct, delete, and port personal data, including opt-outs for targeted advertising and sales.

In parallel the bill requires data brokers to register annually with the Attorney General, funds a public-facing registry and a centralized deletion mechanism that lets consumers request deletions across registered brokers, and authorizes the Attorney General to seek injunctions and civil penalties for violations. The statute also contains exclusions for certain federally regulated data regimes, duties for controller‑processor contracts, limits on home rule data privacy regulation, and a severability clause.

At a Glance

What It Does

Covers entities doing business in Illinois or targeting Illinois residents that meet numerical thresholds, grants consumers specific rights (access, correction, deletion, portability, opt‑out of targeted advertising/sales and profiling that produces significant effects), requires documented data privacy and protection assessments for high‑risk activities, and mandates controller and processor contractual and security obligations. It creates a data‑broker registration, a public website with registration data, and a statewide deletion mechanism operated by the Attorney General.

Who It Affects

Large digital platforms, online advertisers, ad tech intermediaries, controllers that process 100,000+ Illinois consumers' personal data annually (or smaller entities that derive >25% revenue from selling personal data and process 25,000+ consumers), data brokers that collect and sell data about people with whom they lack a direct relationship, and the processors and service providers they engage.

Why It Matters

The bill blends EU/US-style privacy guardrails with a state‑run data‑broker remediation tool — creating both compliance burdens (assessments, contracts, audits, deletion workflows) and new consumer-facing mechanics (universal opt‑out signals, a single-batch broker deletion path). It centralizes enforcement with the Attorney General and removes local home rule fragmentation on consumer data privacy.


What This Bill Actually Does

The Act divides responsibilities by role: controllers set the purposes and means of processing and therefore bear primary obligations; processors must follow controller instructions and help controllers respond to consumer requests and security incidents. Contracts between controllers and processors must be written, binding, and include instructions, confidentiality duties, subcontractor rules, and provisions allowing controllers to require the return or deletion of data at the end of services.

A processor that effectively takes on decision‑making for a particular processing is treated as a controller for that processing.

Consumers gain a suite of rights: confirmation and categorical access, correction, deletion, portability (machine‑readable, if technically feasible), and a right to opt out of targeted advertising, sales, and profiling that produces legal or similarly significant effects. The bill requires controllers to provide secure, accessible mechanisms to submit requests, to respond within 45 days (with one 45‑day extension for complexity), and to offer an internal appeal process with recordkeeping.

Controllers must avoid discriminatory treatment for exercising rights and cannot contract away consumer protections.

Operationally, controllers must publish clear, language‑appropriate privacy notices, limit collection to what is necessary for stated purposes, maintain reasonable security practices scaled to risk, and obtain consent before processing sensitive categories (including biometric, genetic, known‑child data, and precise geolocation). For activities identified as higher risk — targeted advertising, sales, processing of sensitive data, extensive profiling, and other reasonably foreseeable high‑harm uses — controllers must perform and document data privacy and protection assessments that weigh benefits against risks and describe mitigating safeguards.

The bill also treats deidentified and pseudonymous data differently: controllers need not reidentify data solely to comply with consumer requests, and pseudonymous/deidentified datasets are exempt from some access and correction duties so long as adequate technical and contractual controls prevent reidentification.

For enforcement and remediation, the Attorney General must issue a pre‑suit warning letter with a 30‑day cure window (a temporary requirement that sunsets), can seek injunctions and civil penalties (up to statutory caps per violation), and may compel production of the controllers' assessments during investigations.

The Five Things You Need to Know

1. Coverage thresholds: the Act applies to entities that either process personal data of 100,000 or more Illinois consumers in a calendar year (excluding payment‑only transaction data) or that derive >25% of gross revenue from selling personal data and process at least 25,000 consumers.

2. Response timing and appeals: controllers must respond to consumer requests within 45 days, may extend once by 45 days for complexity, must provide an internal appeal process, and must keep appeal records for 24 months.

