Comprehensive Illinois Bill Proposes Privacy Agency
New-for-2025 comprehensive privacy bills appeared in Illinois and Oklahoma this week. In Illinois, state Sen. Sue Rezin's (R) proposed measure seems based on California’s law. The Oklahoma proposal, from Sen. Brent Howard (R), takes a Virginia-style approach. Privacy Daily is tracking comprehensive bills in at least five states.
Sign up for a free preview to unlock the rest of this article
Rezin’s comprehensive privacy measure (SB-52) is a refiled version of her 2024 bill. A comparison shows no substantive differences. Notably, the bill would establish a state privacy agency with rulemaking and enforcement authority. Also, it would provide a limited private right of action in the case of a security breach, though consumers would first have to give businesses a notice and 30 days to cure the alleged violation.
Rezin additionally filed SB-47 to require data brokers to annually register with the state AG and pay a fee. Moreover, Rezin crafted two versions of an age-appropriate design code (AADC) bill. One is seemingly based on Maryland’s law (SB-50), with the other taking its cues from California’s (SB-51).
“These bills are a part of my ongoing legislative package that was created out of my Safe Screens, Healthy Minds initiative,” Rezin said in an emailed statement Tuesday. “We cannot continue to ignore the negative impact that social media has had on the well-being of minors. It is vital that we take action to alleviate the known harm that these platforms present and safeguard the mental and physical health of our children.”
Rezin’s comprehensive privacy bill is “a bit of an outlier -- rather than being based on the prevailing Washington Privacy Act framework, it's modeled after the” California Privacy Rights Act (CPRA), said Jordan Francis, Future of Privacy Forum (FPF) policy counsel, in an email Tuesday. The Washington Privacy Act was not approved, but it was a template for Virginia’s measure and many subsequent state privacy laws.
A Rezin spokesperson said the senator “worked with national advocates to help develop her legislative package and also looked at what other states were implementing,” including legislation from California, Colorado, Utah and Virginia.
In Oklahoma, Howard prefiled a comprehensive privacy bill (SB-546) that will go up against a similar House bill (HB-1012), which Rep. Josh West (R) prefiled previously. The Oklahoma session starts Feb. 3.
West’s bill is “another outlier bill” based on the 2018 California Consumer Protection Act before it was amended by the CPRA, said Francis: Versions of it date back to 2021. However, the fresh bill by Howard “is a more standard Virginia-style bill,” he said.
A purpose statement in Illinois SB-52 says, “Consumers should know who is collecting their personal information and that of their children, how it is being used, and to whom it is disclosed so that they have the information necessary to exercise meaningful control over businesses' use of their personal information and that of their children.” Also, consumers should have “meaningful options” to control collection, use and disclosure of personal information, the bill says: That includes the right to correct, delete and port data between businesses. And consumers “or their authorized agents should be able to exercise these options through easily accessible self-serve tools.”
Businesses should clearly inform consumers how they collect and use personal data, it says. Also, they “should only collect consumers' personal information for specific, explicit, and legitimate disclosed purposes and should not further collect, use, or disclose consumers' personal information for reasons incompatible with those purposes.” In addition, the bill would limit data collection to what “is relevant and … necessary in relation to the purposes for which it is being collected, used, and shared.”
The Illinois bill would apply to companies doing business in the state and which meet at least one threshold: (1) at least $25 million in annual gross revenue; (2) buys or sells personal information of at least 100,000 consumers or households annually; or (3) derives 50% or more annual revenue from selling or sharing consumers’ personal information.
"The Illinois bill includes many of the standard privacy-related protections we've come to expect in state privacy bills, like rights to access, correct, and delete data, and rights to opt-out of the sale of data and certain uses of sensitive information," said Eric Null, Center for Democracy and Technology Privacy & Data Project co-director. "It also includes some less common provisions, such as a provision granting broad rulemaking authority and a provision creating a separate state-level privacy enforcement agency." However, said Null, "this bill continues the trend we have seen at the state level that burdens consumers with more and more privacy notices and opt-outs, while essentially blessing current company practices ... Without strong data minimization requirements that limit collection, processing, and transfer of data to what is necessary to provide the service, companies will continue doing essentially anything they want with consumer data."
On differences between Rezin’s two AADC bills, the senator’s spokesperson said SB-50 “is designed to cover all social media and target the algorithms that show harmful material to children,” whereas SB-51 focuses on online material “likely to be accessed by children." FPF's Francis pointed to “subtle but consequential differences between” the AADC bills. For example, he said, SB-50 “defines ‘best interests of the child’ and does not include an obligation to estimate users' age.”