HomeBrowse Bills

Industries

HealthcareHR & HiringFinancial ServicesEducationGovernmentAgribusiness

Guides

Indiana AI LawsAI Hiring LawsCompliance ChecklistIllinois AI Act

Compliance

Framework GuideSOC 2ISO 27001ISO 42001NIST AI RMFCompare FrameworksCost ComparisonVendor VettingLawmakersData CentersGovernanceAbout
Risk Check
ILIn Committee

SB 3890

CONSUMER DATA PRIVACY

Medium Risk

May require changes to AI practices. Monitor and prepare.

TL;DR

Illinois SB 3890 would overhaul the state's consumer data privacy framework, creating new rules for how companies collect, use, and share personal data, including data fed into AI systems. The bill is currently stalled in committee (re-referred to Assignments under Rule 3-9(a)), meaning it has not advanced to a floor vote.

Read the Full Bill Text

How This Might Impact Your Business

Any company collecting personal data from Illinois residents would face new consent, disclosure, and data minimization requirements, regardless of where the company is headquartered.

Companies using AI tools that ingest consumer data (ad targeting, recommendation engines, predictive analytics, generative AI trained on customer interactions) would likely need to update privacy notices and obtain clearer user permissions.

Mid-size and large companies are typically the focus of state privacy laws like this, with thresholds often based on revenue, number of consumers, or volume of data processed (specific thresholds in SB 3890 are not yet public).

Retailers, ad-tech firms, SaaS providers, healthcare platforms, and financial services companies serving Illinois consumers would carry the heaviest compliance lift.

Penalties under Illinois privacy laws have historically been steep (BIPA generated billion-dollar settlements), so non-compliance risk could be material even if enforcement details are still being shaped.

The bill is stuck in committee assignment, so immediate compliance action is not required, but the direction of travel matches CCPA, CPA, and other state privacy regimes.

Small businesses and certain regulated entities (HIPAA-covered, GLBA-covered) are commonly exempted in similar laws, though SB 3890's exemptions are not yet confirmed.

What Should You Do

1

Ask your privacy or legal team to map what Illinois consumer data you collect and how it flows into AI or analytics systems, so you can move quickly if the bill advances.

2

Benchmark your current privacy program against CCPA and Colorado's CPA; if you comply with those, you are positioned well for most Illinois proposals.

3

Inventory AI vendors that process Illinois consumer data and confirm contracts include data processing terms, deletion rights, and audit provisions.

4

Assign someone to track SB 3890's committee status monthly; Illinois bills can move quickly once reassigned out of Rules.

5

Review your consumer-facing privacy notices and consent flows now, since updates take engineering and legal cycles that exceed typical compliance timelines.

Who It Affects

HealthcareHR & HiringFinancial Services
Retail and E-commerceAd Tech and MarTechSaaS and Cloud ServicesHealthcare and HealthTechFinancial ServicesHR Tech

Status Timeline

committee

Rule 3-9(a) / Re-referred to Assignments

May 22, 2026

AI-generated analysis for informational purposes only. Not legal advice. Always consult a qualified attorney for legal guidance.

Need help preparing your team for AI compliance?

Talk to LaunchReady about AI Training

Get the Weekly AI Law Roundup

Plain-English summaries of the AI laws that matter for your business. Every Monday. Free.

No spam. Unsubscribe anytime.