3. Data‑broker obligations and deletion portal: data brokers must register annually with the Attorney General; the Attorney General must build a public registry and a centralized deletion mechanism (operational requirements set, with the deletion portal due Jan 1, 2027 and broker processing obligations kicking in August 1, 2027).

4. Assessment requirements: controllers must conduct documented privacy and protection assessments for targeted advertising, sales, processing of sensitive data, profiling posing foreseeable harms, and other high‑risk operations, and must make those assessments available to the Attorney General on civil investigative demand.

5. Enforcement and remedies: the Attorney General must send a 30‑day warning letter (a requirement currently expiring Jan 1, 2028) before bringing suit, may obtain injunctions, and may seek civil penalties up to $7,500 per violation; the Act creates no private right of action.

Section-by-Section Breakdown

Every bill we cover gets an analysis of its key sections.

Section 11

Definitions that shape coverage and obligations

The bill defines core terms — consumer, controller, processor, personal data, sensitive data, sale, targeted advertising, dark patterns, deidentified/pseudonymous data — in ways that drive downstream duties. Practically, those definitions restrict certain controller tactics (dark patterns are invalid for consent), narrow 'sale' to exclude many service relationships and affiliates, and make specific categories (biometrics, genetic info, known children, precise geolocation) automatically 'sensitive', which triggers higher consent and assessment requirements.

Section 12

Scope: coverage thresholds and exclusions

Coverage turns on two numerical tests (100,000 consumers processed annually, or a revenue‑from‑sales threshold with 25,000 consumers) and applies to entities doing business in Illinois or targeting Illinois residents. The section also lists detailed exclusions for federal regimes (HIPAA, GLBA, FCRA, Driver's Privacy, FERPA), certain financial and employment contexts, and small businesses (with a carve‑in for Section 17 obligations). For compliance planning, those exclusions require mapping data flows to determine which datasets and business lines remain governed by Illinois rules.

Section 13

Role allocation and contract requirements for controllers and processors

Controllers must set purposes and means; processors must obey instructions and assist with security and consumer requests. Contracts must specify nature/purpose/type/duration of processing, confidentiality duties, subcontractor rules, and contain provisions for returning or deleting data. Processors must support controller audits or arrange independent annual assessments at their own expense; contracts cannot absolve either party of statutory liability.

Section 14

Consumer rights, universal opt‑out signals, and request mechanics

Consumers get a broad suite of rights: confirmation/access, correction, deletion, portability, opt‑out of targeted advertising/sale, and a limited right to question profiling used for significant decisions. The bill requires secure, accessible submission channels, allows authorized agents, requires controllers to honor universal opt‑out preference signals, and sets authentication and free‑provision limits (two free responses per year). Procedurally, controllers must disclose categories of third parties and provide an appeals path, with recordkeeping obligations and narrowly drawn non‑disclosure exceptions (trade secrets, certain identifiers).

Sections 16 and 18

Transparency, data minimization, security, and required assessments

Controllers must post clear, accessible privacy notices, limit collection to what is adequate and necessary for stated purposes, and implement security practices proportionate to risk. They must maintain documented policies (including chief privacy contacts) and perform data privacy and protection assessments for targeted advertising, sales, sensitive processing, profiling with foreseeable harms, and other high‑risk operations. Assessments must weigh benefits against consumer risks, describe safeguards, and may be requested by the Attorney General in investigations; they are treated as nonpublic but discoverable in enforcement.

815 ILCS 530/55–65 (Personal Information Protection Act additions)

Data‑broker registration, public registry, and centralized deletion mechanism

Data brokers (entities that collect and sell personal information about people they don't have a direct relationship with) must register annually with the Attorney General and provide details about minor data, precise geolocation, reproductive health data, and links free of dark patterns. The Attorney General must publish registration data and operate a deletion mechanism allowing one verifiable request to remove a consumer's data across registered brokers; brokers must process deletion requests, instruct contractors to delete, and begin periodic audits (first due Jan 1, 2029). The statute requires concrete security, multilingual and accessible interfaces, and a consumer ability to selectively exclude brokers from a batch deletion.

