The Illinois legislature closes today. Ten privacy and AI bills are still in play, and the most consequential one, SB 340, a consumer data privacy bill that would outright ban the sale of biometric identifiers, geolocation data, health information, and racial or ethnic origin, just cleared the Senate 54–3 last week and is heading to a House floor vote before adjournment. If it passes, Illinois becomes one of over 21 states to enact broad consumer privacy protections, and would pair comprehensive consumer privacy protections with an existing biometric enforcement regime (BIPA). Unlike California's CCPA, which lets companies sell data as long as users opt out, SB 340 prohibits sale of sensitive categories outright, companies either do not collect it or face liability.

The bill, authored by State Senator Laura Murphy (D-Des Plaines), grants Illinois residents the right to access, correct, delete, and opt out of data sales, and imposes data minimization obligations on companies handling sensitive information. Sensitive data is defined to include biometric identifiers, geolocation, health records, religious beliefs, and race or ethnicity. Under the bill's framework, companies cannot use this data for targeted advertising or profiling unless the data is strictly necessary to provide a service the consumer explicitly requested. The Senate vote, 54–3, is a signal. This is not a partisan fight. The friction is between tech platforms and consumer protection, and in Illinois, consumer protection is winning.

What makes SB 340 different from other state privacy laws is the scope of the prohibition. Oklahoma and Alabama passed consumer privacy bills in early 2026, but neither created an outright ban on sensitive data sales; both required opt-out mechanisms. Louisiana's SB 386, also passed in May, includes privacy rights but does not match SB 340's explicit category bans. Illinois' existing BIPA (Biometric Information Privacy Act) of 2008 already established strict liability for unauthorized collection of biometric data; courts had interpreted statutory damages as accruing per-incident (per scan), making enforcement extremely expensive until the 2024 amendment limited liability to a single recovery per person. SB 340 extends that logic to health data, geolocation, and other sensitive categories, creating a state where the cost of monetizing consumer surveillance simply becomes prohibitive for most ad-tech platforms unless they rearchitect their entire data flow.

The mechanics matter. SB 340 defines data controllers (companies that determine how and why data is collected) and data processors (companies that handle it on behalf of controllers) with distinct obligations. Consumers can request confirmation of what data is being processed, demand correction of inaccurate records, request deletion, opt out of processing, and, critically, challenge algorithmic profiling decisions that affect major life outcomes like loan approvals, job screening, or insurance rates. This last right is the one that actually costs money to implement: it requires human review and explainability, not just a delete button. The House vote happens today. If SB 340 passes and the governor signs it, the law takes effect in 2027, giving companies roughly 18 months to build compliance infrastructure.

Who benefits and who loses is clear. Privacy-forward users and consumer advocacy groups (Consumer Reports, Electronic Frontier Foundation) win, they get baseline rights with no opt-in friction, and sensitive data becomes a liability rather than an asset. Illinois residents using local banks, healthcare providers, and state services get stronger protections on health and financial data. Who loses: ad-tech platforms (Google, Meta, Amazon's advertising division), data brokers, and insurance companies that rely on algorithmic profiling to segment consumers. These companies will need to rebuild their Illinois-specific data pipelines or exit the state's market for certain services. The cost is real; the precedent is dangerous for them because if Illinois succeeds without a consumer outcry, other states will follow.

Watch three things over the next week. First, whether SB 340 clears the House before the 11:59 p.m. May 31 adjournment, it has momentum (54–3 in the Senate, bipartisan support), but legislative deadlines are real and bills die in final hours. Second, whether the governor signs it immediately or pauses for industry lobbying, the window for challenge is narrow because the law's effective date will depend on signature timing. Third, whether California or other large states announce plans to match the ban on sensitive data sales rather than relying on opt-out frameworks. If Illinois passes, the Overton window shifts: opt-out becomes insufficient, and opt-in or prohibition becomes the baseline expectation.