Section 20 and Section 95

Enforcement, penalties, and preemption of local privacy rules

Enforcement is centralized with the Illinois Attorney General: the AG must send a warning letter and allow a cure period before suing (a pre‑suit warning requirement that sunsets). Remedies include injunctions and civil penalties (statutory cap of up to $7,500 per violation). The Act explicitly forbids local governments from enacting their own consumer data privacy regulations, preempting home rule in this domain and aiming to create a uniform statewide standard.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Illinois consumers — gain enumerated rights (access, correction, deletion, portability, opt‑out of targeted ads/sales) and a single‑stop deletion path for data brokers, improving control and remediation options over distributed personal information.
  • Parents and guardians — benefit from explicit protections for known children, including parental rights to exercise data subject requests on behalf of minors and stricter consent regimes for under‑13 and 13–16 age ranges.
  • Privacy and compliance professionals — increased demand for documented assessments, privacy notices, and controller‑processor contracts creates consulting and in‑house work for privacy officers, auditors, and legal teams.
  • Responsible processors and security vendors — the statutory emphasis on technical and organizational measures and on processor cooperation creates market opportunities for secure hosting, assessment frameworks, and audit services.

Who Bears the Cost

  • Covered controllers and platforms — must invest in inventorying personal data, updating notices, building consumer‑request workflows, conducting data‑protection assessments, and reworking contracts and vendor relationships to meet the Act's requirements.
  • Data brokers — must register annually, integrate with the Attorney General's deletion mechanism, implement repeated deletion cycles, undergo independent audits (starting 2029), and potentially pay registration and access fees, creating recurring operational costs.
  • Small businesses that meet the Act's thresholds or rely on selling data — will face compliance costs and restrictions (for example, a ban on selling sensitive data without consent), and may need legal analysis to determine whether exclusions apply.
  • The Attorney General and State IT agencies — must build and operate the public registry and the deletion portal, process registrations and complaints, and enforce the Act, which will require staffing and funding (partly offset by registration and access fees deposited into the Data Privacy Protection Fund).

Key Issues

The Core Tension

The central dilemma is balancing meaningful, enforceable individual control over personal data against the operational realities and economic functions of modern data ecosystems: strong deletion, consent, and opt‑out rights protect privacy but can complicate legitimate data uses, analytics, and ad‑supported business models. The Act tries to thread that needle by carving out exemptions, deferring to deidentification, and centralizing enforcement, but those same design choices shift burdens onto regulators, compliance teams, and technical systems, with no guarantee that the state's enforcement resources will scale to match the new obligations.

The bill packs many operational requirements into broad policy statements, which creates implementation work and a number of open questions. 'Sale' and the enumerated exceptions to it (e.g., affiliate transfers, processors, asset sales) will be a focal point for litigation and compliance mapping: businesses that monetize data via ad networks, data clean rooms, or affiliate exchanges will need granular legal analysis to determine whether transactions qualify as a sale. The universal opt‑out preference signal is practical in principle, but the law leaves interoperability, standards, and abuse prevention (e.g., fingerprinting to bypass signals) to implementation; controllers and platform operators will need coordinated specifications to avoid fragmentation or gaming.

The centralized deletion mechanism for data brokers is novel and consumer‑empowering, but it raises feasibility and accuracy issues: matching records across broker datasets, defining what constitutes 'related personal information', and reconciling legitimate retention exceptions (law enforcement, fraud prevention, or permitted research) will create edge cases. The bill's deidentified/pseudonymous data carveouts reduce burdens for analytics, yet the statute's reliance on contractual promises and 'reasonable measures' to prevent reidentification will put a premium on robust technical controls and independent audits.

Finally, concentrating enforcement with the Attorney General and denying a private right of action reduces the risk of defensive litigation but could also throttle enforcement capacity; the AG's resources and prioritization choices will materially affect how quickly and consistently the law deters bad actors.
